Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Intune can deploy MSIX-packaged apps to managed Windows devices silently; no user interaction required at install time. This guide covers the full deployment workflow, including code signing, certificate trust distribution, app creation, assignment, and troubleshooting.
Prerequisites
Before deploying an MSIX app through Intune, make sure you have:
- An MSIX package built and ready to deploy
- A Microsoft Intune subscription (included in Microsoft 365 E3/E5, Enterprise Mobility + Security)
- Microsoft Entra ID groups that represent the target users or devices
- A code signing certificate (see Code signing requirements)
Code signing requirements
Every MSIX package deployed via Intune must be signed. Windows will not install an unsigned MSIX package, even when deployed through MDM.
You have two options for signing certificates:
Option 1: Self-signed certificate (no cost, for internal/managed devices only)
A self-signed certificate can sign your MSIX package at no cost, but the certificate must be trusted on every target device. Intune can distribute this trust automatically via a Trusted Certificate configuration profile.
This option is suitable when all target devices are Intune-managed and the app will never be distributed outside your organization.
Option 2: Azure Artifact Signing (formerly Trusted Signing) (recommended for most scenarios)
Azure Artifact Signing (formerly Trusted Signing) provides a CA-trusted certificate with no hardware token required. Certificates integrate directly with CI/CD pipelines (GitHub Actions, Azure Pipelines). For current pricing, see the Azure Artifact Signing pricing page.
Since the certificate is CA-trusted, Windows devices trust it automatically: no additional Intune configuration profiles needed. This is the lower-friction option for most enterprise scenarios.
For guidance on signing your MSIX package, see Sign an app package using SignTool.
Option A: Deploy with a self-signed certificate
If you're using a self-signed certificate, complete these steps before creating the LOB app. If using Azure Artifact Signing, skip to Option B.
Step 1: Create and export your self-signed certificate
On your build machine, create a self-signed certificate and export it:
# Create a self-signed code signing certificate
$cert = New-SelfSignedCertificate `
-Subject "CN=MyCompany, O=MyCompany, C=US" `
-Type CodeSigningCert `
-CertStoreLocation Cert:\CurrentUser\My `
-HashAlgorithm SHA256
# Export the public key (.cer) for Intune distribution — no password required
Export-Certificate -Cert $cert -FilePath "MyCompanyCert.cer"
Step 2: Sign your MSIX package
Sign using the certificate from your local certificate store — no PFX or password needed on the build machine:
# Sign using the certificate thumbprint
signtool sign /fd SHA256 /sha1 $cert.Thumbprint "MyApp.msix"
Tip
If you need to sign on a different machine (for example in a CI/CD pipeline), export the PFX using Export-PfxCertificate and store the password as a pipeline secret variable — never hard-code it in a script or commit it to source control.
Step 3: Create a Trusted Certificate profile in Intune
This profile pushes your certificate's public key to target devices so Windows trusts the self-signed signature.
- In the Intune admin center, go to Devices > Configuration > Create policy
- Select Windows 10 and later as platform, Templates as profile type, then Trusted certificate
- Upload the
.cerfile you exported in Step 1 - Set Destination store to Local Computer - Trusted People
- Assign the profile to the same device or user groups that will receive the app
- Select Create — Intune sends a push notification to active, online devices; they typically check in and receive the certificate within a few minutes. The background sync interval is 8 hours for devices that miss the notification.
Important
Deploy the Trusted Certificate profile before or at the same time as the LOB app. If the app reaches the device before the certificate is trusted, installation will fail.
Option B: Deploy with Azure Artifact Signing (formerly Trusted Signing)
If you're using Azure Artifact Signing (formerly Trusted Signing), the certificate is already trusted by Windows. No Trusted Certificate profile is needed in Intune.
Sign your MSIX package using the azure/trusted-signing-action GitHub Actions task or the equivalent Azure Pipelines integration, or by following the local signing guidance in the Azure Artifact Signing (formerly Trusted Signing) documentation.
Create a Line-of-Business app in Intune
- In the Intune admin center, go to Apps > All apps > Add
- Under App type, select Line-of-business app, then select Select
- Under App package file, upload your signed
.msix(or.msixbundle) file - Intune reads the package metadata automatically — review the populated Name, Publisher, and App version fields
- Complete the remaining required fields:
- Description — what the app does
- Publisher — your organization name (pre-populated from the package)
- App install context — select Device for machine-wide install (recommended), or User for per-user install
- Select Next to configure Scope tags if your organization uses them, then Next again
- On the Assignments page, assign the app:
- Required — app is installed silently with no user prompt
- Available for enrolled devices — app appears in Company Portal for optional install
- Uninstall — removes the app from targeted devices
- Select Next, review your settings, then select Create
Intune queues the deployment. Devices receive and install the app during the next Intune sync cycle.
Note
MSIX apps installed via Intune as Required install silently in the device context. Users do not see a UAC prompt or installation wizard.
Verify installation
To confirm the app deployed successfully:
- In the Intune admin center, go to Apps > All apps and select your app
- Select Device install status or User install status to see per-device results
- Look for Installed status. Common non-installed states:
| Status | Meaning |
|---|---|
| Not applicable | Device is not in the assigned group |
| Pending | Deployment queued; device hasn't synced yet |
| Failed | Installation error — see error code in details |
| Not installed | App not yet received or install deferred |
For failed installations, note the error code shown and see Troubleshooting below.
Update management
When you publish a new version of your app, upload the updated MSIX package to the same app entry:
- Go to Apps > All apps, select your app
- Select Properties > Edit next to App information
- Under App package file, upload the new
.msixfile - Save the changes — Intune detects the version change and pushes the update to assigned devices on next sync
Note
Intune uses the version number in the MSIX manifest to detect updates. Make sure you increment the version number in your .appxmanifest before building each release.
Troubleshooting
Signature or certificate trust failure
If using a self-signed certificate, MSIX installation fails silently if the signing certificate isn't trusted on the device. To diagnose:
- In the Intune admin center, go to the device's Configuration profiles and verify the Trusted Certificate profile shows Succeeded
- On the device, open certlm.msc and verify the signing certificate appears in Local Computer > Trusted People
- If the profile is still Pending, trigger a manual sync (see App stuck in "Pending")
0x80073CF3 — Package failed update, dependency, or conflict validation
This error indicates ERROR_INSTALL_PACKAGE_DOWNGRADE — a newer version of the package is already installed on the device. Check:
- The version in the uploaded MSIX is higher than the version currently installed on target devices
- If needed, uninstall the existing package from the device before retrying the deployment
- For additional causes (dependency conflicts, framework mismatch), see MSIX deployment troubleshooting
0x80073CF0 — Package could not be opened
The MSIX package could not be opened during install (ERROR_INSTALL_OPEN_PACKAGE_FAILED). Check:
- The package file was uploaded completely and is not corrupted
- The MSIX is valid — test by opening it locally before uploading
- Re-upload the package if the upload may have been interrupted, then retry the assignment
0x80070005 — Access denied
Indicates insufficient permissions (E_ACCESSDENIED). Verify that the deployment account and target device have the required access, and confirm the app and any required certificate profiles are assigned correctly. A context mismatch (app assigned as User install but the package requires machine-wide install) can also cause this — switch to Device install context if so. For additional causes and remediation steps, see MSIX deployment troubleshooting.
App stuck in "Pending"
- Trigger a manual Intune sync: on the device, go to Settings > Accounts > Access work or school > select your account > Info > Sync
- Or from the Intune admin center, go to Devices > select the device > Sync
Checking installation logs on the device
For deeper diagnostics, check two log sources:
Intune Management Extension log — tracks LOB app download and deployment activity:
%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
AppxDeployment-Server event log — tracks the MSIX installation itself:
- Open Event Viewer
- Go to Applications and Services Logs > Microsoft > Windows > AppxDeployment-Server
- Filter for Error events and look for entries matching your package family name
Or from PowerShell:
Get-AppxLog | Where-Object { $_.Message -match "MyApp" } | Select-Object TimeCreated, Message
Search both log sources for your app name or package family name to find the relevant installation attempt.