• Article

Planning to Deploy Windows 8 Apps in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Use the information in the following table to help you plan and prepare to deploy Windows 8 applications (apps) to System Center 2012 Configuration Manager SP1 clients in your organization.

Process

Reference

Review the available information about the basic concepts for application management in Configuration Manager.

For introductory information about application management, see Introduction to Application Management in Configuration Manager.

Review and implement the prerequisites to deploy applications in Configuration Manager.

For information about the prerequisites for application management, see Prerequisites for Application Management in Configuration Manager.

Configure and test the Application Catalog and Software Center to enable users to browse for and install software.

For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager.

Review the two different available methods that you can use to deploy software to computers that run Windows 8:

  • Deploy the application by providing a link to the app in the Windows Store.

  • Deploy the app installation file (.appx file) to computers directly, bypassing the Windows Store. This process is sometimes called sideloading.

No additional information.

Review the requirements and recommendations to deploy Windows 8 apps to computers in the company. If you are deploying a line of business application, work with the application developers to ensure that the following requirements are met:

  • The technical compliance of the App has been validated to ensure that it provides a consistent Windows 8 application experience, that it meets the minimum technical requirements for an app, and that it will function correctly on future versions of Windows.

  • The app is signed by a certification authority (CA) that is trusted by the Windows 8 computers that will install the app. The publisher name in the package manifest file must match the publisher name in the certificate that signs the app.

    Note

    Microsoft recommends that all apps that are installed by deploying application installation files are signed by a certificate that is from a trusted certification authority. By default, Windows trusts many certification authorities without any additional configuration. If the signing certificate is from one of these trusted authorities, you do not need to deploy and manage additional certificates on Windows 8 computers that will install the Windows 8 app. You can also use your internal PKI to sign the app if computers trust the certification authority that issues the signing certificate.

    Visual Studio provides a self-signing test certificate that you can use to test apps internally. Microsoft recommends that you use these self-signed certificates for internal testing only and that you do not use them on production networks for enterprise deployment.

    Important

    When you import a Windows 8 app into Configuration Manager, no validation is done to ensure that the app is signed. Be sure to take the steps outlined in this topic to sign the application before you import it into Configuration Manager.

For information about how to validate the technical compliance of Windows 8 apps, see Testing your app with the Windows App Certification Kit in the Windows Dev Center.

For information about how to sign apps by using Microsoft Visual Studio, see Signing an app package (Windows Store apps) in the Windows Dev Center.

Configure Windows 8 computers to allow direct installation of Windows 8 apps. To do so, use group policy to configure the following sideloading registry settings:

Note

Client computers that run different versions of Windows 8 have different requirements for enabling the sideloading of apps. For more information about these requirements, see the section Windows 8 Sideloading Requirements in this topic.

  • On computers that run enterprise versions of Windows 8 Enterprise, use this registry setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1

  • On computers that run Windows 8 Professional, use this registry setting: HKEYLOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1

For more information about how to configure group policy preferences in order to configure registry settings, see your Windows documentation.

When you create an application of the type Windows app package (in the Windows Store), you must browse to a reference computer and select the application in order to create a link. Before you can do this, you must prepare the reference computer to receive Web Service Management (WS-Management) requests from the Configuration Manager console.

See Prepare the Reference Computer for Application Browsing in this topic.

Supplemental Procedures to Prepare to Deploy Windows 8 Apps

Use the following information when the steps in the preceding table require supplemental procedures.

Prepare the Reference Computer for Application Browsing

Perform the following procedure to configure an HTTPS connection between the computer that runs the Configuration Manager console and the reference computer, which is the Windows 8 computer that contains the Windows Store applications to be browsed.

To prepare the reference computer

  1. Ensure that the account you use to log on to the computer that runs the Configuration Manager console has Administrator permissions on both the computer running the console and on the reference computer.

  2. At a command prompt on the reference computer, enter the following command to create an HTTPS-based listener:

      winrm qc –Transport:HTTPS

  3. On the reference computer, enter the following command to allow Windows PowerShell to make remote connections to the computer:

      enable-psremoting

  4. On the reference computer, enter the following command to remove the HTTP-based listener that was enabled by the previous command:

      winrm delete winrm/config/Listener?Address=*+Transport=HTTP

  5. On the reference computer, configure a Windows Firewall inbound rule for port 5986, which is the default HTTPS port that will be used for communication.

Windows 8 Sideloading Requirements

Use the following table to understand when you must configure the sideloading keys in Windows 8 or Windows Server 2012 to enable the direct installation of applications:

Important

The Desktop Experience feature of Windows Server 2012 must be enabled if you want to install applications from the Windows Store.

Windows version

AllowAllTrustedApps registry key required?

Sign .appx file with trusted enterprise code signing certificate

Configuration Manager client

Enrolled with Microsoft Intune

Side loading key required?

Domain joined?

Side loading key required?

Domain joined?

Windows 8 Enterprise

Windows 8.1 Enterprise

Yes

Yes. Code signing certification authority is trusted on Windows 8 clients.

No

Yes

Yes

Not required

Windows 8 Professional

Windows 8.1 Professional

Yes

Yes. Code signing certification authority is trusted on Windows 8 clients.

Yes

Yes

Yes

Not required

Windows RT

Yes

Yes. Code signing certification authority is trusted on Windows 8 clients.

Not supported

No

Yes

No

Windows Server 2012

Yes

Yes. Code signing certification authority is trusted on Windows Server 2012 clients.

Does not support a sideloading key

Yes

Does not support a sideloading key

Yes

 

Note

Windows 8 Home versions do not support enterprise sideloading.