I think we can all agree that application deployment is probably the most challenging part of an Intune implementation. The wide variety of Line of Business applications and different installation types can give you sleepless nights. It’s true that Microsoft has made some real improvements in application deployment with support for most application extensions. But there are always some applications that simply can’t be deployed with Intune or are very hard to deploy and manage.
With the introduction of MSIX I dare to say that you can now practically deploy any application successfully with Intune. In this blog I describe how you can create and deploy an MSIX package with Microsoft Intune. In this blog I will cover:
- Create a Self-Signed Certificate (testing purposes)
- Deploy a certificate with Intune
- Create a MSIX package
- Deploy the MSIX package
Please note that in order to install MSIX packages you must enable Application Sideloading.
Create a self-signed certificate
Before you can deploy an MSIX package you need a certificate to sign your package. Signing is a required step in the creation of the package, because it is the only way to assure that the package is valid and came from a trusted provider. Preferably you should use a Code Signing certificate from a 3rd party provider. For now I use a self-signed certificate so that the deployment can be tested, but for your production environment I wouldn’t recommend this.
To create a self-signed certificate, you can start PowerShell as an administrator from any VM. Enter the following command, where you replace <Your Organisation> with a name of your choosing:
New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=<Your Organisation>" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
To export the certificate, open certmgr. Your certificate is located in the Personal Certificates folder. Select the certificate –> All Tasks –> Export. Choose Next –> Yes, export the private key –> Choose Next –> For Encryption choose AES256 and enter a Password –> Enter a save location –> and choose Finish. You now have the certificate with a pfx extension.
We also need a certificate with the cer extension, so run the export Wizard again. Select the certificate –> all Tasks –> Export. Choose Next –> No, do not export the private key –> Choose Next –> Enter a save location –> and choose Finish.
You now have the certificate to sign your MSIX package and you have a certificate to distribute it via Intune.
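The same steps can be scripted instead of clicking through the export wizard twice. This is an added example, not part of the original post; the subject name, output folder and file names are placeholder assumptions.

```powershell
# Added example: scripted version of the certificate steps above.
# 'CN=Contoso Test', C:\Certs and the file names are placeholders (assumptions).
$subject = 'CN=Contoso Test'
$outDir  = 'C:\Certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same parameters as the command in the post; the result is kept in $cert.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject $subject -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert

# Prompt for the PFX password so it never appears in the script or its history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# PFX (contains the private key): only needed on the packaging VM for signing.
# -CryptoAlgorithmOption requires a recent Windows 10 / Server 2019 PKI module.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'msix-signing.pfx') `
    -Password $pfxPassword -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# CER (public certificate only): this is the file that is uploaded to Intune.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'msix-signing.cer') `
    -Type CERT | Out-Null

# Record the values you will want to compare against later on the test device.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
}
```

Only the .cer file should leave the packaging VM; anyone holding the .pfx and its password can sign packages that devices trusting this certificate will accept.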
Deploy Certificate Using Intune
Before you can install the MSIX package on any machine, the certificate used to sign the application must be trusted by the machine. Otherwise the application won’t start. To install the certificate on the machine we can use Intune to distribute the certificate.
From the Intune Management Portal go to –> Device Configuration –> Profiles and choose Create Profile. Here you enter the name and description of the Profile. For the platform you choose Windows 10 and later, for Profile type select Trusted certificate. In the new blade you select the .cer certificate that you exported. After you have created the Profile you then assign the profile to a group which has a test device in it.
Create a MSIX Package
For this blog I wanted to package an application that I had some trouble with in the past, the Citrix Receiver.
I have copied the Citrix Receiver installation file and the pfx certificate to the packaging VM and have launched the MSIX Packaging Tool. Here I want to create a new package, so I select ‘Application Package’.
Select Create package on this computer and choose Next. The packaging tool will now check some prerequisites and make sure that the drivers are installed.
In the next screen select the installation file. For now, I leave the installer arguments empty. For Signing preference, I select Sign with a certificate. This step is important. If you don’t select a certificate the application won’t be able to install.
Now provide some information for your package. Give your package a Name and a Display name. The Publisher name is provided from the certificate. The display name must be the same as the certificate; if these values don’t match the application won’t install. The installation location is not a mandatory field but is recommended.
By clicking next you will now enter the installation stage. The installation of your application will now start. You can just run through the installation as you normally would. When the installation is completed you can continue by clicking Next.
If the application requires any first launch tasks, they can now be performed. Otherwise press Next and continue with Yes, move on. The package will now be created.
Finally provide a save location for the package and choose Create.
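Before uploading the package, the three conditions mentioned so far (the package is signed, the manifest publisher matches the certificate, and the certificate is trusted by the machine) can be checked on the test device. This is an added example, not part of the original post; the package path is a placeholder, and checking the Trusted People store alongside Trusted Root is an assumption about where the certificate may be installed.

```powershell
# Added example, not from the original post. $PackagePath is a placeholder.
param([string]$PackagePath = 'C:\Packages\CitrixReceiver.msix')

Add-Type -AssemblyName System.IO.Compression.FileSystem

# 1. Signature status as evaluated on THIS machine ('Valid' needs a trusted chain).
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate) {
    throw "Package is not signed: $PackagePath"
}

# 2. Read the Identity Publisher from AppxManifest.xml (an MSIX is a ZIP archive).
$zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw 'AppxManifest.xml not found in package' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
}
finally {
    $zip.Dispose()
}
$publisher = $manifest.Package.Identity.Publisher

# 3. Is the signing certificate present in a machine trust store?
#    With a self-signed certificate the signer is also its own root.
$thumb   = $sig.SignerCertificate.Thumbprint
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPeople'
$foundIn = @($stores | Where-Object {
    Test-Path -Path (Join-Path -Path $_ -ChildPath $thumb)
})

# Simple string comparison; multi-part subjects may differ in spacing or order.
[pscustomobject]@{
    SignatureStatus   = $sig.Status
    SignerSubject     = $sig.SignerCertificate.Subject
    ManifestPublisher = $publisher
    PublisherMatches  = ($publisher -eq $sig.SignerCertificate.Subject)
    SignerThumbprint  = $thumb
    TrustedInStores   = ($foundIn -join ', ')
}
```

An empty TrustedInStores together with a SignatureStatus other than Valid means the certificate profile has not reached the device yet, which is the situation in which the package is reported as untrusted.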
Deploy MSIX with Intune
Now that the MSIX package is ready we can start deploying it with Intune. Simply go to the Intune management portal –> Client apps –> Add App. Here you select Line-of-business app. Here you can upload the MSIX package you created.
When you click the app information blade you can see that most of the information is already filled out with the information from the MSIX package. After adding the app, just wait till the application is uploaded. The final step is to assign the application to a group.
After some time check your test machine to confirm that the application is deployed.
Recap
As you can see, the packaging and distribution of an application with MSIX and Intune is really easy. But it doesn’t stop here: after you have deployed one version of the application you might want to provide the application with an update. With MSIX this process is even easier. So in my next blog I will show how you can upgrade the Citrix Receiver application to the new Citrix Workspace application!
Hi Stephan
This is a great post. This is something I am trying to deploy to a customer who needs to manage application updates and they don’t want to invest or use another 3rd party app.
I have just tried to do this in my lab and couldn’t get it to work. Packaging the app is all fine, I think the issue is around the cer deployment through Intune.
I can see through Intune that it is saying the cert has deployed but when I check the trusted root store I don’t see it. What’s odd is when I created the profile, I did this under the Windows 10 profile however once I save the profile it creates it under Windows 8.1 or later?? I also try to install the MSIX manually and it reports that it’s an untrusted app with a red x.
When I install the cert manually then the msix app installs successfully and I can also see the cert in the trusted root store.
Do you know what might be wrong?
Hi,
I checked my deployment and I can confirm that the platform supported status is Windows 8.1 and later.
It also seems to me that there is something wrong with the certificate deployment. Without the certificate the package won’t install.
I reran the steps but the certificate is installing on my side, so I’m not sure what is causing your issues I’m afraid. You could check the event logs under Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider.
Hi Stephan,
I created an MSIX app attach for Workspace App and deployed/attached it to my WvD servers.
The Workspace app is visible/available when I log in to WvD, I can launch the Citrix Workspace app so it is working. But….. if I connect to a Citrix storefront server I get a .ICA file from the server but it seems there is no extension relationship with the Workspace App……. and if I search for an app on my computer to open the ICA file the Workspace app does not appear in the available App list??
Any idea how to fix this?
Rgds
Richard van de Ven
Hi Richard,
Good question! Hope this will help you 🙂
http://stephanvdkruis.com/2020/10/msix-filetype-association/