Automatic conversion of applications to MSIX with ConfigMgr

Microsoft Configuration Manager (ConfigMgr) 1810 was released by Microsoft on 27 November 2018. This version introduced a few new functions, among them the ability to convert applications to MSIX.

More info about the new functions of ConfigMgr 1810 can be found on the Microsoft website:
https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1810

This blog post looks at the conversion of applications and packages to MSIX. Is the conversion tooling production ready, and how does this process work?

Only one scenario will be covered in this blog post:

  • MSI Application to MSIX Conversion

Unfortunately, scripted installations (EXE) and App-V packages cannot automatically be converted. App-V can be converted by hand using the MSIX Packaging tool.

About MSIX

The prerequisites for the automatic conversion:

  • ConfigMgr 1810 must be installed, and the feature Package Conversion Manager must be enabled.
  • Windows 10 1809 (Semi-Annual Channel; LTSC does not have the Microsoft Store and cannot sideload the MSIX conversion tool). The use of a VM is advised.
  • The ConfigMgr console must be installed on the Windows 10 1809 machine.
  • There is an internal Certificate Authority, with permissions to modify templates and make these available (the MSIX must be signed).

NOTE: A Windows installation with as few installed applications and features as possible is necessary to make a good package. Make sure that a snapshot of the sequencer is created before converting an application, so it can be reverted after each conversion. Richard Newton has created a great tool called “Windows10Debloater” for cleaning the image. It’s available for free on GitHub: https://github.com/Sycnex/Windows10Debloater.

Creating the Software signing certificate

Instead of using an internal CA, it’s also possible to get a signing certificate from a trusted external CA like Globalsign or Comodo. These will cost about $100 per year. In this blog post an internal CA will be used. If an external CA is chosen, this step can be skipped.

Open the certificate authority, go to the properties of the certificate templates and click manage.

Search for the “Code Signing” certificate and duplicate this template.

On the General tab, enter a descriptive text and set the validity period. Choose a period that suits the environment, as all applications must be re-signed when the certificate expires.
Set the “Publish certificate in Active Directory” checkbox.

In the “Request Handling” tab, check the checkbox “Allow private key to be exported”.
Select “Prompt the user during enrollment”.

On the Subject name tab, check the “Supply in the request” checkbox.
Based on the requirements, set the security of this template to whoever is allowed to enroll this certificate (in the Security tab). For management simplicity, set the security to an Active Directory group.
The certificate template is now ready.
Close the “Certificate template console”.

In the CA, go to the properties of Certificate templates. Click new -> Certificate Template to Issue.

Select the MSIX Signing template that has been created and click ok.
On the Windows 10 computer open the user certificates MMC.

Go to the properties of the Personal certificates, All Tasks -> Request New Certificate.

In the “Select Certificate Enrollment Policy” select “Active Directory Enrollment Policy”.

Select the MSIX Signing template and click Properties.

Under subject name set the type to “Common name” and enter a descriptive value.
Click the add button and click OK.

Click Enroll and click finish in the next screen.

Go to the properties of the certificate that has been enrolled and click Export.

Select “Yes, export the private key”, click Next.

Keep the default settings and click Next.

Set the password for the private key and click Next.

Set the location where the certificate will be saved, click Next and finish the wizard.

Install the MSIX packaging Tool

The MSIX packaging tool is needed to convert the applications and packages to MSIX. This tool must be downloaded from the Microsoft Store.

https://www.microsoft.com/en-us/p/msix-packaging-tool/9n5lw3jbcxkf

This is the point to snapshot the virtual machine and use this as the “master” image.

 

Convert application to MSIX

Open the ConfigMgr Console on the Windows 10 PC, go to “Software Library -> Application Management -> Applications”.

Go to the properties of the application that must be converted and click “Convert to MSIX”.

Make sure all requirements are met; if not, a notification will appear. Click Next.

Give a subject name for the signing certificate, and a package save location. Click Next.
The content of the subject name is not important, because a software signing certificate will be loaded at a later stage.

Check the details in the summary. Information like the PublisherDisplayName and the Application version is fetched from the ConfigMgr database. If any of these are wrong in this wizard, correct them and restart the wizard. If these are all OK, click Next. The package conversion will start.

During the conversion process I encountered an error. After a while of troubleshooting I found out that the machine must have an active internet connection for the package conversion. The internet connection was removed from the VM after the installation of the MSIX conversion tool from the Microsoft Store.

The internet connection was restored, and the wizard was rerun.

With an active internet connection, the conversion went well and has been completed.

Signing MSIX Packages

Despite the fact that a subject name for the certificate is given during the conversion process, the MSIX package still needs to be signed with a software signing certificate. A package that is not signed cannot be installed. The certificate that was generated in an earlier stage of this blog post will be used to do this. The MSIX Packaging tool will be used for signing the MSIX package.

Start the MSIX Packaging tool and open the generated MSIX package.

Click on “Specify your own certificate to sign with”, browse for the certificate and enter the certificate password. Save the package and the package is signed.
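
To check the result before the package goes to the sources share, the signature can be inspected from PowerShell. This is an added example, not part of the original post or of the MSIX tooling; the function name Test-MsixSignature and the sample path are hypothetical. It reads the Publisher from AppxManifest.xml inside the package and compares it with the certificate that actually signed the file.

```powershell
# Added example: inspect a signed MSIX before importing it into ConfigMgr.
# Test-MsixSignature and the sample path at the bottom are hypothetical names.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MsixSignature {
    param([Parameter(Mandatory)][string]$Path)

    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath

    # An MSIX is a ZIP container; the publisher identity is in AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "No AppxManifest.xml found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher

    # Status is 'Valid' only when the signature verifies and the chain is trusted
    # on this machine (the internal CA root must be in the trusted root store).
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Package = $Path; Status = $sig.Status; Signed = $false }
    }

    # The manifest Publisher has to match the subject of the signing certificate.
    $dn = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($publisher)

    # Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) must be present on the signer.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    [pscustomobject]@{
        Package           = $Path
        Signed            = $true
        Status            = $sig.Status
        ManifestPublisher = $publisher
        SignerSubject     = $cert.Subject
        PublisherMatches  = ($dn.Name -eq $cert.SubjectName.Name)
        CodeSigningEku    = $hasCodeSigning
        # Without a timestamp the signature stops validating once the certificate expires.
        Timestamped       = [bool]$sig.TimeStamperCertificate
        SignerNotAfter    = $cert.NotAfter
    }
}

# Test-MsixSignature -Path 'C:\Temp\Example.msix'   # placeholder path
```

A Status other than Valid on a test client usually means the issuing CA chain is not trusted there, which would also block installation.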

Distribute MSIX using ConfigMgr

An MSIX application can be added the same way as any other application (MSI, App-V, scripted).
Copy the created MSIX file to the sources share on the ConfigMgr server.

Under type, select “Windows app package” and browse for the MSIX package on the sources share.

Check all the imported information and click next.

Specify additional information if needed and click Next.

Check the summary information, click Next.

Click close.

The application is now imported and can be assigned to a collection to be distributed.
Of course the application also needs to be distributed to the distribution points.

It’s also possible to sideload the application or to use the Microsoft Store for Business to distribute the MSIX. This will not be covered in this blog post.

Conclusion

I was a little bit surprised that the repackaging tool is not mature yet. The repackaging to MSIX is a specialized exercise, just as it is with App-V and MSI repackaging, not something the ConfigMgr administrator should do. It’s not possible to have an App-V package converted with the help of ConfigMgr, something I really had expected to be live with the “release” status of this feature within ConfigMgr.

During research I found a great presentation by Tim Mangan about App-X.

Based on my results as well as the results of Tim Mangan, I would recommend following the process of MSIX, as it will get more mature in the future. This could become a great tool.

 
