A View Inside My Head

Jason's Random Thoughts of Interest


Sideloading Windows 8.1 Apps

I have created several games for the Windows Store. The process of writing and submitting an app for publishing to the consumer-facing store is well-scripted, with Visual Studio taking care of packaging everything needed into one file, which is then uploaded using the developer portal website, and then finally signed and published by Microsoft’s back end systems.  Once published, the user discovers and installs the app using the Windows Store app on their own machine.

But, what about deploying Line Of Business (LOB) apps for enterprises, which are installed for use only within a corporation (and, thus, are not appropriate for hosting on the public consumer-facing store)?  For now, deploying an application to enterprise machines requires a process known as Sideloading. This can be thought of as the equivalent of manually running Setup.exe in order to install desktop applications, though the requirements and processes involved are different.

First, when building the appx, the developer will need to use a code-signing certificate that links to a trusted root CA since it will not be signed by the Windows Store. The preferred thing to do would be to purchase a code-signing certificate from a company already in the default list of trusted Third-Party Root Certification Authorities (such as DigiCert Assured ID Code Signing certificate).  It should also be possible to use a self-issued certificate that belongs to the enterprise, albeit with a bit of extra work to install root CA certificates onto all of the target machines.

To set the certificate from within the Visual Studio project, simply double-click on the package.appxmanifest file, navigate to the “Packaging” tab, and then click the “Choose Certificate” button.

Next, the user’s machine must have an appropriate operating system.  Side Loading is NOT permitted on the edition of Windows 8.1 that is targeted for home users (known simply as Windows 8.1).  So, this currently means that the user’s machine must be running Windows RT 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, or Windows Server 2012.

Next, the machine must be configured to allow trusted apps to be installed.  This can be performed using the Group Policy Editor by setting “Allow all trusted apps to install” setting to “Enabled”:


Note: This Group Policy setting simply sets the following registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1

If the machine is running Windows 8.1 Enterprise, and is domain-joined, then it is all set to side-load applications.  Windows RT 8.1 and Windows 8.1 Pro machines must first perform a one-time activation of a Sideloading Product Key, which is acquired using volume licensing channels (sold in bulk, and costs roughly $30 per machine).

UPDATE: Microsoft will be allowing domain-connected 8.1 Pro machines to side-load applications just the same as 8.1 Enterprise. And, side loading product keys will be available for free from volume licensing, or for around $100 from Open License. You only need one product key per organization now, because they're unlimited.  See: http://blogs.windows.com/windows/b/springboard/archive/2014/04/03/windows-8-1-sideloading-enhancements.aspx

To install and activate the Sideloading Product Key on a machine, open a command prompt as Administrator, and then execute these commands:

  1. slmgr /ipk <unique 25-digit sideloading product key>
  2. slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e

Finally, Windows Store apps are installed per user, so the following needs to be repeated for each user that will log onto a given machine (or automated using Microsoft System Center 2012 Configuration Manager):

  1. Open the Windows Powershell prompt (i.e., type Powershell on the Start Screen and select Windows Powershell from the search results).
  2. Execute the following:
    Add-AppxPackage "C:\path\yourapp.appx"
  3. Visual Studio may have packaged your .appx as an .appxbundle, so substitute that file instead.  As a tip, when copying a file path from Windows Explorer, hold the Shift key when right-clicking on a file, and you’ll have an extra menu item called “Copy as Path” that will include the directory and filename all as one string. This can be pasted into the Windows Powershell window using a right-click.
  4. If the appx has a dependency, such as the WinJS library, then you must include this as part of the Add-AppxPackage command:
    Add-AppxPackage "C:\path\yourapp.appx" -DependencyPath "C:\path\Dependencies\Microsoft.WinJS.2.0.appx"


What can go wrong?

In short, there are a lot of things that can go wrong when side loading apps on Windows 8.1 – probably too many to document in a simple blog post.  However, here’s a couple of cryptic things that we experienced when trying to deploy an app for the first time:

Application would not install.  Error message:

Deployment failed with HRESULT: 0x80073CF9, Install failed. Please contact your software vendor. Deployment Add operation on Package … failed with error 0x8007000D.

Diagnosis and fix: It was found that JavaScript libraries that were installed using NuGet were saved using a Windows 1252 encoding.  HTML/JS apps need to have their JavaScript files saved using a UTF-8 with BOM encoding so that the scripts can be precompiled. 

Note: If Visual Studio 2013 is installed on a machine, then the appx would sideload just fine (resulting in me repeating over and over “But, it works on my machine!”) Without Visual Studio installed, this very descriptive error was encountered when my client attempted to sideload the appx.

To correct this, open each .js file in the Visual Studio project, then choose the “Advanced Save Options” item in the File menu.  Change the Encoding to “Unicode (UTF-8 with signature) – Codepage 65001”, then click “OK”.  Save the file, then rebuild the project.


Note: Running the appx through Windows App Cert Kit (WACK) will also point this out, but in my case, I had updated a NuGet package and thought I could get away without running the WACK tests again since they had previously passed, and my app was working just the same with the new updates.


Application installed without error, but would not launch. Red X on live tile. Event Log:

/Applications and Services Logs/Microsoft/Windows/Apps/Microsoft-Windows-TWinUI/Operational

Activation of the app …!App for the Windows.Launch contract was blocked with error 0x80073CFC because its package is in state: Modified.

Diagnosis and fix: This is what you will find when Sideloading has not been activated, either because a Sideloading Product Key was not installed, or the Windows 8.1 Enterprise machine is not domain-joined. 

For testing purposes, a developer or outside organization may have Windows 8.1 Enterprise from MSDN installed, but not domain-joined.  You cannot obtain Sideloading Product Keys from MSDN, so in order to test sideloading, that machine will need to be joined to a domain.  What I did for my standalone development machine (running Windows 8.1 Enterprise) was to create my own Active Directory on a Windows Azure virtual machine, and then perform an offline domain join using djoin.exe (http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx).