Sideloading Universal Windows Apps on Windows 10 (Deep Dive)


  1.  Obtain publisher certificate and install to Trusted Root Authorities
  2.  Enable sideloading via GPO
  3.  Deploy application via SCCM or powershell

Note:If the appx requires VCLibs 120.00 package (Visual C++ 2013 for 8.1 universal apps), then you will encounter problems installing the package on Windows 10.






VCLibs.120 was the latest available version as of today, and the Visual C++ download site specifically lists it for Windows 8.1 https://support.microsoft.com/en-nz/help/2977003/the-latest-supported-visual-c-downloads

If you open the VCLib appx package in 7zip, you'll see an AppXManifest.xml file, which specifies the OS Max version tested.  

In Diligent's case, it looks like:
<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Microsoft.VCLibs.120.00" ProcessorArchitecture="x64" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Version="12.0.21005.1" />
  <Properties>
    <Framework>true</Framework>
    <DisplayName>Microsoft Visual C++ Runtime Package</DisplayName>
    <PublisherDisplayName>Microsoft Platform Extensions</PublisherDisplayName>
    <Description>Microsoft Visual C++ Runtime support for native applications</Description>
    <Logo>logo.png</Logo>
  </Properties>
  <Resources>
    <Resource Language="en-US" />
  </Resources>
  <Prerequisites>
    <OSMinVersion>6.3.0</OSMinVersion>
   <OSMaxVersionTested>6.3.0</OSMaxVersionTested>
  </Prerequisites>
</Package>

Windows 8.1








Windows 10 (1709)

This kind of problem will prevent you from natively deploying an application via SCCM (as an .appx package type) on Windows 10 devices.  The issue is not present when you deploy to Windows 8.1 devices.  However, you can work around this by installing the packages via the Powershell commandlets which appears to bypass the manifest.

Step 1.  Use the Group Policy Editor to enable sideloading

    Run gpedit.msc (requires Administrator rights)
    In the Group Policy editor navigate to the folder:
        "Computer Configuration\Administrative Templates\Windows Components\App Package Deployment" in the Group Policy editor.
    Enable the setting "Allow all trusted apps to install"
 
    (This will set the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps (DWord) = 1)
 
    Step 1 applies to a domain connected device. If the device is not connected to a domain, then a
    Microsoft Sideloading key needs to be installed on the device.


Step 2.  Install the code signing certificate. This needs to be installed into the local machine as a trusted root certificate.
   
    PowerShell Command (run as administrator):
    Import-Certificate -Filepath .\Dragonfly_2.8.2.1735_x86_arm.cer -CertStoreLocation cert:\LocalMachine\Root


Step 3.  Install the app.

    PowerShell Command (run as current user):
    Add-AppxPackage .\Dragonfly_2.8.2.1735_x86_arm.appxbundle -DependencyPath .\Dependencies\Microsoft.VCLibs.x86.12.00.appx, .\Dependencies\Microsoft.VCLibs.x64.12.00.appx -ForceApplicationShutdown


Step 4.    Uninstall the code signing certificate.

    PowerShell Commands (run as administrator):
  
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
    $store.Open("ReadWrite")
    $store.Remove($store.Certificates.Find("FindBySerialNumber", "7d84a4beb61e19964f8386ca5370fc51", $FALSE)[0])
    $store.Close()

Notes:
    The PowerShell commands assume you are in the directory with the release files.
    These steps can be performed manually or automated using a tool such as SCCM

Uninstall the package via the Name which can be found by running "Get-AppxPackage" in powershell

PS Microsoft.PowerShell.Core\FileSystem::\\pkg\ass\NZPost\diligent 2.8.2> Get-AppxPackage -Name *Diligent*

Name              : 63318D1C.DiligentBoardbooks
Publisher         : CN=29935EB2-E718-4AD7-9C1C-AD4C11C1EB44
Architecture      : X86
ResourceId        :
Version           : 2.8.2.1735
PackageFullName   : 63318D1C.DiligentBoardbooks_2.8.2.1735_x86__nwc34287te1rm
InstallLocation   : C:\Program Files\WindowsApps\63318D1C.DiligentBoardbooks_2.8.2.1735_x86__nwc34287te1rm
IsFramework       : False
PackageFamilyName : 63318D1C.DiligentBoardbooks_nwc34287te1rm
PublisherId       : nwc34287te1rm
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
Dependencies      : {Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe}
IsPartiallyStaged : False
SignatureKind     : Enterprise
Status            : Ok

Other notes:
https://docs.microsoft.com/en-us/sccm/apps/get-started/creating-windows-applications
"

Support for Universal Windows Platform (UWP) apps

Windows 10 devices do not require a sideloading key to install line-of-business apps. For sideloading to be enabled, however, the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps must have a value of 1.
If this registry key is not configured, Configuration Manager automatically sets this value to 1 the first time you deploy an app to the device. If you have set this value to 0, Configuration Manager cannot automatically change the value, and the deployment of line-of-business apps fails."



Comments

Post a Comment

Popular posts from this blog

AppUserModelID & Disappearing Shortcuts in Windows 8

Image
If you have a package which contains multiple shortcuts to the same executable (but different arguments), then you'll most likely find that most of the shortcuts (except one) will be hidden from the Windows 8 Start Screen, and won't even appear under "All Apps".  This package is authored correctly and fully ICE validated.  This package creates 10 shortcuts, yet only one of the shortcuts which has a target of "Loader32.exe" is showing.  Take a look at the screenshot of the relevant program group as showin in the Windows 8 Start Screen Below. All the rest of the shortcuts that have the same target of "Loader32.exe" are hidden.  This is evident, if I right click any of the three shortcuts above and click on "Open File Location" to reveal the path of where the shortcut physically exists.  See the Windows Explorer (aka File Explorer as it's now called in Windows 8)  screenshot below: The issue is to do with needin
Read more

An alternative method of installing device drivers

Image
Basically, as an alternative to install a device driver using the DifxApp merge module (with Windows Installer), you can stage the device driver into the driver store in Windows 7 & 8 using a native utility called " pnputil .exe".  This is IDEAL for situations where you're using non MSI packaging methods and application virtualisation technologies. i.e. Apps that require a device driver, which should make virtualisation possible if you script the pre-launch logic to install the device driver physically .  Even though the files contained within the virtualised package are virtual, once they are staged into the virtual store, the drivers become physically part of it. For instance, in App-V 5, you could use a StartVirtualEnvironment event action.  For Symantec SWV packages, this would be achieved via the OnPostActivate action. What is the Driver Store ? http://technet.microsoft.com/ en-us/library/cc731478.aspx The driver store is exactly what the name sugges
Read more