Events
May 19, 6 PM - May 23, 12 AM
Calling all developers, creators, and AI innovators to join us in Seattle @Microsoft Build May 19-22.
Register todaySideload line of business (LOB) apps
Sideloading apps is when you install apps that aren't from an official source, such as the Microsoft Store. Your organization can create its own apps, including line-of-business (LOB) apps. When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps.
To allow these apps to run on your Windows devices, you might have to enable sideloading.
Important
When you enable sideloading, you allow installing and running apps from outside the Microsoft Store. This action might increase security risks to the device and your data. Sideloaded apps need to be signed with a certificate that the device trusts.
Windows devices with sideloading enabled. You can enable it with a group policy or a mobile device management (MDM) provider like Microsoft Intune. You can also use the Settings app to manually turn on sideloading.
A trusted certificate that you assign to your app. Import the security certificate to the local device. This certificate allows the device to trust the app.
An app package that you sign with the same certificate.
Tip
Unlike in earlier versions, with Windows 10/11:
- License keys aren't required.
- Devices don't have to be joined to a domain.
You can sideload apps on managed or unmanaged devices.
A managed device typically means your organization owns it and applies policies based on business requirements. You manage it with on-premises group policy or a mobile device management (MDM) provider like Microsoft Intune. On managed devices, you can create a policy that turns on sideloading, and then assign this policy to targeted devices.
An unmanaged device means your organization doesn't manage it. These devices are typically personal devices that users own. Users can manually turn on sideloading with the Settings app.
If you're working on your own device, or if devices are unmanaged, use the Settings app. The experience differs between Windows 11 and Windows 10.
Note
If sideloading is blocked by an organizational policy, then users can't even manually enable sideloading.
Open the Settings app.
Go to System and select For developers.
Turn on the Developer mode setting.
Review the notice, and select Yes to continue.
Tip
If you don't see the setting in this location on your version of Windows, use the Find a setting option. Search for developer mode to quickly jump to its location.
Open the Settings app.
Go to Update & Security and select For developers.
Turn on the option to Sideload apps.
Review the notice, and select Yes to continue.
If you use group policy, use the following policies to enable or prevent sideloading apps:
Path: Computer Configuration\Administrative Templates\Windows Components\App Package Deployment
- Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
- Allow all trusted apps to install
By default, the OS might set these policies to Not configured, which means app sideloading is turned off. If you set these policies to Enabled, then users can sideload apps.
When you use Microsoft Intune, you can enable sideloading apps on managed devices. For more information, see the following articles:
- Sign line-of-business apps so they can be deployed to Windows devices with Intune
- App Store device settings to allow or restrict features using Intune
Other MDM servers can implement similar behaviors using the ApplicationManagement policy CSP.
This step installs the app certificate to the local device. Installing the certificate creates the trust between the app and the device.
Open the Properties for the app package.
Go to the Digital Signatures tab.
Select the certificate, and select Details to open the digital signature details window.
Select View Certificate to open the certificate window.
Select Install Certificate to launch the certificate import wizard.
On the Certificate Import Wizard, select Local Machine. This action might require an administrator to elevate.
Continue the process to import the certificate into the Trusted Root Certification Authorities store.
Note
There are other methods to install and manage certificates on devices. For example, with group policy or a provisioning package.
After you enable sideloading and import the certificate, there are multiple methods you can use to install the app on devices.
Manually open the
.msixor.appxpackage in Windows Explorer.Distribute an MSIX app over the network with a web-based app installer. For more information, see Install Windows apps from a web page.
Use the Windows PowerShell
Add-AppxPackagecmdlet. For more information, see Add-AppxPackage.
Learn about the private app repository in Windows 11 with the Company Portal and Microsoft Intune.
For more information on sideloading, see the following articles on Windows app development:
Additional resources
Training
Module
Provide apps to users - Training
In this module, you will learn about traditional app-deployment methods, as well as methods that you can use to help to automate app deployment.
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.