Sideloading Store Apps to Windows 8.1 Devices


The term sideloading refers to the installation of Store Apps by an IT Administrator on a Windows device. Typically, the App in question is a line of business (LOB)application that is internal to the company. Therefore, the company (maybe your customer if you are and ISV) will want to make it available only to its employees rather than making it publically accessible Windows Store. This is not to say that there are no LOB Store Apps published in the Windows Store. Have a look at the SAP client Apps, for example.

There a three aspects that you may have to deal with when considering LOB sideloading: licensing requirements, technical requirements and management of sideloaded apps. You will want to understand all of them to understand if there is additional cost,  how plan for the best way to enable your devices for sideloading or what are your options for handling new App version updates. Let´s have a look then.

1. Sideloading Licensing Requirements

Sideloading functionality is available “out of the box” for Windows 8.1 Professional and Windows 8.1 Enterprise but only if they are domain-joined. The addition of the Professional edition is new and has been announced as recently as April 2014:

[1] Building the Mobile Workplace with Windows and Windows Phone

"Easier Deployment – Delivering Windows 8.1 Update via Windows Update allows businesses to deploy updates with increased predictability. And, to help businesses develop and deploy modern apps for their workforce, we are enabling sideloading for any domain-joined Windows Pro PC or tablet"

The Windows 8.1 Professional, Windows 8.1 Enterprise that are not domain-joined and the Windows 8.1 RT edition (that cannot be domain-joined) still can be enabled for sideloading but will require a sideloading key that has to be installed and activated on the device. It is a multiple activation key (MAK) and you can obtain it from the reseller.

[2] Volume Licensing reference guide Windows 8.1 and Windows RT 8.1

page 12 and further has a full detail in section “Windows 8.1 Enterprise Sideloading”.

Typically, the sideloading activation key will have to be acquired by to owner of the operating system license. So how much it is going to cost? Well, the thing to check is if you have existing volume licensing Enterprise Agreement with Microsoft. The licensing guide mentioned above lists all of the programs that include them free of charge as of 1 May. If you are in a qualifying licensing program, just contact your reseller who will make the keys available to you.

If you do not have a qualifying volume licensing program then you can purchase from a reseller unlimited number of sideloading activation keys for approx. $100 through the Open contract as also mentioned by [1]. The best thing is to contact the reseller that you normally work with to check out all these options for your particular case.

PartNumber

PartDesc

4UN-00005

WinSideloadingRights SNGL OLP NL Qlfd

So in summary, if you are dealing with devices that will not be in domain and you want to install LOB Store App you will need the sideloading activation key. Before you attempt the installation, however, the devices will have to be prepared by your IT pro, so read on.

2. Technical Requirements for Sideloading

There are three technical requirements that have to be met by the device before you attempt to install Store App on it regardless if you are doing it manually, via Powershell scripts or via Mobile Device Management system such as Windows Intune. You will find them explained in

[3] Configure PCs for Sideloading Requirements

but here they are summarized and I illustrate them with screenshots taken on Windows 8.1 Professional with Update 1 that is not domain joined and therefore requires all the steps.

1. Enable the Windows Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.

If you are dealing with domain joined device you get this key set via group policy Allow all trusted applications to install. If you are preparing a device that will not domain joined you will most likely find out that the Appx in not present in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows. In that case: a) create a New Key named Appx b) right click the Appx node you just created and select New-> DWORD (32-Bit) Value, assign it a Name AllowAllTrustedApps c)right click the DWORD you just created and select Modify and type 1 in the Value Data. You should have an entry as per figure below:

. AllowAllTrustedApps

Figure 1. AllowAllTrustedApps Windows Registry Key2. Ensure that the

2. Ensure that the code signing certificate has been issued by a trusted certification authority.

All Store App packages are signed with a code signing certificate. If the developer uses an Authenticode code signing certificate that has been purchased from common certificate authority (e.g.: Symantec, VeriSign) then you do not need to take an action because the root certificates for these authorities are already present in the Local Machine\Trusted Root Certification Authority certificate store. However, if the application package has been signed with the certificate emitted by customers own Certification Authority or the developer used the self-signed certificate generated by Visual Studio then you will have to make sure the root certificate is present in the Trusted Root Certification Authority store.

You can locate the code signing certificate in Visual Studio solution by looking up the application manifest as shown in the figure below

SigningCert

Figure 2. Application Manifest with code signing certificate

Configure Certificate button allows developer to pick existing code signing certificate from the certificate store a file or get Visual Studio to generate a self signed certificate. If you click the View Full Certificate button you can get the full certification path, copy the certificate to a file, etc. When the Store App is packaged (using the Store->Create App Packages option) the code signing certificate will also be available in the AppPackages solution subfolder. So if you are using self-signed certificate you could just pick it up together with the .appxbundle that contains the application package and take both to your target machine.

On the device that you want to configure simply double click the self signed certificate (.cer) file, select Install Certificate and then in the Certificate import Wizard select Local Machine as the Store Location instead of Current User that will be selected. In the next step select Place all certificates in the following store and browse for the Trusted Root Certification Authorities store to get it installed.

Should you install incorrectly then on Windows 8.1 with Update 1 you will get explicit error message (on Windows 8 you may get more cryptic error HRESULT: 0x80073CFF) as per figure below:

NoCertificateError

Figure 3. Lack of root certificate error

If all is well the command will complete silently and you should be able to locate the application installed. For domain joined machines you would be able to run the app at this stage, however, for cases that require sideloading key you will see the message App can´t open as in the figure below

AppCantOpen

Figure 4. App can´t open message

This is because we are missing the step 3 described below.

3.  Install and Activate the sideloading key on the devices that require it (as described it in previous section).

There are two commands that we have to execute exactly as described in the “To activate a sideloading product key” section of the sideloading requirements: one to install the key and the second to activate it. You need Administrator privilege to execute these commands as per figures below:

SideloadingKeyInstallation

Figure 5. Installation of the sideloading key

Note that the key you type here is the sideloading key that you have purchased from your reseller.

SideloadingKeyActivation

Figure 6. Activation of the key.

In this second step the string supplied (ec67814b….) is always the same because it is a guid that identifies the sideloading feature that we are enabling. If you are unsure if the device has already the sideloading key activated you can check it with command slmgr / dlv that will display the license information. Then scan it for the section with Name: APPXLOB-Client add-on and ensure that the line License Status is showing Licensed.

With all these steps concluded you can install and launch the Store Application successfully.

I should mention for completeness that in development environment you do not require sideloading key. The store apps can run thanks to the Developer License. This license is temporal and periodically will expire. If you are putting in production the machine that was perhaps previously a test machine you can check if it has developer license installed (Get-WindowsDeveloperLicense) and remove it (Unregister-WindowsDeveloperLicense) before configuring production sideloading key using the powershell commands documented in

[4] Windows Developer License Cmdlets in Windows PowerShell

3. Application Management

The licensing requirements and the technical requirements mentioned in the two previous sections have to always be met regardless of the actual method you choose for installing the applications. You have already seen that you can install the application using the Add-AppxPackage command. The command will take an application package (.appx) or the newer application bundle (.appxbundle) as an argument. You can use the Remove-AppxPackage to remove the application.

However, most customers will require more sophisticated solution to manage the application. They will want to assign specific LOB Apps to users in certain groups (Finance, HR) and will want to have a mechanism to install the new versions of the applications even for users with no access to domain.

Windows Intune offers a complete Mobile Device Management solution. It can help not only manage the applications but also (in case of Windows RT) activate the sideloading keys and install root certificates on devices that user enroll for management. Also Windows Intune integrates with System Center Configuration Manager that many customers already have deployed.

The end user has access to the Company Portal application that lists the applications that the Administrator made available in Windows Intune. The Company Portal is essentially a Store App that communicates with the Windows Intune tenant.

You can view two videos that show Windows Intune capabilities with respect to App sideloading:

[5] The Deployment Sessions – 006 Sideloading to Windows RT from Windows Intune

[6] The Deployment Sessions – 005 Sideloading to RT with Configuration Manager 2012 and Intune

Also you can see the commercial information in

[7] Windows Intune Purchasing and Support Guide

The alternative to Windows Intune is to build this capability yourself. This could be as basic as the network share containing the scripts or a more complex application equivalent to the Company Store communicating with your package repository of choice (Azure Storage / SharePoint, etc.) but you would need to decide if the development effort would be worth it.

Comments (14)

  1. JamieAkers says:

    Not wishing to spoil the fun, but really why would I as an Admin go through with this?  I can deploy standard Windows Desktop apps without needing to go through any of this fun.

  2. morcinimhotmailcom says:

    Hi Jamie,

    Most of the complexity is due to licensing but this is being gradually relaxed, i.e. since May on the domain capable devices sideloading is a built-in feature. The registry key and certificate are security mechanisms. They allow you to decide if you permit this type of Apps on devices and if so which publishers your company trusts.

    Store Apps are designed for the Windows Store i.e. the model is any developer can publish and distribute the apps which is a reason why there are more control mechanisms that show up in deployment scenarios in the intranet.

    Michal

  3. dead3eef says:

    Thanks for the clarification. On the face it all sounds excellent. In practice everything falls down. I have contacted our reseller. They didn't know anything about the part number. They contacted their Microsoft Account Manager. They also didn't know anything about the Sideloading activation key.

    Honestly, I really don't understand the idea behind this. All I want to do is install our own application that we wrote on another machine. In addition we do not want our app on the Store for reasons that it's so bespoke that it's really only for our clients. And only after training can you use the application properly in a safe scenario. This scenario is common for ISVs whose clients are not on domain and an internet connection is not easily accessible.

    I appreciate this is fairly new, however it has been 2/3 months now since the announcement.

    Please can you shed more light on why I can't seem to get hold of Sideloading key for my reseller nor any of our other reseller contacts?????

  4. Ryan S Thiele says:

    I feel they should just have an option in the windows store to hide the app from the listing. We get the URL for the app, give it to the client. Problem solved. All security would be left to the developer through credentials, a passkey, etc…

    Companies will not shell out dough for keys if they bought Pro/RT editions, or if they happen to have Enterprise and do not have it connected to the domain. For example, I work for a company that have many independently owned franchises – all of them have their own domain. With all this complexity, the franchises would have to hire an IT team to manage one app meant to run on tablet for workers in the field, and keep in mind that updates happen every month or several times a month. I just can't see doing this for every tablet they buy. Not to mention that they just shell out a lot of money for the tablet, but now they must find a way to put Professional edition on it, and buy another key to run the app. Their solution – not use the app; which is not good news fro the IT department.

    I don't see why this is so complicated. We can leave the "Side loading" option there for the companies that have green to burn.

  5. dead3eef says:

    Companies with multiple domains is another important scenario.

    I'd like to add that we already have 6 Premium MSDN licenses and 2 Ultimate. I'm sure this should class as an Open Value agreement. But it's not easy to find out if that gives us a sideloading key for free as the blog post states.

    In addition, we've invested heavily in MS technologies over the years. And we now need to buy a token $100 key for some reason unknown at this time. Even when we adhere to the instructions, the key is nowhere to be found.

    I do appreciate that it's gone from $30/device to a flat fee which is so much better. But still…

  6. morcinimhotmailcom says:

    @dead3eef – If the machine is joined to domain then you do not need sideloading key. So you can skip the step 3 in section 2. In the other cases you need to purchase the key. I think the idea to make the key a part of the partner MSDN benefit is interesting but currently you would still buy the sideloading keys from your reseller.

    I hope we will be able to simplify things for the ISVs even further.

  7. dead3eef says:

    Thanks for the response Michal.

    My reseller and their MS account manager don't know about the keys at this moment in time. I'm wondering if this information is going to take a while to filter through MS and also over the Atlantic to the UK, I have tried some other resellers with the same results.

    Seeing as you're in the loop, I would like to know if this is the case or whether I can buy a key today? If I can then I will continue looking for someone who has it in stock. But would like to know for certain rather than waiting to hear back from my reseller.

    Anyway, thanks for your time in helping.

  8. Luke Tepid says:

    This is horrendous.  We currently have a senior developer on-site trying to install our LOB app on a customer's Nokia tablet, and failing.  Our app uses Windows Notification, and we were unable to buy a code-signing cert compatible with the CN assigned by MS.  We are forced to use a self-signed cert.  The installation procedure was practiced and refined on a Surface Pro (after wiping to factory settings).  And the Nokia is giving us errors such as "You need to acquire a developer's license" and "You need to install the signing certificate".

    WTF Microsoft?

  9. Paul Hardy says:

    I agree with the other commenters, these are still crazy hoops to jump through to load YOUR OWN app on your own tablet with your purchased OS! Even getting the sideloading key is a pita. Called and was transferred to 5 different depts. at MS, only to be told I need to speak to a reseller.  Then he had to do research on what the sideloading even was. I finally got the key for $100 w/ 30 activations. I currently need about 50, so I asked for an increase of 100 so I wouldn't have to worry about it for awhile. So, with the specified key info, I sent the request only to be told that I need to purchase additional licenses. Here it is…

    Hello Paul,

    This is in response to your email regarding additional MAK activations for Windows Sideloading Rights.

    Thank you for your reply and we apologize for the inconvenience. Please be advised that the increase in number of activations for Windows Sideloading Rights is only eligible for Enterprise and Select agreements. Since you have an Open license, we can only provide you the number of activations based on the number of license that you are entitled for.

    You may want to contact your reseller to purchase additional licenses for Windows Sideloading Rights.

    If we may be of further assistance, please respond to this message. Thank you for contacting Microsoft.

    Sharyl

    MAK Support Team

    MAKAdd@microsoft.com

    Good luck to the rest of you, I'm still trying.

  10. Noemata says:

    Today I made my third attempt to purchase a key and hit a dead end.  Last time I tried was about 6 months ago.  Given the amount of negative commentary that abounds, the task of resolving what's important must be near impossible.  So we end up with what we have now, a quagmire of frustration and inaction.  I wish I could make some happy posts for a change.

  11. Kevin says:

    As a developer I can say that we still need a simple and reasonable answer to this.

    It is quite embarrassing even just having to explain this mess to customers that just want custom (non store) applications installed, something that we have been doing with click-once (etc) for years for desktop apps.

    There is no way to explain it to them that does not sound like it is a step backwards, adding complexity for no good reason.

  12. Antonio Gallo says:

    oh my… i tried with symtantec certificate and generating the AETX file and nothing worked (phone), then i tried this for desktop and didn't worked too… oh microsoft nightmare is hunting me again :-/

  13. Balu says:

    I have a question, assume that i have a product key and installed in windows 8.1 desktop and created the file.

    If i copy the file in to my mobile and intall..will it install in any windows 8.1 mobile phone. When i tried with developer lisence i have registed my windows mobile.

    Any idea how to install windows8.1 app with out register the mobile?

    Thanks in advance

  14. Joseph Fradley says:

    Hello Michal,

    Thank you for the detailed blog (that's coming on 2 years old now). Can you confirm that someone running:

    Windows 8.1 Embedded Industry Pro without a domain still needs an activation key to enable sideloading?

    Also, completely different question is there a geeral way to troubleshoot (and get more detail) when an app displays 'This app can't open' error box'?

    Thank you