Distribute enterprise apps to Windows devices

To add an enterprise app to the Hexnode app inventory:

1. Log in to your Hexnode portal.
2. Navigate to Apps.
3. Select +Add Apps > Enterprise App.
4. Choose the platform as Windows.
5. Provide the App Name.
6. You can either upload with:
   • MSI file: Click on Choose the MSI File and select a file from the system.

   Or

   • MSIX file: Click on Choose the MSIX File and select a file from the system.

   Or

   • EXE file: Click on Choose the EXE File and select a file from the system.

   Or

   • From Manifest URL: Enter the URL to the app and its version. Note that only apps with the .msi extension are supported for installation.
   Notes:

   • Upon successfully uploading an MSI file to the Hexnode app inventory, the App version and Installer identifier will be extracted automatically from the package.
     
   • Using From Manifest URL will parse the app identifier and version after the MSI app is installed on the device.

7. Select an app category or input a new category by clicking on the + button.
8. Provide a description for the application and click Add to upload the file.
9. App Version: Specify the app version for MSIX/EXE files.
10. SHA-256 Checksum: Hexnode uses the SHA-256 checksum to ensure that the apps are not corrupted while uploading them to the portal and deploying them to devices. Provide the SHA-256 checksum(hash) of the file to verify the file integrity before distribution. If left blank, Hexnode UEM will skip the file verification.
11. If it’s an MSI file, specify the device location where the MSI file should be installed. For example, C:\Program Files.
    Notes:

    • Deployment of apps added to the Hexnode app inventory via From Manifest URL without the SHA-256 Checksum will fail on devices without the Hexnode agent app installed.
    • Only Windows 11 support MSI app installation on devices without the Hexnode agent app.
    • The location for app installation depends on the MSI build unless the installation path is specified here.
    • The install location for some applications may be app-specific. As a result, specifying a different installation path will have no effect.
    • If the app has been previously installed, and later uninstalled from the device, the app will reinstall at the initial location even if a different installation path is provided.

12. While uploading the MSI/MSIX/EXE file, you can check the Notify admin via email once app upload succeeds/fails option to receive the email notifications on the app upload status.
13. For MSIX and EXE files, you must define success criteria, with at least one being mandatory while uploading the file. As for MSI files, success criteria must be configured after uploading the file to the Hexnode app inventory.
    

    Success Criteria

    Disclaimer:

    • The success criteria being configured in Hexnode to determine the app installation status are entirely at the administrator’s discretion. If incorrect values or conditions are set, it could result in issues detecting the app deployment status.
    • The installation behavior depends also on the app package. It’s recommended to validate the app deployment behaviour before executing the action in bulk.

    Defining a success criterion for installation allows administrators to validate specific app parameters after installation and detect inconsistencies. Success criteria include parameters such as app identifiers, registry paths, and app paths, which confirm whether an app is correctly installed. If the set criteria are met, the app is considered successfully installed, even if discrepancies exist in the enterprise file. Administrators can verify this directly from the console.

    The Required Apps policy in Hexnode ensures that a specified application remains installed on the device. It periodically checks for the app’s presence and reinstalls it if found missing.

    For instance, in the case of MSI apps, the policy relies on the app identifier and version—both extracted from the MSI file and the installed app—to determine if the policy association is successful. If a mismatch is detected between these values, the policy redeploys the app, even if it is already installed. A faulty MSI file may cause the installed app to have an identifier or version different from what was extracted during upload, leading to unnecessary redeployments. In such cases, defining a success criterion helps prevent unnecessary reinstallation by confirming the app’s presence based on alternative parameters.

    Different success criteria:

    1. App Identifiers: Add one or multiple app/installer identifiers (product codes), separated by a semicolon (;). Once the enterprise app is installed, Hexnode verifies if the installed application contains the specified app identifier. In case of a mismatch, the success criterion will fail.

       For example:

       The App Identifier may be a string of numbers, or a name provided by the app publisher, such as {3456C7D8-2345-6789-ABCD-EFG12345678} or Mozilla Firefox.

       Note:

       
       The App Identifier can be fetched using any of the following two ways. First, install the specified app manually on a Windows device.

       1. If the chosen Windows device is enrolled in Hexnode, navigate to Manage > Devices > select the specific device. In the Applications tab, search for the specific app and you can find the corresponding App Identifier there.
       2. When an app is installed at the system level, its app identifier resides in the HKLM registry. Conversely, when an app is installed at the user level, its app identifier can be found in the HKCU registry. The app identifier can be fetched from the registry editor using the following methods:
          1. If both the system and app are 64 bits, then search for SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall in the registry editor on the Windows device.
          2. If the system is 64-bit and the app is 32-bit, then search for SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall in the registry editor on the Windows device.
          3. If the system is a 32-bit system, then search for SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
             in the registry editor on the Windows device.

    2. Registry Path: This option allows you to define the path of a registry key to be checked on the target device. This can be any registry key created when the app is successfully installed. If the key does not match, the success criteria will fail.

       There are two components to configure in this option:

       1. Registry Root: This is the top-level directory in the Windows Registry, such as HKLM (HKEY_LOCAL_MACHINE), HKCU (HKEY_CURRENT_USER), HKCR (HKEY_CLASSES_ROOT), HKCC (HKEY_CURRENT_CONFIG), and HKU (HKEY_USERS).
       2. Subkey: This is the specific path within the registry root, such as \SOFTWARE\MyCompany\MyApplication.

       For example:

       In the case of Firefox, the registry key related to the app is ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox’.

       From the registry root dropdown, choose HKLM and enter the subkey ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox‘.

    3. Install Path: This option can be used to confirm the app’s installation on the device by checking for a specific file present on the target device. The file’s location is indicated in the Path field, which should contain the path of any file created upon successful app installation.

       For example:

       In the case of Mozilla Firefox, the path of the file is most likely to be in the following format:

       C:\Program Files\Mozilla Firefox\firefox.exe

Later, the administrators can select one of these parameters to assign it as the success criteria when deploying an enterprise app to the devices.

Note:


For MSI apps, if no success criterion is specified, the extracted Installer identifier (while uploading) will be used as the default success criterion after defining it as the App identifier parameter.

14. For MSIX and EXE apps, Hexnode allows you to configure uninstallation settings during the file upload to the Hexnode app inventory.
    

    Uninstallation settings

    You must configure at least one of the following options:

    1. App Identifier: Enter the app identifier.
       • Note that the app identifier cannot be modified or configured from the Required Apps policy.
    2. 
       File Path: Provide the exact file path (e.g., C:\Program Files\Hexnode UEM\uninstall\helper.exe).
       • If the app requires specific uninstallation commands, check Add uninstallation commands and provide the necessary parameters.
    3. User Scope: Choose whether the scope applies to All user accounts or the Current user account.

    

15. Click Add to upload the file.

Defining Success Criteria for MSI files

For MSI files, the validation criteria can only be defined after uploading them to the Hexnode app inventory. You can also edit them from the inventory if needed. The success criteria can be selected during app deployment only if they have already been defined in the Hexnode app inventory.

1. Log in to your Hexnode UEM portal.
2. Navigate to Apps.
3. Select the desired MSI file.
4. At the bottom, you will find the following parameters to edit:
   
   1. App Identifiers: Add one or multiple app/installer identifiers (product codes), separated by a semicolon (;). Once the enterprise app is installed, Hexnode verifies if the installed application contains the specified app identifier. In case of a mismatch, the success criterion will fail.

      For example:

      The App Identifier may be a string of numbers, or a name provided by the app publisher, such as {3456C7D8-2345-6789-ABCD-EFG12345678} or Mozilla Firefox.

      Note:

      
      The App Identifier can be fetched using any of the following two ways. First, install the specified app manually on a Windows device.

      1. If the chosen Windows device is enrolled in Hexnode, navigate to Manage > Devices > select the specific device. In the Applications tab, search for the specific app and you can find the corresponding App Identifier there.
      2. When an app is installed at the system level, its app identifier resides in the HKLM registry. Conversely, when an app is installed at the user level, its app identifier can be found in the HKCU registry. The app identifier can be fetched from the registry editor using the following methods:
         1. If both the system and app are 64 bits, then search for SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall in the registry editor on the Windows device.
         2. If the system is 64-bit and the app is 32-bit, then search for SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall in the registry editor on the Windows device.
         3. If the system is a 32-bit system, then search for SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            in the registry editor on the Windows device.

   2. Registry Path: This option allows you to define the path of a registry key to be checked on the target device. This can be any registry key created when the app is successfully installed. If the key does not match, the success criteria will fail.

      There are two components to configure in this option:

      1. Registry Root: This is the top-level directory in the Windows Registry, such as HKLM (HKEY_LOCAL_MACHINE), HKCU (HKEY_CURRENT_USER), HKCR (HKEY_CLASSES_ROOT), HKCC (HKEY_CURRENT_CONFIG), and HKU (HKEY_USERS).
      2. Subkey: This is the specific path within the registry root, such as \SOFTWARE\MyCompany\MyApplication.

      For example:

      In the case of Firefox, the registry key related to the app is ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox’.

      From the registry root dropdown, choose HKLM and enter the subkey ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox‘.

   3. Install Path: This option can be used to confirm the app’s installation on the device by checking for a specific file present on the target device. The file’s location is indicated in the Path field, which should contain the path of any file created upon successful app installation.

      For example:

      In the case of Mozilla Firefox, the path of the file is most likely to be in the following format:

      C:\Program Files\Mozilla Firefox\firefox.exe

Later, the administrators can select one of these parameters to assign it as the success criteria when deploying an enterprise app to the devices.

Note:


For MSI apps, if no success criterion is specified, the extracted Installer identifier (while uploading) will be used as the default success criterion after defining it as the App identifier parameter.

5. Once done, click Save.

Updating Success Criteria and Uninstallation settings for MSIX/EXE files

For MSIX/EXE files, the validation criteria can be modified later after uploading the file by following these steps:

1. Log in to your Hexnode UEM portal.
2. Navigate to Apps.
3. Select the desired MSIX/EXE file.
4. Click on the gear icon at the top right of the App details dialog box and select Edit.
5. You will now be able to edit the Success Criteria and Uninstallation settings at the bottom.
6. Click Save to apply the changes.

The apps added to the app inventory can be distributed to the devices using the remote action or Required Apps policy.

Install apps via Actions

1. Navigate to Manage > Devices.
2. Click on the device.
3. On the device summary page, click Actions > Install Application.
4. Select the app.
5. Click Configure to specify the installation settings.
6. Click Install.

Install apps via Policy

1. Navigate to Policies.
2. Create a new policy with the New Policy button or select an existing policy.
3. From Windows > App Management, select Required Apps.
4. Click on Configure and +Add button to either add an app or a group of apps from the app inventory.
5. Select the required app(s) and click Configure under Custom Installation to set up installation and uninstallation settings.
   

   Installation Settings

   For enterprise apps, Hexnode enables you to configure various app installation settings during deployment via the Required Apps policy and the Install Application remote action. And installation settings vary depending on the type of app being deployed:

   Installation settings	Description
   Enable logging (Available for MSI apps only)	This setting helps specify the MSI app’s default logging mode. Ticking this option enables the logging service, and the Windows Installer records the errors and events into logs on the specified log path of the device. The diagnostic data contained in the logs helps the user to troubleshoot in case the installation fails.
   Log path (Available for MSI apps only)	Specify a custom path for the output log file. You can provide the complete path of a folder along with the desired file name and format. C:\Hexnode\Logs\MSI Logs\.log is set as the default log path. Notes: If the provided log path does not exist on the device, Hexnode will create a folder at the specified path and generate the output file there. If the provided log path is invalid (say, the drive doesn’t exist on the device, or the admin entering invalid data in the input field), the app installation will fail.
   Install silently (Available for EXE apps only)	The administrator can install apps silently on Windows devices with the help of this option. By default, this option is enabled, and it allows the installation of applications without prompting the user. If unchecked, the user will get a pop-up to allow the app installation manually. If the user selects the Not Now option from the installation pop-up, then the app installation message will appear under the Notifications section of the Hexnode UEM app. Users can grant permission for installing the app from in case they selected the Not Now option. This app installation prompt will appear under the Notifications section of the Hexnode UEM app only if the administrator checks the Retry if the installation fails option while configuring the app installation settings. Note: Only applications that support silent installation, consisting of the command-line parameter “/s” (case-sensitive) inside the EXE package will be installed silently. Hexnode has already configured the command-line parameter “/s” (case-sensitive) by default to initiate silent app installation on Windows devices (when the Install silently option is selected). If the application has silent installation command-line parameters other than “/s“, it is recommended to specify it in the Specify the parameters field under Add Installation commands option. If the administrator doesn’t set up the command-line parameter correctly in the Specify the parameters field, the application installation action will fail. The silent app installation process may take a couple of minutes, depending on the app size and network connectivity.
   Install app at system level (Available for EXE apps only)	Install app at system level: Installing an app at the system level refers to making the app available to all users of a computer, rather than just one user. By default, this option is checked. Unchecking this option will lead to the app installation at the currently logged-in user level only. Note: Some EXE app packages may not support system-level installation and can only be installed at the user level. For such apps, uncheck this option to install the app at the user level. Selecting the Install app at system level option for an application that supports user-level installation or vice versa will result in the failure of the app installation action.
   Force device restart after app installation (Available for MSI, MSIX, and EXE apps)	Upon successful installation, the system restarts automatically when this option is selected. Notes: While the device is in kiosk mode, you must add the Hexnode UEM App (present in C:\Hexnode\Hexnode UEM\Current\HexnodeUEM.exe) as the kiosk application to enforce this setting.
   Installation timeout (minutes) (Available for MSI, MSIX, and EXE apps)	If the app installation process does not complete within the specified time duration, it will be forcefully terminated. The minimum and maximum time duration is 10 and 60 minutes respectively. Notes: The configured timeout period considers only the app installation process that begins after the MSI installer file has been deployed from the Hexnode UEM server.
   Add command-line parameters (Available for MSI apps only)	You can specify additional parameters by ticking this option while distributing the MSI/EXE app to the device. These command-line parameters help you modify the installation process and other related operations on the device.
   Add Installation commands (Available for EXE apps only)	Admins can specify installation parameters by checking this option. These command-line parameters help admins modify the installation process and other related operations on the device. Note: All the command-line arguments are dependent on the EXE packaging. Hence, specify the arguments accordingly. When you include one or more parameters, separate them using space. For example, /s /norestart. As you add more parameters, make sure they do not conflict with each other. Adding conflicting parameters may lead to unintended behavior on the device.
   Change app version (Available for MSI apps only)	Select the app version you wish to install on your device. All uploaded versions of the app are displayed with their respective version numbers.The version marked as Latest is the most recent version. Notes: If you have selected Latest version, a newly added version in the Hexnode app inventory will be automatically changed on the Required Apps policy, ultimately updating the app on the device.
   Success Criteria (Available for MSI, MSIX, and EXE apps)	You can choose one of the validation criteria defined during the enterprise app upload to the Hexnode app inventory here. The installed application must meet the selected criterion for the installation action to be successful. The three available options are: App exists: This option uses the App identifiers parameter as the success criterion. Path exists: This option uses the Install path as the success criterion. It can be edited or updated directly from the Installation Settings. Registry exists: This option uses the Registry path as the success criterion. Note: Administrators cannot define success criteria during app deployment. To set success criteria, navigate to the Apps tab, select the desired application, and define or edit the necessary parameters as mentioned earlier. After app deployment, administrators can verify the success criteria status from the Action History tab of the device in the Hexnode portal. Select the app status corresponding to the initiated action to view detailed information.
   Retry if the installation fails (Available for MSI and EXE apps only)	This option allows the app installation process to automatically re-attempt if the initial installation attempt fails. The number of tries can be selected from the Maximum number of retries option. The minimum and maximum number of retries are 1 and 5 times, respectively. This option is available only when deploying the app using the Install Application remote action.
   Retry (Available for MSI and EXE apps only)	Administrators can specify when to retry the app installation process. The available options are: immediately after 1 minute after 2 minutes after 5 minutes after 10 minutes after 15 minutes after 30 minutes after 60 minutes This option is available only when deploying the app using the Install Application remote action.

   Notes:

   • During the app distribution via Install Application action or Required Apps policy, the app installation proceeds silently on the device. It may take a couple of minutes, depending on the app size and network connectivity.
   • The installed apps will be accessible to all users on the device. All users will be able to use and even uninstall the apps if necessary.

   

   Uninstallation settings

   You must configure at least one of the following options:

   1. App Identifier: Enter the app identifier.
      • Note that the app identifier cannot be modified or configured from the Required Apps policy.
   2. 
      File Path: Provide the exact file path (e.g., C:\Program Files\Hexnode UEM\uninstall\helper.exe).
      • If the app requires specific uninstallation commands, check Add uninstallation commands and provide the necessary parameters.
   3. User Scope: Choose whether the scope applies to All user accounts or the Current user account.

   

6. Click Done when finished.
7. For MSIX/EXE apps, configuring the installation and uninstallation settings is mandatory before adding them to Required Apps. These settings can later be edited after adding them.
   Note:

   • Uninstallation settings are only available for MSIX/EXE apps.
   • Configuring the correct Uninstallation Settings is necessary when deploying EXE and MSIX files as required apps if the “Remove apps from the device on policy removal” option is selected. Otherwise, the app will not uninstall after policy removal.

8. Click Save.
9. Next, associate the policy with the target devices by navigating to the Policy Targets tab.
10. Select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
11. Click on Save.

For MSI apps deployed via the Required Apps policy, deleting the deployed version from the Hexnode app inventory removes it from both the device and the policy. Note that the associated policy gets replaced with the latest available app version.