Enterprise |
Windows domain credentials enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. The enterpriseAuthentication capability is typically used in line-of-business apps that connect to servers within an enterprise.
You don't need this capability for generic communication across the Internet.
The enterpriseAuthentication capability is intended to support common line-of-business apps. Don't declare it in apps that don't need to access corporate resources. The file picker provides a robust UI mechanism that enables users to open files on a network share for use with an app. Declare the enterpriseAuthentication capability only when the scenarios for your app require programmatic access, and you cannot realize them by using the file picker.
The enterpriseAuthentication capability must include the uap namespace when you declare it in your app's package manifest as shown below.
<Capabilities><uap:Capability Name="enterpriseAuthentication"/></Capabilities>
This capability is required to call the GetUserNameEx function.
The enterpriseDataPolicy capability allows apps to handle enterprise data separately and safely when the app is managed with Windows Information Protection policy (For example: Mobile Device Management and Mobile Application Management systems). Declare this restricted capability as shown below.
<Capabilities><rescap:Capability Name="enterpriseDataPolicy"/></Capabilities>
This capability is required to use all members of the following classes. |
Shared user certificates |
The sharedUserCertificates capability enables an app to add and access software and hardware-based certificates in the Shared User store, such as certificates stored on a smart card. This capability is typically used for financial or enterprise apps that require a smart card for authentication.
The sharedUserCertificates capability must include the uap namespace when you declare it in your app's package manifest as shown below.
<Capabilities><uap:Capability Name="sharedUserCertificates"/></Capabilities> |
Documents* |
The documentsLibrary capability provides programmatic access to the user's Documents library, filtered to the file type associations declared in the package manifest. For example, if a word processing app declared a .doc file type association, it can open .doc files in the user's Documents library.
The documentsLibrary capability is only needed if your application programmatically accesses the Documents library without user intervention. Your application does not need the documentsLibrary capability to access the Documents library if the user chooses it with a picker API. Generally, apps should allow the user to choose the location of their files, using one of the following picker APIs: Using these APIs allows the user to choose a location that works best for them, such as a cloud-synced account (eg, OneDrive). After the user has picked a file or folder using these APIs, your app can get ongoing access to the location by using the FutureAccessList API. This API allows your app to access the files or folders in the future without asking the user to pick them again.
In cases where existing workflows assume files will be in the Documents library (for example, interop with an existing desktop application) or where you do not want the user to have to choose the location, you can declare the documentsLibrary capability for your application. If you use the documentsLibrary capability for your application, it is recommended that you also allow the user to pick locations manually.
The documentsLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.
<Capabilities><uap:Capability Name="documentsLibrary"/></Capabilities> |
Game DVR Settings |
The appCaptureSettings restricted capability allows apps to control the user settings for the Game DVR.
This capability is required to use some APIs in the Windows.Media.Capture namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Cellular |
The cellularDeviceControl restricted capability allows apps to have control over the cellular device.
The cellularDeviceIdentity capability allows apps to access cellular identification data.
The cellularMessaging capability allows apps to make use of SMS and RCS.
These capabilities are required to use some APIs in the Windows.Devices.Sms namespaces. |
Device Unlock |
The deviceUnlock restricted capability allows apps to unlock a device for developer and enterprise sideloading scenarios.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Dual SIM Tiles |
The dualSimTiles restricted capability allows apps to create an additional app list entry on devices that have multiple SIMs.
This capability is required to use some APIs in the Windows.UI.StartScreen namespace. |
Enterprise Shared Storage |
The enterpriseDeviceLockdown restricted capability allows apps to use the device lock down API and access the enterprise shared storage folders.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Input Injection |
The inputInjectionBrokered restricted capability allows apps to inject various forms of input such as HID, touch, pen, keyboard or mouse into the system programmatically. This capability is typically used for collaboration apps that can take control of the system.
For a PC, input injection from an app that has this capability will only be received by processes in the same App Container.
<Capabilities><rescap:Capability Name="inputInjectionBrokered" /></Capabilities> |
Observe Input* |
The inputObservation restricted capability allows apps to observe various forms of raw input such as HID, touch, pen, keyboard, or mouse being received by the system regardless of its final destination.
This capability and the APIs related to it are only available for use by select Microsoft partners. |
Suppress Input |
The inputSuppression restricted capability allows apps to suppress various forms of raw input such as HID, touch, pen, keyboard, or mouse from being received by the system.
This capability and the APIs related to it are only available for use by select Microsoft partners. |
VPN App |
The networkingVpnProvider restricted capability allows apps to have full access to VPN features, including the ability to manage connections and provide VPN Plugin functionality.
This capability is required to use some APIs in the Windows.Networking.Vpn namespace. |
Other App Management |
The packageManagement restricted capability allows apps to manage other apps directly.
The packageQuery device capability allows apps to gather information about other apps.
These capabilities are required to access some methods and properties in the PackageManager class. |
Screen Projection |
The screenDuplication restricted capability allows apps to project the screen on another device.
This capability is required to use APIs in the DirectX namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
User Principal Name |
The userPrincipalName restricted capability allows apps to access the user principal name (UPN) of the current user.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Wallet |
The walletSystem restricted capability allows apps to have full access to the stored wallet cards.
This capability is required to use APIs in the Windows.ApplicationModel.Wallet.System namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Location History |
The locationHistory restricted capability allows apps to access the location history of the device.
This capability is required to use APIs in the Windows.Devices.Geolocation namespace. |
App Close Confirmation |
The confirmAppClose restricted capability allows apps to close themselves, their own windows, and delay the closing of their app.
Apps may request this capability in Windows 10 version 1703 (build 10.0.15063) and beyond. In prior Windows 10 versions the capability is private and will cause app install to fail with error message "The requested capability can not be authorized for this application." |
Call History* |
The phoneCallHistory restricted capability allows apps to read the call history and to delete entries in the history.
This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Level Appointment Access |
The appointmentsSystem restricted capability allows apps to read and modify all appointments on the user's calendar.
This capability is required to use APIs in the Windows.ApplicationModel.Appointment namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Level Chat Message Access* |
The chatSystem restricted capability allows apps to read and write all SMS and MMS messages. This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Level Contact Access |
The contactsSystem restricted capability allows apps to read contact information that has been designated as restricted or sensitive and modify existing contact information.
This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Email Access |
The email restricted capability allows apps to read, triage, and send user emails.
This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Level Email Access |
The emailSystem restricted capability allows apps to read, triage, and send user restricted or sensitive emails.
This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
System Level Call History Access |
The phoneCallHistorySystem restricted capability allows apps to fully modify the call history by changing existing entries and writing new ones.
This capability is required to use APIs in the Windows.ApplicationModel.Calls namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Send Text Messages* |
The smsSend restricted capability allows apps to send SMS and MMS messages.
This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace. |
System Level Access to All User Data |
The userDataSystem restricted capability allows apps to access the user data system datastore.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Store Preview Features |
The previewStore restricted capability allows apps to retrieve and purchase SKUs of in-app products.
This capability is required to use certain APIs in the Windows.ApplicationModel.Store.Preview namespace. |
First-Time Sign-in Settings |
The firstSignInSettings restricted capability allows apps to access user settings that were set when the user first signed in to their device. |
Windows Team Experience |
The teamEditionExperience restricted capability allows apps to access internal APIs that control many experiential aspects of a Windows Team session. A Windows Team session is likely to be running on a team device such as a Microsoft Surface Hub.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Remote Unlock |
The remotePassportAuthentication restricted capability allows apps to access credentials that can be used to unlock a remote PC.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Preview Composition |
The previewUiComposition restricted capability allows apps to preview the Windows.UI.Composition namespace for their user interface so they can provide feedback on the API before it is completed. Please contact wincomposition@microsoft.com for more information. |
Secure Assessment Lockdown |
The secureAssessment restricted capability allows apps to lockdown Windows into a single app mode for secure assessments.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Connection Manager Provisioning |
The networkConnectionManagerProvisioning restricted capability allows apps to define the policies that connect the device with WWAN and WLAN interfaces. Apps that use this capability are created by Mobile Operators to govern the devices that connect to their mobile network. |
Data Plan Provisioning |
The networkDataPlanProvisioning restricted capability allows apps to gather information about data plans on the device and read network usage. Apps that use this capability are created by Mobile Operators to integrate their customers' actual data usage into the OS Data usage setting. |
Software Licensing |
The slapiQueryLicenseValue restricted capability allows apps to query software licensing policies.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Extended Execution |
The extendedBackgroundTaskTime restricted capability prevents background tasks from being cancelled or terminated due to execution time limits. They are still subject to all other memory and energy usage limits. This capability can be restricted using the Battery Usage or Privacy Background Apps Settings. Note that consumers and administrators still have the ability to control background tasks through the Group Policy settings.
The extendedExecutionBackgroundAudio restricted capability allows apps to play audio when the app is not in the foreground.
The extendedExecutionCritical restricted capability allows apps to begin a critical extended execution session.
The extendedExecutionUnconstrained restricted capability allows apps to begin an unconstrained extended execution session.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
See Postpone app suspension with extended execution for more information about using extended execution to postpone when your app is suspended. |
Mobile Device Management |
The deviceManagementDmAccount restricted capability allows apps to provision and configure Mobile Operator Open Mobile Alliance - Device Management (MO OMA-DM) accounts.
The deviceManagementFoundation restricted capability allows apps to have basic access to the Mobile Device Management (MDM) configuration service provider (CSP) infrastructure on the device. Note that other capabilities are needed to access specific CSPs.
The deviceManagementWapSecurityPolicies restricted capability allows apps to configure Wireless Application Protocol (WAP)-based services such as MMs, Service Indication/Service Loading (SI/SL), and Open Mobile Alliance - Client Provisioning (OMA-CP).
The deviceManagementEmailAccount restricted capability allows apps created by Mobile Operators to add and manage an email account on devices they provision to users. |
Package Policy Control |
The packagePolicySystem restricted capability allows apps to have control of system policies related to apps that are installed on the device.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Games List |
The gameList restricted capability allows apps to get a list of known games installed on the system.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Xbox Accessory |
The xboxAccessoryManagement restricted capability allows apps to directly manage Xbox devices that conform to the Xbox hardware specification.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Speech Recognition for Accessories |
The cortanaSpeechAccessory restricted capability allows apps to invoke and pass commands to Cortana.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Accessory Management |
The accessoryManager restricted capability allows apps to register as an accessory app and opt-in to specific app notifications so that they may be forwarded to accessories and display to the user. |
Driver access |
The interopServices restricted capability allows apps to interact directly with drivers.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Foreground observation |
The inputForegroundObservation restricted capability allows apps in the foreground to intercept keyboard input and byasses all non-app keyboard input processing. SAS combinations cannot be intercepted by this capability. This capability is required to access members of the KeyboardDeliveryInterceptor class. |
OEM and MO Partner apps |
The oemDeployment restricted capability allows apps that are created by Microsoft partners to install new apps and query currently installed apps on the device.
The oemPublicDirectory restricted capability allows apps that are created by Microsoft partners to have access to the shared app folder. We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
App Licensing |
The appLicensing restricted capability allows apps to run without the need of a license. You cannot submit your app to the store if you declare this capability in your manifest.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Location System |
The locationSystem restricted capability allows apps to perform certain privileged location configurations like setting the default location for the device.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
User Data Accounts Provider |
The userDataAccountsProvider restricted capability allows apps to fully manage the mail, calendar, and contact accounts. |
Pen Workspace |
The previewPenWorkspace capability allows an app to access the Windows.ApplicationModel.Preview.Notes namespace to be hosted inside the pen workspace as the remember action handler. |
Secondary Authentication Factor |
The secondaryAuthenticationFactor capability allows an app to unlock a PC by passing the secrets store on a nearby companion authentication device. For example, a companion fitness band can be used to unlock the PC. This capability is required to access APIs in the Windows.Security.Authentication.Identity.Provider namespace.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Store License Management |
The storeLicenseManagement capability allows Microsoft partner hub-apps to manage store licenses on the device. This capability is required to access APIs in the Windows.ApplicationModel.Store.LicenseManagement namespace. |
User System ID |
The userSystemId capability allows apps to get a system identifier specific to the user. This identifier uniquely identifies the current user on a specific system and can be used to correlate information across apps. This capability is required to access the SystemIdentification.GetSystemIdForUser(User) method. |
Targeted Content |
The targetedContent capability provides an application the ability to retrieve and use targeted subscription content provided by the Windows.Services.TargetedContent namespace.
This capability is required to use some APIs in the Windows.System.Profile.SystemIdentification namespace. |
UI Automation |
The uiAutomation capability allows a UI automation client, such as Narrator, to connect to a UI Automation server or provider.
This capability is required to use some APIs in the Windows.Xbox.Media.Capture.Broadcaster namespace. |
Game Bar Services |
The gameBarServices is restricted to 1st party store updatable inbox UWAs.
This capability is required to use the Windows.Media.Capture.GameBarsSrvices class.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
App Capture Services |
The appCaptureServices capacity is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services and bizdev.
This capability is required to use the Windows.Media.Capture.AppCaptureServices class. |
App Broadcast Services |
The appBroadcastServices capability is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services. This capability is required to use the Windows.Media.capture.AppBroadcastServices class.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Audio Device Configuration |
The audioDeviceConfiguration This capability allows an application to query, configure, enable, and disable audio effects exposed by the audio driver. This capability is required to use the Windows.Media.Devices.AudioDeviceModulesManager class.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. This is because AudioDeviceModulesManager allows an application to access to all audio effects on a given system. Potentially, the audio effects can be set to negatively impact audio performance on the device. |
Background Media Recording |
The backgroundMediaRecording capability changes the behavior of the media-specific APIs like the MediaCapture and AudioGraph classes to enable media recording while your app is in the background. |
Preview Ink Workspace |
The previewInkWorkspace capability allows an app to access the Preview Ink namespace hosted inside the ink workspace. Generally speaking, this is used by an OEM to replace the whiteboard application on a device. This capability is required to the APIs in the Windows.ApplicationModel.Preview.InkWorkspace namespace. |
Start Screen Management |
The startScreenManagement capability allows apps to silently pin Tiles to the Start screen. Apps can also pin from the background. Not having the startScreenManagement capability does not block any APIs; rather, using startScreenManagement means that the Shell will not display any UI when an app uses the Pin API. |
Cortana Permissions |
The cortanaPermissions capability allows an app to enumerate the permissions that the user has granted Cortana on the device. The capability also allows an app to grant and revoke Cortana permissions on the device. Note that using cortanaPermissions requires that the device display legal text before granting permissions. As such, it is the responsiblity of the app to inform the user of the legal consequences of modifying permissions.
This capability is required to gain read access to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search registry settings.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
All App Mods |
The allAppMods capability allows an app to access the AppMods folder for all apps. Mod Management utilities use allAppMods to manage mods outside of the game or app that consume them. |
Expanded Resources |
The expandedResources capability allows an app access to the Game Mode resources. On Xbox, and on PCs that meet a sufficient bar, Game Mode resources represent a subset of the available CPU cores that are reserved for the app's exclusive use. On Xbox, the app also has exclusive use of a memory partition of at least 4GB.
This capability is required to gain exclusive use of CPU and memory resources as defined above. |
Protected App |
The protectedApp capability grants an app the ability to be loaded into a procteded process by the store. When the app is ingested into the store, the store adds a blob to the executable. The store also page signs the executable with a Microsoft key. The process loader checks for this blob rather than the capability to enforce protected process, as the blob needs a Microsoft signature.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Game Monitor |
The gameMonitor capability causes the system to use active monitoring to detect game cheats by the app.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
App Diagnostics |
The appDiagnostics capability allows an app to get diagnostic information, (such as package information, memory usage, and account name) for any other running UWP app. The information returned includes the domain/machine account name under which the app is running; if the calling app is launched with Administrator rights then the app can retrieve a list of all running apps for all accounts on the machine.
This capability is required to use the Windows.System.AppDiagnosticInfo, Windows.System.AppDiagnosticInfo.RequestAppDiagnosticInfoAsync, and Windows.ApplicationModel.AppInfo classes. |
Device Portal Providers |
The devicePortalProvider capability allows apps to call the Windows.System.Diagnostics.DevicePortal APIs, and serve as a webserver for diagnostic tooling while in Developer Mode.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Enterprise Cloud Single Sign On |
The enterpriseCloudSSO capability allows apps to use single sign on with Azure Active Director (AAD) resources inside a hosted web view control. |
Automatically accept VoIP calls |
The backgroundVoIP capability allows you to automatically receive and accept incoming VoIP calls without requiring the user to accept the call explicitly. Apps utilizing this capability are granted full control of camera and microphone and can use these resources in the background.
We don't recommend declaring this capability in apps submitted to the Microsoft Store. For most developers, use of this capability won't be approved. |
Reserve resources for VoIP calls |
The oneProcessVoIP capability allows you to reserve the CPU and memory resources necessary for a VoIP call in a single-process application.
We don't recommend declaring this capability in apps submitted to the Microsoft Store. For most developers, use of this capability won't be approved. |
Development Mode Network |
The developmentModeNetwork capability allows apps to access network paths using the credentials from the signed-in user when calling the OpenFile Win32 API in a C++/CX UWP app or C++ Windows Runtime component.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Broad Filesystem Access |
The broadFileSystemAccess capability allows apps to get the same access to the file system as the user who is currently running the app without any additional file-picker style prompts during runtime. It is important to note that this capability is not required to access files that the user has already chosen using the FilePicker or FolderPicker.
This capability works for the Windows.Storage APIs. Because users can grant or deny the permission any time in Settings, you should ensure that your app is resilient to those changes. In the April 2018 update, the default for the permission is On. In the October 2018 update, the default is Off. It is also important that you do not declare any special folder capabilities such as Documents, Pictures, or Videos with this capability. You can enable this capability in your app by adding broadFileSystemAccess to your manifest. For an example, see the File access permissions article.
In most cases, to get access to file system locations, your app can use the FileOpenPicker, FileSavePicker, FolderPicker, and FutureAccessList APIs. If you want to request approval to use the broadFileSystemAccess capability, then you must provide specific reasons as to why those APIs aren't sufficient for your needs.
Note: This capability is not supported on Xbox. |
System Firmware and BIOS |
The smbios capability allows apps to access bios data and system firmware data. |
Full Trust Permission Level |
This is the runFullTrust restricted capability. Terms are defined below, but in short, a package needs this capability if the package uses features for which full trust is needed. A common example is a package that contains one or more full-trust apps. The runFullTrust restricted capability allows a package like that to be installed on a machine.
A full trust app is one that sets uap10:TrustLevel to mediumIL (see the Application element). A full trust app has a process that runs with an integrity level of medium (see Mandatory Integrity Control). And a package is an .appx or MSIX package (see Building an MSIX package from your code).
Another example where this capability is needed is a package with an extension category of windows.firewallRules (see desktop2:Extension). That's considered a full-trust feature; and in that example there's no app to activate, and no process to launch.
To use the FullTrustProcessLauncher class, this capability is required, too. |
Elevation |
The allowElevation restricted capability allows apps that are created by Microsoft partners and enterprises to preserve existing desktop functionality that requires auto-elevation on launch or during an app's lifetime.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. It will only be approved for line-of-business apps deployed by enterprises to their private store via the Microsoft Store for Business. |
Windows Team Device Credentials |
The teamEditionDeviceCredential restricted capability allows apps to access APIs that request device account credentials on a Surface Hub device running Windows 10, version 1703 or later.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Windows Team Application View |
The teamEditionView restricted capability allows apps to access APIs for hosting an application view on a Surface Hub device running Windows 10, version 1703 or later.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Camera Processing Extension |
The cameraProcessingExtension restricted capability allows apps to process images captured from the camera without direct camera control.
This capability is required to call APIs in the Windows.Devices.PointOfService.Provider namespace.
Anyone may request access to this capability for store submission. |
Data usage Management |
The networkDataUsageManagement restricted capability allows apps to gather network data usage information.
This capability is required to call GetAttributedNetworkUsageAsync.
Anyone may request access to this capability for store submission. |
Manage phone line connectivity |
The phoneLineTransportManagement capability allows apps to manage system devices responsible for phone line connectivity.
This capability is required to use PhoneLineTransportDevice APIs in the Windows.ApplicationModel.Calls namespace. |
Unvirtualized Resources |
The unvirtualizedResources restricted capability enables your application to declare the RegistryWriteVirtualization and FileSystemWriteVirtualization elements in its package manifest to disable virtualization for the registry and file system. These declarations prevent the system from virtualizing any writes to HKEY_CURRENT_USER or to the user's AppData folder, respectively. This is useful in scenarios where your application expects other applications to read or write the same registry or file system entries as your application.
This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It's also needed for apps packaged with external location (see Grant package identity by packaging with external location). It is not intended to be used for other scenarios, because it could compromise the system's ability to uninstall cleanly. |
Modifiable App |
The modifiableApp restricted capability enables your application to declare the windows.mutablePackageDirectories extension in its package manifest. This enables you to provide a name for the folder where your application expects modified or added files to be located. The OS will create this folder and enable your application to use the files in this folder instead of (or in addition to) the files originally installed by the application.
This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It will not be granted for other scenarios, because it can allow unsigned code to execute. |
Package Write Redirection Compatibility Shim |
The packageWriteRedirectionCompatibilityShim restricted capability configures your application to create all new files in a per-user location. Any preexisting files opened for writes are first copied into a per-user location and modifications happen to the file in that location. This capability is useful for applications that create or modify files in their installation folder.
This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. However, it might also be applicable to other apps in some cases. |
Custom Install Actions |
The customInstallActions restricted capability enables your application to declare the windows.customInstall extension in its package manifest so that it can specify one or more additional installer files (.exe or .msi) that are executed with your application. This allows you to specify custom actions for any of the standard deployment scenarios: install, update, repair, or uninstall. For example, this is useful for applications that bundle a 3rd party redistributable component.
This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It will not be granted for other scenarios. |
Packaged Services |
The packagedServices restricted capability allows applications that are created by Microsoft partners and enterprises to declare the windows.service extension in its package manifest so that it can install one or more services along with the app. These services can be configured to run under the Local Service, Network Service or Local System accounts. Local Service and Network Service services only require the packagedServices capability. Local System services require both the packagedServices and localSystemServices capabilities.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Local System Services |
The localSystemServices restricted capability allows applications that are created by Microsoft partners and enterprises to install one or more Local System services along with the app (that is, your application can declare the StartAccount for the services to be LocalSystem). This scenario also requires the packagedServices capability.
We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. |
Background Spatial Perception |
The backgroundSpatialPerception restricted capability allows an application to access the movement of the user's head, hands, motion controllers, and other tracked objects while the app is running in the background. |
UI Access |
UIAccess is a feature in Windows that allows certain trusted applications to interact with the user interface (UI) of other applications, even when they are running with higher privileges or in a secure desktop session. This feature is often used by accessibility tools and automation software to provide users with alternative ways to interact with applications. The uiAccess restricted capability must be specified when the uiAccess attribute of the requestedExecutionLevel element is set to true in the app manifest file. For more information see, Security Considerations for Assistive Technologies. |