Microsoft

MSIX requires packages to be signed in order to be deployed. This provides integrity for the package being deployed and ensures that the contents being deployed are what the developer or IT Pro packaged. While this is great, some customers found it problematic to acquire certificates within their enterprise. We heard that from our customers loud and clear! In an upcoming Windows release we will improve the tooling to enable signing of MSIX packages from your Azure Active Directory tenant.

How does it work?
Starting with the Windows Insider SDK 18945 we will have changes and additions to signtool.exe. These changes will allow signtool to interact with Device Guard Signing to remotely sign packages specific to your Azure AD tenant. A user can be granted signing permissions, authenticate with their Azure AD identity, and then sign their packages.

How do I enable this?
To sign packages there are a few steps required to set up your Azure AD users and environment; it's a one-time setup. You will also need an updated SDK (version 18945 or later) for signtool and some additional files to interact with the signing service.

To deploy packages you will need to deploy an intermediate certificate to your devices so they will trust the apps being signed. You download this certificate from the Microsoft Store for Business portal. You can easily deploy this certificate to your devices' root store with System Center Configuration Manager, Microsoft Intune, via scripting, or with most management products. The certificate is specific to your Azure AD tenant, so it won't enable other enterprises' apps to be deployed. If your users are working across multiple Azure AD environments, just add the certificate for each tenant to enable the apps to install.

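As an added example (not code from the original post or from the MSIX team), the scripted variant of the deployment step above: import the downloaded tenant certificate into the machine Root store with Import-Certificate, then confirm that a signed package actually chains to that certificate before rolling it out. The file paths are placeholders, and the verification uses Get-AuthenticodeSignature rather than signtool, which is an assumption of this example.

```powershell
# Added example, not part of the original post. Imports the tenant-specific
# intermediate certificate from the Microsoft Store for Business into the
# LocalMachine Root store, then checks that a Device Guard-signed MSIX chains
# to it. Run as administrator; $CertPath and $PackagePath are placeholders.
param(
    [string]$CertPath    = 'C:\Deploy\<tenant-intermediate>.cer',   # placeholder
    [string]$PackagePath = 'C:\Deploy\<app>.msix'                    # placeholder
)

# 1. Import the certificate into the machine Root store (the "scripting"
#    deployment option mentioned above).
$imported = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed: $($imported.Subject) [$($imported.Thumbprint)]"

# 2. Verify the package signature. Status is 'Valid' only when the signer's
#    chain ends in a trusted store entry, which step 1 provides for packages
#    signed under this tenant.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Package signature is '$($sig.Status)': $($sig.StatusMessage)"
}

# 3. Confirm the signer chains to the certificate just installed, so a package
#    signed under a different tenant (or any other CA) is rejected here rather
#    than discovered at install time.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; tighten for production
if (-not $chain.Build($sig.SignerCertificate)) {
    throw "Could not build a chain for signer $($sig.SignerCertificate.Subject)"
}
$thumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
if ($thumbprints -notcontains $imported.Thumbprint) {
    throw "Signer does not chain to tenant certificate $($imported.Thumbprint)"
}
Write-Host "OK: $PackagePath is signed under tenant certificate $($imported.Thumbprint)"
```

For users working across several Azure AD tenants, run the import once per tenant certificate; the chain check then accepts packages from any of the installed tenant certificates.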
Full setup instructions here:  https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing
Windows Insider SDK (need to register as an insider if you are not already): https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK
Just curious about it? Check out a demo here: https://twitter.com/jvintzel/status/1151636054232850432

Let us know your feedback.
John Vintzel (@jvintzel)

PM Lead, MSIX
3 Comments
Regular Visitor

Looks like a great option. I've been testing this but no luck so far; installed the latest version of the SDK (10.0.18985.0). Signtool keeps throwing this error:
SignTool Error: This file format cannot be signed because it is not recognized.

Any idea why?

Microsoft

Are you able to share the file and message me a link to look into it?

Regular Visitor

Hi John, I've sent you a PM with a link to OneDrive.