In this post, Manish Bangia will be discussing how to create an MSIX package using the MSIX Packaging Tool. There are a couple of requirements to create an MSIX package: creating a code signing certificate, downloading the MSIX Packaging Tool and creating a package with it, and signing the application with the code signing certificate.
What is an MSIX package?
If you are wondering what an MSIX package is and why we require it, let’s understand what exactly it is. MSIX is a Windows app package. Usually, we see these kinds of packages in the Microsoft Store. You can think of the MSIX package as a combination of MSI + appx packages. Hence it has the features of MSI files and the security features of the appx format. In layman's terms, think about something like this:
MSIX = MSI + .appx
MSIX is not just limited to converting MSI files; we can use other formats such as exe, scripts, etc.
Deploying MSIX packages is the modern way Microsoft recommends deploying applications. MSIX is designed for modern systems and the cloud. You get the following benefits from using MSIX packages:
- Reliability: MSIX boasts reliable package installation with a 99.96% success rate and a guaranteed uninstall.
- Network bandwidth optimization: MSIX reduces the impact on network bandwidth by downloading the content in 64k blocks.
- Disk space optimizations: With MSIX, there is no duplication of files across apps.
Requirement for creating MSIX package
- Create Code signing Certificate for MSIX Installer: We need to create a code signing certificate. This can be either purchased through a vendor, or we can create our own if we have the Active Directory Certificate Services role installed on an on-premises environment.
- Export Code Signing Certificate: We will be exporting the Code signing certificate in a pfx format which requires a password.
- Download MSIX Packaging Tool
- Create MSIX package: Using the MSIX Packaging Tool, we will capture the installation of the existing MSI or exe file and will sign the package with a Code signing certificate.
Note: In this demonstration, we will be using the Notepad++ application (in exe format); download it using the link.
Once the msix package is created, it can be used for deployment using SCCM / Configuration Manager or Intune. You may check the link How to deploy MSIX package using Intune.
Create Code Signing Certificate for MSIX Installer
Let’s proceed with the very first requirement. We will create a Code Signing Certificate; we will not use 3rd party vendor’s certificate, but rather create our own using Certificate Authority when the Active Directory Certificate Services role is installed as one of the Server roles.
Log in to the server where the ADCS role (Active Directory Certificate Services) is installed. Launch Certificate Authority. You may also run Certsrv.msc through Windows + Run.
Select the folder Certificate Templates, right click, and select Manage
This will launch Certificate Templates Console. Under the list of all Template Display Name, select Code Signing Certificate, right click and choose Duplicate Template.
This will open the properties of the new duplicate template. Provide a Template display name that suits your organization. You may also change the Validity period, which is 1 year by default; I am changing it to 5 years.
Click on the Request Handling tab, and select Allow private key to be exported.
Under the Subject Name tab, select Supply in the request.
Click on the Security tab to add Domain Computers and specify Permissions as Read, Enroll. For automatic enrollment purposes, you may also go with Autoenroll.
We are done with creating the Certificate Template for the Code Signing Certificate, with the name manishbangia.com Code Signing. We can close the Certificate Templates Console window to return to Certificate Authority.
Under Certificate Authority > Certificate Templates, right-click and select New > Certificate Template to issue.
Under Enable Certificate Templates window, select the recently created Code Signing Certificate and click OK.
We can now see our Code Signing Certificate listed under Certificate Templates and ready to be used.
Launch the Current User certificate store. This can be done in 2 ways:
- The easiest way is to run command – certmgr.msc
- Another way is to launch MMC and add the following Snap-ins – Certificates > My User Account
Under Certificates – Current User > Personal > Certificates, right-click and select All Tasks > Request a new certificate
Under Request Certificates, click the Code Signing Certificate we created previously
Click on More information is required to enroll for this certificate. Click here to configure settings. This is required because we previously selected “Supply in the request” for the Subject name.
Under Certificate Properties > Subject name, with Full DN selected provide a value such as CN=manishbangia.com and click on Enroll.
We can see manishbangia.com certificate issued under the Personal certificate store showing 5 years of validity starting from today.
Right-click this certificate > All Tasks > Export. Click Next on the Welcome page.
Under the Certificate Export Wizard page, select “Yes, export the private key” and click Next.
Under Export File format, select Personal Information Exchange – PKCS #12 (.PFX) with default selection and click Next.
Under the Security page, provide the password and click Next.
Under File to Export, provide the location where this certificate is going to be saved in pfx format.
We now have the certificate successfully exported under the c:\temp directory.
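The exported PFX can be checked from PowerShell before it is handed to the MSIX Packaging Tool. This is an added example, not part of the original post; the file name codesign.pfx is an assumption (the post only gives the c:\temp directory).

```powershell
# Added example. C:\temp\codesign.pfx is an assumed file name.
$pfxPath  = 'C:\temp\codesign.pfx'
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Get-PfxData (PKI module) reads the PFX without importing it into a certificate store
$cert = (Get-PfxData -FilePath $pfxPath -Password $password).EndEntityCertificates[0]

# Collect the Enhanced Key Usage OIDs; Code Signing is 1.3.6.1.5.5.7.3.3
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

# Build the chain against this machine's trust stores (the issuing CA must be trusted here)
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject       = $cert.Subject      # expected: the DN entered at enrollment
    Issuer        = $cert.Issuer
    NotBefore     = $cert.NotBefore
    NotAfter      = $cert.NotAfter     # expected: validity period set on the template
    IsCodeSigning = $ekuOids -contains '1.3.6.1.5.5.7.3.3'
    ChainTrusted  = $chainOk
    ChainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Thumbprint    = $cert.Thumbprint
}
```

The Subject shown here is the value the packaging tool later uses to auto-populate the Publisher name.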
Create an MSIX package using MSIX packaging tool
What is MSIX Packaging Tool
With the MSIX Packaging Tool, you can convert the following to an MSIX application package:
- Manual installation
How to install MSIX Packaging Tool in offline mode
If you have an internet connectivity issue or don’t have direct access to Microsoft Store, you can download the latest version of MSIX Packaging Tool from here – Download MSIX Packaging Tool offline. The downloaded offline package will have the msixbundle extension.
Run the following command to install MSIX Packaging Tool using PowerShell:
Add-AppPackage -Path C:\Toos\MSIXPackagingTool_1.2022.110.0.msixbundle
It is recommended to install MSIX Packaging Tool on a VDI or any system which has minimal applications installed, as we are going to capture the application installation during the whole process.
If you have Hyper-V installed, you can easily create a virtual machine with the MSIX Packaging Tool Environment. For this, launch Hyper-V Manager, right-click and select Quick Create.
This brings up a window with “Select an operating system” where we have the following options:
MSIX Packaging Tool Environment
Ubuntu 18.04.3 LTS
Windows 11 dev environment.
Once you select MSIX Packaging Tool Environment, it will download and create a VM with the latest Windows 10 operating system and the MSIX Packaging Tool already installed; this will require approx. 5 GB of download from the internet.
If you are manually installing the tool from the Microsoft store, the following prerequisites are required for MSIX Packaging Tool:
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you’re using an Insider build)
- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
- Admin privileges on your PC account
Once the tool is installed on a separate Windows 10 / Windows 11 system, launch it and select Application package (with Modification package and Package editor as additional options).
On the Create new package page, under the Packaging method, select Create package on this computer and click Next.
On the Prepare computer page, the tool will go through a few checks and will install the MSIX Packaging Tool Driver.
You might see the following error while trying to install MSIX Packaging Tool Driver:
Driver Installation failure
We encountered an error when trying to install your driver. More information is available in your logs.
Make sure you have access to the Microsoft Store (as one of the prerequisites) or else you will get Error code 0x80131500.
If you face the above error, navigate to Get the MSIX packaging Tool driver. This page will allow us to download the specific FOD.cab file which contains the driver (the MSIX packaging tool driver is part of the Feature on Demand (FOD) package).
Once MSIX Packaging Tool Driver is installed, return to Packaging Tool, select “Windows Search is active” and click Next.
On Choose the installer you want to package, browse to select the downloaded Notepad++ installer.
Under Signing preference, we can either go with Sign with Device Guard signing version 2 or Sign with a certificate (.pfx); we are going to use the latter. Browse for the certificate we created previously, provide the password and click Next.
On the Package information page, provide:
Package Name: NotePadPlusPlusMSIX
Package display name: NotePadPlusPlus MSIX
Publisher name: This will be auto-populated based upon the subject name we specified earlier for the certificate
Publisher display name: manishbangia.com
Version: Provide the info for the version such as 8.2.1
Package Description: NotePadPlusPlus MSIX Application
Installation location: leave it blank for default location
On the Installation page, the tool will trigger the application installer; click through its user interface to run the installation. Everything we do here is monitored, and the files and registry values that get created will be saved as part of our msix package.
Once the installation is done, uncheck the box Run Notepad++v8.2.1 and click Finish.
If the application requires a restart, this is the time to do it by clicking Restart machine, as the same behavior will be captured for our msix package. Click Next.
On the Manage first launch tasks page, you have the option to specify post-installation tasks. This could be important in scenarios where you want to customize the application for the user, such as changing the default save location. Click Next.
MSIX Packaging Tool will give you a warning; select Yes, move on to start creating the package.
The service report page will be detecting any service changes (start/stop) to capture, click Next.
On the Create package page, provide the save location. Just for the sake of understanding, you may also click on Package editor, which provides more advanced custom settings.
The package editor consists of:
- Package information: This consists of the basic package information we provided earlier
- Services report: This is the same Services report page which is used to capture the service status
- Capabilities: This page shows the capabilities you can provide for this package
- Virtual registry: This shows the registry values created as part of the application installation; this is a good time to create your own registry values used for company branding.
- Package files: This will show all files and folders created during the application installation process.
We are good to go as we are not doing any further customization, so click on Create.
Here you go: the MSIX package is created successfully under the save location. We can also check the Package report logs, which are located under c:\users\username\AppData\Local\Packages
Let’s try to install the application, which is available with the following name: NotePadPlusPlusMSIX_126.96.36.199_x64__twve9bt9x6ty8.msix
While trying to install the msix file by double-clicking it, we see the following error:
NotePadPlusPlus MSIX installation failed, reason:
To install this app, enable sideload apps mode and re-initiate the install. If you can’t enable it, ask your system administrator to unlock the device for sideloading (0x80073CFF)
The reason for this error is that Microsoft doesn’t allow installing just any msix application; by default, only applications installed through the Microsoft Store are allowed. To change this behavior, navigate to Settings > Update & Security > For developers; under Developer features we have 3 options:
Microsoft Store apps
Select Sideload apps and try to install the msix file again. This time we see Notepad++ installed successfully.
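Before a device is switched to Sideload apps, the package's signature, its declared publisher and the current sideloading settings can be checked from PowerShell. This is an added example, not part of the original post; the function name Test-MsixBeforeSideload and the path in the usage line are hypothetical.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MsixBeforeSideload {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Signature on the package; Status is 'Valid' only if the signer chains
    #    to a root this device trusts (e.g. the internal CA that issued the cert)
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 2. An .msix is a ZIP container; read the Identity element of AppxManifest.xml
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        [xml]$manifest = $reader.ReadToEnd()
        $reader.Dispose()
    } finally {
        $zip.Dispose()
    }
    $identity = $manifest.Package.Identity

    # 3. Raw AllowAllTrustedApps values (1 = trusted sideloading enabled, $null = not set)
    $read = {
        param($key)
        (Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    }

    [pscustomobject]@{
        Package           = $identity.Name
        Version           = $identity.Version
        ManifestPublisher = $identity.Publisher
        SignerSubject     = $sig.SignerCertificate.Subject
        # Plain string comparison; sufficient for a single-RDN subject such as CN=...
        PublisherMatches  = ($identity.Publisher -eq $sig.SignerCertificate.Subject)
        SignatureStatus   = $sig.Status
        SignerThumbprint  = $sig.SignerCertificate.Thumbprint
        PolicySideload    = & $read 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
        SettingsSideload  = & $read 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    }
}

# Usage (placeholder path): Test-MsixBeforeSideload -Path 'C:\temp\package.msix'
```

A SignatureStatus other than Valid, or PublisherMatches being False, means the install will fail even with sideloading enabled, so it is worth resolving before changing the device setting.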