Installation
This page covers the system requirements for ntkDeploy and the complete steps to install the application on a Windows machine using the signed MSIX package.
Prerequisites
- Windows 10 (version 1903 or later) or Windows 11
- PowerShell 5.1 or higher — available by default on all supported Windows versions
- An administrator account on the machine (required to trust the signing certificate)
- Network access to the UNC/SMB shares you intend to use as deployment targets
- If deploying to a managed fleet: access to your GPO, Intune, or SCCM console to distribute the signing certificate
System Requirements
| Requirement | Minimum |
|---|---|
| Operating system | Windows 10 1903 (Build 18362) or Windows 11 |
| Architecture | x64 |
| Disk space | ~200 MB for the application; additional space for local artifacts |
| RAM | 512 MB available |
| Network | SMB/UNC access to at least one deployment share |
| Administrator rights | Required for certificate trust installation |
Obtaining the Package
ntkDeploy is distributed as an MSIX package bundle. The bundle is produced by the build pipeline and contains three files:
| File | Purpose |
|---|---|
| `ntk_deploy.msix` | The application package |
| `ntkdeploy-dev.cer` | The public signing certificate — must be trusted before installation |
| `install_msix_trust_and_app.ps1` | Helper script that installs the certificate and the MSIX in one step |
Obtain the latest release bundle from your internal distribution share or from the project's Releases page. Copy all three files to the same local or UNC directory before proceeding.
Installation Steps
Step 1 — Trust the signing certificate (administrator required)
Before the MSIX can be installed, the machine must trust the signing certificate. Skip this step only if your organization distributes the certificate via GPO/Intune/SCCM (see the Fleet-wide certificate distribution section below).
- Open PowerShell as Administrator (right-click → Run as administrator).
- Navigate to the directory containing the bundle files:

  ```powershell
  cd "C:\path\to\ntkdeploy-bundle"
  ```

- Run the helper installer script:

  ```powershell
  .\install_msix_trust_and_app.ps1
  ```

  The script automatically:

  - Installs the .cer certificate into LocalMachine\Root and LocalMachine\TrustedPeople.
  - Installs the MSIX package using Add-AppxPackage.

  If the .cer and .msix files are in the same directory as the script, they are discovered automatically. You can also pass explicit paths:

  ```powershell
  .\install_msix_trust_and_app.ps1 -CertificatePath "\\share\ntkdeploy-dev.cer" -MsixPath "\\share\ntk_deploy.msix"
  ```

- When the script prints `MSIX installation complete`, the application is installed.

Warning: The script must be run in an elevated (administrator) PowerShell session. If you see `Run this script in an elevated PowerShell terminal`, close the window and relaunch PowerShell as Administrator.
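Because the helper script adds the bundled certificate to LocalMachine\Root, it is worth confirming first that the .cer is the one your build pipeline produced and that it is the certificate that signed the .msix. The script below is an added example, not part of the ntkDeploy bundle; the `-ExpectedThumbprint` parameter and a thumbprint published out-of-band by the build owner are assumptions.

```powershell
# Added example, not shipped with ntkDeploy: verify the bundle before trusting it.
param(
    [string]$CertificatePath = '.\ntkdeploy-dev.cer',
    [string]$MsixPath        = '.\ntk_deploy.msix',
    # Assumption: SHA-1 thumbprint of the signing certificate, obtained from the
    # build owner over a channel other than the share that holds the bundle.
    [Parameter(Mandatory = $true)]
    [string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# ProviderPath yields a plain filesystem path for local and UNC locations alike.
$certFile = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
$msixFile = (Resolve-Path -LiteralPath $MsixPath).ProviderPath

$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. The .cer must be the certificate you were told to expect.
if ($cert.Thumbprint -ne $expected) {
    throw "Certificate thumbprint $($cert.Thumbprint) does not match the expected value."
}

# 2. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. The package must carry a signature made with that same certificate.
$sig = Get-AuthenticodeSignature -FilePath $msixFile
if (([string]$sig.Status) -in 'NotSigned', 'HashMismatch', 'NotSupportedFileFormat') {
    throw "Package signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "The package was not signed with $certFile."
}

# Status is reported for information; the signer match above is the gate.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    SigStatus  = $sig.Status
}
```

Run it from the bundle directory before `install_msix_trust_and_app.ps1`; any `throw` means the bundle should not be trusted as-is.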
Step 2 — Verify the installation
- Open the Start menu and search for ntkDeploy.
- Click the application tile to launch it.
- The ntkDeploy window opens and the local SQLite database is initialised on first run. This typically takes a few seconds.
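To confirm from the command line what Step 1 changed, the following added example (not part of the ntkDeploy bundle) reports which machine certificate stores hold the signing certificate and how the installed package is signed. It assumes the .cer is in the current directory; the package name pattern is the one used in the uninstall command on this page.

```powershell
# Added example, not shipped with ntkDeploy: post-install trust and package audit.
param([string]$CertificatePath = '.\ntkdeploy-dev.cer')
$ErrorActionPreference = 'Stop'

$certFile = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)

# Root and TrustedPeople are the stores the helper script writes to;
# TrustedPublisher is the store named in the GPO instructions.
$stores = 'Root', 'TrustedPeople', 'TrustedPublisher'
$trust = foreach ($store in $stores) {
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Store   = "LocalMachine\$store"
        Present = [bool]$hit
    }
}
$trust | Format-Table -AutoSize

# Installed package(s) for the current user, matched by the page's name pattern.
$packages = @(Get-AppxPackage -Name '*ntk_deploy*')
if ($packages.Count -eq 0) {
    throw 'No package matching *ntk_deploy* is installed for the current user.'
}
foreach ($pkg in $packages) {
    [pscustomobject]@{
        Name            = $pkg.Name
        Version         = $pkg.Version
        Publisher       = $pkg.Publisher      # compare by eye with CertSubject
        CertSubject     = $cert.Subject
        SignatureKind   = $pkg.SignatureKind
        InstallLocation = $pkg.InstallLocation
    } | Format-List
}
```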
Local Organization Identity
If you plan to use Trading Partner Attributes (TPA), the connected Policy Manager maintains a singleton local-organization identity for the deployment. ntkDeploy reads that identity from the secure Policy Manager endpoints and displays it read-only in the TPA grant and trust workflows; ntkDeploy does not generate, persist, or edit the owner-org value itself.
On the Policy Manager host, first boot creates the local organization record in one of two ways:
- If no seed is provided, Policy Manager generates a stable UUIDv4 `orgId` and a default display name.
- If you set `NTK_LOCAL_ORG_ID` before the first Policy Manager boot, that value becomes the persisted `orgId`. `NTK_LOCAL_ORG_DISPLAY_NAME` can be set at the same time to seed the human-readable label.
Use NTK_LOCAL_ORG_ID only when you intentionally need the first persisted value to match an existing deployment, for example:
- Restoring a deployment from backup into fresh infrastructure.
- Migrating a legacy deployment whose existing grants already use a known `issuerOrgId`.
- Intentionally pinning a human-readable, stable owner-org identifier before any grants are issued.
Set these variables on the Policy Manager service environment, not on the ntkDeploy workstation. After the local organization record exists, later env changes do not rewrite it; the persisted value remains authoritative.
Warning: Do not change the persisted `orgId` after TPA grants, trusts, or imports exist. `issuerOrgId` is part of the canonical signed grant payload, so changing the deployment `orgId` breaks every outstanding grant and invalidates partner-side bindings. For backup and restore, preserve the Policy Manager `organizations` record together with the TPA collections.
Fleet-wide Certificate Distribution (GPO / SCCM / Intune)
For managed environments where you need to install ntkDeploy on many machines, distribute the signing certificate centrally before running the MSIX installer on each endpoint.
1. Export the certificate
After running ./scripts/package_windows_msix.ps1 on the build machine, the public certificate is at:
windows/certs/ntkdeploy-dev.cer
2. Deploy via GPO
Use Group Policy to import ntkdeploy-dev.cer into Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers and Trusted Root Certification Authorities on all target machines.
3. Install the MSIX on trusted endpoints
Once the certificate is trusted machine-wide, run the following on each endpoint (no elevation is required for the MSIX step if the certificate is already in the machine store):

```powershell
Add-AppxPackage -Path "\\share\ntk_deploy.msix" -ForceUpdateFromAnyVersion
```

Or use the helper script from the share:

```powershell
\\share\install_msix_trust_and_app.ps1
```

Note: For environments using a CA-issued code-signing certificate instead of a self-signed one, the certificate trust step is handled automatically by Windows and no manual distribution is required.
Upgrading
To upgrade to a newer version, obtain the new bundle and run the same installation steps. The -ForceUpdateFromAnyVersion flag used by Add-AppxPackage (and the helper script) allows downgrade and cross-channel updates.
All existing profile, device group, and audit log data stored in the local database is preserved across upgrades.
Uninstalling
To remove ntkDeploy, use Apps & features in Windows Settings or the following PowerShell command:

```powershell
Get-AppxPackage *ntk_deploy* | Remove-AppxPackage
```

Note: Uninstalling the application does not remove the local SQLite database or artifact files. Delete the app data directory manually if a clean removal is required.
Next Steps
- First Launch — Configure server endpoints, verify connectivity, and select your default environment.