Push your programs via MSIX packages

To start using Intune as an endpoint management tool we will need to define what makes up the “Modern” workplace for our users: the automatic configuration, the security and compliance aspects, the collaboration tools and, last but not least, our (legacy) applications.

This last group is often a tough cookie, as these applications tend to need customizations during installation and while the program is in use. It is at this stage where the MSIX (packager) enters the room.

With the MSIX packager you’ll be able to install your program, make customizations while it is installed, and mold the result into an Intune installer package.

To start things off, download the MSIX Packaging Tool via the Microsoft Store:

MSIX Packaging Tool

You will be presented with 3 options:
– Create a new application package

– Add a modification package, which serves as an option A, B, C etc. package for the original installer.
For example, consider installing 7-Zip and creating 3 modification packages, each containing a modification that sets the language for the program.
Because the MSIX packager records all the registry changes the program (or the installer, when you create a new one) makes, these packages will be add-ons to the original installer.

– Modify an existing package, which gives you the option to take a deep dive into the created package. This may come in handy when you are not sure if the packager has added all the registry keys you captured while creating the package or if you want to sign the package when you’ve forgotten to do so during package creation.

Let’s start the show!

Capturing a new MSIX package

Select the Application Package option

You will be requested to choose how you want the package to be captured.
I’m a huge fan of the option to use a virtual machine because everything you change on the VM will be “untouched” once you restore a clean installation snapshot.
Speaking of which, I would advise you to consider making a snapshot of your VM and restoring it every time you start creating a package. The tool will not do this for you, which could cause some previously configured settings to end up in your MSIX package.

The packaging tool will then check if the required capturing driver has been installed and it will temporarily disable Windows Update to make sure changes created by the Update service are not captured. Windows Search will also be disabled, because its indexing is not needed during the capture.

Next up you will select the installer file for the application you wish to package. You are not required to select this in the UI, as the tool detects which installer is being launched during the capturing process.
This makes it possible to copy the installer files to the VM before you start the tool.

A requirement for deployment via Intune is signing the application, either with a certificate or by using Device Guard via the Microsoft Store for Business.
I will be selecting the certificate signing option because it’s a fairly easy process to generate a certificate and add it to Intune.

You can create a self-signed certificate via the following PowerShell command:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=MSIX-Signing" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert

Remember that you will need to renew the certificate once it expires.
The default expiration date will be 2 years after the certificate has been generated.
The lazy admin way would be to add the -NotAfter parameter and set it to 99 years:

-NotAfter (Get-Date).AddYears(99)

So it will expire after… 99 years, but you should check if this matches your company’s security policy 😉

The result is a self-signed certificate which you can export from your personal store and use as a signing certificate for the MSIX package:

Self signed certificate is saved in your personal store
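
As an added example (not part of the original post), the export step can be scripted: the block below reuses or creates the CN=MSIX-Signing certificate, exports the public .cer for the Intune certificate profile and a password-protected .pfx for signing, and defines a check that a finished package was signed by that certificate. The output folder, the file names, the explicit 2-year -NotAfter, the package path in the last comment and the Test-MsixSignature helper are assumptions made for illustration.

```powershell
# Added example; folder, file names and lifetime are assumptions, not from the post.
$subject = 'CN=MSIX-Signing'   # the Publisher in the package manifest must match this subject
$outDir  = Join-Path $env:TEMP 'msix-signing'   # hypothetical working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Reuse an existing, unexpired signing certificate instead of creating duplicates.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
        -Subject $subject -KeyAlgorithm RSA -KeyLength 2048 `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
        -KeyExportPolicy Exportable -KeyUsage DigitalSignature `
        -Type CodeSigningCert -NotAfter (Get-Date).AddYears(2)
}

# Public half (.cer): the file uploaded to the Intune certificate profile.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'MSIX-Signing.cer') -Type CERT | Out-Null

# Private half (.pfx): used to sign packages; keep it password-protected and off end-user devices.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'MSIX-Signing.pfx') -Password $pfxPassword | Out-Null

# Report which certificate devices will be asked to trust and when it must be renewed.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# After packaging: confirm the package was signed with this certificate.
function Test-MsixSignature {
    param([string]$PackagePath, [string]$ExpectedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    # On a machine that does not trust the certificate yet, Status is not 'Valid';
    # the signer thumbprint still shows which certificate signed the file.
    [pscustomobject]@{
        Status       = $sig.Status
        SignedByOurs = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    }
}
# Usage (hypothetical path): Test-MsixSignature -PackagePath 'C:\Packages\7zip.msix' -ExpectedThumbprint $cert.Thumbprint
```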

To deploy the certificate, add a device configuration policy to Intune with a certificate template like the example below:

And now, let’s fire up the installer!
During the previous step an RDP connection was already made and I was required to enter the same credentials in order to start the session.
The installer launched and I clicked Next, Next, Next… Next and Finish!

Installation started on the VM

Once the installer closes, the MSIX packager notices the process has stopped and reports it back to us.

The MSIX packager recognizes the installed application’s program path and gives you the option to start it and make any customizations.
If the packager doesn’t list the correct path you can select Browse… to choose from the other detected paths the installer created.

To record the language change I’ve copied the file path and started the executable on the VM. I then changed the language setting from Dutch to English.

Once you’re done with all the modifications, you can click Next in the packaging tool and you will be asked to confirm.

The last step is choosing which of the services used or created during the installation to include in the package.

After the process you will be able to view and/or edit the package settings, such as the language change (none is English).
