MSIX is a modern packaging solution designed to separate application and system states, and to be easy to cleanly uninstall. Some of this is performed by redirecting read/write to certain locations to a per-user/per-package folder, which can then cleanly be removed. You can read more on Microsoft docs about what MSIX packages are and how they work on Windows.
In this post I will go through creating an MSIX package and how it can be deployed. I have also looked at MSIX App Attach for Azure Virtual Desktop in a separate post.
There are a few different ways to create an MSIX package. As we're most focussed on deploying existing applications with MEM, I'll look at re-packaging over creating our own deployments. There are many tools available; one example is Advanced Installer, who offer a free 'Express' version for MSIX re-packaging. For the purposes of this post I will be concentrating on the Microsoft MSIX Packaging Tool, available from the Microsoft Store.
The re-packaging tool basically monitors the system for changes to the file system and registry after the application installer has been executed. For this kind of re-packaging it's always a good idea to have a clean reference machine. The re-packaging tool will let us target a Hyper-V virtual machine when performing the packaging operation, so I'd recommend setting up a clean install VM of your target operating system version, with nothing else installed, and use snapshots to reset back to a clean state after each package has been captured. You don't need to install the packaging tool on your reference VM, you can run that from the host PC.
Before you start creating a package you will need to consider signing. Typically you would use a PFX which contains a code signing certificate along with the private key. Signing is very important and you can't skip it - if you don't sign the package, it won't install. You can use a certificate from an AD CA, but the devices you deploy to must already have your CA certificate as a trusted root CA.
When you start up the MSIX Packaging Tool, you'll be given three choices:
- Application Package - select this to create the MSIX package
- Modification Package - select this to create an MSIX package which will modify an existing app
- Package Editor - edit an existing MSIX package
Select Application Package and then if you created a reference VM, select Create package on a local virtual machine. You can then select the VM from the dropdown list. You will need to provide credentials for logging on to the VM - if you just installed from media and didn't domain join or configure anything, this would be the username/password entered during OOBE.
You will find a remote desktop window pop up after connecting - enter the credentials to connect. You can use this window after the application has been installed to perform any changes you may wish to be captured, such as setting a few default options within the application.
Next we will be shown the Prepare Computer screen. If desired you can turn off Windows Search from this page; I'd recommend doing this as it'll result in a cleaner package. The tool will automatically install the packaging driver if it's not already installed, and will disable Windows Update for the duration of the packaging process.
Next you will need to select the installer file, and pass any parameters (e.g. /silent). This installer does not need to reside on the virtual machine - the packaging tool will copy it across and execute it for you. For this example I have been original and imaginative and used Notepad++.
Select to sign with a certificate, find your PFX file and enter the password used when the PFX was created. Finally you will need to enter a timestamp server URL. The only one I could find from a quick google that worked at time of writing was the Symantec one: sha256timestamp.ws.symantec.com/sha256/timestamp
Providing the timestamp URL is highly recommended: if the package is signed without timestamping, it will no longer install once the certificate has expired. If it has been timestamped, it will still install, because the timestamp shows the signature was applied while the certificate was still valid.
Following that you will be asked to fill out the package information. Some of these details will be pulled from the original installer (especially if you used an MSI rather than EXE).
Next the installation will run on the VM, and you should see the First launch tasks screen. If applicable, run the application and perform any tasks - in my example I launched Notepad++ and installed the XMLTools plugin, to ensure that it would come installed as default in the resulting MSIX package.
Follow the rest of the steps to complete the process and you should end up with an MSIX and XML file generated.
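The signing points above (a chain the device trusts, and a timestamp) can be checked against the generated package before it is deployed. This is an added example, not part of the original post or the MSIX Packaging Tool; the function name `Test-MsixSignature` and the sample file name are assumptions, and it handles a single .msix rather than a bundle.

```powershell
# Added example: report on the signature of a single .msix package.
function Test-MsixSignature {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Status is evaluated against the certificate stores of THIS machine,
    # so run it on a device that represents your deployment targets.
    $sig    = Get-AuthenticodeSignature -LiteralPath $full
    $signer = $sig.SignerCertificate

    # An MSIX is a zip container; the publisher identity lives in AppxManifest.xml.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $full" }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher

    # The manifest Publisher is expected to equal the certificate subject.
    # Normalise both distinguished names so spacing differences do not matter.
    $match = $false
    if ($signer) {
        try {
            $dn    = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($publisher)
            $match = $dn.Name -eq $signer.SubjectName.Name
        } catch {
            $match = $publisher -eq $signer.Subject
        }
    }

    $timestamped = [bool]$sig.TimeStamperCertificate
    [pscustomobject]@{
        Package           = $full
        Status            = $sig.Status          # 'Valid' means signed and trusted here
        SignerSubject     = $signer.Subject
        SignerNotAfter    = $signer.NotAfter     # expiry matters if not timestamped
        Timestamped       = $timestamped
        ManifestPublisher = $publisher
        PublisherMatches  = $match
        ReadyToDeploy     = ($sig.Status -eq 'Valid') -and $timestamped
    }
}

# Usage (placeholder file name):
#   Test-MsixSignature -Path .\NotepadPlusPlus.msix | Format-List
```

A `Status` other than `Valid` on a target device usually means the issuing CA is not in that device's trusted roots, which is the AD CA case described earlier.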
Now we have our MSIX package, we can look at how we will deploy it to our devices. There are several ways of doing this. I'll cover them briefly, as this post is not intended to be a "how to deploy" guide.
- Endpoint Manager (Intune) - You can deploy the app by selecting 'Line-of-business app' during the app deployment process.
- Configuration Manager - One of the options in the Add Application process covers MSIX packages (along with appx bundles).
- Microsoft Store - MSIX packages can be published and deployed through the Microsoft Store
- PowerShell - using Add-AppXPackage
- On Azure Virtual Desktop, using MSIX App Attach - I will be writing a post on this in the future as it involves unpacking the MSIX into a VHD container.
Finally, you can test that the package works (or manually install if it suits your use case) by double-clicking the MSIX file and clicking Install.