Thursday, February 18, 2021

MSIX Modern Packaging – Part 2

Introduction

In the previous post, “MSIX Modern Packaging – Part 1”, I showed you how to set up a virtual environment for creating MSIX packages.

For MSIX to work we need to sign our packages, and this is typically where we say "ok, I give up". At least back in the days when I heard about certificates I got tired right there. Don't be, it is cool and it is easy once you get the pattern.

In this chapter I will show you how to get a certificate (PFX) ready to use for packaging. How cool is that. Just follow the steps and you will soon be packaging your very own packages.

Requirements

  • Hyper-V
  • PKI

Set up your PKI

Let’s start by creating a new certificate template for your endpoints.

Right-click and choose Manage to open your certificate templates.

Choose Code Signing and click Duplicate Template.

On the Compatibility tab, choose the minimum compatibility level you need.

Go to the Security tab and add Domain Computers.

Tick Enroll.

On the General tab, give it the name MSIX Template.

Template name: MSIX_Template

Validity period: whatever your security requires.

Go to Request Handling and allow the private key to be exported.

Go to Extensions

Choose Basic Constraints

Edit

Enable this extension

Go to Subject Name

Choose Supply in the request (this makes sure we can insert a common name when we request the certificate).

Click OK.

Now we will make the template available to the client devices on the domain.

Find MSIX Template

Click OK

Now everything we need to sign our packages is ready.

Because the certificate is issued by a root authority that our environment already trusts, no other certificates need to be installed in our environment for our MSIX packages to work.

Export PFX for MSIX packaging

Let’s start on a client that is in our environment.

Go to the Start menu and open a Command Prompt (CMD) with elevated permissions.

Click Yes

Type “MMC”

Choose File and “Add/Remove Snap-in”

Choose Certificates and click Add>

Choose My user account

Finish

OK

Choose Personal – Certificates

All Tasks -> Request New Certificate...

Next

Next

Tick the template and click the blue text.

Choose “Common name”

Value: Mindlab (type your own)

Add

OK

Enroll

Finish

Export the certificate

Next

Yes, export the private key

Next

Next

Set a password. (You need to remember it: we will be asked for it when we create an MSIX package with this certificate.)

Encryption: AES256-SHA256

Next

Browse

Save it to a central location (I prefer to keep it together with the source files you need to package).

Next

Finish

OK

Save the certificate to a central location. It can be wise to gather all the source files and other material you need for packaging in the same place.

You can delete the certificate from your store now, as it is no longer needed there.
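
The MMC steps above (request from MSIX_Template with a supplied common name, export with the private key using AES256-SHA256, delete the store copy) can also be scripted. This is an added example, not part of the original post; the output path is a hypothetical location, and the script additionally checks that the exported file carries the Code Signing EKU before the store copy is removed.

```powershell
#Requires -Version 5.1
# Added example: scripts the request / export / cleanup steps described above.
# Assumptions: the template is published as MSIX_Template, the common name is
# "Mindlab" as in the post, and C:\Packaging already exists (hypothetical path).
# -CryptoAlgorithmOption needs Windows 10 1809 / Server 2019 or later.
$ErrorActionPreference = 'Stop'
$TemplateName = 'MSIX_Template'
$Subject      = 'CN=Mindlab'
$PfxPath      = 'C:\Packaging\MSIX-Signing.pfx'
$CodeSignOid  = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# Prompt for the PFX password so it never lands in the script or its history.
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Request the certificate into the current user's Personal store.
$result = Get-Certificate -Template $TemplateName -SubjectName $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete, status: $($result.Status)"
}
$cert = $result.Certificate

# Export with the private key, protected with AES256-SHA256.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
    -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# Re-open the file and confirm it is usable for package signing.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
$eku  = $leaf.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($usages -notcontains $CodeSignOid) {
    throw 'Exported certificate lacks the Code Signing EKU.'
}
if ($leaf.NotAfter -le (Get-Date)) {
    throw 'Exported certificate is already expired.'
}
'{0}  thumbprint {1}  valid until {2:u}' -f $leaf.Subject, $leaf.Thumbprint, $leaf.NotAfter

# Reached only if every check passed: remove the store copy and its private key.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Because any failure stops the script, the certificate stays in the store until a verified PFX exists on disk.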

When we package apps with that certificate, we will see this sign when running them on a device that trusts our CA:
clip_image073

On a device that does not trust our CA, you don’t get to install the package.

Summary

By now we know how to build a virtual environment for our app automation through MSIX.

We also know how to create a template in our PKI and export that certificate for use when we develop MSIX packages. This is the foundation of app automation.

Stay tuned for part 3 where we will start developing a simple package: Notepad++

Monday, February 15, 2021

MSIX Modern Packaging – Part 1

Introduction

If you work with systems management, you will come across applications that need to be mass-deployed to your endpoints. Before that can happen, the vendor either delivers unattended parameters for their installation process or delivers another installation format such as MSI or MSIX.

Every business can benefit from standardizing software deployment and here I will try to help you start doing that.

By going through these steps, you will have a basic setup to start building MSIX packages.

I recommend reading the fundamentals of MSIX, which can be downloaded here. Tim Mangan, Bogdan Mitrache and Kevin Kaminski did an excellent job.

Requirements

  • Hyper-V
  • Minimum 8 GB RAM
  • 50 GB free HDD
  • 2 GHz processor

Set up your lab

Install Hyper-V

Right-click your Start menu.

Open PowerShell with admin rights

Paste this command into the PowerShell console:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Restart if needed.

Start Hyper-V

Right-click your environment and click “Quick Create”

Choose MSIX Packaging Tool Environment

Create Virtual Machine

It will start a download of about 5.6 GB.

Start your newly imported MSIX Packaging Tool Environment

Let the virtual machine configure itself and wait for OOBE to kick in. Make sure your Hyper-V is connected to the internet, and when you reach this screen choose Domain join instead:

clip_image016

Add a username and click next

Type a password and click next

Retype your password and click next

Go through the questions and click next (I’ll skip the next couple of questions)

Don’t use online speech recognition and click accept

Choose No and click Accept

If your virtual machine gets lost, this feature isn’t going to help you. Click Accept.

Choose Send required diagnostic data and click Accept.

Say NO and click accept

Say NO and click accept

Say No and click accept

The virtual machine will log on and you will have all the resources you need to get started.

Start the packaging tool

Click yes

Accept

Open the application package. (We do that because we need to install the MSIX Packaging Tool driver.)

Choose Create package on this computer

Now that the tool is installed, we cancel the packaging process.

Let’s configure the virtual machine for better and cleaner packages

Run from the command line: Services.msc

Disable Windows Search

Disable Windows Update

For better startup performance, stop all unnecessary apps that start with Windows.

Start Task Manager

Restart the virtual machine and log back into it.

Create snapshot

Give it a name and click yes

Summary

By now you should be familiar with your new packaging virtual machine. It is best practice to build packages on a clean machine where we can roll back and have a clean state every time we need to package.

Stay tuned for part 2 where I will cover how to obtain the certificate we will need for signing our applications.