Deploy a LOB “Modern” Windows 8 Application: Part 2

This is the second in a two-part series about deploying an in-house Windows 8 Modern application. The first part was an introduction to these new apps, the difference between these new apps and desktop apps, and sideloading an app vs. using AD. In this part of the series, we will build a sample app, I will illustrate how to sign it with a certificate, and finally how to deploy it using PowerShell and Configuration Manager 2012 SP1.

Before beginning this article, you will need Visual Studio Express 2012 for Windows 8 (available here: and the Windows Software Development Kit for Windows 8 (available here: To really understand the exercise, you should have a basic knowledge of Visual Studio.

Creating the Modern App

After you have Visual Studio Express for Windows 8 installed, launch the program. Select “New Project” under the Start column on the left. Select “JavaScript” from the left pane, then select “Blank App” from the middle pane. In the bottom on the window, give your app a Name and press OK.

When the solution loads, select the “Default.html” object from the solution explorer. This opens the object. Type in “Hello World” in the space that says “Content goes here”.

This is just a basic app that will display one line of text. Now we need to compile the app. To do this, go to the “Store” toolbar item, and select “Create App packages…”. Select “No” on the first screen (we do not want to upload this to the Windows Store), keep all of the defaults on the second screen, and click “Create”. The next screen will to appear will tell you where your application is stored.

Navigate to that location, and go into the folder. There is the appx file and the certificate that you need to deploy it.

Signing Your App

When you create your app, Visual Studio creates a certificate and signs the app with it. Most organizations should, however, have a code-signing certificate already. You can use this certificate to sign the app, so that you have a certificate from a CA instead of one that Visual Studio created on the fly. This certificate must be a code-signing certificate and be in a .pfx format. There are two ways to sign an app with a different certificate.

The first way is to change the certificate in Visual Studio. To do this, open the package.appxmanifest object in the Solution Explorer of Visual Studio and select the “Packaging” tab. In the middle of the screen is a Publisher option.

To change the certificate, click on the “Choose Certificate” button.

Next, click on Configure Certificate, and either add yours from your certificate store, or from a file. Next, click OK, then recreate the package using the steps above. Now your app is signed with a company certificate instead of a test certificate.

The second way to sign a certificate with a company certificate is to use signtool.exe. This tool comes with the Windows Software Development Kit for Windows 8. You can find this tool in “C:\Program Files (x86)\Windows Kits\8.0\bin\x86” (or Program Files if you are running a 32-bit OS). Open a command prompt in this folder by holding SHIFT and right-clicking in the window and selecting “Open command windows here”. This opens a command prompt from your current location. In the command prompt, type:

signtool.exe sign /f /p

Here’s an example:

signtool.exe sign /f C:\mycert.pfx /p Abc12345 C:\App3.appx

Deploying your App’s Certificate

Before deploying your app, the certificate that was used to sign it must be in the Trusted Root Certification Authorities certificate store. You can deploy the certificate using group policy or with the certificate manager.

To deploy the certificate using group policy, open your GPO and navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. Right-click and select “Import” and go through the wizard. On your client machines, run “gpupdate /force” to update group policy prior to testing your app.

To import your certificate using the certificate manager, go to Start>Run and type mmc. This brings up an empty Microsoft Management Console. In the File menu, select “Add/Remove Snap-in”. From this window, select “Certificates”, and then click Add in the middle of the window. Select “Computer account” from the pop-up. Now click OK to add the snap-in to the empty MMC.

You must add the snap-in in this fashion to add a certificate at the computer level. If you open Run and just type certmgr.mmc, it launches the certificate manager for the current user, and not the computer.

After you have your snap-in, right-click on Certificates (under Trusted Root Certification Authorities), select “All Tasks”, and then “Import”. Run through the wizard to add your certificate to the store.

Deploying your App

The first way to install a Modern app on Windows 8 is to use PowerShell. It is a very simple command:



Add-AppxPackage C:\app3.appx

Using this method installs the app for the logged-on user. To install the app for the entire machine, run this command:

Add-AppxProvisionPackage -online -folderpath


Add-AppxProvisionPackage -online -folderpath C:\app3.appx

To deploy it with Configuration Manager 2012 SP1, navigate to the “Software Library” node of the console. Expand “Application Management”, then Applications. Click “Create Application” for the ribbon. In the drop-down box, select “Windows app package (.appx file)”.

Browse to the location of the appx file, then click “Next”. Note that you must copy the entire package directory from your computer to your file share. The app must have access to the “Dependencies” directory. Go through the rest of the wizard to set up a name for your app and to configure it. Now the app will deploy just like any other application. It, however, can only be deployed to users. It CANNOT be deployed to devices. When these apps install from Software Center, they install on a per-user basis, and not per machine. If you deploy them from a task sequence during imaging, they will install for the machine.


These app types are coming, so system administrators need to be aware of them. There are still several issues with Modern apps that Microsoft needs to work out, but these apps are the way of the future. Two issues are only deploying them to the machine during imaging and how the tiles show up. I hope this series of articles increased your understanding of these apps and how they work.



Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.