Create Windows applications in Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

In addition to the other Configuration Manager requirements and procedures for creating an application, also take the following considerations into account when you create and deploy applications for Windows devices.

General considerations

Configuration Manager supports the deployment of Windows app package (.appx) and app bundle (.appxbundle) formats for Windows 8.1 and Windows 10 devices.

Starting in version 1806, Configuration Manager also supports the new Windows 10 app package (.msix) and app bundle (.msixbundle) formats. The latest Windows Insider Preview builds currently support these new formats.

When you create an application in the Configuration Manager console, select the application installation file Type as Windows app package (*.appx, *.appxbundle, *.msix, *.msixbundle). For more information, see Create applications.


To take advantage of new Configuration Manager features, first update clients to the latest version. While new functionality appears in the Configuration Manager console when you update the site and console, the complete scenario isn't functional until the client version is also the latest.

Provision Windows app packages for all users on a device

Starting in version 1806, provision an application with a Windows app package for all users on the device. One common example of this scenario is provisioning an app from the Microsoft Store for Business and Education, like Minecraft: Education Edition, to all devices used by students in a school. Previously, Configuration Manager only supported installing these applications per user. After signing in to a new device, a student would have to wait to access an app. Now when the app is provisioned to the device for all users, they can be productive more quickly.


Be careful with installing, provisioning, and updating different versions of the same Windows app package on a device, which may cause unexpected results. This behavior may occur when using Configuration Manager to provision the app, but then allowing users to update the app from the Microsoft Store. For more information, see the next step guidance when you Manage apps from the Microsoft Store for Business.

When provisioning an offline licensed app, Configuration Manager doesn't allow Windows to automatically update it from the Microsoft Store.

Configuration Manager supports app provisioning on the following versions of Windows:

  • Install action: Windows 10, version 1607 and later
  • Uninstall action: Windows 10, version 1703 and later

To configure a Windows app deployment type for this feature, enable the option to Provision this application for all users on the device. For more information, see Create applications.


If you need to uninstall a provisioned application from devices to which users have already signed on, you need to create two uninstall deployments. Target the first uninstall deployment to a device collection that contains the devices. Target the second uninstall deployment to a user collection that contains the users who have already signed on to devices with the provisioned application. When uninstalling a provisioned app on a device, Windows currently doesn't uninstall that app for users as well.

Support for Universal Windows Platform (UWP) apps

Windows 10 devices don't require a sideloading key to install line-of-business apps. To enable sideloading on Windows, however, the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps must have a value of 1.

If you don't configure this registry key, Configuration Manager automatically sets this value to 1 the first time you deploy an app to the device. If you've set this value to 0, Configuration Manager can't automatically change the value, and your line-of-business app deployment fails.

Digitally sign UWP line-of-business apps. Use a code-signing certificate that's trusted on each device to which you deploy the app. Use certificates from your organization's PKI, or purchase a certificate from a third-party provider whose public root certificate is already trusted by Windows.

To sign mobile app packages, use the following table to determine the type of code-signing certificate to use:

Package Symantec Non-Symantec
Universal .appx packages on Windows 10 Mobile devices Yes Yes
.xap packages Yes No
.appx packages built for Windows Phone 8.1 to install on Windows 10 Mobile devices Yes No

Deploy Windows Installer apps to MDM-enrolled Windows 10 devices

The Windows Installer through MDM (*.msi) deployment type lets you create and deploy Windows Installer-based apps to MDM-enrolled devices running Windows 10.

When you use this deployment type, consider the following points:

  • Only upload a single file with the MSI extension.

  • Configuration Manager uses the file's product code and product version for app detection.

  • Windows uses the app's default restart behavior. Configuration Manager doesn't control the app restart behavior.

  • Per-user MSI packages are installed for a single user.

  • Per-machine MSI packages are installed for all users of the device.

  • Configuration Manager supports app updates. The MSI product code of each version must be the same.