MSIX create and deploy

You have probably already heard about it, but have you tried making an MSIX package? Let me show you how easily one can be created, signed with a self-signed code signing certificate (only for testing), and deployed with Intune. First, some short info from the Microsoft docs.

MSIX is the Windows app package format that provides a modern packaging experience to all Windows apps. The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and WinForm apps.

Read more at:
https://docs.microsoft.com/en-us/windows/msix/overview

MSIX Packaging Tool

Prerequisites check

  • Windows 10, version 1809 (or later)
  • Participation in the Windows Insider Program (if you’re using an Insider build)
  • A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
  • Administrator privileges on your PC to run the tool

Go ahead and download the MSIX Packaging Tool, or get it from the Microsoft Store.

Hyper-V MSIX Packaging Tool Environment

Since the MSIX Packaging Tool is listening to everything that happens on the machine, it is recommended you use a clean VM for this purpose only.


Open Hyper-V Manager and click Quick Create
Click MSIX Packaging Tool Environment and click Create Virtual Machine – Install with local user and remember to choose a password.

Create a self-signed certificate

ONLY FOR TESTING!

Open PowerShell ISE elevated. Replace CN, O, C and FriendlyName (don't remove the quotation marks), and use the following PowerShell to create a new self-signed certificate.

New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName "Your friendly name goes here" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

Copy the Thumbprint into Notepad.

Next, we are going to export the certificate from the local store to a Personal Information Exchange (PFX) file and add a password for usage (REMEMBER THIS PASSWORD).

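# Password that protects the exported private key (use your own value)
$password = ConvertTo-SecureString -String 1234 -Force -AsPlainText
# Replace <Thumbprint> with the thumbprint you copied above
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\<Thumbprint>" -FilePath Filepath.pfx -Password $password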

Now that you have exported the .pfx containing the private key, import the .pfx on your local machine so we can export the .cer without the private key to use with Intune.

Search for cert – Open Manage computer certificates – Go to Personal -> Certificates -> Right-click -> All Tasks -> Import -> Next -> Find .pfx -> Next -> Input Password -> Next -> Next -> Finish.

Next, right-click the <Chosen name>.pfx entry, which shows a small golden key (indicating the private key is inside) -> All Tasks -> Export -> Next -> Next -> DER Encoded Binary -> Next -> Filename -> Finish.

You should now have a .cer and .pfx file. The .cer file we will use for Intune and the .pfx file will be used when creating our MSIX package.
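A scripted alternative to the export clicks above, added here as an example (not from the original post): it exports the public certificate with Export-Certificate and checks that the .cer carries no private key and has the code signing EKU before it goes to Intune. The thumbprint parameter and the output path are placeholders you supply.

```powershell
# Added example: export the public .cer and sanity-check it before deployment.
# $Thumbprint and $CerPath are placeholders (assumptions), not values from the post.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $CerPath = "$env:TEMP\msix-test-signing.cer"
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # same EKU OID used in New-SelfSignedCertificate above
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

# Export only the public certificate (DER encoded); the private key stays in the store.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Reload the exported file so the checks run on exactly what Intune will distribute.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

$eku = $public.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$bc = $public.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
$now = Get-Date

$checks = [ordered]@{
    'No private key in .cer'        = -not $public.HasPrivateKey
    'Thumbprint matches store cert' = $public.Thumbprint -eq $cert.Thumbprint
    'EKU contains code signing'     = $ekuOids -contains $codeSigningOid
    'Not a CA certificate'          = [bool]($bc -and -not $bc.CertificateAuthority)
    'Currently valid'               = ($public.NotBefore -le $now) -and ($public.NotAfter -ge $now)
}

$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    throw "Certificate $Thumbprint failed a check; do not deploy $CerPath."
}
```

Every device that receives this .cer will accept packages signed with the matching .pfx, so keep the .pfx and its password off shared locations and remove the test certificate from the stores when testing is finished.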

Create MSIX package with .pfx

For this, you will need:

  • Notepad++ installer
  • VM turned ON (local User & Password)
  • MSIX Packaging Tool
  • .pfx (and the password set)

Let's open the MSIX Packaging Tool and choose Application Package, since we are creating a new MSIX -> press “Browse” and find the Notepad++ installer -> check “Sign package”, press Browse to find the .pfx we created earlier and input the password you set -> press Next.

Choose to Create Package on a local virtual machine -> Choose your created MSIX Packaging Tool Environment -> input Username & Password -> press next.

An RDP session to the VM will now start up – leave this RDP session open. The MSIX Packaging Tool will move to the next page by itself.

Now you will need to input the package name etc. Everything marked with * is required. See the following screenshot.

Press Next if everything is OK.

The VM you left open will now begin to install Notepad++; go ahead and complete the installation there. While the Next button is greyed out, you are not done with the installation process. Press Next when the installation is complete.

Now you will see the application entry points, which should look like the following – press Next.

Press “Yes move on” to confirm you are done, then choose where you are going to save the new MSIX package together with the installation template.

So now you are done with this part and you added the MSIX package to your collection.
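Before uploading, the signed package can be checked against the .cer that Intune will distribute. The following is an added example, not part of the original post; the two paths are placeholders you supply.

```powershell
# Added example: confirm the MSIX was signed by the certificate you are about to deploy.
# $MsixPath and $CerPath are placeholders (assumptions), not values from the post.
param(
    [Parameter(Mandatory)] [string] $MsixPath,
    [Parameter(Mandatory)] [string] $CerPath
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
$sig = Get-AuthenticodeSignature -FilePath $MsixPath

# An MSIX is a ZIP container; the package identity lives in AppxManifest.xml.
$zip = [System.IO.Compression.ZipFile]::OpenRead($MsixPath)
try {
    $entry = $zip.Entries | Where-Object { $_.FullName -eq 'AppxManifest.xml' }
    if (-not $entry) { throw "AppxManifest.xml not found in $MsixPath" }
    $reader = [System.IO.StreamReader]::new($entry.Open())
    try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
}
finally {
    $zip.Dispose()
}
$publisher = $manifest.Package.Identity.Publisher

$result = [pscustomobject]@{
    Signed            = $null -ne $sig.SignerCertificate
    SignedByExpected  = $sig.SignerCertificate.Thumbprint -eq $expected.Thumbprint
    ManifestPublisher = $publisher
    CertSubject       = $expected.Subject
    # Literal string comparison; review both values by eye if only formatting differs.
    PublisherMatches  = $publisher -eq $expected.Subject
    TrustStatus       = $sig.Status
    TrustMessage      = $sig.StatusMessage
}
$result | Format-List

if (-not $result.SignedByExpected) {
    throw "Package is not signed by the certificate in $CerPath; do not upload it."
}
```

On a machine that does not yet trust the certificate, TrustStatus is something other than Valid, which is the same condition that makes the installation fail when the .cer has not been deployed.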

Deploy MSIX & .cer

For this part, you will need:

  • MSIX package signed with .pfx (Code Signed)
  • .cer exported from the .pfx
  • Intune
  • Machine(VM or Physical)

TIP: My demo equipment is a Surface Go, so I can test Autopilot White Glove and everything else, since a virtual machine can vary from the real world.

First, you will need to create a Configuration Profile and deploy the .cer to the machines on which you wish to install the MSIX package. If you don't, the installation will fail and will look like this.

So let’s create a new Configuration Profile and deploy the certificate.

Next, upload the new MSIX package to Intune under Client Apps -> LOB (Line-of-business app)

Please make sure you install the application with User Context.

When you are using Autopilot, you will see that certificates are configured before the applications. In this case you also need to make sure the certificate is deployed before targeting a group, or else the installation will fail.

When that is done and both the certificate and the MSIX are uploaded, the MSIX will install successfully.

If you need this for your enterprise environment, I recommend you buy a code signing certificate from either DigiCert or GlobalSign.

Advanced Installer is pretty far ahead when it comes to MSIX; I suggest you give them a peek as well.

https://www.advancedinstaller.com/

Credits

https://docs.microsoft.com/en-us/windows/msix/
