Sideloading Windows Apps

We recently finished development of a Windows modern app and the client wanted to first test the app on several devices prior to making it fully available. Unfortunately, the Windows Store is a bit of a mess when we want to have limited/private distribution of an application. Unlike the Windows Phone Store which has this concept of a beta app (which was one of the features I had worked on!), if an app is published on the Windows Store, it is made available to everyone which isn't exactly wat we want...

What is Sideloading?

Due to a multitude of reasons (e.g. security), only modern apps that are delivered through the Windows Store are permitted to run on a machine. For development, testing, and enterprise scenarios, we can use a technique called sideloading to install and run apps that are not signed by the Windows Store.

Developer Sideloading

If you've been developing your app in Visual Studio, you've likely already dev sideloaded your app.

When to use:

Only use it for development and testing as it requires constant renewal of the developer license

Requirements:

  • Microsoft Account (MSA) or Registered Windows Developer Account
  • Visual Studio or (on the target machine) Powershell
  • Target machine OS is one of: Windows 8, Windows 8.1, Windows RT

How:

  1. Create app package

    • Using Visual Studio, follow the 'Create App Packages' wizard.

    • Full MSDN walkthrough can be found here.
  2. Deploy Package
    • Distribute the output location folder that was produced in the previous step to all target machines
    • Execute the Add-AppDevPackage.ps1 script
    • The script will attempt to obtain and install a developer license. You can use either your Microsoft Account or a Windows Developer Account to do so. The license has a finite window of validity; license obtained using:
      • Microsoft Account must be renewed every 30 days
      • Windows Developer Account must be renewed every 90 days1

Enterprise Sideloading

The world of enterprise is a little more complex and depends on the licensing agreement that is in place.

When to use:

If you are looking for a long-term solution or you are working on a line of business (LOB) app, this is likely your best bet.

Requirements:

  • Powershell on target machine
  • Target machine OS is one of: Windows 8, Windows 8.1, Windows RT

How:

  1. Create app package (see above)
  2. App Signing

    • The certificate used to sign the application must be a trusted CA on the device. This can be accomplished in one of two ways: (1) signing the app with a certificate rooted to a CA that is already trusted on the device or (2) adding the the certificate that was used to sign the app in the device's trust root cert store.
    • To add a certificate to the cert store:

      string certPath =  Path.GetFullPath("<CERTIFICATE_USED_TO_SIGN_APP>.cer");
      var certificate = new X509Certificate2(certPath);
      var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser);
      store.Open(OpenFlags.ReadWrite);
      
      
      var installCert = store.Certificates.Cast<X509Certificate2>().All(cert => cert.SerialNumber != certificate.SerialNumber);
      if (installCert)
      {
          store.Add(certificate);
      }
      
      
      store.Close();
      
  3. Group Policy setting - Allow all trusted applications to install

    • Manually
      1. Open Group Policy Management Editor
      2. Enable Allow all trusted apps to install
    • Programmatically

      • Create a reg file and execute it using regedit.
      • GroupPolicy.reg:

        Windows Registry Editor Version 5.00
        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]
        "AllowAllTrustedApps"=dword:00000001
        
      • C#:

        var process = Process.Start("regedit.exe","/s "+ Path.GetFullPath("GroupPolicy.reg"));
        process.WaitForExit();
        
  4. Sideloading Product Activation Key

    • The sideloading key is a special type of volume licensing key assigned to a specific device and is necessary according to the table below2:
    • The cost of a sideloading key will vary depending on the licensing agreement. Refer to Windows 8.1 Licensing Guide for details.
    • Activate sideloading key3:

      slgmgr /ipk <sideloading product key>
      slgmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e
      
  5. Deploy Package

    • We can deploy the package using a variety of methods, each has its own pros/cons: Microsoft Deployment Toolkit, Windows InTune, System Center 2012 Configuration Manager. This post is only going to cover Microsoft Deployment Toolkit.
    • Using powershell, execute add-appxpackage:

      add-appxpackage -Path <Path to appxbundle> -DependencyPath <Path to dependency package>
      

Footnotes: