In this post I will discuss how to deploy an MSIX package using Intune. Before the package can be deployed, a Code Signing Certificate has to be created and pushed to the devices, and the MSIX file has to be signed with it. We will first deploy the certificate using Intune and then deploy the actual MSIX package.
- Steps required for deploying msix package through Intune
- Create Code Signing Certificate
- Use Code Signing Certificate to sign msix package
- Create Configuration Profile for Code Signing Certificate on Intune
- Allow Sideload Apps
- Deploy MSIX package using Intune
Steps required for deploying msix package through Intune
We have to perform multiple steps to deploy the MSIX package using Intune. If we deploy the MSIX package without first deploying the Code Signing certificate, the installation fails with the following error:
This app package is not signed with a trusted certificate. Contact your system administrator or the app developer to obtain a new certificate or app package with trusted certificates. The root certificate and all immediate certificates of the signature in the app package must be trusted (0x800B010A)
To get rid of this error, the root of the certificate chain that signed the package must be present in the device's Trusted Root Certification Authorities store (Local Computer). For a self-signed code signing certificate that is the certificate itself; for a certificate issued by a Certification Authority it is the CA's root certificate. Keep in mind that anyone holding the private key (.pfx) of that certificate can sign packages every enrolled device will trust, so protect it like any other signing key.
- We will be creating the Code Signing Certificate. This certificate serves two purposes: the private key (.pfx) signs the MSIX package when it is created with the MSIX Packaging Tool or any other tool you prefer, and the public certificate (.cer) is what the devices must trust. We can generate a self-signed certificate for the purpose, or, the better option, if we have an on-premises Domain Controller with Certification Authority installed, we can take advantage of it to issue the certificate. I will cover both ways.
- The certificate then needs to be deployed using Intune; if the certificate has not been deployed first, we will see the above mentioned error 0x800B010A. This is done through the Configuration Profile feature of Intune.
- Finally we will create a Line-of-business application for the MSIX on the Intune portal.
Create Code Signing Certificate
The very first step is to create a Code Signing Certificate. I will be covering 2 ways to do this.
Create Code Signing Certificate using Active Directory Certificate authority
I have covered this in an in-depth post, How to create MSIX package using MSIX packaging tool, which shows each and every step of creating the Code Signing Certificate. This is a summary of what we will achieve:
- Launch Certification Authority (on the Domain Controller / member server), navigate to Certificate Templates and, through Manage, duplicate the existing Code Signing template with the required settings.
- Then use Certificate Templates > New > Certificate Template to Issue to publish the new template.
- Open the Current User certificate store, choose Request New Certificate and select the recently created Code Signing template.
- Once this is done, you will be able to see 2 certificates: one under Personal > Certificates and another under Trusted Root Certification Authority > Certificates.
The 1st one (under the Personal certificate store) is the code signing certificate issued to you. It needs to be exported with the private key, which creates the .pfx file required to sign the MSIX package. You will notice that this certificate shows Intended Purposes as Code Signing.
The 2nd one (under the Trusted Root Certification Authorities store) is the root certificate of your CA, not the code signing certificate itself. It needs to be exported without the private key to create a .cer file, which is what will be deployed via Intune Configuration Profiles so that devices trust the chain. The Intended Purposes column shows <All> for a CA certificate. Domain-joined devices usually already trust this root through Group Policy; Azure AD-joined devices do not, which is why Intune has to deliver it.
I now have 2 certificates available, in .pfx and .cer format.
The .pfx is used to sign the MSIX package; see the post on creation of an MSIX package for more detail on this.
The .cer will be used later for deploying the trust through Intune.
Create Code Signing Certificate Manually
This process is much easier, as it requires a single PowerShell command to create a Code Signing Certificate, but it is not recommended for large organizations. There, prefer the organization's own Certification Authority, or a certificate purchased from a 3rd party vendor for this purpose.
Log in to any Windows 10 workstation, launch PowerShell (elevation is not required for the Current User store) and run the following command:
New-SelfSignedCertificate -Subject manishbangia.com -DnsName manishbangia.com -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My
This creates a Code Signing Certificate within seconds under the Current User Personal certificate store, with the subject CN=manishbangia.com. Note that the subject must match the Publisher attribute in the package's AppxManifest.xml exactly, otherwise signing fails. You may verify the certificate by launching certmgr.msc and navigating to Certificates – Current User > Personal > Certificates.
We now need to export the certificate twice:
once with the private key (.pfx) and a second time without the private key (.cer). The process is the same both times: select the certificate, right click it > All Tasks > Export.
On the Export Private Key page, select "Yes, export the private key" the first time (and set a strong password on the file). Repeat the process and select "No, do not export the private key" the second time.
We now have the 2 certificate files ready, .pfx and .cer, the same as we obtained through the Active Directory Certificate Authority.
Hence, either way we are ready with the certificate.
Use Code Signing Certificate to sign msix package
Follow the post on how to create an MSIX package, where the 1st certificate (i.e. the .pfx file) is used to sign the MSIX package during the creation process.
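The whole manual path in one script, as an added example that is not part of the original post: it creates the self-signed certificate in the form Microsoft documents for MSIX signing, exports the .pfx and .cer, signs the package with SignTool from the Windows SDK and then checks the signature. The subject CN=manishbangia.com, the package path and the output folder are assumptions; signing is done by thumbprint straight from the certificate store so that the PFX password never appears on a command line.

```powershell
# Added example, not the original post's code. Assumptions: signtool.exe (Windows SDK)
# is on PATH, and the package's AppxManifest.xml Identity Publisher equals $Subject.
param(
    [string]$Subject     = 'CN=manishbangia.com',      # must match Publisher in AppxManifest.xml
    [string]$PackagePath = '.\NotepadPlusPlus.msix',   # hypothetical package path
    [string]$OutDir      = '.\certs'                   # hypothetical output folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the certificate in the Current User Personal store (no elevation needed).
#    EKU 1.3.6.1.5.5.7.3.3 = Code Signing; the empty Basic Constraints extension marks it
#    as an end-entity certificate, which is the form Microsoft documents for MSIX signing.
$cert = New-SelfSignedCertificate -Type Custom -Subject $Subject `
    -KeyUsage DigitalSignature -FriendlyName 'MSIX code signing (self-signed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# 2. Export .pfx (private key, password protected, for the MSIX Packaging Tool)
#    and .cer (public key only, for the Intune Trusted certificate profile).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX'
$pfxPath = Join-Path $OutDir 'codesign.pfx'
$cerPath = Join-Path $OutDir 'codesign.cer'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. Sign the package from the store by thumbprint. /fd SHA256 is mandatory for MSIX and
#    must match the hash algorithm the package was built with (MakeAppx default: SHA256).
& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 4. Verify. Status is 'Valid' only if the signer chains to a trusted root; on a machine
#    that does not trust this certificate the status is not Valid and StatusMessage carries
#    the chain error, which is what an un-provisioned endpoint will report as well.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
[pscustomobject]@{
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Status     = $sig.Status
    Message    = $sig.StatusMessage
    Pfx        = $pfxPath
    Cer        = $cerPath
}
```

If your build of PowerShell refuses the package format in step 4, `signtool verify /pa /v <package>` performs the same check. The .pfx is only needed where the packaging tool insists on a file; keeping the private key in the store (or on a hardware token) and signing by thumbprint is the safer default.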
Create Configuration Profile for Code Signing Certificate on Intune
We are ready with the .cer certificate file. It will be used to deploy the trust to Windows 10 / Windows 11 devices using Intune. Open the Microsoft Endpoint Manager admin center and navigate to Home > Devices > Configuration profiles. Click Create profile, choose the platform Windows 10 and later, select the template "Trusted certificate" and click Create.
Specify name of the Configuration Profile “Code Signing Certificate” and click Next.
On the Configuration settings page, click Browse to select the certificate file. Under Destination store we have 3 options:
- Computer certificate store – Root
- Computer certificate store – Intermediate
- User certificate store – Intermediate
Select the 1st option, Computer certificate store – Root. This is the right store for a self-signed code signing certificate and for the root certificate of your CA. Only if you are deploying the certificate of a subordinate (issuing) CA does it belong in the Intermediate store, and the root still has to be trusted separately. The User store does not help here, because the app installer checks the Local Computer store.
Go through rest of selection pages and under Assignments, Specify the group and click Next.
Verify settings under Review + create and click on Create.
After waiting a few minutes, we can see the device showing success under Device status.
We can verify the certificate got installed successfully on the Windows 10 device by navigating to Certificates – Local Computer > Trusted Root Certification Authorities > Certificates (certlm.msc is the shortcut).
Going down this path, we can see the certificate shows Intended Purposes as <All>, because the one deployed here is the root certificate from the Active Directory Certificate Authority. For a self-signed code signing certificate it shows Code Signing instead, which is expected: the certificate is both the signer and its own root.
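A scripted version of the same check, as an added example that is not part of the original post: run on an enrolled endpoint, it confirms the deployed .cer landed in the machine Trusted Root store (and flags the two stores the profile is commonly mis-pointed at) and then checks whether a signed package now chains to it. The .cer path and package path are assumptions.

```powershell
# Added example, not the original post's code. Run on the managed device after the
# Intune "Trusted certificate" profile reports success.
function Test-MsixTrust {
    param(
        [Parameter(Mandatory)][string]$CerPath,       # the .cer the profile deployed (hypothetical path)
        [Parameter(Mandatory)][string]$PackagePath    # a package signed with that certificate (hypothetical path)
    )
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath).Thumbprint

    # Where did the certificate actually land? Only LocalMachine\Root satisfies the app installer.
    $inMachineRoot = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $expected
    $inMachineCA   = Get-ChildItem 'Cert:\LocalMachine\CA'   | Where-Object Thumbprint -eq $expected
    $inUserRoot    = Get-ChildItem 'Cert:\CurrentUser\Root'  | Where-Object Thumbprint -eq $expected

    # Does the package's signature chain to a trusted root on this machine now?
    # For a self-signed certificate SignerThumbprint equals $expected; for an AD CS
    # certificate the signer is the leaf and $expected is the root above it.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath

    [pscustomobject]@{
        ExpectedThumbprint    = $expected
        InMachineRoot         = [bool]$inMachineRoot
        InMachineIntermediate = [bool]$inMachineCA
        InUserRoot            = [bool]$inUserRoot
        PackageSigner         = $sig.SignerCertificate.Subject
        SignerThumbprint      = $sig.SignerCertificate.Thumbprint
        SignatureStatus       = $sig.Status          # 'Valid' once the chain is trusted
        StatusMessage         = $sig.StatusMessage
    }
}

# Example call (paths are hypothetical).
Test-MsixTrust -CerPath 'C:\certs\codesign.cer' -PackagePath 'C:\packages\NotepadPlusPlus.msix'
```

If InMachineRoot is false but one of the other two is true, the profile was created with the wrong Destination store; if the certificate is in place but SignatureStatus is still not Valid, the package was signed with a different certificate than the one deployed (compare the thumbprints).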
Allow Sideload Apps
On Windows devices, we need to allow sideloading of apps.
What is sideloading of apps?
Sideloading means installing an app package (.appx / .msix) from somewhere other than the Microsoft Store, for example from a file share or, as here, delivered by Intune. By default, Microsoft Store apps are the only packaged applications a Windows 10 device will install. If you try to install a package from outside the Store, such as an MSIX file signed with our code signing certificate, the installation fails with the following error:
To install this app, enable sideload apps mode and re-initiate the install. If you can't enable it, ask your system administrator to unlock the device for sideloading (0x80073CFF)
You can enable sideloading by navigating to Settings > Update & Security > For developers. Under Developer features we have 3 options:
Microsoft Store apps, Sideload apps and Developer mode.
Select the 2nd option, "Sideload apps". It only allows packages whose signature chains to a trusted certificate, which is exactly why the certificate had to be deployed first. Do not pick Developer mode for this purpose: it additionally allows unsigned and loose-file deployments and is not needed for Intune-delivered, signed MSIX packages.
This can also be achieved through Group Policy. Open the Group Policy editor to create or edit a policy and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment.
Enable "Allow all trusted apps to install". The same setting can be pushed from Intune itself through the Policy CSP ApplicationManagement/AllowAllTrustedApps (value 1), which makes the manual Settings step unnecessary on enrolled devices.
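To see which of these switches is actually in effect on a device, and to set the policy one from a script, the following is an added example that is not part of the original post. It reads the policy value that "Allow all trusted apps to install" writes and the two values behind the Settings > For developers page; Enable-Sideload writes only the policy value and leaves Developer mode alone. The registry locations are the standard ones; no other names are assumed.

```powershell
# Added example, not the original post's code. Get-SideloadState works as a standard user;
# Enable-Sideload needs an elevated prompt.
$script:PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'                    # GPO / Intune policy
$script:UnlockKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'    # Settings > For developers

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (i.e. "not configured").
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SideloadState {
    [pscustomobject]@{
        PolicyAllowAllTrustedApps = Get-RegValue $script:PolicyKey 'AllowAllTrustedApps'             # 1 = allowed by policy
        SettingsSideloadApps      = Get-RegValue $script:UnlockKey 'AllowAllTrustedApps'             # 1 = "Sideload apps" selected
        SettingsDeveloperMode     = Get-RegValue $script:UnlockKey 'AllowDevelopmentWithoutDevLicense' # 1 = Developer mode on (avoid)
    }
}

function Enable-Sideload {
    # Equivalent of enabling "Allow all trusted apps to install" in Group Policy.
    # Developer mode is deliberately not touched: signed MSIX does not need it.
    New-Item -Path $script:PolicyKey -Force | Out-Null
    New-ItemProperty -Path $script:PolicyKey -Name 'AllowAllTrustedApps' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-SideloadState
}

Get-SideloadState
```

A device that shows SettingsDeveloperMode = 1 has been opened further than this deployment requires; turning that off and keeping only the policy value is the least-privilege configuration for sideloading signed packages.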
Deploy MSIX package using Intune
As our certificate is deployed, it is time to deploy the MSIX package using Intune. Navigate to Home > Apps and click Add. Select the App type Line-of-business app, which supports:
- Android (APK)
- iOS (IPA)
- macOS (.IntuneMac)
- Windows (.msi, .appx, .appxbundle, .msix, and .msixbundle)
Under App information, click Select app package file and browse for the MSIX file.
Most fields on the App information page are populated automatically from the package manifest. You may also select a custom logo, which can be downloaded from:
- Download icons From github
- Microsoft intune Icons – Download 873 Free Microsoft intune icons here (iconarchive.com)
Skip Scope tags, specify the group under Assignments and click Next. Follow the rest of the wizard to complete the deployment.
After waiting a couple of minutes, we can see Notepad++ installed successfully on the device under Device install status.