Packaging and signing your .msix package with Device Guard certificate

If you don’t have a PKI but want to start converting your applications to .msix, you need a certificate to sign your new packages. Luckily, you have the option to use the Device Guard certificate from Microsoft Store for Business. I created a video to guide you through the process.

If you play around with it and enable sideloading but then decide to disable it again… That might not be the simplest of tasks…

But I found out that a couple of GPO settings did the trick. Disable these and do a quick ‘GPUpdate /force’ and you’re back to normal.

Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment

Download the Enable-Sideloading.ps1 script from my GitHub repository:

https://github.com/larsinus/Public/blob/master/Intune/Enable-Sideloading.ps1

Deploying the app…

You can use MEM (both ConfigMgr and Intune) to deploy the .msix package.
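Before uploading the package to either one, it is worth confirming that it is actually signed and that the signing certificate's subject matches the Publisher declared in the package manifest, since a mismatch makes the install fail on the client. The PowerShell below is an added example, not code from the original post or its GitHub repository; the function name `Test-MsixSignature` and the package path are placeholders.

```powershell
# Added example: pre-deployment signature check for an .msix package.
# Test-MsixSignature and the sample path are hypothetical names used for illustration.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MsixSignature {
    param([Parameter(Mandatory)][string]$Path)

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Status is 'Valid' only if the signer chains to a root trusted on THIS machine,
    # so run the check on a device that already trusts the signing certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $file

    # An .msix is a ZIP archive; read the Publisher from AppxManifest.xml inside it.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($file)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $file" }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher

    # Run both distinguished names through the same formatter before comparing,
    # so spacing differences do not cause a false mismatch.
    $signer = $sig.SignerCertificate
    $match  = $false
    if ($signer) {
        $dn    = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($publisher)
        $match = ($signer.SubjectName.Name -eq $dn.Name)
    }

    [pscustomobject]@{
        Package           = $file
        SignatureStatus   = $sig.Status
        SignerSubject     = if ($signer) { $signer.Subject } else { $null }
        SignerNotAfter    = if ($signer) { $signer.NotAfter } else { $null }
        ManifestPublisher = $publisher
        PublisherMatches  = $match
        ReadyToDeploy     = ($sig.Status -eq 'Valid') -and $match
    }
}

# Placeholder path: point this at your own signed package.
Test-MsixSignature -Path 'C:\Packages\MyApp.msix'
```

A `SignatureStatus` other than `Valid` together with `PublisherMatches` set to true usually means the package is signed correctly but the checking machine does not trust the certificate chain.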

MEM aka Intune

Create a new Windows application and select ‘Line-of-business app’
Browse and select your .msix package
Edit any metadata and add an icon for a more professional look!
Verify that the upload was successful and assign the application to a group (device/user)

MEM aka Configuration Manager

Create a new application and select ‘Windows app package (*.appx, *.appxbundle, *.MSIX, *.msixbundle)’
Browse and select your .msix package
After a successful creation, remember to distribute the content to your DPs and deploy it to a collection (device/user)

Have fun!