ConfigMgr and MSIX authoring

Technical Preview 1810.2 introduced the first cut for converting MSIs to the new application installation technology MSIX, direct from the ConfigMgr console, and in this post I’m going to kick the feature’s tyres and try to get an end-to-end test out of the way.

Head over to the TP documentation here.

We have some funky technologies to install:

  • MSIX Packaging Tool from the Microsoft Store
  • Latest Windows Insider version of Windows 10

I’m using the following build version:

  • The Windows SDK, which you will need later on as it contains the tooling needed to sign the MSIX so that it can be deployed
  • The ConfigMgr Console.

I opted to install the SDK and Console inside the Windows 10 Insider Preview VM, and run things from there.

With TP1810.2 I’d recommend editing a ConfigMgr Console XML file to remove an XML attribute; this tripped me up further into the process:

It is called out in the documentation; follow it there. It will be fixed in the next TPs.

I downloaded the Windows SDK ISO and installed everything. Initially I tried to install just Windows SDK Signing Tools for Desktop Apps, but it left me short of some of the signing tooling such as MakeCert and Pvk2Pfx.

To actually author an MSIX, ConfigMgr is going to drive the MSIX Packaging Tool, giving it the MSI and waiting for the tool to spit out the MSIX.

So let’s get the MSIX packaging tool and install it.

You can open the Microsoft Store from within the Windows 10 Insider Preview build, or open a browser in there and use that to navigate into the store: https://www.microsoft.com/en-us/p/msix-packaging-tool/9n5lw3jbcxkf?activetab=pivot:overviewtab

Below we’re ready to get the MSIX Packaging Tool from within the Microsoft Store.

With that in place we’re now ready to convert an MSI.

I’m using my LogLauncher MSI, which is not trusted and thus is marked as Unknown Publisher. Most MSIs direct from vendors will have the publisher listed; I’m cheap and didn’t want to pay lots of money for a signing license, so all my community tooling is marked as Unknown Publisher. When it comes time to make a signing certificate to sign this MSI we’ll return to this point.

Note that the reference MSI must not be installed before you proceed.

Opening the Console installed into the Windows 10 build, I visited Applications and right-clicked LogLauncher. As you see below, the option to Convert to .MSIX is listed; select it:

Read and make sure you’re sorted:

Also make sure the Application’s content source is accessible, as it will be referenced. We’re not, it seems, taking the content from the Content Library but from the content source.

Provide an output location for the MSIX Packaging Tool to spew out an MSIX:

Notice the Publisher is noted as CN=Unknown Publisher:

Let it proceed.

You can monitor the CBS and DISM logs, which spew out lots of information as the process proceeds down the rail towards an MSIX.

I noted that logs and other files are deposited inside:

C:\Users\administrator\AppData\Local\Packages\Microsoft.MsixPackagingTool_8wekyb3d8bbwe\LocalState\DiagOutputDir

If it fails, refer to the log file in DiagOutputDir; if there are no issues, you’ll be met with success:

Here’s my new MSIX for the LogLauncher MSI:

I renamed it to LogLauncherV3.6.msix.

MSIX is a container, and if you rename the extension to zip you’ll be able to navigate around, even extract the contents.

Note that the MSI will now be installed on the reference system; uninstall it. Remember also that to repeat the conversion process you will need to uninstall the MSI. I also had issues repeating the conversion and put it down to file lock sensitivity on logs and possibly the log folder.

Here’s a reference to the MSI being installed:

If you try to install the MSIX, no dice, since it is not signed:

So now we come to signing the MSIX.

This isn’t done in-console today, we jump out and I signed using the CA PKI and the SIGNTOOL unsuccessfully, then with some assistance from the PG reverted to self-signed certificates which was successful.

I won’t cover the CA PKI work as it resulted in failure, I’m not 100% sure if this is expected but for the purposes of turning the handle on the feature, self-signed certificates carried the day, and I’ll document those steps so you can proceed as I did.

You’ve got the SDK installed, so open a CMD prompt and navigate into the Windows SDK folder, C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64 for a default installation.

1. MakeCert

We create our self-signed CER certificate file and private key file.

MakeCert /n "CN=Unknown Publisher" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /e "01/01/2040" /sv c:\temp\UnknownPublisherKey.pvk c:\temp\UnknownPublisherKey.cer

If you get a pop-up interactive dialog select None to proceed. I didn’t get this the second time around, and I don’t have Conan around today to offer his wisdom as to why, he’s off rescuing ladies, stealing jewels or overthrowing a bad guy I guess.

2. Pvk2Pfx

We then bundle the CER and PVK together into a PFX.

Pvk2Pfx -pvk c:\temp\UnknownPublisherKey.pvk -pi password -spc c:\temp\UnknownPublisherKey.cer -pfx c:\temp\UnknownPublisherKey.pfx -po password

3. SignTool

Now we sign the MSIX with the PFX certificate.

SignTool sign /fd SHA256 /a /f c:\temp\UnknownPublisherKey.pfx /p password c:\temp\LogLauncherV3.6.msix

Once we’re signed okay, we need to store the CER file in the Windows 10 Insider Preview computer’s Trusted Root Certification Authorities store so that our certificate is trusted.
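Because the MSIX is a ZIP container, the two things signing depends on can be checked directly: the Publisher in AppxManifest.xml, which has to equal the subject of the signing certificate (here CN=Unknown Publisher), and the AppxSignature.p7x entry that a signed package carries. The script below is an added example, not part of the original post; the function names, the LogLauncher.exe entry and the in-memory sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the root manifest schema used by MSIX/APPX packages.
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

def inspect_msix(source, expected_subject):
    """Report identity and signing state of an MSIX (path or file-like object)."""
    with zipfile.ZipFile(source) as pkg:
        names = set(pkg.namelist())
        if "AppxManifest.xml" not in names:
            raise ValueError("not an MSIX/APPX package: AppxManifest.xml missing")
        # For packages from untrusted sources, parse with defusedxml instead.
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    identity = root.find(APPX_NS + "Identity")
    if identity is None:
        raise ValueError("manifest has no Identity element")
    publisher = identity.get("Publisher", "")
    return {
        "name": identity.get("Name"),
        "version": identity.get("Version"),
        "publisher": publisher,
        # Presence only; this does not validate the signature itself.
        "signed": "AppxSignature.p7x" in names,
        # Plain string comparison against the certificate subject.
        "publisher_matches": publisher.strip() == expected_subject.strip(),
    }

def build_sample(signed):
    """Constructed stand-in for the converted package; not a real MSIX."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="LogLauncher" Publisher="CN=Unknown Publisher" '
        'Version="1.0.0.0" ProcessorArchitecture="x64"/></Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("VFS/ProgramFilesX64/SMSMarshall/LogLauncher/LogLauncher.exe", b"")
        if signed:
            z.writestr("AppxSignature.p7x", b"constructed placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, pkg in (("unsigned", build_sample(False)), ("signed", build_sample(True))):
        print(label, inspect_msix(pkg, "CN=Unknown Publisher"))
```

A present AppxSignature.p7x only shows that the package was signed; SignTool's verify command is what checks that the signature is valid and chains to a trusted certificate.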

The next hurdle is to enable sideloading in Windows 10:

To install this app, turn on sideloading mode in Settings > Update & security > For developers. If you can’t turn it on, ask your system administrator to unlock the machine for sideloading (0x80073CFF)

If you have this managed in Group Policy, great; otherwise head to GPEDIT.MSC on the Windows 10 Insider Preview build, navigate down to Computer Configuration\Administrative Templates\Windows Components\App Package Deployment\Allow all trusted apps to install, and enable it:

Helpful information on how to do this here: https://blogs.technet.microsoft.com/askds/2015/09/22/manage-developer-mode-on-windows-10-using-group-policy/

We can now enable the Sideload apps option:

Launch the MSIX manually:

If you have it ticked to Launch when ready it’ll close the wizard (of sorts) and spawn the executable. I assume this is a carry-over from a setting in the MSI, without which you won’t be prompted to launch.

I managed to snap a shot before the installation completed, and we’re done:

Once it’s installed I uninstalled in readiness for the next step using Settings > Apps to perform the uninstall.

Let’s deploy via ConfigMgr.

Create an Application and choose the Windows app package option, specify the content source:

I already have LogLauncher as an Application in ConfigMgr, so I’ve modified the name to be LogLauncher MSIX.

This gives rise to considerations about content source management: do you put the MSI and MSIX into the same folder, do you split the folders to denote the installer technology, will you even bother to continue deploying MSIs?

Worth pondering.

And finally we close off, once we’ve reviewed the output and noted its success:

I distributed the content to the DPs and deployed the application to my Windows 10 Insider Preview build after deploying the CM client and assigning it to my lab’s TP 1810.2 site.

Ready up to install:

And we’re done, LogLauncher Windows application is installed successfully:

An MSIX delivered by ConfigMgr to a Windows 10 client.

Nice.

That’s the end to end testing completed.

The CA PKI problem I’ll figure out another time, and put together a post to cover.

Worth noting that this MSIX is treated as a Windows Application, not handled the same as a traditional Windows application, such that it doesn’t install into the root of C:\Program Files or its 32-bit equivalent, instead it is in C:\Program Files\WindowsApps (C:\Program Files\WindowsApps\LogLauncher_1.0.0.0_x64__wzjnk46ffa9tw\VFS\ProgramFilesX64\SMSMarshall\LogLauncher)

To uninstall a Windows application, you have to go to Settings > Apps; it doesn’t show in Control Panel’s Programs and Features:

And the cupboard was bare:

I’ve been talking to the product group about this feature, and given them some feedback, much of what we’ve discussed I have to treat as NDA, but I’ll revisit conversations and ask what I can reveal, I definitely recommend keeping an eye on this feature, as there is much goodness about to pour forth.

It is great to see ConfigMgr having parity with Intune in being able to deploy MSIX packages, with Current Branch 1806 providing support for MSIX delivery. We just have to wait for the uptake to fully saturate things, and MSIX will be the de facto standard for packaging, I’m sure.

I hope this helps accelerate any attempts you make to check out this brilliant feature in TP 1810.2, if you do or have comments about the above, feel free to reach out via the comments in my blog (www.configmgr2012.com) or via twitter @robmvp.

The TP Docs lead to here for signing: https://blogs.msdn.microsoft.com/sgern/2018/09/06/msix-the-msix-packaging-tool-signing-the-msix-package/

Good reference material for SignTool: https://docs.microsoft.com/en-us/windows/desktop/appxpkg/how-to-sign-a-package-using-signtool

Since Build 1806 of Current Branch we can deploy MSIX packages, see Docs here: https://docs.microsoft.com/en-us/sccm/apps/get-started/creating-windows-applications#bkmk_general

Reference material for code signing using CA PKI: https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-an-internal-pki/

I found this post from Rory Monaghan (RoryMom) that walks through the MSIX Packaging Tool, useful side-material thanks Rory: https://www.rorymon.com/blog/how-to-create-an-msix-package-with-the-msix-packaging-tool/

I used this as reference material for the CA PKI but it failed: https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-an-internal-pki/