This post will step through the deployment of Windows 10 Universal Windows Platform Apps (.APPX) using Microsoft Intune. These are the high-level steps:
- Create a test app (with Visual Studio)
- Upload the APPX bundle (Intune Standalone console)
- Deploy the cert chain to Windows 10 devices (only if you are using a self-signed cert or internal PKI)
- Deploy the APP to a device group
- Pat yourself on the back
Step 1 – Create a Test App with Visual Studio
If you focus on Infrastructure and Device Management as a day job, developing Windows 10 Apps may be unfamiliar ground, and likely not in your job description. I’m going to cover it briefly here though because it’s handy for testing and troubleshooting purposes and it’s also super easy.
For this step you’re going to need a copy of Visual Studio installed; you can get a trial version from here. If you just want to test out the Intune Deployment part, skip this step and download my sample app attached to this post.
Launch Visual Studio, Start > New Project and choose the UWP App template to start with (UWP Apps can be written in C#, C++ and JavaScript). In my example I’m choosing this template: JavaScript > Windows > Universal > WinJS App (Universal Windows)
Give your project a name and click OK
Choose the Target version and minimum supported version of Windows 10 that this app is going to be deployed to.
Add any artistic customisations you like to index.html and your sample UWP app is done!
Now the last thing to do is sign the app so that it can be distributed and allowed to run on Windows. You can do this a few ways:
Option 1: Use Visual Studio to issue a self-signed certificate and sign the app with that. (If you do this you also need to remember to deploy the self-signed certificate to the Trusted Root Certificate Authority of the devices where the app will be installed)
Option 2: Sign the App with a code-signing certificate issued from your internal PKI (If you do this you need to deploy the Root CA from your internal PKI to the Trusted Root Certificate Authority store in the same way)
Option 3: Purchase a Code-Signing certificate from a vendor. (This is the preferred option as no extra steps are needed at deployment time. The cert chain will already be valid)
*If you are using option 1 or 2, you are going to need an additional step at deployment time: deploy the Root CA certificate (if you signed the app with an internal code-signing certificate) or the self-signed certificate to the devices where you are deploying the app.
For this post, I’m using Option 1 (Self-Signed) as I don’t have a code-signing certificate or PKI.
Select Package.appxmanifest from the Solution Explorer, then Packaging. Select Choose Certificate and select Create a Test Certificate. Provide a publisher name and password for the .pfx then Ok.
When you have finalized your app, select Project > Store > Create App Package
On the Create your packages screen, select No (As you don’t have a Developer account and we will be distributing the app with Intune as an APPX package, not through the Windows Store).
Choose an output location, then select the Neutral architecture and Release under Solution configuration
Because we chose the “Release” version, the next screen will prompt you to run through some app validation tests. You can just close this if you’re just creating a dodgy sample app.
Step 2 – Upload the APPX bundle (Intune Standalone Mode)
Head to the Intune portal and sign in (Manage.microsoft.com)
Select Apps and Add Apps to download and run the Intune Software Publishing Tools
Walk through the Intune Software Publisher Wizard.
- Add Software
- Next
- Choose Software Installer, Windows appx package (*.appx, *.appxbundle) and Browse to the Appx bundle exported from Step 1.
- Fill in any optional information and add an icon
- Next
- Close
Return to the Intune portal, Go to Apps, Apps, then Select the uploaded Windows App to view app information.
Step 3 – Deploy the Root CA to your Windows 10 clients (Only if you are using a self-signed Certificate or internal PKI issued cert)
If you created the appx package with a self-signed certificate (or a code-signing certificate that came from your internal PKI) you have one bonus step. You need to get that Root CA Certificate into the Trusted Certificate store on the Windows 10 devices where you are installing the app. Rather than showing you how to manually copy it and import it, I’ll step you through deploying this with Intune.
In the Intune portal (Manage.microsoft.com) go to Policy and Add Policy
Select Windows > Trusted Certificate Profile (Windows 8.1 and later)
Enter some basic details for the Certificate Deployment, then select the Root CA Certificate from the Visual Studio Output folder (%username%\documents\Visual Studio 2015\<project name>\<app name>\appPackages\<appname>\appname.cer on the machine where the appx was generated).
After you click Save Policy, you will be prompted to deploy the policy now. Click Yes and then choose a sensible device collection.
Step 4 – Deploy the App as a required install
In the Intune console, go to Apps, Apps, select your app from the list and then select Manage Deployment
Deploy to an appropriate Device group as a Required Install
(Note: In some cases, an appx package may have a dependency on frameworks in the form of .appx bundles to work at all. It is important to upload and deploy these for the app to work properly (in the same way described above). With Intune Standalone, there is currently no way to configure dependencies so that the UWP app doesn’t attempt installation until the dependency package is installed, so you will need to consider and plan for this. For more details around possible workarounds see this post: https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/04/02/deploying-appx-package-to-windows-phone-via-microsoft-intune-failes-with-0x0-or-0x87d103e8/)
Step 5 – Pat yourself on the back
So the hard work is done. It’s time to make sure you have the app installed.
Log onto an Intune-enrolled Windows 10 machine
Go to Settings > Accounts > Access Work or School. Select your workplace > Info and Sync now to force an Intune policy sync.
After a successful sync, check that the certificate deployed successfully (run Certlm.msc, then go to Trusted Root Certification Authorities)
Check that the App is successfully installed and works:
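The same two checks can be scripted. This is an added example, not part of the original post: it assumes an elevated PowerShell session on the enrolled device, and the package name and .cer path are placeholders you supply. It relies on the fact that an appx manifest's Publisher must equal the subject of its signing certificate, so it fits the self-signed case (Option 1), where that certificate is also the trusted root.

```powershell
# Added example. Run elevated on the enrolled Windows 10 device.
param(
    [string]$PackageName = 'SampleUwpApp',   # hypothetical package name
    [string]$CerPath                         # optional: the .cer exported by Visual Studio
)

$pkg = Get-AppxPackage -Name "*$PackageName*" -AllUsers | Select-Object -First 1
if (-not $pkg) {
    Write-Warning "No package matching '$PackageName' is installed."
    return
}

# Compare distinguished names with whitespace after commas removed.
$normalize = { param($dn) $dn -replace ',\s*', ',' }
$publisher = & $normalize $pkg.Publisher
$trusted = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { (& $normalize $_.Subject) -eq $publisher })

[pscustomobject]@{
    Package       = $pkg.PackageFullName
    SignatureKind = $pkg.SignatureKind       # a sideloaded package is not 'Store'
    Publisher     = $pkg.Publisher
    RootsMatching = $trusted.Count
} | Format-List

# Show exactly what was added to the machine's Trusted Root store.
foreach ($cert in $trusted) {
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SelfSigned = $cert.Subject -eq $cert.Issuer
        Expired    = $cert.NotAfter -lt (Get-Date)
        EKU        = $cert.EnhancedKeyUsageList.FriendlyName -join ', '
    } | Format-List
}

# Optionally confirm the trusted certificate is the one you exported.
if ($CerPath) {
    $full = (Resolve-Path $CerPath).Path
    $exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    if ($trusted.Thumbprint -notcontains $exported.Thumbprint) {
        Write-Warning "The certificate in $CerPath is not trusted on this device."
    }
}
```

A result of RootsMatching = 0 lines up with the untrusted-root failure covered in the troubleshooting section.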
If it didn’t work…
If it didn’t work, you should definitely not be patting yourself on the back yet. Use these logs to work out what the problem is:
Check Event Logs:
If the appx is not deploying properly, the clue will likely lie in one of these logs:
(Local) > Applications and Services Logs > Microsoft > Windows> AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational.
(Local) > Applications and Services Logs > Microsoft > Windows> AppXDeployment-Server > Microsoft-Windows-AppXDeploymentServer/Operational.
If there is nothing useful in the appx logs, check the Windows MDM log to ensure policy updates have been received from Intune:
(Local) > Applications and Services Logs > Microsoft > Windows> DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Check Intune console:
The Intune portal will also highlight any issues with the app deployment. In the case below there is an error 0x800B0109: Certificate chain led to untrusted root certificate.
If you see this, it is likely that the Root CA cert (Step 3) has not been deployed successfully – go to certlm.msc as above and verify.
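To read the three logs above in one pass instead of browsing Event Viewer, the following added example (not from the original post) pulls recent warnings and errors and flags any entry mentioning 0x800B0109. The 24-hour window is an assumption; adjust it to when the deployment was attempted.

```powershell
# Added example. Run elevated on the enrolled Windows 10 device.
$logs = @(
    'Microsoft-Windows-AppxPackaging/Operational',
    'Microsoft-Windows-AppXDeploymentServer/Operational',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
)
$since = (Get-Date).AddHours(-24)   # assumed look-back window

$events = foreach ($log in $logs) {
    # Level 1 = Critical, 2 = Error, 3 = Warning.
    # SilentlyContinue suppresses the error raised when a log has no matching events.
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'UntrustedRoot'; Expression = { $_.Message -match '0x800B0109' } },
        @{ Name = 'Summary';       Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-List

# A quick verdict for the certificate-chain case described above.
if ($events | Where-Object { $_.Message -match '0x800B0109' }) {
    Write-Warning 'Untrusted root reported: verify the Step 3 certificate in Trusted Root Certification Authorities.'
}
```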
Quick note on SideLoading:
The process of installing UWP apps in this way is called “Sideloading”. If you are familiar with sideloading in previous OS’s you may have noticed that there are no steps above to enable sideloading on the Windows 10 device. That’s because it gets automatically enabled on the device when it is enrolled in management (Intune). You don’t need to push out any settings to configure it.