I have a provisioned appx package of a UWP app that is certified by Microsoft, which I installed using DISM with /Add-ProvisionedAppxPackage (adding the required dependencies using /DependencyPackagePath).
I found out that when BIOS Secure Boot is enabled, the app crashes, and from Process Monitor it seems that shared libraries like mrt100_app.dll and SharedLibrary.dll (Microsoft.VCLibs and Microsoft.NET related libraries) are not found. This does not happen when BIOS Secure Boot is disabled.
I confirmed using Get-AppxPackage that all the dependencies are installed, and since these dependency files are also certified by Microsoft, shouldn't they be accessible and allowed to run as well? I need to configure the app to install and run fine regardless of whether Secure Boot is enabled or disabled. I would like to hear some ideas to secure that.
It turns out the UWP app does not have a signed SCCD, causing the app to crash during launch. We have confirmed the issue by installing the app via MS Store, while secure boot is enabled. MS Store throws an error:
0x800701C8: While preparing to process the request, the system failed to register the windows.capability extension due to the following error: The custom capability's SCCD has an invalid catalog.
Other debug information that had clues leading to security issues comes from remote debugging an installed version of the app. A FailFast Exception is seen on the CallStack with the error:
The class is configured to run as a security id different from the caller
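As an added example (not from the original question or answer), a PowerShell check that ties the three observations above together: the Secure Boot state, the installed dependencies reported by Get-AppxPackage, and whether the package manifest declares a custom capability without a CustomCapability.SCCD file in the package root. The package name is an assumption you pass in; the uap4 manifest namespace and the SCCD file name follow Microsoft's documented conventions.

```powershell
# Added diagnostic, not the original poster's code. Run from an elevated prompt:
# Confirm-SecureBootUEFI requires administrator rights.
param(
    [Parameter(Mandatory)] [string] $PackageName   # Name as shown by Get-AppxPackage (assumed input)
)

# 1. Secure Boot state. The cmdlet throws on legacy BIOS or unsupported firmware,
#    so treat an exception as "not enabled / unknown" rather than failing the script.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
    Write-Warning "Secure Boot state could not be queried: $($_.Exception.Message)"
}
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Locate the installed package and list the dependency packages it resolved to.
$pkg = Get-AppxPackage -Name $PackageName
if (-not $pkg) { throw "Package '$PackageName' is not installed for this user." }
Write-Host "Package: $($pkg.PackageFullName)"
foreach ($dep in $pkg.Dependencies) {
    Write-Host ("  Dependency: {0} {1} ({2})" -f $dep.Name, $dep.Version, $dep.Architecture)
}

# 3. Custom capability vs. SCCD: a manifest that declares a custom capability must
#    ship a signed CustomCapability.SCCD next to AppxManifest.xml, or launch fails.
$manifestPath = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
$manifest = [xml](Get-Content -Raw $manifestPath)
$ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
$ns.AddNamespace('uap4', 'http://schemas.microsoft.com/appx/manifest/uap/windows10/4')
$customCaps = $manifest.SelectNodes('//uap4:CustomCapability', $ns)
$sccdPath = Join-Path $pkg.InstallLocation 'CustomCapability.SCCD'
$hasSccd = Test-Path $sccdPath

if ($customCaps.Count -gt 0) {
    foreach ($cap in $customCaps) { Write-Host "  Custom capability declared: $($cap.Name)" }
    if ($hasSccd) {
        Write-Host "  CustomCapability.SCCD present at $sccdPath"
    } else {
        Write-Warning "Custom capability declared but CustomCapability.SCCD is missing; expect launch failure when Secure Boot is enabled."
    }
} else {
    Write-Host "  No custom capabilities declared; SCCD not required."
}
```

Compare the output with Secure Boot enabled and disabled: the dependency list should be identical in both cases, so a missing SCCD, not a missing dependency, is the thing to look for.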