🟡 Medium   ⏱ 5–30 min  Last verified: 04 June 2027
Affected versions: Windows Server 2016

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

MSIX deployment on Windows Server 2016 with Desktop Experience fails because AppLocker or a GPO blocks the publisher signature.

Environment & Reproduction

Reproduces when distributing line-of-business MSIX bundles to admin workstations governed by application allow-list policy.

Add-AppxPackage .App.msix

Root Cause Analysis

AppLocker default deny rules or Software Restriction Policies reject MSIX packages whose publisher hash is not whitelisted.

Quick Triage

Inspect AppLocker events and applied policy to confirm the rule blocking the install.

Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 20
Get-AppLockerPolicy -Effective -Xml

Step-by-Step Diagnosis

Run the MSIX in audit mode to identify which rule denies it.

Set-AppLockerPolicy -XmlPolicy audit.xml
Add-AppxPackage .App.msix
Illustrative mockup for windows-server-2016 — terminal_or_powershell
Diagnostic output for packaging/msix-gpo-blocked — Illustrative mockup — Progressive Robot

Solution — Primary Fix

Author a publisher allow rule for the signed MSIX and re-deploy the policy.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

$pkg = Get-AppLockerFileInformation .App.msix
New-AppLockerPolicy -FileInformation $pkg -RuleType Publisher -User Everyone | Set-AppLockerPolicy -Merge
Illustrative mockup for windows-server-2016 — error_dialog
Resolution for packaging/msix-gpo-blocked — Illustrative mockup — Progressive Robot

Solution — Alternative Approaches

Sideload through the Intune or SCCM channel where MSIX policies are pre-staged with correct publisher trust.

Add-AppxProvisionedPackage -Online -PackagePath .App.msix -SkipLicense

Verification & Acceptance Criteria

Get-AppxPackage shows the application installed and launches succeed under standard users.

Get-AppxPackage *App* | Select Name,Status

Rollback Plan

Remove the new publisher rule if it grants too broad access.

# Edit AppLocker XML and remove the rule, then reapply via GPO

Prevention & Hardening

Define MSIX publisher rules upfront and align them with code-signing certificates used by internal builds.

Get-AppLockerPolicy -Effective | Format-List

Related: SmartScreen Defender Application Control denials, Sideloading apps policy, and certificate chain validation failures.

Related tutorial: View the step-by-step tutorial for Windows Server 2016.

View all Windows Server 2016 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn documentation for MSIX deployment, AppLocker rules, and Windows Defender Application Control.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.