Improve Windows Enterprise Application Deployment Reliability and Security using MSIX
Last year, Microsoft announced a new open source packaging format called MSIX at its Windows Developer Day. MSIX replaces Windows Installer (MSI) and the APPX packaging format previously used for Store apps. Microsoft says that MSIX is ‘a complete containerization solution and it inherits all the great features in UWP and most importantly, it applies to all Win32, WPF, Windows Forms, and UWP applications.’
MSIX isn’t entirely new as it uses elements from Windows Installer (MSI) while providing modern features of the Universal Windows Platform (UWP), like robust updating, a managed security model with flexible capabilities, containerization, support for the Microsoft Store, enterprise management, and custom distribution models. MSIX support debuted in Windows 10 version 1809 and enterprise support was later added in versions 1709 and 1803.
Why Ditch Legacy Windows Installer Technologies?
Windows has never provided a robust package manager like those available for Linux. At least not until now. Windows Installer is used to package most legacy win32 apps, but it is not as reliable or secure as the technology used for Microsoft Store apps, which get more reliable delivery methods and containerization to improve security and operating system reliability. Switching to MSIX makes it easier for enterprises to keep their apps up-to-date, reduces cost of ownership, and improves security and reliability.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Microsoft says that MSIX provides a more reliable install experience with a success rate of 99.96% and that uninstall is 100% guaranteed. I don’t know how many times I’ve come across legacy applications that refuse to uninstall and we all know that without the isolation that containerization gives apps from each other and the underlying OS, Windows rot degrades OS performance over time and applications can interfere with each other. Furthermore, MSIX is more efficient than MSI with significant speed improvements and efficient use of network bandwidth, only downloading what has changed. Disk footprint is also reduced as Windows manages shared files across apps to remove duplicate files.
Because of the way MSIX is designed, packages can be distributed from any source, including the Microsoft Store; and deployed on any supported edition of Windows, counting Windows 7 and Windows 8.1, but more on that later. Deployment is supported in Microsoft Intune and System Center Configuration Manager (SCCM), plus there is PowerShell support for managing MSIX apps. If you already use third-party software for application packaging, most of the big names already support MSIX, including Flexera, Advanced Installer, and InstallAware. And just like MSI before it, enterprises can use application control, like AppLocker and Windows Defender Application Control (Device Guard), to block MSIX apps in Windows.
Latest Investments in MSIX
Microsoft is aiming to release updates for MSIX every three months, with as many of the features being OS-version independent as possible. Some of the features Microsoft has added this year include support for applications that require restarts during installation, conversion on remote machines, and an improved management experience in the MSIX Packaging Tool.
The October Insider Preview release of the packaging tool brings a preview for integration with Device Guard signing, a feature that gives organizations a single place where they can sign catalog files and code integrity policies. While the MSIX Packaging Tool provides other methods for signing packages, like an enterprise certification authority (CA) and third-party CAs, Device Guard signing makes it easier for developers to quickly sign apps without needing to pay for third-party certificates or request a certificate from IT.
MSIX Core Supports Windows 7 and Windows Server
MSIX was primarily designed for Windows 10 but Microsoft understands that to increase adoption in the enterprise, MSIX packages need to work on other versions of Windows. So, to that end, Microsoft is porting some of MSIX’s features back to Windows 7, Windows 8.1, Windows Server 2008, 2012, and 2016 versions. Just like MSIX, Core is open source and available on GitHub.
As MSIX Core is not built-in to down-level versions of Windows, Microsoft will make Core available as an MSI file so that it can be distributed using existing management systems, like SCCM. It’s also worth noting that because Windows 7 doesn’t have the containerization technology that’s built-in to Windows 10, when you install an MSIX package, it installs much like an existing MSI. Microsoft plans to ship MSIX Core before the end of 2019.
New MSIX Features in 2020 and Beyond
In the coming year, Microsoft is planning to improve MSIX with support for installing system services, although that will require Windows 10 version 2004 (20H1). And despite that MSIX already has built-in technology to distribute updates to applications with only the file information that has changed to optimize use of network bandwidth, Microsoft is planning to go one step further and add support for Windows 10 Delivery Optimization, the peer-to-peer networking feature that Windows Update uses to reduce the bandwidth for downloading cumulative and feature updates.
Finally, Microsoft is adding a feature called MSIX app attach that will allow applications to share one container along with the ability to group applications together so that they can be deployed at the same time, like what is available today with App-V connection groups. MSIX app attach will require Windows 10 version 2004.