In this post I will discuss how to create an MSIX package using the MSIX Packaging Tool. There are a couple of requirements: creating a code signing certificate, downloading the MSIX Packaging Tool and creating the package with it, and signing the application with the code signing certificate.
What is MSIX package?
If you are wondering what an MSIX package is and why we need it, let’s look at what exactly it is. MSIX is a Windows app package format; we usually see these kinds of packages on the Microsoft Store. You can think of an MSIX package as a combination of MSI and appx packages: it has the features of msi files along with the security features of the appx format. In layman's terms, think of it like this:
MSIX = MSI + .appx
MSIX is not limited to converting msi files; we can use other formats as well, such as exe, scripts etc.
Deploying MSIX packages is the modern way of deploying applications, and the one Microsoft recommends. MSIX is designed for modern systems and the cloud. You get the following benefits from using MSIX packages:
- Reliability: MSIX boasts a 99.96% install success rate with a guaranteed uninstall.
- Network bandwidth optimization: MSIX reduces the impact on network bandwidth by downloading the content in 64k blocks.
- Disk space optimizations: With MSIX there is no duplication of files across apps.
Requirements for creating MSIX package
- Create Code Signing Certificate for MSIX Installer: We need a code signing certificate. It can either be purchased from a vendor, or we can create our own if the Active Directory Certificate Services role is installed in the on-premises environment.
- Export Code Signing Certificate: We will export the code signing certificate in pfx format, which requires a password.
- Download MSIX Packaging Tool
- Create MSIX package: Using MSIX Packaging Tool, we will capture the installation of an existing msi or exe file and sign the package with the code signing certificate.
Note: In this demonstration we will be using the Notepad++ application (in exe format), download it using the link.
Once the msix package is created, it can be deployed using SCCM / Configuration Manager or Intune. You may check the link How to deploy MSIX package using Intune
Create Code Signing Certificate for MSIX Installer
Let’s proceed with the very first requirement. We are going to create a code signing certificate. We are not going to use a 3rd party vendor's certificate; instead we will create our own using the Certificate Authority, which is available when the Active Directory Certificate Services role is installed as one of the server roles.
Log in to the server where the ADCS role (Active Directory Certificate Services) is installed. Launch Certificate Authority. You may also run Certsrv.msc through Windows + Run.
Select the folder Certificate Templates, right click and select Manage
This will launch the Certificate Templates Console. In the list of templates under Template Display Name, select Code Signing Certificate, right click and select Duplicate Template.
This will open the properties of the new duplicate template. Provide a Template display name that suits your organization. You may also change the Validity period, which is 1 year by default; I am changing it to 5 years.
Click on Request Handling tab, and select Allow private key to be exported.
Under Subject Name tab, select Supply in the request.
Click on the Security tab to add Domain Computers and specify the permissions Read and Enroll. For automatic enrollment purposes you may also select Autoenroll.
We are done creating the certificate template for the code signing certificate, with the name manishbangia.com Code Signing. We can close the Certificate Templates Console window to return to Certificate Authority.
Under Certificate Authority > Certificate Templates, right click and select New > Certificate Template to issue.
Under Enable Certificate Templates window, select recently created Code Signing Certificate and click OK.
We can now see our Code Signing Certificate listed under Certificate Templates and ready to be used.
Launch Current user certificate store, this can be launched in 2 ways:
- Easiest way is to run command – certmgr.msc
- Another way is to launch mmc and add following Snap-ins – Certificates > My user Account
Under Certificates – Current User > Personal > Certificates, right click and select All Tasks > Request new certificate
Under Request Certificates, click the Code Signing Certificate we created previously
Click on the link “More information is required to enroll for this certificate. Click here to configure settings.” This is required because we previously selected “Supply in the request” for the subject name.
Under Certificate Properties > Subject name, with Full DN selected provide a value such as CN=manishbangia.com and click on Enroll.
We can see manishbangia.com certificate issued under Personal certificate store showing 5 years of validity starting from today.
Right click this certificate > All Tasks > Export. Click Next on Welcome page.
Under Certificate Export Wizard page, select “Yes, export the private key” and click Next.
Under Export File format, select Personal Information Exchange – PKCS #12 (.PFX) with default selection and click Next.
Under Security page, provide the password and click Next.
Under File to Export, provide the location where this certificate is going to be saved in pfx format.
The certificate has now been successfully exported to the c:\temp directory.
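The request and export steps above can also be scripted. The PowerShell below is an added example, not part of the original walkthrough; the template name and the PFX file name are assumed placeholders, so substitute the template name (not the display name) configured on your CA.

```powershell
# Added example: request a code signing certificate from the AD CS template
# created above and export it to a password-protected PFX.
# Assumptions (not from the original post): the template name and the PFX file name.
$templateName = 'ManishbangiaCodeSigning'   # placeholder: template name, not display name
$subject      = 'CN=manishbangia.com'       # Full DN used in the walkthrough
$pfxPath      = 'C:\temp\CodeSigning.pfx'   # placeholder file name under c:\temp

# Enroll into the current user's Personal store. The template is set to
# "Supply in the request", so the subject is passed explicitly.
$result = Get-Certificate -Template $templateName -SubjectName $subject `
                          -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$cert = $result.Certificate

# Confirm the issued certificate is usable for code signing before exporting it.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'       # Code Signing enhanced key usage
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $codeSigningOid) {
    throw 'Certificate lacks the Code Signing EKU.'
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store.'
}

# Prompt for the PFX password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Summary to record alongside the package build.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PfxPath    = $pfxPath
}
```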
Create MSIX package using MSIX packaging tool
What is MSIX Packaging Tool
With MSIX Packaging Tool, you can convert the following to an MSIX application package:
- Manual installation
How to install MSIX Packaging Tool in offline mode
If you have internet connectivity issues or don’t have direct access to the Microsoft Store, you can download the latest version of MSIX Packaging Tool from here – Download MSIX Packaging Tool offline. The downloaded offline package will have the msixbundle extension.
Run the following command to install MSIX Packaging Tool using PowerShell:
Add-AppPackage -Path C:\Toos\MSIXPackagingTool_1.2022.110.0.msixbundle
It is recommended to install MSIX Packaging Tool on a VDI or any system which has minimal applications installed, as the tool captures everything the application installation does during the whole process.
If you have Hyper-V installed, you can easily create a virtual machine with the MSIX Packaging Tool Environment. For this, launch Hyper-V Manager, right click and select Quick Create.
This brings up a window with “Select an operating system” where we have the following options:
MSIX Packaging Tool Environment
Ubuntu 18.04.3 LTS
Windows 11 dev environment.
Once you select MSIX Packaging Tool Environment, it will download and create a VM for you with the latest Windows 10 operating system installed and MSIX Packaging Tool already in place. This requires approx. 5 GB of download from the internet.
If you are manually installing the tool from the Microsoft Store, the following prerequisites are required for MSIX Packaging Tool:
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you’re using an Insider build)
- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
- Admin privileges on your PC account
Once the tool is installed on a separate Windows 10 / Windows 11 system, launch it and select Application package (Modification package and Package editor are the other options).
On Create new package page, under Packaging method select Create package on this computer and click Next.
On the Prepare computer page, the tool will go through a few checks and will install the MSIX Packaging Tool Driver.
You might see the following error while trying to install the MSIX Packaging Tool Driver:
Driver Installation failure
We encountered an error when trying to install your driver. More information is available in your logs.
Make sure you have access to the Microsoft Store (one of the prerequisites), or else you will get error code 0x80131500.
If you face the above error, navigate to Get the MSIX packaging Tool driver. This page allows us to download the specific FOD.cab file which contains the driver (the MSIX Packaging Tool driver is part of a Feature on Demand (FOD) package).
Once MSIX Packaging Tool Driver is installed, return to Packaging Tool, select “Windows Search is active” and click Next.
On Choose the installer you want to package, browse to select the downloaded Notepad++ installer.
Under Signing preference, we can either go with Sign with Device Guard signing version 2 or Sign with a certificate (.pfx), we are going to use the latter one. Browse for the certificate we created previously and provide the password and click Next.
On Package information page, provide:
Package Name: NotePadPlusPlusMSIX
Package display name: NotePadPlusPlus MSIX
Publisher name: This will be auto populated based upon subject name we specified earlier for the certificate
Publisher display name: manishbangia.com
Version: Provide the info for the version such as 8.2.1
Package Description: NotePadPlusPlus MSIX Application
Installation location: leave it blank for default location
On the Installation page, the tool will trigger the application installer; click through its user interface to carry out the installation. Everything we do here is monitored, and the files and registry values that get created are saved as part of our msix package.
Once the installation is done, uncheck the box Run Notepad++v8.2.1 and click Finish.
If the application requires a restart, this is the time to do so by clicking Restart machine, as the same behaviour will be captured for our msix package. Click Next.
On the Manage first launch tasks page, you have the option to specify post-installation tasks. This could be important in scenarios where you want to customise the application for the user, such as changing the default save location. Click Next.
MSIX Packaging Tool will show a warning; click Yes, move on to start the package creation process.
The Services report page will detect any service changes (start / stop) to capture. Click Next.
On the Create package page, provide the save location. Just for the sake of understanding, you may also click on Package editor to see more advanced custom settings.
Package editor consists of:
- Package information: This consists of the basic package information we provided earlier
- Services report: This is the same Services report page that was used to capture the service status
- Capabilities: This page shows the capabilities you can provide for this package
- Virtual registry: This shows the registry values created as part of the application installation. This is a good time to create your own registry values used for company branding.
- Package files: This shows all files and folders created during the application installation process.
We are good to go as we are not doing any further customization, so click on Create.
The MSIX package is now created successfully under the save location. We can also check the Package report logs, which are located under c:\users\username\AppData\Local\Packages
Let’s try to install the application, which is available with the following name: NotePadPlusPlusMSIX_18.104.22.168_x64__twve9bt9x6ty8.msix
While trying to install the msix file by double clicking it, we see the following error:
NotePadPlusPlus MSIX installation failed, reason:
To install this app, enable sideload apps mode and re-initiate the install. If you can’t enable it, ask your system administrator to unlock the device for sideloading (0x80073CFF)
The reason for this error is that Microsoft doesn’t allow installing any msix application by default; only applications installed through the Microsoft Store are allowed. To change this behaviour, navigate to Settings > Update & Security > For developers. Under Developer features we have 3 options:
Microsoft Store apps
Select Sideload apps and try to install the msix file again. This time we see Notepad++ installed successfully.
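Before switching more devices to Sideload apps, it helps to confirm that the package is signed and that its Publisher is the certificate subject you expect. The function below is an added example, not from the original post; Test-MsixPublisher and the sample path are hypothetical names, and it relies on an .msix file being a ZIP container with AppxManifest.xml at its root.

```powershell
# Added example: check who signed an MSIX package and whether that matches
# the Publisher recorded in its manifest, before sideloading it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MsixPublisher {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'CN=manishbangia.com'
    )
    $path = (Resolve-Path -LiteralPath $PackagePath).Path

    # Signature as evaluated on this machine; 'Valid' also requires a trusted chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $path

    # Read the manifest straight out of the package without installing anything.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $path" }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }

    # Normalise distinguished names the same way so spacing differences do not matter.
    $normalize = {
        param($dn)
        [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($dn).Name
    }
    $manifestPublisher = & $normalize $manifest.Package.Identity.Publisher
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.SubjectName.Name }

    $result = [pscustomobject]@{
        SignatureStatus        = $sig.Status
        SignerSubject          = $signerSubject
        SignerThumbprint       = $sig.SignerCertificate.Thumbprint
        ManifestPublisher      = $manifestPublisher
        PublisherMatchesSigner = ($signerSubject -ceq $manifestPublisher)
        PublisherIsExpected    = ($manifestPublisher -ceq (& $normalize $ExpectedPublisher))
    }
    $ok = $result.SignatureStatus -eq 'Valid' -and
          $result.PublisherMatchesSigner -and $result.PublisherIsExpected
    $result | Add-Member -NotePropertyName OkToInstall -NotePropertyValue $ok -PassThru
}

# Usage (hypothetical path; point it at the package created above):
# Test-MsixPublisher -PackagePath 'C:\temp\NotePadPlusPlusMSIX.msix' -ExpectedPublisher 'CN=manishbangia.com'
```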