Following on from Part 1 (Win32), this post will run through creating an application in MSIX format
Before starting, make sure you have a virtual machine (ideally running Hyper-V for ease of deployment) as we will need to destroy and re-create between applications.
If you are running Hyper-V on a Windows non-server OS, you can find the MSIX Packaging Tool environment within Quick Create which is what I’m going to be using today.
What is MSIX?
MSIX is Microsoft’s modern application format which is what is used on most store applications.
It gives the advantage that the end-users can terminate, reset and repair applications themselves. You can also package much more complicated applications as it detects all changes to the machine and includes them in the application.
If you are an AVD user, AppAttach takes MSIX to the next level. You can read about that here
Code Signing
There is one important Pre-requisite for MSIX applications, they require a code signing certificate. These can be purchased from most SSL suppliers, or you can create your own self-signed certificate
To do this, you can either follow the official Microsoft instructions here
OR
Download the excellent MSIX Hero application and follow their guide here
Once you have created your certificate, navigate to Intune
Now go to Tenant Administration – Connectors and Tokens – Windows Enterprise Certificate and upload it here
Packaging
Now onto the Packaging. For this example I’ll use Notepad++
First start up and connect to your VM
Start the Packaging Tool application:
We’re building a new package so select Application Package
I’m running this directly on the VM, but you can also have the Packaging Tool on a local machine and run the packager from here to the VM:
It will then install a driver and run some checks. It’s best to disable anything prompted here:
When that has completed, click Next
I normally skip the installer here as I like to run through it myself, you do need to add your certificate at this point though.
Make sure you add a Timestamp server here as well. When installing, the apps check against the certificate to see if it is still active. If you don’t select a timestamp server, you will need to replace the certificate every time it expires.
If you set the server, it checks if the certificate was valid when packaged
Now populate the information on this page:
This is the point of installation. Install your application and make any initial amendments.
If the app needs a restart, use the button and it will auto-resume
Remember, it is monitoring EVERYTHING at this point so make any changes at all, system level, user level, anything goes
When you have finished installing click Next
It will now detect what has been installed
Select the application and click Run to complete any first-use tasks and just check it’s working ok.
If there is anything you don’t want (uninstall executables for example), remove them here
Click Next when you have completed the steps and closed the app you are packaging
This is the point it stops monitoring so it will prompt for confirmation:
If your application installs services, it will list them on this page and you can choose whether to include them or not
You’ll notice the Previous button has now disappeared, we’re past the point of no return
Now, select where to save the MSIX file
Here is a video I recorded packaging Avidemux video editor and then running on a Win 10 box with Sideloading enabled to show a complete run-through:
Add to Intune
Now we have our MSIX file, we need to add it to Intune.
If you followed Part 1 looking at Win32, you’ll find this much much easier!
Navigate to Apps – Windows – Add New
Select Line of Business App
Browse to your file and populate as required:
Add any Scope Tags:
Assign it
You’ll notice you can select which context to install as well:
Select Device if you don’t want the user to be able to remove it! Obviously if you’ve selected All Users or All Devices, this can’t be changed
Finally click Create
There we have it, you have now packaged your first MSIX application and deployed it!
Andrew, great work! Is there a supercede option like Win32 App? I need the new Store app to supercede/uninstall previous versions of updated Store app to prevent old versions from appearing on SecOps vulnerability scan each week.
Thank you 😊
Not for MSIX unfortunately, if you replace the original file, the devices will check-in and update to the latest version (it’s quite clever because it only updates files which have changed rather than re-installing the whole package).
If you have particular apps causing you issues, I’d be happy to look into it further!
Really good training for beginners.
Very helpful of me.
Thank you 😊
Glad it has been useful, thanks for the feedback