Downloading a Device Guard Signing Service version 2 Root Certificate for MSIX

Jóhannes Geir KristjánssonEndpoint Management5 Comments

Howdy y’all
In this post I will show you how to get the Device Guard Signing Service v2 root certificate.

Device Guard Signing Services v1 (DGSS) is being deprecated at the end of December 2020, so we need to migrate to DGSSv2, and it just so happens that the means to download the DGSSv2 root cert is a little bit more complex than the DGSSv1.

MSIX crash course

While MSIX is generally marketed as a replacement for MSI for developers, there are scenarios that can benefit systems administrators.

  • A means to install an app that has no silent installation
  • Capture installs of apps that require manual setup as part of the post install setup
  • MSIX apps are easy to uninstall, which is not always possible/reliable for some Win32 apps
  • MSIX apps are containerized, you can install multiple versions of the same app at the same time, for example: Office 2010 and M365A/O365 running at the same time
  • MSIX app attach for Windows Virtual Desktops
  • MSIX apps can be installed per user or provisioned for all users on a device

So what does this have to do with certificates?
The MSIX packaging format has a strict signing requirement. While you can always buy a code signing certificate, you can use a free DGSSv2 certificate from Microsoft.

If you want to know how MSIX apps are setup and deployed, check out Jake’s blog post on MSIX.

Registering the AzureAD app

First we need to setup an AzureAd Application, this is mostly covered in the official docs but it’s not very user friendly and when this post was written (31.10.2020), it was missing a crucial step.

For those of you who have done this sort of thing before, here is the quick overview:

  • Sign into AzureAd and start registering an app
  • Under Redirect URI, select “Public client (mobile & desktop)”. and set as the URI
  • In the API permissions, select the “Windows Store for Business API”, Delegated permissions and select user_impersonation
  • Go to the overview and copy the Application (client) ID, and head to the Get-DGSSv2RootCert part of this post

For those of you who have never done this before, here are the detailed steps with screenshots.

Sign into Azure AD and register a new application.

Give it a descriptive name.
Under Redirect URI, select “Public client (mobile & desktop)”, and set as the URI.

Once the app has been created, click on API permissions.
Add permissions.
Click on APIs my organization uses.
Search for “windows store”.
And click on it.

Click on Delegated permissions.
And select user_impresonation.

Click on Grant consent for… otherwise the app will not work.

Now head back to the application overview and copy the GUID that’s next to Application (client) ID, this is used in a script that is featured in this blog post.


Since for most people, downloading the root certificate is a one time operation, I elected to run this this in a windows sandbox. but that is 100% optional.

Paste the application GUID into the $AppID variable and you should be ready to go.

# This simple script is used to download the Device Guard Signing Service v2 Root Certificate

# please add your own App ID

# we need to add nuget as a package source first
Register-PackageSource -Name MyNuGet -Location -ProviderName NuGet -Confirm:$false -Force

# installing the package
Install-Package Microsoft.Acs.Dgss.Client -Source mynuget -Confirm:$false -Force -Verbose

# importing the module
Import-Module "C:\Program Files\PackageManagement\NuGet\Packages\Microsoft.Acs.Dgss.Client.1.0.11\PowerShell\Microsoft.Acs.Dgss.Client.dll"

# just for convenience
New-Item -Path c:\ -Name "DGCertv2" -ItemType Directory -Force

# downloading the cert to the folder specified above, this step is not instant, ive seen it take a while
Get-RootCertificate -PassThru -OutFile C:\DGCertv2\DGSSv2root.cer -AppId $AppID

# voila! the cert appears before your eyes
start C:\DGCertv2\

Congrats, you now have a Device Guard Signing Service v2 Root Certificate in your possession.

Now you can deploy the cert to your clients using your delivery mechanism of choice.

5 Comments on “Downloading a Device Guard Signing Service version 2 Root Certificate for MSIX”

  1. Hi,
    I’m new to this with MSIX and I have been trying to wrap my head around device guard signing.
    I’ve tried following another guide where they simply say to go to under manage -> settings -> devices and downloading the root certificate. Deploying it with Intune. Sign your msix in msix packaging tool with device guard v2. But I don’t get it to work, it still says the application is not trusted. But they never create any app registration either. Why isn’t that way working?

  2. Hey Jóhannes,

    Thank for the easy to follow steps. Please correct your PS script to ver 1.0.6 for the Microsoft.Acs.Dgss.Client, basically change the 4 to 6 in the path to the script in the import module, else it will error out.



  3. great write up, has at least got my app being signed. i would also add that the cert that is generated needs to be installed in the “Trusted Root Certificate Authorities” else the app will still show as “untrusted”

    The DGSS client version has changed again as of 28/07/2021 version is 1.0.11 for those wanting to see the latest version to update the above powershell browse to:

  4. Thank you.

    I keep getting this

    Install-Package : Package ‘Microsoft.Acs.Dgss.Client’ failed to be installed because: The process cannot access the file ‘C:\Program
    Files\PackageManagement\NuGet\Packages\Microsoft.Acs.Dgss.Client.1.0.11\PowerShell\Microsoft.Acs.Dgss.Client.dll’ because it is being used by another process.
    At line:1 char:1
    + Install-Package Microsoft.Acs.Dgss.Client -Source mynuget -Confirm:$f …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidResult: (Microsoft.Acs.Dgss.Client:String) [Install-Package], Exception
    + FullyQualifiedErrorId : Package ‘{0}’ failed to be installed because: {1},Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.