Sideload line of business (LOB) apps
Sideloading apps is when you install apps that aren't from an official source, such as the Microsoft Store. Your organization can create its own apps, including line-of-business (LOB) apps. When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps.
To allow these apps to run on your Windows devices, you might have to enable sideloading.
Important
When you enable sideloading, you allow installing and running apps from outside the Microsoft Store. This action might increase security risks to the device and your data. Sideloaded apps need to be signed with a certificate that the device trusts.
Prerequisites
Windows devices with sideloading enabled. You can enable it with a group policy or a mobile device management (MDM) provider like Microsoft Intune. You can also use the Settings app to manually turn on sideloading.
A trusted certificate that you assign to your app. Import the security certificate to the local device. This certificate allows the device to trust the app.
An app package that you sign with the same certificate.
Tip
Unlike in earlier versions, with Windows 10/11:
- License keys aren't required.
- Devices don't have to be joined to a domain.
Step 1: Turn on sideloading
You can sideload apps on managed or unmanaged devices.
A managed device typically means your organization owns it and applies policies based on business requirements. You manage it with on-premises group policy or a mobile device management (MDM) provider like Microsoft Intune. On managed devices, you can create a policy that turns on sideloading, and then assign this policy to targeted devices.
An unmanaged device means your organization doesn't manage it. These devices are typically personal devices that users own. Users can manually turn on sideloading with the Settings app.
User interface
If you're working on your own device, or if devices are unmanaged, use the Settings app. The experience differs between Windows 11 and Windows 10.
Note
If sideloading is blocked by an organizational policy, then users can't even manually enable sideloading.
Windows 11 setting
Open the Settings app.
Go to System and select For developers.
Turn on the Developer mode setting.
Review the notice, and select Yes to continue.
Tip
If you don't see the setting in this location on your version of Windows, use the Find a setting option. Search for developer mode to quickly jump to its location.
Windows 10 setting
Open the Settings app.
Go to Update & Security and select For developers.
Turn on the option to Sideload apps.
Review the notice, and select Yes to continue.
Group policy
If you use group policy, use the following policies to enable or prevent sideloading apps:
Path: Computer Configuration\Administrative Templates\Windows Components\App Package Deployment
- Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
- Allow all trusted apps to install
By default, the OS might set these policies to Not configured, which means app sideloading is turned off. If you set these policies to Enabled, then users can sideload apps.
MDM
When you use Microsoft Intune, you can enable sideloading apps on managed devices. For more information, see the following articles:
- Sign line-of-business apps so they can be deployed to Windows devices with Intune
- App Store device settings to allow or restrict features using Intune
Other MDM servers can implement similar behaviors using the ApplicationManagement policy CSP.
Step 2: Import the security certificate
This step installs the app certificate to the local device. Installing the certificate creates the trust between the app and the device.
Open the Properties for the app package.
Go to the Digital Signatures tab.
Select the certificate, and select Details to open the digital signature details window.
Select View Certificate to open the certificate window.
Select Install Certificate to launch the certificate import wizard.
On the Certificate Import Wizard, select Local Machine. This action might require an administrator to elevate.
Continue the process to import the certificate into the Trusted Root Certification Authorities store.
Note
There are other methods to install and manage certificates on devices. For example, with group policy or a provisioning package.
Step 3: Install the app
After you enable sideloading and import the certificate, there are multiple methods you can use to install the app on devices.
Manually open the
.msix
or.appx
package in Windows Explorer.Distribute an MSIX app over the network with a web-based app installer. For more information, see Install Windows apps from a web page.
Use the Windows PowerShell
Add-AppxPackage
cmdlet. For more information, see Add-AppxPackage.
Next steps
Learn about the private app repository in Windows 11 with the Company Portal and Microsoft Intune.
For more information on sideloading, see the following articles on Windows app development: