How does IT sideload apps in Windows 10?

There are certain cases that make sense for IT to sideload LOB apps to prevent them from reaching the Microsoft Store. Here's how to successfully perform the process.

IT can sideload apps onto Windows 10 desktops to avoid putting them in the app store, but there are a few limitations in the process.

Many Windows 10 applications running on enterprise desktops are based on the Universal Windows Platform (UWP). As a result, they are available through the Microsoft Store.

IT teams can also submit UWP line-of-business (LOB) apps to the Microsoft Store to take advantage of the platform's ecosystem and to make those apps available outside of their organizations.

In some cases, however, IT wants to keep LOB apps exclusively within the organization. For example, the apps might still be under development, or they might carry out sensitive operations. In addition, IT might simply not want to go through the effort of adding apps to the Microsoft Store if there's no advantage in doing so.

In such cases, IT can sideload LOB apps onto managed Windows 10 desktops, using either PowerShell or the Deployment Image Servicing and Management (DISM) utility. DISM is a command-line tool for mounting and servicing Windows images that IT can deploy to multiple desktops.

How to sideload apps in Windows 10

Administrators can only sideload UWP app packages, not traditional Windows applications.

Administrators can only sideload UWP app packages, not traditional Windows applications. In addition, the Microsoft Store cannot sign or certify those apps, which means users cannot download them from the store. Plus, each sideloaded app must be cryptographically signed, and the Windows desktops must trust the signing certificate.

IT must also configure users' desktops to sideload apps in Windows 10. Individual users can enable sideloading on their own systems if permitted, but most organizations likely want to use Group Policy to configure domain-joined desktops in bulk. If IT pros use Group Policy, they should enable the policy setting 'Allow all trusted applications' to install and push it to their users. A computer does not have to be joined to a domain to support app sideloading, however.

After IT enables the desktops for sideloading, users or administrators can use PowerShell to add app packages to individual computers. PowerShell includes a set of cmdlets to work with UWP apps. For example, IT can use the add-appxpackage cmdlet to install a signed app package on a Windows desktop. PowerShell also provides cmdlets to remove and inventory UWP apps, as well as perform other UWP-related tasks.

Rather than add apps to individual computers, IT pros can use DISM to install the app packages on a Windows image. They can provision up to 24 LOB apps to an image, either before or after deploying the image. They should ensure users are logged off of their desktops before running the applicable DISM commands. IT pros can also use PowerShell to install apps on an image after they deploy it.

The ability to sideload apps in Windows 10 can be a useful tool for organizations, especially when developing and testing their own apps. Enabling desktops for sideloading can open those systems up to security risks if administrators don't carefully control what apps are installed and trusted, however. IT must take great care before deciding to sideload LOB applications.

Dig Deeper on Windows OS and management

Virtual Desktop