FLexxBlog: Automating MSIX Packaging With PowerShell

Automating MSIX Packaging With PowerShell

by | Mar 23, 2022 | Blog, FlexxWorkspaces, PowerShell

Part 1 – Creating the Packaging Environment (via PowerShell)


Microsoft’s combined replacement for MSI installation packages and App-V application virtualization is, or rather will eventually be, MSIX. There are a plethora of articles on the topic of MSIX out there so I will not go into details here in order to keep this article, and subsequent ones, focus on the topic in hand which is how to create and deploy applications via MSIX packages via scripts.

This is the first of a series of posts that cover the lifecycle of MSIX packaged apps from creating an MSIX packaging environment, through to creating MSIX packages of applications, such as Google Chrome, and to deploying them through mechanisms such as MSIX App Attach. All through the goodness of Windows PowerShell.

Installing the Packaging Tool

If you are familiar with sequencing/packaging applications for App-V, the manual process is very similar for MSIX and you will need the MSIX Packaging Tool which is available from the Microsoft Store. Great, but what if I want to package and deploy on Server 2019, where there is no Windows Store? When I was researching an automated/scripted way to provision the packaging machine I stumbled across this web site which generates URLs for download of the packages, from microsoft.com, which can be subsequently installed using Add-AppxPackage. A quick bit of web debugging (F12 to get developer tools up to see the requests) and I figured out how to use their API to get download links for specific packages and, naturally, I wrote a PowerShell script that utilises it which is available for download here. This allows the MSIX packaging tool to be downloaded and installed on Server 2019 – details on MSIX support on Server 2019 can be found here.

To download the 64 bit installation package with this script, use this command line:

& ‘.\Get Store Downloads.ps1’ -packageFamilyName Microsoft.MsixPackagingTool_8wekyb3d8bbwe -downloadFolder C:\store-apps -excludeRegex ‘_arm__|_x86__|_arm64__’

Where the package will be saved to the c:\store-apps folder which will be created if it does not already exist. The script can be run with -verbose if you want to see more detail of what is being done, excluded, etc. Note that the package family name will not change as the “_8wekyb3d8bbwe” on the end of the string is a hash of the vendor so appears in most AppX packages from Microsoft.

The script outputs objects to the pipeline for what it has downloaded so that these can be used in a script to get the file name(s) of the downloaded packages that need to be installed:

Alternatively the package can be manually installed thus:

Add-AppxPackage -Path “C:\store-apps\Microsoft.MsixPackagingTool_2022.110.441.0_neutral_~_8wekyb3d8bbwe.msixbundle” -Confirm:$false -ForceUpdateFromAnyVersion -InstallAllResources

As with the App-V sequencing tool, it is strongly recommended that it is installed into a clean virtual machine which can be rebuilt (automatically) or restored from snapshot once an application has been packaged.

Note that the version numbering in the msixbundle file may be different since that will change with newer versions although the parameters to the script to download it will not.

Be aware that the MSIX packaging tool will not be shown in the (legacy) Programs and Features control panel applet (appwiz.cpl) but it will appear in Apps & Features

Packaging Tool Driver Installation

The MSIX packaging tool uses a device driver to determine what has been installed during the packaging. This can be installed during the packaging but it is usually a slow process so it is best to install it once, in your base image. When running the GUI for the packaging tool, it will check for the presence of the driver and install it if it is not already present. Note that installation of the driver, whether by the GUI or script, utilises the Windows Update service and as such the installation will fail if the service is disabled.

The driver is installed by using the Deployment Image Servicing and Management tool (dism) which can be achieved with the following PowerShell, run elevated, where the first dism command finds the MSIX driver, in case its name has changed, and the second dism installs it where the Selec-String cmdlet has used a regular expression (regex) with a matching group to isolate the driver name that needs to be passed to the dism /add-capability command.

dism /online /Get-Capabilities | Select-String -pattern ‘(\bmsix\.PackagingTool\.Driver\b.*$)’ |Select-Object -ExpandProperty Matches|Select-Object -ExpandProperty Value| ForEach-Object { dism /online /add-capability /capabilityname:$_ }

There are also PowerShell cmdlets for working with Windows capabilities in the “Dism” PowerShell module.

Code Signing Certificate

MSIX packages should be signed with a valid, not expired, code signing certificate and to this end, I chose to install the certificate into the certificate store on the packaging machine which obviates the need to pass the certificate password in plain text to signtool.exe, which is included with the MSIX packaging tool, when the MSIX package is signed (which will be covered in the next post).

The import of this certificate to the correct store can be scripted using Import-PfxCertificate and observe how I use a PSCredential object from Get-Credential to avoid passing a plain text password on the command line which is something I avoid at all cost for security reasons.

The argument to -Password is of a Secure String type and can be stored in a local file via Export-Clixml of a PScredential object and later assigned to a variable via Import-Clixml and that used for the certificate import like this:

Note that the password stored in the output file can only be decrypted/used by the user that created the PScredential object on the same machine. Here is an example showing a local admin user on the same machine trying to retrieve the password previously stored by a different user:


In this article, we have seen how a machine can be prepared for packaging of applications in MSIX format and specifically how this can be automated. Couple this with the automated building of a fresh packaging virtual machine, such as through Azure ARM templates, or using a hypervisor’s native ability to produce revertible snapshots, we have a solid base we can use for packaging applications.

The next post in this series will show how we can package applications into MSIX via a flexible, automated process requiring no manual intervention.

Download Script

Guy Leech


Guy has been working with products from Citrix, Microsoft, and others for over 25 years during which time he has worked for software vendors, Citrix partners, start-ups, and most recently, himself. Having been a software developer, he specializes in using PowerShell for not just automation in the EUC space but also for troubleshooting, producing many scripts which he shares via GitHub and Twitter, along with tips ’n’ tricks, and also presents at many events/conferences. He is currently a Microsoft MVP, VMware vExpert, Citrix CTP, and Parallels Very Important Parallels Professional (VIPP) and invented and wrote the product that is now Ivanti Application Control, a desktop-oriented security tool.

Hybrid Initiatives

» Desktop as a Service

» Internet Explorer

» Education

» Healthcare

» Financial and Insurance Services

» Manufacturing

» Public Sector

Flexxible IT | Simplify Citrix with FlexxDesktop DaaS

FlexxDesktop + Internet Explorer →


» FlexxDesktop Essentials

» FlexxWorkspaces

Why Flexxible

Flexxible IT | Simplify Citrix with FlexxDesktop DaaS

Flexxible + Citrix →


Resource Center

Flexxible IT | Blog

Read More →



About Us


» Citrix

» Kyndryl



Kyndryl + Flexxible IT | Digital Workplace Services

Flexxible + Kyndryl →