P0: Surface code signing requirements at the packaging distribution decision point (#6650)

GrantMeStrength · Copilot · web-flow · commit 7c0b06112d6a · 2026-04-17T09:44:25.000-07:00
* P0: Add code signing info to packaging scenario table

Surface the key cost/signing difference at the distribution decision point:
- Microsoft Store: code signing included free
- Enterprise sideload: self-signed cert + Intune trust, or Azure Trusted Signing
- ISV direct download: CA-trusted cert required; Azure Trusted Signing recommended
- Add TIP callout directing devs to Azure Trusted Signing for non-Store paths

This ensures any developer reading the packaging overview — or getting an
AI-generated answer citing this page — gets accurate information about
signing requirements before choosing a distribution path.

Relates to ADO #570426

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;

* Address Copilot feedback on code signing scenario table

- Enterprise row: broaden cert trust guidance to 'Intune, Group Policy, or Configuration Manager'
- Enterprise/ISV rows: standardize Azure Trusted Signing links to /azure/trusted-signing/
- TIP: rephrase to avoid inaccurate 'no additional cost' claim; remove hardcoded price,
  link to Azure Trusted Signing pricing page instead

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;

---------

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/hub/apps/package-and-deploy/packaging/index.md b/hub/apps/package-and-deploy/packaging/index.md
@@ -82,11 +82,14 @@ Before you commit to unpackaged, check the [features table above](#features-that
 
 | Scenario | Recommended model | Details |
 |---|---|---|
-| **Indie developer publishing to the Microsoft Store** | Packaged (MSIX) | The Store requires MSIX. WinUI 3 apps are packaged by default — no changes needed. → [Distribute your packaged app](../../distribute-through-store/how-to-distribute-your-win32-app-through-microsoft-store.md) |
-| **Enterprise app deployed via Intune or Configuration Manager** | Packaged, or external location for existing installers | New apps should use MSIX. Existing apps with their own installer can use packaging with external location. → [Deploy packaged apps](../../windows-app-sdk/deploy-packaged-apps.md) |
-| **ISV shipping a direct download with own installer** | Packaging with external location | Register a lightweight identity package alongside your existing installer. Users see no change; you get Windows features. → [Grant package identity](../../desktop/modernize/grant-identity-to-nonpackaged-apps-overview.md) |
+| **Indie developer publishing to the Microsoft Store** | Packaged (MSIX) | The Store requires MSIX. WinUI 3 apps are packaged by default — no changes needed. **Code signing is handled free by the Store.** → [Distribute your packaged app](../../distribute-through-store/how-to-distribute-your-win32-app-through-microsoft-store.md) |
+| **Enterprise app deployed via Intune or Configuration Manager** | Packaged, or external location for existing installers | New apps should use MSIX. Existing apps with their own installer can use packaging with external location. **Code signing:** use a self-signed cert (trusted via Intune, Group Policy, or Configuration Manager) or [Azure Trusted Signing](/azure/trusted-signing/). → [Deploy packaged apps](../../windows-app-sdk/deploy-packaged-apps.md) |
+| **ISV shipping a direct download with own installer** | Packaging with external location | Register a lightweight identity package alongside your existing installer. **Code signing:** a CA-trusted certificate is required for non-Store distribution. [Azure Trusted Signing](/azure/trusted-signing/) is the recommended lower-cost option. → [Grant package identity](../../desktop/modernize/grant-identity-to-nonpackaged-apps-overview.md) |
 | **Internal tool or developer utility** | Unpackaged | Simplest to build and deploy. The Windows App SDK works via NuGet, but some features won't be available. |
 
+> [!TIP]
+> **Not sure about code signing costs?** Publishing through the Microsoft Store means you don't need to separately obtain or manage a certificate for end-user trust. For other distribution paths, your signing approach depends on deployment context — enterprise environments can trust a self-signed certificate through device management, while broader non-Store distribution typically requires a CA-trusted code signing solution. [Azure Trusted Signing](/azure/trusted-signing/) is Microsoft's recommended option (see [pricing](https://azure.microsoft.com/pricing/details/trusted-signing/)), with no hardware token required.
+
 ## Framework-dependent vs self-contained deployment
 
 Separately from packaging model, apps using the Windows App SDK choose how to carry their runtime dependencies:
