Something's gone wrong!An error ocurred performing that action. Please try refreshing the page.

MSIX: Packaging

By Katy Nicholson, posted on 16 January, 2022

MSIX is a modern packaging solution designed to separate application and system states, and to be easy to cleanly uninstall. Some of this is performed by redirecting read/write to certain locations to a per-user/per-package folder, which can then cleanly be removed. You can read more on Microsoft docs about what MSIX packages are and how they work on Windows.

In this post I will go through creating an MSIX package and how it can be deployed. I have also looked at MSIX App Attach for Azure Virtual Desktop in a separate post..

Installing the packaging tool and pre-requisites

There are a few different ways to create an MSIX package. As we're most focussed on deploying existing applications with MEM, I'll look at re-packaging over creating our own deployments. There are many tools available, one example is Advanced Installer who do a free 'Express' version for MSIX re-packaging, but for the purposes of this post I will be concentrating on the Microsoft MSIX Packaging Tool, available from the Microsoft Store.

The re-packaging tool basically monitors the system for changes to the file system and registry after the application installer has been executed. For this kind of re-packaging it's always a good idea to have a clean reference machine. The re-packaging tool will let us target a Hyper-V virtual machine when performing the packaging operation, so I'd recommend setting up a clean install VM of your target operating system version, with nothing else installed, and use snapshots to reset back to a clean state after each package has been captured. You don't need to install the packaging tool on your reference VM, you can run that from the host PC.

Before you start creating a package you will need to consider signing. Typically you would use a PFX which contains a code signing certificate along with the private key. Signing is very important and you can't skip it - if you don't sign the package, it won't install. You can use a certificate from an AD CA, but the devices you deploy to must already have your CA certificate as a trusted root CA.

Creating your first package

When you start up the MSIX Packaging Tool, you'll be given three choices:

  • Application Package - select this to create the MSIX package
  • Modification Package - select this to create an MSIX package which will modify an existing app
  • Package Editor - edit an existing MSIX package

Select Application Package and then if you created a reference VM, select Create package on a local virtual machine. You can then select the VM from the dropdown list. You will need to provide credentials for logging on to the VM - if you just installed from media and didn't domain join or configure anything, this would be the username/password entered during OOBE.

Screenshot of 'Select Environment' screen of MSIX packaging tool, showing we have selected local virtual machine Packaging-VM and entered credentials
I'd recommend to use a reference VM to capture the package, rather than the local machine. This way you can make sure that you won't run into any compatibility issues around previously installed applications.

You will find a remote desktop window pop up after connecting - enter the credentials to connect. You can use this window after the application has been installed to perform any changes you may wish to be captured, such as setting a few default options within the application.

Next we will be shown the Prepare Computer screen. If desired you can turn off Windows Search from this page, I'd recommend doing this as it'll result in a cleaner package. The tool will automatically install the packaging driver if it's not already installed, and will disable Windows Update for the duration of the packaging process.

Screenshot of 'Create new package' page, showing the MSIX packaging tool driver has been installed, but that Windows Search is active.
Wait for the preparations to complete, then disable Windows Search if desired.

Next you will need to select the installer file, and pass any parameters (e.g. /silent). This installer does not need to reside on the virtual machine - the packaging tool will copy it across and execute it for you. For this example I have been original and imaginative and used Notepad++.

Select to sign with a certificate, find your PFX file and enter the password used when the PFX was created. Finally you will need to enter a timestamp server URL. The only one I could find from a quick google that worked at time of writing was the Symantec one: sha256timestamp.ws.symantec.com/sha256/timestamp

Providing the time stamp URL is highly recommended - if the package is signed without timestamping, it will no longer install once the certificate has expired. If it has been timestamped, it will still install, as the certificate was verified at signing.

Screenshot of 'Select installer' page of MSIX packaging tool, showing Notepad++ installer has been selected, and signed with a PFX
Browse to the installer and specify any installation arguments. Select to sign with a PFX and add the timestamp server URL.

Following that you will be asked to fill out the package information. Some of these details will be pulled from the original installer (especially if you used an MSI rather than EXE).

Screenshot of 'Package information' screen in MSIX packaging tool, showing the package data for Notepad++
Fill out the name, display name, publisher name and version.

Next the installation will run on the VM, and you should see the First launch tasks screen. If applicable, run the application and perform any tasks - in my example I launched Notepad++ and installed the XMLTools plugin, to ensure that it would come installed as default in the resulting MSIX package.

Screenshot of 'First launch tasks' page on MSIX packaging tool
Here you can perform any first launch tasks - even setting defaults within the application UI. You can perform this through the remote desktop window that appeared earlier on in the process.

Follow the rest of the steps to complete the process and you should end up with an MSIX and XML file generated.

Deploying the MSIX package

Now we have our MSIX package, we can look at how we will deploy it to our devices. There are several ways of doing this, I'll cover them briefly as this post is not intended to be a "how to deploy" guide.

  • Endpoint Manager (Intune) - You can deploy the app by selecting 'Line-of-business app' during the app deployment process.
  • Configuration Manager - One of the options in the Add Application process covers MSIX packages (along with appx bundles).
  • Microsoft Store - MSIX packages can be published and deployed through the Microsoft Store
  • PowerShell - using Add-AppXPackage
  • On Azure Virtual Desktop, using MSIX App Attach - I will be writing a post on this in the future as it involves unpacking the MSIX into a VHD container.

Finally, you can test that the package works (or manually install if it suits your use case) by double-clicking the MSIX file and clicking Install.

Screenshot of App Install process
You can test the package by double-clicking the MSIX file and installing.

Further Reading

In this post

Support My Work

I hope you find my content useful. Please consider tipping to support the running costs of hosting, licensing etc on my Ko-fi page.

Support me on Ko-fi

Search