How to Deal with MSIX Packages in SCCM Task Sequences

Written by Alex Marin · September 9th, 2020

Introduction

MSIX packages are installed by default per-user, and the option to provision per-machine MSIX applications is possible through SCCM - which is not yet available in Task Sequences.

However, SCCM Task Sequences are a reliable way to ensure the set up of baseline configurations.

Baseline configurations are applications, group policies, security settings, OS patches, etc., that define various aspects of how a device works and behaves.

When dealing with existing computer devices in a company, managed infrastructures are essential. They provide an array of options including applications, GPO's and the possibility to keep a baseline configuration.

To achieve compliance, the first thing a computer needs is an operating system installed and configured properly to match company standards.

Here's where SCCM (now known as MECM - Microsoft Endpoint Configuration Manager) comes into play with Task Sequences. Task sequences are a series of customizable tasks or sequencing steps to deploy an OS image to any target computer and make it ready to use.

One of these steps includes the installation of applications, so that once a user signs in on a machine, he can have access to all the configurations and applications needed.

In this article, we will be going into some alternative ways to implement MSIX packages in Task Sequences and guarantee that your users have a baseline configuration.

Standard MSIs in Task Sequences

Installing MSI packages within a Task Sequence is nothing new. The standard rules include:

  • The application must have the “Allow this application to be installed from the Install Application Task sequence action without being deployed” option checked.
  • The deployment logon requirement must be set to “Whether or not a user is logged on”.
  • The deployment installation behavior must be set to “Install for system”.

The above rules tell SCCM that the application will be installed for all users, and that the installation can start even if a user is not logged on.

These rules are very important because, during a Task Sequence the user is not logged on, and the installation will be performed using the System account.

Once an application is correctly configured, when navigating to Task Sequences and selecting Add > Software > Install Application, the application should appear in the list.


MSIX in Task Sequence

Provisioning MSIX applications per-machine using SCCM is simple and convenient. Once an application is created in SCCM, go through the following steps:

  1. Navigate to "Deployment Types".
  2. Select the needed deployment type and click "Edit".
  3. Navigate to the "User Experience" tab.
  4. Check the “Provision this application for all users on the device” option.

If a user installs the application from the Software Center, it will be available for all the users in the machine.

Unlike MSI applications, MSIX deployment types do not offer the possibility to apply the rules mentioned above.

Remember, MSIX applications that are provisioned per-machine are not supported, so if you navigate to Task Sequences and try to add the MSIX application, it will not appear on the list.


How to Implement per-machine provisioned MSIX Packages in Task Sequences?

1. The Applications Model

For the applications model, the steps are almost identical to our “How to Provision and Remove MSIX Packages Per Machine article” .

Once an MSIX application is available, create a Powershell wrapper to install it.

The installation command line for a sample MSIX is:

Add-AppProvisionedPackage -online -packagepath "$PSScriptRoot\Sample App-x64.msix"-skiplicense

To know if an application is installed on the system, SCCM requires a detection method - either a registry key or a file.

To make things simpler, inside the Powershell wrapper, place another command to create a registry key:

New-ItemProperty -Path "HKLM:\Software\SampleApplication" -Name "IsInstalled" -Value ”Treue”  -PropertyType "String"

With the MSIX package and Powershell installation wrappers, create a standard application in SCCM. The installation command line should be:

Powershell.exe -executionpolicy bypass -file “Install.ps1”

NoteDon’t forget to apply the three rules mentioned above in the article for standard MSIs.

Once everything is set, the application should appear in Task Sequences and can be installed.


2. The Packages Model

The packages model can be even simpler to install MSIX packages during Task Sequences.

A more in-depth explanation on how to deploy an MSIX application using the Packages model can be found here.

All you need to do is create a Package, assign it a name, and point it to the source files.


When creating a program for the package, choose “Do not create a program”. The program will not be executed during the Task Sequence.

It’s only necessary to have a package that points and downloads the necessary MSIX files.


With the package now created and distributed, navigate to Task Sequences.

In the Task Sequence editor select Add > General > Run Command Line.


Check the Package checkmark and select the previously created MSIX package, then run the following command line:

Dism.exe /Online /Add-ProvisionedAppxPackage /PackagePath: “Sample MSIX Package Mod.msix” /SkipLicense

If you want to get more information about the DISM servicing options for appx/msix packages, it can be found here.

Conclusion

Although it’s not yet possible to natively assign MSIX packages in a task sequence using SCCM, it is still possible to do so. The two alternative ways presented above are both easy to implement.

NoteSomething to point out is that MSIX packages must be mandatorily digitally signed before installation.

If an MSIX is in the queue to be installed in a Task Sequence, the certificate used to sign the package should be installed prior to installing the needed MSIX package.

Comments: