How to unblock the Modern Application Network Isolation in Win8

In Windows 8 we introduced the new WinRT platform, which brings users Modern Apps with dynamic tiles and an immersive user experience. If you are a corporate user working behind a company proxy server, or a developer, you may have found that all Modern Apps lose network access as soon as a LAN proxy is set manually in the connection settings. This is caused by the network isolation design of the new WinRT runtime.
To implement the new security model and make applications on the WinRT platform safer, a Modern App must declare each capability it needs before it can use it. For network access, for example, it is not enough to declare that a network connection is needed; the app must also declare which type of connection it needs. Because of network isolation, by default no Modern App may use the IP loopback address for inter-process communication. And when a LAN proxy server is configured in the connection settings of Internet Options, Modern Apps cannot reach the Internet at all: only desktop applications can go through that proxy server. (WinRT can detect the default proxy server on the local network so that Modern Apps can get online, but a manually specified LAN proxy is not detected automatically.)

Sometimes, when the company's default network proxy server is down, the IT administrator may ask users to specify another LAN proxy server manually. At that point Modern Apps cannot access the Internet, which is really frustrating. In fact, there are two ways to lift the network isolation restriction so that Modern Apps can access the Internet during such periods:
Method 1: Use Group Policy to specify an Internet proxy for the network-isolated environment
Open the Local Group Policy Editor and expand "Computer Configuration"-"Administrative Templates"-"Network"-"Network Isolation"; the following settings appear:

We can edit "Internet proxy servers for apps" to specify an Internet proxy. Note that the proxy specified here must be the same as the LAN proxy specified in the connection settings of the desktop Internet Options, so that Modern Apps can access the Internet. That is only the foundation, though: if you set just this one policy, the proxy you add and the proxy detected by the system form a union, and automatic detection takes precedence. Once a LAN proxy has been specified on the desktop, the automatically detected proxy no longer matches the manually specified LAN proxy, and the result is that the apps are still not online. So for Modern Apps to access the Internet we must also enable "Proxy definitions are authoritative", which makes Modern Apps use only the proxies specified here.
Method 2: Use Win8's built-in diagnostic command to add a network isolation exemption for specific applications.
Windows 8 ships with a command-line tool, CheckNetIsolation.exe, for Modern App developers to diagnose network problems. We can use it to add some Modern Apps to the network isolation exemption list:

Here we use the LoopbackExempt parameter to achieve what we need. This parameter in turn takes specific sub-parameters that must be specified.

The program help is very clear, so I won't go into detail here. I do want to remind everyone that because the SID of an AppContainer or package is hard to find (it requires a registry lookup), I personally recommend using -n=[Name] to manage the network isolation exemption by AppContainer or package name. Getting the name is very simple: open the %LocalAppData%\Packages path, and the names of the folders there are the names of the various Modern Apps, ready to copy and paste.

As the figure shows, it is not hard to work out which Modern App on the Start screen a folder corresponds to, because the first part of the folder name is the name of the program. For example, the last one, "WinStore_cw5n1h2txyewy", is clearly the internal name of the app Store.
Now let's assume the default proxy server is down and I have set the LAN proxy in the desktop environment, but I need the app Store to update several of my applications, so I add a network isolation exemption for it: execute "CheckNetIsolation.exe LoopbackExempt -a -n=WinStore_cw5n1h2txyewy" to add the Store to the exemption list.
To verify the exemption list, use the "CheckNetIsolation.exe LoopbackExempt -s" command:

To delete an exemption, change the -a parameter in the command above to -d. To clear the whole list quickly, execute "CheckNetIsolation.exe LoopbackExempt -c".
Comparing the two methods above, I personally recommend the second, for two reasons:
First, with the Group Policy method the proxy server's port cannot be specified for the isolated network, so applications that use a port other than 80 may still not work properly. For example, when the app Store is set up this way it can only browse apps; updating and downloading software do not work.
Second, using CheckNetIsolation lets you easily control and review the exemption state, there is no port limitation, and the program works completely normally. Moreover, for IT professionals this can be integrated into scripts, and the code can be reused for automated control.
In the second method it is also recommended to use the form -n=[AppName] rather than -p=[AppSID] to add or delete exemptions, not only for the convenience mentioned above but also because special Modern Apps such as the Store have no corresponding SID shown under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings in the registry. After adding the Store exemption by name and reviewing the exemption list, we find that the Store's SID is S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493
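The add / verify / remove procedure above, and the registry lookup of an AppContainer SID, as an added PowerShell example (not code from the original post or from Microsoft). It wraps CheckNetIsolation.exe so the exemption can be scripted and reviewed, which is the reuse-in-code point made for IT professionals. Assumptions: the "Name:" / "SID:" line layout of "LoopbackExempt -s" output, and that each SID subkey under the Mappings key carries a "Moniker" value holding the package name; both are labelled in the comments and may need adjusting on a given build. Run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post: scripted loopback exemptions.
# Assumption: CheckNetIsolation.exe lives in System32 and prints "Name:" and
# "SID:" lines for each entry when called with "LoopbackExempt -s".
$CheckNetIsolation = Join-Path $env:SystemRoot 'System32\CheckNetIsolation.exe'
# Registry key named in the post; each subkey is an AppContainer SID.
$MappingsKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'

function Get-ModernAppPackageName {
    # Folder names under %LocalAppData%\Packages are the names that -n= accepts,
    # e.g. WinStore_cw5n1h2txyewy for the Store.
    param([string]$Filter = '*')
    Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Packages') -Directory -Filter $Filter |
        Select-Object -ExpandProperty Name
}

function Get-LoopbackExemption {
    # Parses "LoopbackExempt -s" into objects with Name and SID so the list can
    # be reviewed or compared against an approved set. Output format is assumed.
    $current = $null
    foreach ($line in (& $CheckNetIsolation LoopbackExempt -s)) {
        if ($line -match '^\s*Name:\s*(\S+)') {
            $current = [pscustomobject]@{ Name = $Matches[1]; SID = $null }
        } elseif ($current -and $line -match '^\s*SID:\s*(S-1-15-2-[\d-]+)') {
            $current.SID = $Matches[1]
            $current           # emit the completed entry
            $current = $null
        }
    }
}

function Add-LoopbackExemption {
    param([Parameter(Mandatory)][string]$PackageName)
    & $CheckNetIsolation LoopbackExempt -a "-n=$PackageName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation -a failed for $PackageName (exit $LASTEXITCODE)" }
}

function Remove-LoopbackExemption {
    param([Parameter(Mandatory)][string]$PackageName)
    & $CheckNetIsolation LoopbackExempt -d "-n=$PackageName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation -d failed for $PackageName (exit $LASTEXITCODE)" }
}

function Clear-LoopbackExemption {
    # Equivalent of "CheckNetIsolation.exe LoopbackExempt -c": empties the list.
    & $CheckNetIsolation LoopbackExempt -c | Out-Null
}

function Resolve-AppContainerSid {
    # Looks up the SID recorded for a package under the Mappings key.
    # Assumption: each SID subkey has a "Moniker" value equal to the package name.
    # Some apps (the Store, per the post) have no entry here, which is why
    # -n= is the more reliable way to address an app.
    param([Parameter(Mandatory)][string]$PackageName)
    Get-ChildItem -Path $MappingsKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).Moniker -eq $PackageName } |
        ForEach-Object { $_.PSChildName }
}

# Usage: exempt the Store only for the duration of the update, verify the entry,
# show what the registry knows about it, then put the isolation back.
$store = Get-ModernAppPackageName -Filter 'WinStore_*' | Select-Object -First 1
if ($store) {
    Add-LoopbackExemption -PackageName $store
    Get-LoopbackExemption | Where-Object { $_.Name -eq $store } | Format-Table -AutoSize
    $sid = Resolve-AppContainerSid -PackageName $store
    if ($sid) { "Registry SID for ${store}: $sid" } else { "No Mappings entry for $store" }
    # ... run the Store update here ...
    Remove-LoopbackExemption -PackageName $store
}
```

The exemption is removed at the end of the usage block on purpose: an entry in the loopback-exempt list relaxes the AppContainer boundary for that package, so the same script that grants it for a maintenance window should also revoke it, and Get-LoopbackExemption gives an auditable list of anything left behind.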

Copyright © Windows knowledge All Rights Reserved