Tuesday, April 03, 2012

Do corporations/businesses need to use the Windows Store to deploy internal LOB Win8 Metro Style apps? Nope (as long as the machines are joined to a domain). Here's the sideloading guide...

Microsoft UK Faculty Connection - Installing enterprise metro apps without using Microsoft Store


Over the past few days I have had a few questions re how does a University go about installing Enterprise apps onto Windows 8 machines without having to setup Microsoft LiveIDs on each of the machines,


However if you are an Enterprise looking to get Metro applications onto your employees/students or lab Windows 8 desktops then you will likely want to do it more directly.

Which is where “sideloading” fits in.

Microsoft Technet has detailed documentation on Windows 8 Sideloading to add and remove line-of-business (LOB) Metro style apps

In brief:

  • App must be cryptographically signed
  • App can only be installed on a computer that trusts the signing certificate
  • Group Policy must have the Allow all trusted applications to install setting.
  • Computer must be domain joined to run the app (not needed for install)

At which point installing an app is as simple as

add-appxpackage C:\app1.appx

Additionally you can also remove apps via this process

Remove-appxpackage C:\app1.apx


TechNet Library - Windows 8 Consumer Preview - Install, Deploy, and Migrate to Windows 8 - How to Add and Remove Apps

Published: February 29, 2012

Updated: February 29, 2012

Applies To: Windows 8

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

You can add line-of-business (LOB) Metro style apps to a Windows® image by using Windows PowerShell® or the Deployment Image Servicing and Management (DISM) platform. LOB applications do not have to be certified or installed through the Windows Store, but they must be signed with a certificate that is chained to a trusted root certificate. To install Metro style apps that are not part of your business line, you must use the Windows Store.

The Dism.exe and Windows PowerShell commands only add, inventory, and remove Metro style apps, you cannot use them to install traditional applications that can only be run on the desktop.

App Signing Requirements

You can install Metro style line-of-business (LOB) apps for Windows that are not store-signed. LOB apps must be cryptographically signed and can only be installed on a computer that trusts the signing certificate.

For more information about how to sign an app and using certificates, see App Packaging Tools.

Windows® 8 Sideloading Requirements

You can add LOB apps on the following versions of Windows when the Allow all trusted applications to install Group Policy setting is enabled:

  • Windows® 8 Consumer Preview
  • Windows Server® 8

You can run sideloaded LOB apps on these versions of Windows only when the computer is joined to an Active Directory domain.

You must set a Group Policy to allow LOB apps to be installed. The computer does not have to be joined to a domain to install provisioned LOB apps. However, the apps will not run until the computer meets this sideloading requirement.

Set Group Policy for sideloading
  1. Open the Group Policy editor. For example, on a computer that is running Windows 8, click Search, click Settings, type Edit Group Policy, and then select the Edit Group Policy setting.

  2. Click Computer Configuration, click Administrative Templates, click System, and then double-click the Allow all trusted applications to install setting.

Add Apps

You can install a signed .appx package on a per-user basis by using the add-appxpackage PowerShell cmdlet.

  • Add a LOB app to a user account
  • Add a LOB app to a Windows image

Inventory Apps

You can list the modern LOB apps installed in on offline or online Windows image and get additional information about the packages.

  • List LOB Apps per user account
  • List provisioned LOB apps in a Windows image

Remove Apps

You can remove individual instances of an app, or remove the provisioning setting of an app.

  • Remove LOB apps per user account
  • Remove provisioned LOB apps in a Windows image


The "You can run sideloaded LOB apps on these versions of Windows only when the computer is joined to an Active Directory domain." requirement is interesting. I guess that makes sense in that this is for businesses, etc where 99.999% will be part of AD domains (even small ones, like with Small Business Server...). This kind of sideloading isn't meant for home/house/family usage. And of course this also means you'll need a SKU that supports domain joining (Professional and greater? Something to watch for when the official SKU's are announced.)

I can see they are trying to walk a tightrope here, where they want to allow businesses enough room to Metro their apps, but without opening every door to everyone and invalidate the security and WinStore deployment story.

No comments: