Try It Out: Sideload Windows Store Apps
By now, you are familiar with Windows Store apps. There are some pretty cool ones available in the store, and publishers are adding more every week. A great thing about Windows Store apps is they are super simple to install (and uninstall). But what about line of business (LOB) apps? You probably do not want to publish them through the Windows Store since that would make them publically available.
Instead, you can sideload LOB apps. Sideloading simply means installing a Windows Store app without publishing it in and downloading it from the store. You install it directly.
There is some mythology around sideloading apps, possibly because many IT pros have yet to experience it firsthand. In reality, the process is simple; it is nothing more difficult than running a few commands in Windows PowerShell. There are a few requirements that you have to set up in advance, but those too are rather easy.
Here is the thing: The problem with seeing and doing this firsthand is that you need to get your hands on an app that you can sideload. You cannot sideload an app you purchase from the Windows Store, and you might not be fortunate enough to have developers available who are working on them. So to get started, we are going to show you how to quickly and easily build your own app for testing purposes
Set Up the Virtual Machines
To experience sideloading for yourself, you are going to need some virtual machines (VMs). We might as well get this part out of the way right up front. Here are the two VMs you will need:
- Client computer. You will need a client computer running Windows 8 Enterprise. You must join it to the domain. Make sure you install Windows 8 Enterprise on the client, as this is also required for sideloading Windows Store apps (unless you use a sideloading product key, which we talk about later). For this article, we named this contoso-pc.
- Domain controller. Joining a computer that is running Windows 8 Enterprise to an Active Directory Domain Services (AD DS) domain automatically enables sideloading. To keep things simple, we used Windows Server 2012, named the server contoso-dc, and created two demo accounts: Mark and Peter.
If you are like most IT pros, you probably already have a test environment set up and running. As long as it has the previous two items, you can use it to experience sideloading Windows Store apps. Otherwise, you can use Client Hyper-V in Windows 8 to quickly set up a test environment. Download the evaluation media from
TechNet Downloads. Starting from scratch, we set up the environment in under an hour.
Create a Windows Store App
As we mentioned, Windows Store apps that you can sideload are not just floating around. We do not recommend downloading apps from untrusted sources, either, so the best alternative is to build one. It turns out that this is far easier to do than you would expect.
Use Visual Studio Express 2012 for Windows 8, which you can download from the
Microsoft Download Center. We downloaded the ISO file, VS2012_WINEXP_enu.iso, instead of the web installer. (Install it on a computer other than contoso-pc to keep that VM pristine for testing purposes.) The first time you run Visual Studio Express 2012 for Windows 8, it will ask you to register online so that you can get a product key. This product key gives you a 30 day evaluation period—enough for our purposes.
After registering and entering your product key, Visual Studio Express 2012 for Windows 8 will also ask you to get a developer license. A developer license makes it easy to install and test Windows Store apps on your computers. (Developer licenses are temporary, expiring in 30 days.) Review the text you see on the Developer License dialog box to understand what information it is going to share with Microsoft, and then click I Agree to download and install the developer license. Of course, you will have to sign in by using your Microsoft account credentials.
So now we get to the nuts and bolts of creating a sample app for sideloading. Turns out that creating the sample app just might be easier (and certainly is quicker) than installing Visual Studio Express 2012 for Windows 8. The simplest way is to just create a blank app, which you can add to later if you want:
- On the File menu, click New Project.
- In the Name box, type a name for your app (e.g., MySample).
- Click OK.
You now have a Windows Store app. Easy, right? Right now, your app does nothing more than display “Content goes here” on the screen. You get extra credit for changing the text to the ubiquitous “Hello World!” (Hint: Edit the file named Default.html.) If you want to go all out and see what it is like to build a Windows Store app, take a look at
Now you just need to create your app package:
- On the Store menu, click Create App Packages.
- On the Create Your Packages page of the Create App Packages wizard, click No and click Next. This allows you to create a Windows Store app without registering to submit it to the store.
- On the Select and Configure Packages page, shown in Figure 1, note the path in which it’s going to create the app package, and click Create.
Figure 1. Creating a Sample Windows Store App
- Click OK.
That is it. You have a Windows Store app that you can now use to test sideloading. We told you it was easy. Grab the AppPackages folder from the path you noted earlier, and copy it to the VM running Windows 8 Enterprise. Among the files in this folder, it contains a self-signed root certificate and the APPX file, which is the actual app package.
Install the Root Certificate
In the real world, if you were deploying an actual LOB app, the developer would sign it with a certificate that is chained to a trusted root certificate. However, since we are just testing an app that is using a self-signed certificate, you need to install the root certificate on the client VM, contoso-pc:
- Log onto contoso-pc using an account with local administrator privileges.
- Make sure you have copied the AppPackages folder to the VM running Windows 8 Enterprise. You copied this folder from the computer running Visual Studio Express 2012 for Windows 8.
- In the AppPackages folder, find the certificate (e.g., MySample_22.214.171.124_AnyCPU_Debug.cer), right-click it, and click Install Certificate to start the Certificate Import Wizard.
- On the Welcome to the Certificate Import Wizard page, click Local Machine and click Next.
- On the Certificate Store page, click Place all certificates in the following store, click Browse, click Trusted Root Certification Authorities, click OK, and then click Next.
- Click Finish.
- Confirm that the import was successful, and then click OK.
Again, you would not have to complete this step in a production environment. You only have to do it here because we used a self-signed certificate. The remainder of this article accurately reflects what it is like to sideload a Windows Store app in a production environment, however, as we mentioned in the introduction, you will find that it is really easy to do.
Verify the Requirements
There are a small number of requirements computers must meet to sideload Windows Store apps on them. We will start with computers running Windows 8 Enterprise:
- The computer running Windows 8 Enterprise must be joined to the domain.
- You must enable the “Allow all trusted apps to install” Group Policy setting.
- The app must be signed by a \ certificate that is chained to a trusted root certificate.
In many cases, the only thing you will have to do is enable the policy setting. Your computers running Windows 8 Enterprise are already joined to the domain, and your developers will sign the app. For Windows RT devices and computers running Windows 8 Pro—or computers running Windows 8 Enterprise that are not domain joined—you have one more option: Installing a sideloading product activation key on the device. More on that later.
Since you have already joined contoso-pc to the domain, you just need to enable the policy setting. Create a new Group Policy Object (GPO) and enable “Allow all trusted apps to install.” This policy setting is under Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment. For this article, we named our GPO “App Sideloading Policy.” Do not forget to refresh Group Policy on contoso-pc by running Gpudpate.exe.
The last requirement is to verify that the app is signed by using a certificate chained to a trusted root certificate. In this case, you know it is. But double-checking is easy enough. On contoso-pc, do the following to verify that the package is properly signed:
- In Windows Explorer, right-click the Windows Store app package file (e.g., MySample_126.96.36.199_AnyCPU_Debug.appx), and click Properties.
- On the Digital Signatures tab, click the signature, and then click Details.
- On the General tab, verify that you see “This digital signature is OK” at the top of the tab. Figure 2 shows you what this should look like.
Figure 2. Checking the Package’s Digital Signature
- Close all open windows.
With that, all the requirements are met. The computer is running Windows 8 Enterprise and is joined to the domain. The Group Policy setting named “Allow all trusted apps to install” is enabled, and the package file is properly signed. Even though it seems like you have done a lot of work to get to this point, all you really have to do in most cases is to make sure that you enable the policy setting. Now for the fun part: sideloading the app for a user.
Sideload the App for a User
As promised when we started this article, sideloading the sample app is no more difficult than running a few commands in Windows PowerShell. In fact, the first command should not really count, as it just imports the AppX module into Windows PowerShell. Here are the steps to complete on contoso-pc:
- Log onto contoso-pc using one of your test accounts, because you cannot run the sample app by using the built-in local or domain Administrator account. You can use a standard user account.
- On the Start screen, type PowerShell and press Enter.
- At the Windows PowerShell prompt, run the following commands, where SampleApp is the path and name of the package file you created (e.g., MySample_188.8.131.52_AnyCPU_Debug.appx):
- Monitor the installation, and close the Windows PowerShell window after it finishes.
All that is left to do now is launch the app. On the Start screen, click its tile. You will find it on the far right side of the Start screen. You can also type the app’s name, and click the tile. For example, we named our app MySample. On the Start screen, we just type MySample, and then click the MySample tile. Of course, there is not much to the app, but you have successfully sideloaded it, and sideloading other Windows Store apps works the same way.
In this example, you sideloaded the app for the current user account. If another user were to log onto the computer, the app would not be available to them. You can sideload an app for all users by using the Deployment Image Servicing and Management (DISM) tool, and we are going to do that in the next section. Before moving on, however, you need to uninstall the app. On the Start screen, simply right-click the sample app and click Uninstall in the app commands at the bottom of the screen. Confirm that you want to uninstall the app by clicking Uninstall again, and then you are ready to provision the app for all users who share the computer.
Sideload the App for All Users
DISM is a command-line tool that you can use to service a Windows image—online or offline. (If you are not familiar with DISM, see
Deployment Image Servicing and Management Technical Reference.) You can use DISM to provision a Windows Store app in an online Windows image for all users who share the computer. To do that, you use the Add-ProvisionedAppxPackage option:
- Log onto contoso-pc using an account with administrative privileges on the computer. You must use an administrator account here, because you are provisioning an app in the image.
- On the Start screen, type PowerShell and press Ctrl + Shift + Enter.
- On the User Account Control dialog box, click Yes.
- At the Windows PowerShell prompt, run the following command, where SampleApp is the path and file name of the package file you created (e.g., MySample_184.108.40.206_AnyCPU_Debug.appx):
DISM /Online /Add-ProvisionedAppxPackage /PackagePath:“SampleApp” /skiplicense
- Monitor the installation, and close the Windows PowerShell window after it finishes.
To test this example, you need to log onto to the computer using one of your test accounts. You cannot run the app by using the built-in local or domain Administrator account. In this case, we logged on to the computer as Mark. Then, on the Start screen, click the app to run it. (If you do not see the app on the Start screen, type the app’s name to find it, and then click the app’s tile.) After verifying that the app works for the current user account, log onto the computer using a different test account and run the app. Because you used DISM to provision the app in the image, it is available to both accounts.
Use a Sideloading Product Key
Earlier in this article, we listed the requirements for sideloading Windows Store apps. The computer must be running Windows 8 Enterprise. It must be joined to the domain, and you must enable the policy setting “Allow all trusted apps to install.” This is great if in a typical enterprise scenario where you use the Enterprise editions and join computers to the domain. What about increasingly common Bring Your Own Device (BYOD) scenarios, where Windows RT devices and computers running Windows 8 Pro are more common; and devices are not always joined to the domain?
You can enable sideloading for these additional scenarios by installing a sideloading product key on the computers. For more information about sideloading product activation keys, see
Microsoft Volume Licensing. Additionally, the article
How to Add and Remove Apps describes how to use the Windows Software Licensing Management Tool (Slmgr.vbs) to add and activate the sideloading product key.
We hope that experiencing how to sideload Windows Store apps firsthand showed you how simple the process really is. You enable sideloading on computers running Windows 8 Enterprise by simply joining them to the domain and enabling the “Allow all trusted apps to install” policy setting. You can enable app sideloading in the scenarios that Table 1 describes by using a sideloading product key. To sideload an app for an individual user, you use the add-appxpackage cmdlet in Windows PowerShell, and to provision an app for all users, you use the Add-ProvisionedAppxPackage DISM option.
Figure 3. Sideloading Requirements
Keep in mind as you move forward that both methods are fundamental. You will not use them all that often. Instead, you can rely on your deployment tools to run these commands for you. For example, System Center 2012 Configuration Manager SP1 includes native support for sideloading Windows Store apps (see
Planning to Deploy Windows 8 Apps in Configuration Manager.) Similar support is coming in a future version of Windows Intune. Likewise, the latest version of the
Microsoft Deployment Toolkit 2012 includes support for installing Windows Store apps during operating system deployment.
Are you interested in learning more about sideloading Windows Store apps? See
How to Add and Remove Apps.