Forum Discussion

stewartgscott
Copper Contributor
Sep 30, 2024

AVD and the new Windows App - CA policy

Hi.

Short background: we've been using AVD for several years.

We have a CA policy that essentially blocks access to cloud services when access originates from a native Windows application.

When we started using AVD a while back, of course we added to this CA policy and "excluded" the AVD client apps. In other words, the AVD client apps (on Windows devices) are excluded, thus the policy is not assigned, thus users can connect to AVD using their Windows desktop AVD client app.

Now, with the new Windows App, we are testing it and are stuck. We thought to simply add to this CA policy the additional AVD client app IDs as per Microsoft's Windows App documentation.

But, on Windows devices, using the new Windows App, the CA policy doesn't seem to recognize it as excluded (therefore the user is blocked as per this CA policy). NB: the new Windows App on macOS works fine; the CA policy recognizes the native Windows App client as excluded and allows access, so we know the policy is behaving as expected. But not when using the Windows App on a Windows OS device.

What app am I missing in my CA policy (in our case, on the excluded list of cloud apps)?

Currently I have:

Microsoft Remote Desktop
a4a365df-50f1-4397-bc59-1a1564b8bb9c

Windows Cloud Login
270efc09-cd0d-444b-a71f-39af4910ec45

Windows Virtual Desktop
5a0aa725-4958-4b0c-80a9-34562e23f3b7

Windows Virtual Desktop
9cdead84-a844-4324-93f2-b2e6bb768d07

Windows Virtual Desktop Client
fa4345a4-a730-4230-84a8-7d9651b86739

Many thanks

stewartgscott
Copper Contributor

Hi and thanks for the link.
We have already had these three app IDs as part of our CA policies to expressly identify AVD access. We've always had these three.

However, it seems we cannot determine what the app ID(s) are to add to our CA policies that expressly identify the new Microsoft Windows App (https://learn.microsoft.com/en-us/windows-app/overview). This is Microsoft's evolution of the client-side app to connect to AVD.
Looking at some articles, along with the IDs in the article you provided, we have added two. But neither of them, in the CA policy, identifies and evaluates the client app. The two we added are:
Microsoft Remote Desktop
a4a365df-50f1-4397-bc59-1a1564b8bb9c
Windows Cloud Login
270efc09-cd0d-444b-a71f-39af4910ec45

But during sign-on/access, these are not evaluating the Windows client-side app as the new Windows App, thus the CA policies are not applied (e.g. to enforce MFA, to allow this Windows native app, i.e. this new Windows App).
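What the thread is really after is which application identifier the Windows App presents on Windows so that the exclusion can match it. A practical way to answer that on your own tenant is to compare the policy's exclusion list with the Entra sign-in log entries for the sessions that were blocked. The following is an added example in Python, not code from the thread or from Microsoft; it assumes the policy is in the Microsoft Graph `conditionalAccessPolicy` shape (`conditions.applications.excludeApplications`) and that sign-in records carry the `appId`, `resourceId`, `deviceDetail` and `conditionalAccessStatus` fields as the Entra sign-in log export does. Every record below is constructed, and the `PLACEHOLDER` values stand in for whatever the Windows App actually reports on a given tenant.

```python
"""Cross-check a CA policy's AVD exclusion list against blocked sign-ins.

Added example, not code from the forum thread or from Microsoft. Assumptions
(mine, not the thread's): Graph-style policy JSON and Entra sign-in log field
names. All records are constructed; PLACEHOLDER values mark unknown IDs.
"""
from __future__ import annotations

# The five app IDs exactly as listed in the original post.
AVD_EXCLUDED_APP_IDS = {
    "a4a365df-50f1-4397-bc59-1a1564b8bb9c",  # Microsoft Remote Desktop
    "270efc09-cd0d-444b-a71f-39af4910ec45",  # Windows Cloud Login
    "5a0aa725-4958-4b0c-80a9-34562e23f3b7",  # Windows Virtual Desktop
    "9cdead84-a844-4324-93f2-b2e6bb768d07",  # Windows Virtual Desktop
    "fa4345a4-a730-4230-84a8-7d9651b86739",  # Windows Virtual Desktop Client
}

# Constructed policy in Graph shape, mirroring what the post describes:
# block desktop clients for every cloud app except the AVD set.
BLOCK_NATIVE_CLIENTS_POLICY = {
    "displayName": "Block native Windows clients (constructed)",
    "state": "enabled",
    "conditions": {
        "applications": {
            "includeApplications": ["All"],
            "excludeApplications": sorted(AVD_EXCLUDED_APP_IDS),
        },
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-in records: a macOS Windows App session that was allowed,
# a Windows Windows App session that was blocked, and a legacy client session.
SIGN_INS = [
    {"appDisplayName": "Windows App", "appId": "a4a365df-50f1-4397-bc59-1a1564b8bb9c",
     "resourceDisplayName": "Windows Cloud Login",
     "resourceId": "270efc09-cd0d-444b-a71f-39af4910ec45",
     "deviceDetail": {"operatingSystem": "MacOs"}, "conditionalAccessStatus": "notApplied"},
    {"appDisplayName": "Windows App", "appId": "PLACEHOLDER-CLIENT-APP-ID",
     "resourceDisplayName": "PLACEHOLDER-RESOURCE",
     "resourceId": "PLACEHOLDER-RESOURCE-ID",
     "deviceDetail": {"operatingSystem": "Windows"}, "conditionalAccessStatus": "failure"},
    {"appDisplayName": "Remote Desktop", "appId": "a4a365df-50f1-4397-bc59-1a1564b8bb9c",
     "resourceDisplayName": "Windows Virtual Desktop",
     "resourceId": "9cdead84-a844-4324-93f2-b2e6bb768d07",
     "deviceDetail": {"operatingSystem": "Windows"}, "conditionalAccessStatus": "notApplied"},
]


def excluded_apps(policy: dict) -> set[str]:
    """The cloud apps the policy leaves out of scope."""
    return set(policy["conditions"]["applications"].get("excludeApplications", []))


def missing_exclusions(policy: dict, required: set[str]) -> set[str]:
    """App IDs that should be excluded but are not on the policy."""
    return set(required) - excluded_apps(policy)


def blocked_unexcluded(policy: dict, sign_ins: list[dict]) -> list[dict]:
    """Sign-ins that were blocked although the policy should not have matched them.

    A CA cloud-app target is evaluated against the resource being signed into,
    so resourceId decides the match; appId is reported alongside it because
    that is where people tend to look first.
    """
    excl = excluded_apps(policy)
    hits = []
    for s in sign_ins:
        if s.get("conditionalAccessStatus") != "failure":
            continue
        if s.get("resourceId") in excl:
            continue  # resource is excluded here, so this policy's cloud-app match is not the cause
        hits.append({
            "os": s.get("deviceDetail", {}).get("operatingSystem"),
            "appDisplayName": s.get("appDisplayName"),
            "appId": s.get("appId"),
            "resourceDisplayName": s.get("resourceDisplayName"),
            "resourceId": s.get("resourceId"),
        })
    return hits


def resource_ids_to_review(policy: dict, sign_ins: list[dict]) -> set[str]:
    """Distinct resource IDs behind the unexplained blocks: the candidates to
    compare against Microsoft's documented Windows App and AVD app IDs."""
    return {h["resourceId"] for h in blocked_unexcluded(policy, sign_ins)}


if __name__ == "__main__":
    print("missing from exclusion list:",
          missing_exclusions(BLOCK_NATIVE_CLIENTS_POLICY, AVD_EXCLUDED_APP_IDS))
    for hit in blocked_unexcluded(BLOCK_NATIVE_CLIENTS_POLICY, SIGN_INS):
        print("blocked but not excluded:", hit)
```

The reason the check keys on `resourceId` rather than `appId` is that a Conditional Access cloud-app target is matched against the resource the token is issued for, so an exclusion list that only names client application IDs can fail to match even when the client itself looks "known". Run against a real sign-in export, the resource IDs the script reports for the blocked Windows sessions are the ones to compare with Microsoft's documented IDs for the Windows App before adding anything to the exclusion list.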
