App capability declarations

Note

Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Which kinds of apps do app capabilities apply to?

Most scenarios for app capabilities are relevant only to apps that have package identity, and that run in an AppContainer. All UWP apps meet those criteria; so capabilities apply to them. But you can also give a desktop app package identity, and configure it as an AppContainer app. So capabilities apply to some desktop apps, too.

A desktop app that's an AppContainer app can be identified by uap10:TrustLevel="appContainer" in its app package manifest (for more info, see Application (Windows 10)). Similarly, a desktop app with mediumIL (an integrity level of medium) has uap10:TrustLevel="mediumIL". Medium IL apps—which are also known as full trust apps—don't run in an AppContainer.

The internetClient and enterpriseAuthentication capabilities grant an application the ability to perform certain operations that the user can already do. So those are examples of capabilities that apply only to AppContainer apps. Conversely, a Medium IL app is already running as the user; so an app like that can already perform those operations without requiring those capabilities.

But there are some scenarios where a Medium IL app should declare a capability, too. In fact, a Medium IL app needs to declare the runFullTrust restricted capability. And, to be able to register out-of-process COM servers for inter-process communication (IPC), a packaged app needs runFullTrust. That feature is known as Packaged COM (for more info, see the blog post COM Server and OLE Document support for the Desktop Bridge).

For info about another scenario that applies even to Medium IL apps, see Privacy-sensitive capabilities in this topic.

You can determine whether your app package manifest needs runFullTrust simply by building your package. Makeappx.exe will validate the schema, and if runFullTrust isn't declared but something needs it, then you'll see a detailed error message including what the problem is, together with line and column numbers.

Declaring capabilities

If you want to access certain APIs or resources (such as pictures or music), or devices (such as the camera or the microphone), then you must declare the appropriate app capabilities in your Windows app's package manifest.

You can declare general capabilities by using the Manifest Designer in Visual Studio; or you can add them manually. For more info, see How to specify capabilities in a package manifest. It's important to know that when customers get your app from the Microsoft Store, they're notified of all the capabilities that the app declares. So be sure to declare only the capabilities that your app needs.

Privacy-sensitive capabilities

A sensitive resource is a resource that can access the user's personal data, or cost the user money. In this topic, capabilities that provide apps with access to a sensitive resource are annotated by an asterisk (*) in the Capability scenario column.

Privacy-sensitive capabilities signal to the operating system (OS)—and to the user—what the app intends to do. Since it's good to send this signal to the users of your app, we recommend that you declare privacy-sensitive capabilities even for Medium IL apps (where the application identity is used to provide individual privacy toggles). Doing so allows those apps to be managed in the privacy settings pages (managed by Windows Settings) as soon as they're installed; as opposed to later, when they access privacy-sensitive resources.

Those privacy settings let the user dynamically control access to sensitive resources. Thus, it's important that your app doesn't assume that a sensitive resource is always available. For more info about accessing sensitive resources, see Security.

Different kinds of capabilities

There are several kinds of capabilities.

General-use capabilities

General-use capabilities are specified by using Capability elements in your app package manifest. These capabilities apply to the most common app scenarios.

Note

All Capability elements must come before any CustomCapability and DeviceCapability elements under the Capabilities node in the package manifest.

Capability scenario Capability usage
Music* The musicLibrary capability provides programmatic access to the user's Music library, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in jukebox apps that make use of the entire Music library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the musicLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The musicLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="musicLibrary"/></Capabilities>
Pictures* The picturesLibrary capability provides programmatic access to the user's Pictures library, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in photo apps that make use of the entire Pictures library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the picturesLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The picturesLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="picturesLibrary"/></Capabilities>
Videos* The videosLibrary capability provides programmatic access to the user's Videos, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in movie-playback apps that make use of the entire Videos library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the videosLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The videosLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="videosLibrary"/></Capabilities>
Removable Storage The removableStorage capability provides programmatic access to files on removable storage, like USB keys and external hard drives, filtered to the file-type associations declared in the package manifest. For example, if a document-reader app declares a .doc file-type association, it can open .doc files on the removable storage device, but not other types of files. Be careful when you declare this capability, because users may include a variety of info in their removable storage devices, and will expect your app to provide a valid justification for programmatic access to the removable storage for all files of the declared type.

Users will expect your app to handle any file associations that you declare. So don't declare file associations that your app cannot handle responsibly. The file picker provides a robust UI mechanism that lets users open files for use with an app.

Declare the removableStorage capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The removableStorage capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="removableStorage"/></Capabilities>
Internet and public networks* There are two capabilities that provide different levels of access to the Internet and public networks.

The internetClient capability indicates that apps can receive incoming data from the Internet. Cannot act as a server. No local network access.
The internetClientServer capability indicates that apps can receive incoming data from the Internet. Can act as a server. No local network access.

Most apps that have a web service component will use internetClient. Apps that enable peer-to-peer (P2P) scenarios where the app needs to listen for incoming network connections should use internetClientServer. The internetClientServer capability includes the access that the internetClient capability provides, so you don't need to specify internetClient when you specify internetClientServer.
Homes and work networks* The privateNetworkClientServer capability provides inbound and outbound access to home and work networks through the firewall. This capability is typically used for games that communicate across the local area network (LAN), and for apps that share data across a variety of local devices. If your app specifies musicLibrary, picturesLibrary, or videosLibrary, you don't need to use this capability to access the corresponding library in a Home Group. On Windows, this capability does not provide access to the Internet.
Appointments The appointments capability provides access to the user's appointment store. This capability allows read access to appointments obtained from the synced network accounts and to other apps that write to the appointment store. With this capability, your app can create new calendars and write appointments to calendars that it creates.

The appointments capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="appointments"/></Capabilities>
Contacts* The contacts capability provides access to the aggregated view of the contacts from various contacts stores. This capability gives the app limited access (network permitting rules apply) to contacts that were synced from various networks and the local contact store.

The contacts capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="contacts"/></Capabilities>
Code generation The codeGeneration capability allows apps to access the following functions which provide JIT capabilities to apps.

VirtualProtectFromApp
CreateFileMappingFromApp
OpenFileMappingFromApp
MapViewOfFileFromApp
AllJoyn The allJoyn capability allows AllJoyn-enabled apps and devices on a network to discover and interact with each other.

All apps that access APIs in the Windows.Devices.AllJoyn namespace must use this capability.
Phone calls The phoneCall capability allows apps to access all of the phone lines on the device and perform the following functions.
  • Place a call on the phone line and show the system dialer without prompting the user.
  • Access line-related metadata.
  • Access line-related triggers.
  • Allows the user-selected spam filter app to set and check block list and call origin information.
The phoneCall capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="phoneCall"/></Capabilities>

The phoneCallHistoryPublic capability allows apps to read cellular and some VoIP call history information on the device. This capability also allows the app to write VoIP call history entries. This capability is required to access all members of the PhoneCallHistoryStore class.
Recorded Calls Folder* The recordedCallsFolder device capability allows apps to access the recorded calls folder.

The recordedCallsFolder capability must include the mobile namespace when you declare it in your app's package manifest as shown below.

<Capabilities><mobile:Capability Name="recordedCallsFolder"/></Capabilities>
User Account Information* The userAccountInformation capability gives apps the ability to access the user's name and picture.

This capability is required to access some APIs in the Windows.System.UserProfile namespace.

The userAccountInformation capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="userAccountInformation"/></Capabilities>
VoIP calling The voipCall capability allows apps to access the VoIP calling APIs in the Windows.ApplicationModel.Calls namespace.

The voipCall capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="voipCall"/></Capabilities>
3D Objects The objects3D capability allows apps to have programmatic access to the 3D object files. This capability is typically used in 3D apps and games that need access to the entire 3D objects library.

This capability is required to access the folder that contains the 3D objects using APIs in the Windows.Storage namespace.

The objects3D capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="objects3D"/></Capabilities>
Chat Message Access* The chat capability allows apps to read and delete SMS and MMS messages. It also allows apps to store messages in the system data store.

This capability is required to access messages using APIs in the Windows.ApplicationModel.Chat namespace.

The chat capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="chat"/></Capabilities>
Read Blocked Messages* The blockedChatMessages capability allows apps to read SMS and MMS messages that have been blocked by the Spam Filter app.

This capability is required to access the blocked messages using APIs in the Windows.ApplicationModel.Chat namespace.

The blockedChatMessages capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="blockedChatMessages"/></Capabilities>
Custom Devices The lowLevelDevices capability allows apps to access custom devices when a number of additional requirements are met. This capability should not be confused with the lowLevel device capability, which allows access to GPIO, I2C, SPI, and PWM devices.

If you develop a custom driver that exposes a device interface and you wish to open a handle to this device and send IOCTLs, you must: You can then use Windows.Devices.Custom.CustomDevice to open a handle to your device. For more information, see UWP device apps for internal devices.
IoT System Administration The systemManagement capability allows apps to have basic system administration privileges such as shutting down or rebooting, locale, and timezone.

This capability is required to access some of the APIs in the Windows.System namespace.

The systemManagement capability must include the iot namespace when you declare it in your app's package manifest as shown below.

<Capabilities><iot:Capability Name="systemManagement"/></Capabilities>
Background Media Playback The backgroundMediaPlayback capability changes the behavior of the media-specific APIs like the MediaPlayer and AudioGraph classes to enable media playback while your app is in the background. All active audio streams will no longer mute, but will continue to be audible when an app transitions to the background. Additionally, app lifetime will be extended automatically while playback is occurring.
Remote System The remoteSystem capability allows apps to have access to a list of devices associated with the user's Microsoft Account. Access to the device list is necessary to perform any operations that persist across devices. This capability is required to access all members of the following.
Spatial Perception The spatialPerception capability provides programmatic access to spatial mapping data, giving mixed reality apps information about surfaces in application-specified regions of space near the user. Declare the spatialPerception capability only when your app will explicitly use these surface meshes, as the capability is not required for mixed reality apps to perform holographic rendering based on the user's head pose.
Global Media Control The globalMediaControl capability allows apps to access playback sessions throughout the system that have integrated with SystemMediaTransportControls to provide playback info and allow remote control. This capability is required to use some APIs in the Windows.Media.Control namespace. This capability is defined in the uap7:Capability element.
Graphics Capture The graphicsCapture capability allows apps to take screenshots of windows or displays when allowed by the user. This capability is required to use the Windows.Graphics.Capture.GraphicsCapturePicker object. This capability is defined in the uap6:Capability element.
Borderless Graphics Capture The graphicsCaptureWithoutBorder capability allows apps to take screenshots without showing a screenshot border around the window or display. This capability is required to use the Windows.Graphics.Capture.GraphicsCaptureSession.IsBorderRequired property. This capability is defined in the uap11:Capability element.
Programmatic Graphics Capture The graphicsCaptureProgrammatic capability allows apps to take screenshots of various windows or displays on its own. This capability is required to create a Windows.Graphics.Capture.GraphicsCaptureItem object from a WindowId or DisplayId. This capability is defined in the uap11:Capability element.
User Data Tasks The userDataTasks capability provides access to APIs in the Windows.ApplicationModel.UserDataTasks namespace, which provide access to the task items that are stored in Windows by Exchange ActiveSync (EAS) connections and other provider apps.
User Notification Listener The userNotificationListener capability provides access to APIs in the Windows.UI.Notifications.Management namespace, which enable management of user notifications.

Device capabilities

Device capabilities allow your app to access peripheral and internal devices. Device capabilities are specified by using DeviceCapability elements in your app package manifest. This element may require additional child elements and some device capabilities need to be added to the package manifest manually. For more info, see How to specify device capabilities in a package manifest and DeviceCapability Schema reference.

Note

You can have multiple DeviceCapability elements under the Capabilities element in the package manifest. All DeviceCapability elements must come after any Capability and CustomCapability elements.

Capability scenario Capability usage
Location* The location capability provides access to location functionality that is retrieved from dedicated hardware like a GPS sensor in the PC or is derived from available network info. Apps must handle the case in which the user has disabled location services from the Settings charm.
Microphone The microphone capability provides access to the microphone's audio feed, which allows the app to record audio from connected microphones. Apps must handle the case in which the user has disabled the microphone from the Settings charm.
Proximity The proximity capability enables multiple devices in close proximity to communicate with one another. This capability is typically used in casual multi-player games and in apps that exchange information. Devices attempt to use the communication technology that provides the best possible connection, including Bluetooth, Wi-Fi, and the Internet. This capability is used only to initiate communication between the devices.
Webcam The webcam capability provides access to the video feed of a built-in camera or external webcam, which allows the app to capture photos and videos. On Windows, apps must handle the case in which the user has disabled the camera from the Settings charm.
The webcam capability only grants access to the video stream. In order to grant access to the audio stream as well, the microphone capability must be added.
USB The usb device capability enables access to APIs in the Updating the app manifest package for a USB device.
Human interface device (HID) The humaninterfacedevice device capability enables access to APIs in the How to specify device capabilities for HID.
Point of Service (POS) The pointOfService device capability enables access to APIs in the Windows.Devices.PointOfService namespace. This namespace lets your app access Point of Service (POS) barcode scanners and magnetic stripe readers. The namespace provides a vendor-neutral interface for accessing POS devices from various manufacturers from a UWP app.
Bluetooth The bluetooth device capability allows apps to communicate with already paired Bluetooth devices over either the Generic Attribute (GATT) or the Classic Basic Rate (RFCOMM) protocol.
This capability is required to use some APIs in the Windows.Devices.Bluetooth namespace.
Wi-Fi Networking IMPORTANT. The wiFiControl device capability will be affected by upcoming changes to operating system behavior, planned for fall 2024. For more info, see Changes to API behavior for Wi-Fi access and location.

The wiFiControl device capability allows apps to scan and connect to Wi-Fi networks.
This capability is required to use some APIs in the Windows.Devices.WiFi namespace.
Radio state The radios device capability allows apps to toggle the Wi-Fi and Bluetooth radios.
This capability is required to use the APIs in the Windows.Devices.Radios namespace.
Optical disc The optical device capability allows apps to access functions on optical disk drives such as CD, DVD, and Blu-ray.
This capability is required to use some APIs in the Windows.Devices.Custom namespace.
Motion activity The activity device capability allows apps to detect the current motion of the device.
This capability is required to use some APIs in the Windows.Devices.Sensors namespace.
Presence Sensing The humanPresence device capability allows apps to access Presence Sensors on the device which can provide information on user presence and engagement.
This capability is required to use some APIs in the Windows.Devices.Sensors namespace.
Serial communication The serialcommunication device capability provides access to APIs in the Windows.Devices.SerialCommunication namespace, which allows a Windows app to communicate with a device that exposes a serial port or some abstraction of a serial port. This capability is required to use the APIs in the Windows.Devices.SerialCommunication namespace.
Eye Tracker The gazeInput capability allows apps to detect where the user is looking within the application bounds when a compatible eye tracking device is connected or for Mixed Reality devices that support gaze tracking. This capability is required to use some APIs in the Windows.Devices.Input.Preview namespace. For Mixed Reality devices, this capability is required for APIs in the Windows.Perception.People.EyesPose.
GPIO, I2C, SPI, and PWM The lowLevel device capability provides access to GPIO, I2C, SPI, and PWM devices. This capability is required to use the APIs in the following namespaces: Windows.Devices.Gpio, Windows.Devices.I2c, Windows.Devices.Spi, Windows.Devices.Pwm.

<Capabilities><DeviceCapability Name="lowLevel"/></Capabilities>

Restricted capabilities

If your app declares any restricted capabilities, then you must provide info during the app submission process in order to be approved to publish your app to the Microsoft Store. You provide this info on the Submission options page of your submission, explaining how your app uses each restricted capability that it declares.

Important

Restricted capabilities are intended for very specific scenarios. The use of these capabilities is highly restricted and subject to additional Store onboarding policy and review. Note that you can sideload apps that declare restricted capabilities without needing to receive any approval. Approval is only required when submitting these apps to the Store.

Be sure not to declare these restricted capabilities unless your app truly needs them. There are cases where such capabilities are necessary and appropriate, such as banking with two-factor authentication, where users provide a smart card with a digital certificate that confirms their identity. Other apps may be designed primarily for enterprise customers and may need access to corporate resources that can't be accessed without the user's domain credentials.

To declare a restricted capability, modify your app package manifest source file (Package.appxmanifest). Add the xmlns:rescap XML namespace declaration, and use the rescap prefix when you declare your restricted capability. For example, here's how to declare the appCaptureSettings capability.

<?xml version="1.0" encoding="utf-8"?>
<Package
    ...
    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
    IgnorableNamespaces="... rescap">
...
<Capabilities>
    <rescap:Capability Name="appCaptureSettings"/>
</Capabilities>
</Package>

Note

All restricted capability elements must come before any CustomCapability and DeviceCapability elements under the Capabilities node in the package manifest.
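
The following is an added example, not part of the original page or of Microsoft's tooling: a manifest auditor that checks the rules stated in this topic (element ordering under Capabilities, the uap and rescap namespace requirements, the redundant internetClient declaration, and restricted capabilities that need Store justification). The function name, finding codes, and sample manifests are constructed for illustration; the foundation and uap namespace URIs are the standard manifest schema URIs and are an assumption, since only the rescap URI appears on this page.

```python
import xml.etree.ElementTree as ET

# Manifest schema namespaces. The rescap URI appears on the page; the
# foundation and uap URIs are the standard ones (assumption: not on the page).
NS_FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
NS_UAP = "http://schemas.microsoft.com/appx/manifest/uap/windows10"
NS_RESCAP = NS_FOUNDATION + "/restrictedcapabilities"

# Capabilities the page says must carry the uap namespace.
UAP_NAMES = {
    "musicLibrary", "picturesLibrary", "videosLibrary", "removableStorage",
    "appointments", "contacts", "phoneCall", "userAccountInformation",
    "voipCall", "objects3D", "chat", "blockedChatMessages",
    "enterpriseAuthentication", "sharedUserCertificates", "documentsLibrary",
}
# Capabilities the page explicitly calls "restricted capability" (rescap prefix).
RESCAP_NAMES = {
    "runFullTrust", "enterpriseDataPolicy", "appCaptureSettings",
    "cellularDeviceControl", "deviceUnlock", "dualSimTiles",
    "enterpriseDeviceLockdown", "inputInjectionBrokered",
}
# Everything in the page's restricted capability list needs Store justification.
RESTRICTED = RESCAP_NAMES | {
    "enterpriseAuthentication", "sharedUserCertificates", "documentsLibrary",
    "cellularDeviceIdentity", "cellularMessaging",
}
# Rows where the page says use "won't be approved" in most cases.
RARELY_APPROVED = {"appCaptureSettings", "deviceUnlock", "enterpriseDeviceLockdown"}
# Required element order under <Capabilities>.
RANK = {"Capability": 0, "CustomCapability": 1, "DeviceCapability": 2}


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_manifest(xml_text):
    """Return a list of (finding_code, capability_name) tuples."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{NS_FOUNDATION}}}Capabilities")
    findings, general = [], {}
    if node is None:
        return findings
    highest = 0
    for el in node:
        ns, local = split_tag(el.tag)
        if local not in RANK:
            continue
        name = el.get("Name", "")
        # A lower-ranked element after a higher-ranked one breaks the ordering rule.
        if RANK[local] < highest:
            findings.append(("ORDER", name))
        highest = max(highest, RANK[local])
        if local == "Capability":
            general[name] = ns
    for name, ns in general.items():
        if name in UAP_NAMES:
            expected = NS_UAP
        elif name in RESCAP_NAMES:
            expected = NS_RESCAP
        else:
            expected = None
        if expected and ns != expected:
            findings.append(("NAMESPACE", name))
        if name in RESTRICTED:
            findings.append(("RESTRICTED", name))
        if name in RARELY_APPROVED:
            findings.append(("RARELY_APPROVED", name))
    # internetClientServer already includes the access internetClient provides.
    if "internetClient" in general and "internetClientServer" in general:
        findings.append(("REDUNDANT", "internetClient"))
    return findings


# Constructed sample manifests (not from the page).
_HEAD = (f'<Package xmlns="{NS_FOUNDATION}" xmlns:uap="{NS_UAP}" '
         f'xmlns:rescap="{NS_RESCAP}"><Capabilities>')
_TAIL = "</Capabilities></Package>"

BAD_MANIFEST = _HEAD + """
  <Capability Name="internetClient"/>
  <Capability Name="internetClientServer"/>
  <Capability Name="musicLibrary"/>
  <DeviceCapability Name="webcam"/>
  <rescap:Capability Name="appCaptureSettings"/>
""" + _TAIL

GOOD_MANIFEST = _HEAD + """
  <Capability Name="internetClientServer"/>
  <uap:Capability Name="musicLibrary"/>
  <DeviceCapability Name="microphone"/>
""" + _TAIL

if __name__ == "__main__":
    for code, name in audit_manifest(BAD_MANIFEST):
        print(f"{code:16} {name}")
```

Run against a real Package.appxmanifest by passing the file's text to audit_manifest; the RESTRICTED findings are the capabilities you will be asked to justify on the Submission options page.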

Restricted capability approval process

Previously, we required you to contact support to get approval to use a capability. We now allow you to provide this info in Partner Center as part of the submission process.

When you upload packages for your submission, we will detect whether any restricted capabilities are declared. If we do so, you will be required to provide details about how your product uses each capability on the Submission options page. Be sure to provide as much detail as possible to help us understand why your product needs to declare the capability. Note that this may add some additional time for your submission to complete the certification process.

During the certification process, our testers will review the info you provide to determine whether your submission is approved to use the capability. Note that this may add some additional time for your submission to complete the certification process. If we approve your use of the capability, your app will continue through the rest of the certification process. You generally will not have to repeat the capability approval process when you submit updates to your app (unless you declare additional capabilities).

If we don't approve your use of the capability, your submission will fail certification, and we will provide feedback in the certification report. You then have the option to create a new submission and upload packages which don't declare the capability, or, if applicable, address any issues related to your use of the capability and request approval in a new submission.

Note

If your submission uses a development sandbox in Partner Center (for example, this is the case for any game that integrates with Xbox Live), you must request approval in advance rather than providing info on the Submission options page. You can request approval in advance if you're publishing a game to Xbox through ID@Xbox or as a managed partner. To do so, please contact your Microsoft account team.

The team will need a brief description about how you are using the capability and why it is necessary for your product. If you do not provide all the information necessary, your request will be denied. You may also be asked to provide more information. Note that this process typically takes 5 business days or longer, so please submit your request well in advance.

You may also use this method of requesting approval (rather than providing this info during your submission), whether or not you're using a development sandbox, if you prefer to confirm that you are approved to use a restricted capability before you start your submission.

Restricted capability list

The following table lists the restricted capabilities. You may request approval for these capabilities in apps that you submit to the Store by following the process described above.

Important

Some of these restricted capabilities are almost never approved for apps submitted to the Store, except in very specific and limited circumstances. These capabilities are called out in the table below. We recommend not declaring these capabilities in your app if you plan to distribute it through the Store.

Capability scenario Capability usage
Enterprise Windows domain credentials enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. The enterpriseAuthentication capability is typically used in line-of-business apps that connect to servers within an enterprise.

You don't need this capability for generic communication across the Internet.

The enterpriseAuthentication capability is intended to support common line-of-business apps. Don't declare it in apps that don't need to access corporate resources. The file picker provides a robust UI mechanism that enables users to open files on a network share for use with an app. Declare the enterpriseAuthentication capability only when the scenarios for your app require programmatic access, and you cannot realize them by using the file picker.

The enterpriseAuthentication capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="enterpriseAuthentication"/></Capabilities>

This capability is required to call the GetUserNameEx function.

The enterpriseDataPolicy capability allows apps to handle enterprise data separately and safely when the app is managed with Windows Information Protection policy (For example: Mobile Device Management and Mobile Application Management systems). Declare this restricted capability as shown below.

<Capabilities><rescap:Capability Name="enterpriseDataPolicy"/></Capabilities>

This capability is required to use all members of the following classes.
Shared user certificates The sharedUserCertificates capability enables an app to add and access software and hardware-based certificates in the Shared User store, such as certificates stored on a smart card. This capability is typically used for financial or enterprise apps that require a smart card for authentication.

The sharedUserCertificates capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="sharedUserCertificates"/></Capabilities>
Documents* The documentsLibrary capability provides programmatic access to the user's Documents library, filtered to the file type associations declared in the package manifest. For example, if a word processing app declared a .doc file type association, it can open .doc files in the user's Documents library.

The documentsLibrary capability is only needed if your application programmatically accesses the Documents library without user intervention. Your application does not need the documentsLibrary capability to access the Documents library if the user chooses it with a picker API. Generally, apps should allow the user to choose the location of their files, using one of the following picker APIs: Using these APIs allows the user to choose a location that works best for them, such as a cloud-synced account (e.g., OneDrive). After the user has picked a file or folder using these APIs, your app can get ongoing access to the location by using the FutureAccessList API. This API allows your app to access the files or folders in the future without asking the user to pick them again.

In cases where existing workflows assume files will be in the Documents library (for example, interop with an existing desktop application) or where you do not want the user to have to choose the location, you can declare the documentsLibrary capability for your application. If you use the documentsLibrary capability for your application, it is recommended that you also allow the user to pick locations manually.

The documentsLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.

<Capabilities><uap:Capability Name="documentsLibrary"/></Capabilities>
Game DVR Settings The appCaptureSettings restricted capability allows apps to control the user settings for the Game DVR.

This capability is required to use some APIs in the Windows.Media.Capture namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Cellular The cellularDeviceControl restricted capability allows apps to have control over the cellular device.

The cellularDeviceIdentity capability allows apps to access cellular identification data.

The cellularMessaging capability allows apps to make use of SMS and RCS.

These capabilities are required to use some APIs in the Windows.Devices.Sms namespaces.
Device Unlock The deviceUnlock restricted capability allows apps to unlock a device for developer and enterprise sideloading scenarios.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Dual SIM Tiles The dualSimTiles restricted capability allows apps to create an additional app list entry on devices that have multiple SIMs.

This capability is required to use some APIs in the Windows.UI.StartScreen namespace.
Enterprise Shared Storage The enterpriseDeviceLockdown restricted capability allows apps to use the device lock down API and access the enterprise shared storage folders.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Input Injection The inputInjectionBrokered restricted capability allows apps to inject various forms of input such as HID, touch, pen, keyboard or mouse into the system programmatically. This capability is typically used for collaboration apps that can take control of the system.

For a PC, input injection from an app that has this capability will only be received by processes in the same App Container.

<Capabilities><rescap:Capability Name="inputInjectionBrokered" /></Capabilities>
Observe Input* The inputObservation restricted capability allows apps to observe various forms of raw input such as HID, touch, pen, keyboard, or mouse being received by the system regardless of its final destination.

This capability and the APIs related to it are only available for use by select Microsoft partners.
Suppress Input The inputSuppression restricted capability allows apps to suppress various forms of raw input such as HID, touch, pen, keyboard, or mouse from being received by the system.

This capability and the APIs related to it are only available for use by select Microsoft partners.
VPN App The networkingVpnProvider restricted capability allows apps to have full access to VPN features, including the ability to manage connections and provide VPN Plugin functionality.

This capability is required to use some APIs in the Windows.Networking.Vpn namespace.
Other App Management The packageManagement restricted capability allows apps to manage other apps directly.

The packageQuery device capability allows apps to gather information about other apps.

These capabilities are required to access some methods and properties in the PackageManager class.
Screen Projection The screenDuplication restricted capability allows apps to project the screen on another device.

This capability is required to use APIs in the DirectX namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
User Principal Name The userPrincipalName restricted capability allows apps to access the user principal name (UPN) of the current user.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Wallet The walletSystem restricted capability allows apps to have full access to the stored wallet cards.

This capability is required to use APIs in the Windows.ApplicationModel.Wallet.System namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Location History The locationHistory restricted capability allows apps to access the location history of the device.

This capability is required to use APIs in the Windows.Devices.Geolocation namespace.
App Close Confirmation The confirmAppClose restricted capability allows apps to close themselves, their own windows, and delay the closing of their app.

Apps may request this capability in Windows 10 version 1703 (build 10.0.15063) and beyond. In prior Windows 10 versions the capability is private and will cause app install to fail with error message "The requested capability can not be authorized for this application."
Call History* The phoneCallHistory restricted capability allows apps to read the call history and to delete entries in the history.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Level Appointment Access The appointmentsSystem restricted capability allows apps to read and modify all appointments on the user's calendar.

This capability is required to use APIs in the Windows.ApplicationModel.Appointment namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Level Chat Message Access* The chatSystem restricted capability allows apps to read and write all SMS and MMS messages.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Level Contact Access The contactsSystem restricted capability allows apps to read contact information that has been designated as restricted or sensitive and modify existing contact information.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Email Access The email restricted capability allows apps to read, triage, and send user emails.

This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Level Email Access The emailSystem restricted capability allows apps to read, triage, and send user restricted or sensitive emails.

This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
System Level Call History Access The phoneCallHistorySystem restricted capability allows apps to fully modify the call history by changing existing entries and writing new ones.

This capability is required to use APIs in the Windows.ApplicationModel.Calls namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Send Text Messages* The smsSend restricted capability allows apps to send SMS and MMS messages.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.
System Level Access to All User Data The userDataSystem restricted capability allows apps to access the user data system datastore.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Store Preview Features The previewStore restricted capability allows apps to retrieve and purchase SKUs of in-app products.

This capability is required to use certain APIs in the Windows.ApplicationModel.Store.Preview namespace.
First-Time Sign-in Settings The firstSignInSettings restricted capability allows apps to access user settings that were set when the user first signed in to their device.
Windows Team Experience The teamEditionExperience restricted capability allows apps to access internal APIs that control many experiential aspects of a Windows Team session. A Windows Team session is likely to be running on a team device such as a Microsoft Surface Hub.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Remote Unlock The remotePassportAuthentication restricted capability allows apps to access credentials that can be used to unlock a remote PC.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Preview Composition The previewUiComposition restricted capability allows apps to preview the Windows.UI.Composition namespace for their user interface so they can provide feedback on the API before it is completed. Please contact wincomposition@microsoft.com for more information.
Secure Assessment Lockdown The secureAssessment restricted capability allows apps to lock down Windows into a single-app mode for secure assessments.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Connection Manager Provisioning The networkConnectionManagerProvisioning restricted capability allows apps to define the policies that connect the device with WWAN and WLAN interfaces. Apps that use this capability are created by Mobile Operators to govern the devices that connect to their mobile network.
Data Plan Provisioning The networkDataPlanProvisioning restricted capability allows apps to gather information about data plans on the device and read network usage. Apps that use this capability are created by Mobile Operators to integrate their customers' actual data usage into the OS Data usage setting.
Software Licensing The slapiQueryLicenseValue restricted capability allows apps to query software licensing policies.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Extended Execution The extendedBackgroundTaskTime restricted capability prevents background tasks from being cancelled or terminated due to execution time limits. They are still subject to all other memory and energy usage limits. This capability can be restricted using the Battery Usage or Privacy Background Apps Settings. Note that consumers and administrators still have the ability to control background tasks through the Group Policy settings.

The extendedExecutionBackgroundAudio restricted capability allows apps to play audio when the app is not in the foreground.

The extendedExecutionCritical restricted capability allows apps to begin a critical extended execution session.

The extendedExecutionUnconstrained restricted capability allows apps to begin an unconstrained extended execution session.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.

See Postpone app suspension with extended execution for more information about using extended execution to postpone when your app is suspended.
Mobile Device Management The deviceManagementDmAccount restricted capability allows apps to provision and configure Mobile Operator Open Mobile Alliance - Device Management (MO OMA-DM) accounts.

The deviceManagementFoundation restricted capability allows apps to have basic access to the Mobile Device Management (MDM) configuration service provider (CSP) infrastructure on the device. Note that other capabilities are needed to access specific CSPs.

The deviceManagementWapSecurityPolicies restricted capability allows apps to configure Wireless Application Protocol (WAP)-based services such as MMS, Service Indication/Service Loading (SI/SL), and Open Mobile Alliance - Client Provisioning (OMA-CP).

The deviceManagementEmailAccount restricted capability allows apps created by Mobile Operators to add and manage an email account on devices they provision to users.
Package Policy Control The packagePolicySystem restricted capability allows apps to have control of system policies related to apps that are installed on the device.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Games List The gameList restricted capability allows apps to get a list of known games installed on the system.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Xbox Accessory The xboxAccessoryManagement restricted capability allows apps to directly manage Xbox devices that conform to the Xbox hardware specification.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Speech Recognition for Accessories The cortanaSpeechAccessory restricted capability allows apps to invoke and pass commands to Cortana.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Accessory Management The accessoryManager restricted capability allows apps to register as an accessory app and opt in to specific app notifications so that they may be forwarded to accessories and displayed to the user.
Driver access The interopServices restricted capability allows apps to interact directly with drivers.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Foreground observation The inputForegroundObservation restricted capability allows apps in the foreground to intercept keyboard input and bypass all non-app keyboard input processing. SAS combinations cannot be intercepted by this capability. This capability is required to access members of the KeyboardDeliveryInterceptor class.
OEM and MO Partner apps The oemDeployment restricted capability allows apps that are created by Microsoft partners to install new apps and query currently installed apps on the device.

The oemPublicDirectory restricted capability allows apps that are created by Microsoft partners to have access to the shared app folder. We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
App Licensing The appLicensing restricted capability allows apps to run without the need of a license. You cannot submit your app to the store if you declare this capability in your manifest.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Location System The locationSystem restricted capability allows apps to perform certain privileged location configurations like setting the default location for the device.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
User Data Accounts Provider The userDataAccountsProvider restricted capability allows apps to fully manage the mail, calendar, and contact accounts.
Pen Workspace The previewPenWorkspace capability allows an app to access the Windows.ApplicationModel.Preview.Notes namespace to be hosted inside the pen workspace as the remember action handler.
Secondary Authentication Factor The secondaryAuthenticationFactor capability allows an app to unlock a PC by passing the secrets store on a nearby companion authentication device. For example, a companion fitness band can be used to unlock the PC. This capability is required to access APIs in the Windows.Security.Authentication.Identity.Provider namespace.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Store License Management The storeLicenseManagement capability allows Microsoft partner hub-apps to manage store licenses on the device. This capability is required to access APIs in the Windows.ApplicationModel.Store.LicenseManagement namespace.
User System ID The userSystemId capability allows apps to get a system identifier specific to the user. This identifier uniquely identifies the current user on a specific system and can be used to correlate information across apps. This capability is required to access the SystemIdentification.GetSystemIdForUser(User) method.
Targeted Content The targetedContent capability provides an application the ability to retrieve and use targeted subscription content provided by the Windows.Services.TargetedContent namespace.

This capability is required to use some APIs in the Windows.System.Profile.SystemIdentification namespace.
UI Automation The uiAutomation capability allows a UI automation client, such as Narrator, to connect to a UI Automation server or provider.

This capability is required to use some APIs in the Windows.Xbox.Media.Capture.Broadcaster namespace.
Game Bar Services The gameBarServices capability is restricted to first-party, Store-updatable inbox UWAs.

This capability is required to use the Windows.Media.Capture.GameBarServices class.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
App Capture Services The appCaptureServices capability is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services and bizdev.

This capability is required to use the Windows.Media.Capture.AppCaptureServices class.
App Broadcast Services The appBroadcastServices capability is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services.

This capability is required to use the Windows.Media.Capture.AppBroadcastServices class.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Audio Device Configuration The audioDeviceConfiguration capability allows an application to query, configure, enable, and disable audio effects exposed by the audio driver.

This capability is required to use the Windows.Media.Devices.AudioDeviceModulesManager class.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved. This is because AudioDeviceModulesManager allows an application to access all audio effects on a given system. Potentially, the audio effects can be set to negatively impact audio performance on the device.
Background Media Recording The backgroundMediaRecording capability changes the behavior of the media-specific APIs like the MediaCapture and AudioGraph classes to enable media recording while your app is in the background.
Preview Ink Workspace The previewInkWorkspace capability allows an app to access the Preview Ink namespace hosted inside the ink workspace. Generally speaking, this is used by an OEM to replace the whiteboard application on a device.

This capability is required to use the APIs in the Windows.ApplicationModel.Preview.InkWorkspace namespace.
Start Screen Management The startScreenManagement capability allows apps to silently pin Tiles to the Start screen. Apps can also pin from the background. Not having the startScreenManagement capability does not block any APIs; rather, using startScreenManagement means that the Shell will not display any UI when an app uses the Pin API.
Cortana Permissions The cortanaPermissions capability allows an app to enumerate the permissions that the user has granted Cortana on the device. The capability also allows an app to grant and revoke Cortana permissions on the device. Note that using cortanaPermissions requires that the device display legal text before granting permissions. As such, it is the responsibility of the app to inform the user of the legal consequences of modifying permissions.

This capability is required to gain read access to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search registry settings.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
All App Mods The allAppMods capability allows an app to access the AppMods folder for all apps. Mod Management utilities use allAppMods to manage mods outside of the game or app that consume them.
Expanded Resources The expandedResources capability allows an app access to the Game Mode resources. On Xbox, and on PCs that meet a sufficient bar, Game Mode resources represent a subset of the available CPU cores that are reserved for the app's exclusive use. On Xbox, the app also has exclusive use of a memory partition of at least 4GB.

This capability is required to gain exclusive use of CPU and memory resources as defined above.
Protected App The protectedApp capability grants an app the ability to be loaded into a protected process by the store. When the app is ingested into the store, the store adds a blob to the executable. The store also page signs the executable with a Microsoft key. The process loader checks for this blob rather than the capability to enforce protected process, as the blob needs a Microsoft signature.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Game Monitor The gameMonitor capability causes the system to use active monitoring to detect game cheats by the app.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
App Diagnostics The appDiagnostics capability allows an app to get diagnostic information (such as package information, memory usage, and account name) for any other running UWP app. The information returned includes the domain/machine account name under which the app is running; if the calling app is launched with Administrator rights then the app can retrieve a list of all running apps for all accounts on the machine.

This capability is required to use the Windows.System.AppDiagnosticInfo, Windows.System.AppDiagnosticInfo.RequestAppDiagnosticInfoAsync, and Windows.ApplicationModel.AppInfo classes.
Device Portal Providers The devicePortalProvider capability allows apps to call the Windows.System.Diagnostics.DevicePortal APIs, and serve as a webserver for diagnostic tooling while in Developer Mode.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Enterprise Cloud Single Sign On The enterpriseCloudSSO capability allows apps to use single sign-on with Azure Active Directory (AAD) resources inside a hosted web view control.
Automatically accept VoIP calls The backgroundVoIP capability allows you to automatically receive and accept incoming VoIP calls without requiring the user to accept the call explicitly. Apps utilizing this capability are granted full control of camera and microphone and can use these resources in the background.

We don't recommend declaring this capability in apps submitted to the Microsoft Store. For most developers, use of this capability won't be approved.
Reserve resources for VoIP calls The oneProcessVoIP capability allows you to reserve the CPU and memory resources necessary for a VoIP call in a single-process application.

We don't recommend declaring this capability in apps submitted to the Microsoft Store. For most developers, use of this capability won't be approved.
Development Mode Network The developmentModeNetwork capability allows apps to access network paths using the credentials from the signed-in user when calling the OpenFile Win32 API in a C++/CX UWP app or C++ Windows Runtime component.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Broad Filesystem Access The broadFileSystemAccess capability allows apps to get the same access to the file system as the user who is currently running the app without any additional file-picker style prompts during runtime. It is important to note that this capability is not required to access files that the user has already chosen using the FilePicker or FolderPicker.

This capability works for the Windows.Storage APIs. Because users can grant or deny the permission any time in Settings, you should ensure that your app is resilient to those changes. In the April 2018 update, the default for the permission is On. In the October 2018 update, the default is Off. It is also important that you do not declare any special folder capabilities such as Documents, Pictures, or Videos with this capability. You can enable this capability in your app by adding broadFileSystemAccess to your manifest. For an example, see the File access permissions article.

In most cases, to get access to file system locations, your app can use the FileOpenPicker, FileSavePicker, FolderPicker, and FutureAccessList APIs. If you want to request approval to use the broadFileSystemAccess capability, then you must provide specific reasons as to why those APIs aren't sufficient for your needs.

Note: This capability is not supported on Xbox.
System Firmware and BIOS The smbios capability allows apps to access BIOS data and system firmware data.
Full Trust Permission Level This is the runFullTrust restricted capability. Terms are defined below, but in short, a package needs this capability if the package uses features for which full trust is needed. A common example is a package that contains one or more full-trust apps. The runFullTrust restricted capability allows a package like that to be installed on a machine.

A full trust app is one that sets uap10:TrustLevel to mediumIL (see the Application element). A full trust app has a process that runs with an integrity level of medium (see Mandatory Integrity Control). And a package is an .appx or MSIX package (see Building an MSIX package from your code).

Another example where this capability is needed is a package with an extension category of windows.firewallRules (see desktop2:Extension). That's considered a full-trust feature; and in that example there's no app to activate, and no process to launch.

To use the FullTrustProcessLauncher class, this capability is required, too.
Elevation The allowElevation restricted capability enables apps developed by Microsoft partners or enterprise organizations to maintain existing desktop functionality that depends on auto-elevation, either at launch or during runtime.

For Microsoft Store submissions, this capability is subject to approval under strict criteria. If you intend to use this capability, contact reportapp@microsoft.com in advance with a detailed justification.
Windows Team Device Credentials The teamEditionDeviceCredential restricted capability allows apps to access APIs that request device account credentials on a Surface Hub device running Windows 10, version 1703 or later.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Windows Team Application View The teamEditionView restricted capability allows apps to access APIs for hosting an application view on a Surface Hub device running Windows 10, version 1703 or later.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Camera Processing Extension The cameraProcessingExtension restricted capability allows apps to process images captured from the camera without direct camera control.

This capability is required to call APIs in the Windows.Devices.PointOfService.Provider namespace.

Anyone may request access to this capability for store submission.
Data usage Management The networkDataUsageManagement restricted capability allows apps to gather network data usage information.

This capability is required to call GetAttributedNetworkUsageAsync.

Anyone may request access to this capability for store submission.
Manage phone line connectivity The phoneLineTransportManagement capability allows apps to manage system devices responsible for phone line connectivity.

This capability is required to use PhoneLineTransportDevice APIs in the Windows.ApplicationModel.Calls namespace.
Unvirtualized Resources The unvirtualizedResources restricted capability enables your application to declare the RegistryWriteVirtualization and FileSystemWriteVirtualization elements in its package manifest to disable virtualization for the registry and file system. These declarations prevent the system from virtualizing any writes to HKEY_CURRENT_USER or to the user's AppData folder, respectively. This is useful in scenarios where your application expects other applications to read or write the same registry or file system entries as your application.

This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It's also needed for apps packaged with external location (see Grant package identity by packaging with external location). It is not intended to be used for other scenarios, because it could compromise the system's ability to uninstall cleanly.
Modifiable App The modifiableApp restricted capability enables your application to declare the windows.mutablePackageDirectories extension in its package manifest. This enables you to provide a name for the folder where your application expects modified or added files to be located. The OS will create this folder and enable your application to use the files in this folder instead of (or in addition to) the files originally installed by the application.

This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It will not be granted for other scenarios, because it can allow unsigned code to execute.
Package Write Redirection Compatibility Shim The packageWriteRedirectionCompatibilityShim restricted capability configures your application to create all new files in a per-user location. Any preexisting files opened for writes are first copied into a per-user location and modifications happen to the file in that location. This capability is useful for applications that create or modify files in their installation folder.

This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. However, it might also be applicable to other apps in some cases.
Custom Install Actions The customInstallActions restricted capability enables your application to declare the windows.customInstall extension in its package manifest so that it can specify one or more additional installer files (.exe or .msi) that are executed with your application. This allows you to specify custom actions for any of the standard deployment scenarios: install, update, repair, or uninstall. For example, this is useful for applications that bundle a third-party redistributable component.

This capability is designed for certain types of desktop PC games that are published by Microsoft and our partners. It will not be granted for other scenarios.
Packaged Services The packagedServices restricted capability allows applications that are created by Microsoft partners and enterprises to declare the windows.service extension in their package manifests so that they can install one or more services along with the app. These services can be configured to run under the Local Service, Network Service or Local System accounts. Local Service and Network Service services only require the packagedServices capability. Local System services require both the packagedServices and localSystemServices capabilities.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Local System Services The localSystemServices restricted capability allows applications that are created by Microsoft partners and enterprises to install one or more Local System services along with the app (that is, your application can declare the StartAccount for the services to be LocalSystem). This scenario also requires the packagedServices capability.

We don't recommend that you declare this capability in applications that you submit to the Microsoft Store. In most cases, the use of this capability won't be approved.
Background Spatial Perception The backgroundSpatialPerception restricted capability allows an application to access the movement of the user's head, hands, motion controllers, and other tracked objects while the app is running in the background.
UI Access UIAccess is a feature in Windows that allows certain trusted applications to interact with the user interface (UI) of other applications, even when they are running with higher privileges or in a secure desktop session. This feature is often used by accessibility tools and automation software to provide users with alternative ways to interact with applications. The uiAccess restricted capability must be specified when the uiAccess attribute of the requestedExecutionLevel element is set to true in the app manifest file. For more information, see Security Considerations for Assistive Technologies.

Custom capabilities

The restricted capabilities section above describes the same capability approval process that you can use to request approval to use a custom capability. The embedded SIM APIs are examples of APIs that require a custom capability. If you only want to run your application locally in developer mode, then you don't need the custom capability. But you need it to publish your app to the Microsoft Store, or to run it outside of developer mode.

If you have a Windows Technical Account Manager (TAM), then you can work with your TAM to request access. You can find more details at Contact your Microsoft TAM.

To declare a custom capability, modify your app package manifest source file (Package.appxmanifest). Add the xmlns:uap4 XML namespace declaration, and use the uap4 prefix when you declare your custom capability. Here's an example.

<?xml version="1.0" encoding="utf-8"?>
<Package
    ...
    xmlns:uap4="http://schemas.microsoft.com/appx/manifest/uap/windows10/4">
...
<Capabilities>
    <uap4:CustomCapability Name="CompanyName.customCapabilityName_PublisherID"/>
</Capabilities>
</Package>

Note

All CustomCapability elements must come after any Capability elements and before any DeviceCapability elements under the Capabilities node in the package manifest.
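The ordering rule in the note above, and the rule from the restricted capabilities descriptions that localSystemServices also needs packagedServices, can be checked mechanically when reviewing a package. The following is an added example, not Microsoft's code: the function names, the choice of capabilities to flag for review, and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Element order required under <Capabilities>, per the note above.
ORDER = {"Capability": 0, "CustomCapability": 1, "DeviceCapability": 2}
# Restricted capabilities described on this page; reasons paraphrase the page.
REVIEW = {
    "unvirtualizedResources": "disables registry/file system write virtualization",
    "modifiableApp": "can allow unsigned code to execute",
    "customInstallActions": "runs additional .exe/.msi installers",
    "packagedServices": "installs services along with the app",
    "localSystemServices": "installs services that run as Local System",
    "uiAccess": "can interact with the UI of higher-privileged apps",
}
# Constructed sample manifest, deliberately mis-ordered (not a real package).
SAMPLE = """<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
    xmlns:uap4="http://schemas.microsoft.com/appx/manifest/uap/windows10/4">
  <Capabilities>
    <Capability Name="internetClient"/>
    <DeviceCapability Name="webcam"/>
    <uap4:CustomCapability Name="CompanyName.customCapabilityName_PublisherID"/>
    <rescap:Capability Name="localSystemServices"/>
  </Capabilities>
</Package>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Return (kind, detail) findings for the manifest's Capabilities node."""
    root = ET.fromstring(xml_text)
    caps = next((e for e in root if local(e.tag) == "Capabilities"), None)
    findings, declared, highest = [], [], 0
    for el in (caps if caps is not None else []):
        kind, name = local(el.tag), el.get("Name", "")
        rank = ORDER.get(kind)
        if rank is None:
            continue  # unrecognized child element, not a capability declaration
        if rank < highest:
            findings.append(("order", f"{kind} '{name}' follows a later element kind"))
        highest = max(highest, rank)
        declared.append(name)
    if "localSystemServices" in declared and "packagedServices" not in declared:
        findings.append(("dependency", "localSystemServices also requires packagedServices"))
    findings += [("review", f"{n}: {REVIEW[n]}") for n in declared if n in REVIEW]
    return findings
```

Calling audit_manifest(SAMPLE) reports two ordering findings, the missing packagedServices declaration, and one capability to review. For manifests extracted from packages you did not build, parse with a hardened XML parser before running checks like these.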

| Capability scenario | Capability usage |
|---|---|
| App URI handler | An app can register itself as a handler for a given URI, such that when the user opens a link to the specified URI, the app is launched instead of opening the browser. That requires registration on the local machine, and verification by the target web server. The Microsoft.delegatedWebFeatures_8wekyb3d8bbwe custom capability enables an app to host a Progressive Web App (PWA), and to verify that PWA as an app URI handler without referring to the target website for confirmation. |
| Cellular SAR configuration | The Microsoft.cellularSARConfiguration_8wekyb3d8bbwe custom capability enables an app to perform configuration of a device's specific absorption rate (SAR) properties. See the MobileBroadbandSarManager class. |
| CoreApplication activation | An app that declares the Microsoft.coreAppActivation_8wekyb3d8bbwe custom capability is CoreApplication-based, but needs to run with full trust, similar to a Desktop Bridge app. |
| Custom install actions | Enables the app to use custom install/uninstall actions. An app can use custom actions if it has the customInstallActions restricted capability AND (it is an MSIXVC Xbox Game Pass app, OR it has the Microsoft.classicAppInstaller_8wekyb3d8bbwe custom capability). |
| ESim management | The Microsoft.eSIMManagement_8wekyb3d8bbwe custom capability enables an app to perform configuration of a device's embedded SIM (eSIM). See the ESim class. |
| Legacy install behaviors | The Microsoft.classicAppCompat_8wekyb3d8bbwe custom capability protects the case where an app declares a legacy install feature; for example, writing custom COM ProgIds in the Windows Registry. |
| Machine-wide install | Protects the case where an app declares a legacy install feature that's configured for machine-wide/HKLM registration, which requires elevation. Specifically required for anything in the app's manifest where the app declares Scope="machine". For example, an MSIX-based app using the desktop7:ApprovedShellExtension element needs to set scope to machine, and therefore needs to declare the Microsoft.classicAppCompatElevated_8wekyb3d8bbwe custom capability. For more info about that scenario, see desktop7:ApprovedShellExtension. |
| On-Demand Network | The Microsoft.onDemandHotspotControl_8wekyb3d8bbwe custom capability (the On-Demand Network capability) will be made available only to app developers building end-to-end Wi-Fi hotspot scenarios between a tethering-capable hardware device and a Windows PC. See the WiFiOnDemandHotspotNetwork class. |
| Registering an approved shell extension | See the Machine-wide install capability scenario. |
| S-mode | An app that declares the Microsoft.requiresNonSMode_8wekyb3d8bbwe custom capability will be prevented from running on a Windows device in S-mode. |
| Startup apps | An app can be set up to start automatically at user login. Normally, the user can enable/disable that behavior for each app. The Microsoft.nonUserConfigurableStartupTasks_8wekyb3d8bbwe custom capability configures an app such that the user can't enable/disable its startup behavior. |
| Windows core 1 | An app that declares the Microsoft.deployFullTrustOnHost_8wekyb3d8bbwe custom capability is fully trusted to use native Win32 APIs on a Windows core device. |
| Windows core 2 | A Desktop Bridge app that declares the Microsoft.notSupportedInCoreV1_8wekyb3d8bbwe custom capability will be prevented from running on a Windows core device. |
| Windows Hello companion device framework | The functionality related to the Microsoft.secondaryAuthenticationFactorForLogon_8wekyb3d8bbwe custom capability is deprecated as of Windows 10, version 2004 (10.0; Build 19041), and we no longer grant this capability to developer accounts. An app that declares this capability can be registered with the companion device framework to enable Windows unlock with the app's associated companion device. For more info, see Windows Unlock with Windows Hello companion (IoT) devices. |