Troubleshooting Windows app package deployment on Windows 8 with ConfigMgr 2012

This week I was planning to write a post about deploying a Windows app package (.appx) on Windows 8, until I saw that Keith Mayer had just posted a Step-by-Step for that. As that post is already very complete from a ConfigMgr perspective, I changed my original plan and will cover troubleshooting the deployment of a Windows app package (.appx) on Windows 8 instead. The deployment of a Windows app package (.appx) on Windows 8 requires two specific settings, and in this post I will describe those settings and the errors that appear when they are forgotten.

Import the root certificate as a Trusted Root Certification Authority

The first setting is that the app package has to be signed with a certificate chain that can be validated by the local computer. In other words, the root certificate has to be trusted by the local computer. When this is not configured correctly, both AppDiscovery.log and AppEnforce.log will show error 800B0109. The nice thing is that AppEnforce.log also indicates what the problem is; see this log snippet (followed by a picture of the complete error in the log):

In-line script returned error output: Add-AppxPackage : Deployment failed with HRESULT: 0x800B0109, A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109) error 0x800B0109: The root certificate of the signature in the app package must be trusted.

[Screenshot: the complete 0x800B0109 error in AppEnforce.log]

The easiest way to import the root certificate correctly on all computers is by using Group Policy. To configure this, follow these steps:

  • Open the Group Policy Management Editor and navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies.
  • Right-click Trusted Root Certification Authorities, select Import… and the Certificate Import Wizard will show.
    • On the Welcome page, click Next.
    • On the File to Import page, Browse to the certificate and click Next.
    • On the Certificate Store page, click Next.
    • On the Completion page, click Finish.

Allow all trusted apps to install

The second setting is that the local computer is allowed to install trusted app packages that do not originate from the Windows Store. When this is not configured correctly, both AppDiscovery.log and AppEnforce.log will show error 80073CFF. The nice thing is that AppEnforce.log again indicates what the problem is, even though it's a bit more cryptic this time; see this log snippet (followed by a picture of the complete error in the log):

In-line script returned error output: Add-AppxPackage : Deployment failed with HRESULT: 0x80073CFF, To install this application you need either a Windows developer license or a sideloading-enabled system. (Exception from HRESULT: 0x80073CFF) Deployment of package bc25cdcc-f901-4f91-91a7-55a74a247376_1.0.0.0_neutral__tbz3402trp7yy failed because no valid license or sideloading policy could be applied. A developer license (http://go.microsoft.com/fwlink/?LinkId=233074) or enterprise sideloading configuration (http://go.microsoft.com/fwlink/?LinkId=231020) may be required.

[Screenshot: the complete 0x80073CFF error in AppEnforce.log]

Here, too, the easiest way to allow all trusted apps to install on all computers is by using Group Policy. To configure this, follow these steps:

  • Open the Group Policy Management Editor and navigate to Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ App Package Deployment.
  • Double-click Allow all trusted apps to install, select Enabled and click OK.

Note: An app package only counts as a trusted app package once the (root) certificate that was used for signing it is trusted.
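
Both prerequisites can also be checked on a client before deploying. The script below is an added example, not part of the original post or of ConfigMgr: it builds the signer's certificate chain in machine context and reads the policy value behind Allow all trusted apps to install. It assumes that this Group Policy setting writes AllowAllTrustedApps under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx; $PackagePath is a parameter supplied by the caller.

```powershell
# Added example: pre-flight check for the two settings described in this post.
param([Parameter(Mandatory = $true)][string]$PackagePath)

# Setting 1: the signing chain must end in a root trusted by the local computer.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
$rootTrusted = $false
$chainStatus = @('NoSignerCertificate')   # constructed label, used only when the package is unsigned
if ($sig.SignerCertificate) {
    # -ArgumentList $true selects machine context, so only computer-wide trust counts.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Revocation is skipped; this check is about root trust only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    # UntrustedRoot: root is not in Trusted Root Certification Authorities.
    # PartialChain: an issuer certificate could not be found locally.
    $rootTrusted = ($chainStatus -notcontains 'UntrustedRoot') -and
                   ($chainStatus -notcontains 'PartialChain')
}

# Setting 2: the sideloading policy (path and value name are the assumption stated above).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
$sideloading = ($null -ne $policy) -and ($policy.AllowAllTrustedApps -eq 1)

# Map each failed check to the error code the logs would show.
$expected = @()
if (-not $rootTrusted) { $expected += '0x800B0109' }
if (-not $sideloading) { $expected += '0x80073CFF' }

[pscustomobject]@{
    Package            = $PackagePath
    SignatureStatus    = $sig.Status
    RootTrusted        = $rootTrusted
    ChainStatus        = ($chainStatus -join ', ')
    SideloadingEnabled = $sideloading
    ExpectedErrors     = ($expected -join ', ')
}
```

An empty ExpectedErrors value means neither of the two errors from this post should appear for that package on that computer.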
