Forum Discussion
MSIX app attach Azure portal integration public preview
MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control with providing the right application for the right user.
Previously, you had to use PowerShell scripts to enable MSIX app attach. MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.
Draft troubleshooting guide for MSIX app attach is available here.
Overview and requirements
Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.
The following are the requirements to setup MSIX app attach in a Windows Virtual Desktop environment:
- Host pool in Windows Virtual Desktop with at least one active session host
- Host pool in the validation environment
- MSIX packaged application expanded into an MSIX image
- MSIX image is uploaded to file share
- The file share is accessible for all session hosts in the host pool
- When using a digital certificate that is not sourced from a CA please follow instructions here on each VM in the host pool
This video walks through the MSIX app attach UI.
Deploy WVD (Windows Virtual Desktop) host pool
The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.
MSIX application
MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application you can use the MSIX Packaging tool to repackage a Win32 application to MISX application. Instructions are available here.
Prepare MSIX image
MSIX app attach needs MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.
If you do not have access to an MSIX application and MSIX images feel free to use these. They are provided without any guarantees and should not be used in production environments:
|
Application name |
URL |
|
Chrome as MSIX image |
|
|
Chrome in an MSIX package |
|
|
Microsoft Edge Dev v89 as MSIX image |
|
|
Microsoft Edge Dev v89 as MSIX package |
|
|
Microsoft Edge Dev v87 as MSIX image |
|
|
Microsoft Edge Dev v87 as MSIX image |
|
|
PowerBI as MSIX image |
https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
Note: this has dependencies that need to be delivered in the master image Links available here https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice |
|
PowerBI as MSIX package |
|
|
WVDMigration as MSIX image (test different cert type) |
https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
|
|
WVDMigrationBAD as MSIX image (bad packaging format) |
|
|
Microsoft Edge Dev v87 as MSIX image (expired cert) |
https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
|
|
Notepad++ as MSIX image (missing cert test) |
https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea
|
If you are using your own application, you will need to install the certificate used to sign the MSIX package.
Install certificates
If you are using the provided MSIX applications, there are two certs:
- For Chome, Edge, and Power Bi: WVDContosoAppAttach.
- For WVDMigration*, WVDMigrationFabrikam
Configure a file share
All session hosts need access to the file share with MSIX app attach packages. This Tech Community blog covers the process.
Configure MSIX app attach via Azure portal
Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home
In the search bar type Windows Virtual Desktop and click on the service.
Select a host pool where MSIX applications are to be delivered.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click + Add. This will open the Add MSIX package blade.
MSIX image path – this is UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.
MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.
Package applications – list of MSIX applications available in an MSIX package.
Display name – Optional display name to be presented in the interface.
Version – MSIX package version automatically delivered from parsing the package.
Registration type
On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until and the user starts the application.
Log on blocking – this type of registration is executing during session logon hence adding time to session logon completion.
State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.
Click Save.
Publish MSIX application to an application group
In the WVD resource provider navigate to the Application groups blade.
Select an application group.
Note: During MSIX app attach preview MSIX app attach remote apps may disappear from the user feed. The remote MSIX apps can disappear from the user feed because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the date of the MSIX app attach remote apps, it won't display them.
Select the Applications blade. The Applications grid will display all currently added applications.
Click + Add to open the Add application blade.
Application source
- For desktop app groups the only source for applications is an MSIX package.
- For remote app group, there are three sources of applications.
- Start menu
- App path
- MSIX package
MSIX package – display list of packages added to the host pool.
Display name – Optional display name to be presented in the Applications interface.
Description – Short description.
Note the options below are only applicable to remote application groups.
- Icon path
- Icon index
- Show in web feed
Click Save.
Assign users to app group
Select app group.
Select Assignments
To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.
Select the users you want to have access to the apps. You can select single or multiple users and user groups.
Select Save.
It will take five minutes before the user can access the application.
Change MSIX package state
Via the Applications grid
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to have their state change and click the Change state button.
Via update package
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the State via the Inactive/Active button as desired and click Save.
Change MSIX package registration type
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.
Remove MSIX package
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to be removed click the Remove button.
Removing MSIX application
Navigate to the host pool and select Application groups.
Select the application group from which the MSIX application is to be removed.
From the application group blade select Applications.
Select the desired application and click Remove.
240 Replies
Thanks for the article Stefan Georgiev. We are seeing an issue where the VHD file doesn't mount to the host.
- Have 2 different host pools each with one active session host (2004 on one, 20H1 on other)
- Host pools are in validation mode
- File share is Azure Files with AD DS enabled and is accessible to VM in the host pools as well as for users (read-only permissions)
- Installed WVDContosoAppAttach certificate to session host > Local Computer > Trusted people.
- Have added two MSIX packages, one that I built, the other the Google Chrome one from the article
- Added the applications to the app group and confirmed assignments are set correctly
- One host is running 2004 and the other is running 20H1
The apps do not show up on the hosts. The VHD files do not mount and I don't see any logs in the event viewer related to Microsoft.RDInfra.AppAttach.
Any idea on where to look next for troubleshooting it?
- Try this https://github.com/stgeorgi/msixappattach/tree/master/event_viewer_filter in the same github there are few other troubleshooting docs
- Same here. I gave up, will come back and try again after the holidays. Hoping for a WVD MSIX log file reference for Christmas 😁
Stefan Georgiev I wonder what could be wrong in my environment with on-prem AD? I've successfully been able to add Chrome and Edge Dev sample MSIX packages to host pool as well as Remote App application group. However they do not appear on Windows nor web client although apps that I've added from Start menu appear ok. I've also used PowerShell scripts from https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach to successfully attach Chrome and verified that it appears as mounted volume and app works when started from Start. I've also implemented Log analytics and WVDFeeds on Workspace Logs shows # RDPTotal equivalent to # icons displayed on client(s). RDPFail and IconFail remain as zero. I noticed on your video that you specified icon path for the app. Is it required? In my environment (with session hosts provisioned into North Europe region) I've got exactly same situation as Jantu123 i.e. two session hosts with different WVD agent versions. However, I've shutdown the host with older WVD agent i.e. trying to get this working with 1.0.2743.1300.
I found the following event in Event Viewer\Applications and Services Logs\RemoteDesktopServices:Source: Microsoft.RDInfra.Messaging.DefaultMessenger
Event ID: 0
...
[] Dispatched message '{"MessageId":"7b3447a4-0647-4ef0-934d-e47dbcd1bdd7","Type":0,"Request":{"MethodName":"ExtractMsixDataAsync","Arguments":{"Path":"\\\\<storageaccount>.file.core.windows.net\\<fileshare>\\MSIX\\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx","Validate":true,"Limit":0,"Skip":0},"Headers":{"x-ms-correlation-id":"ddb1a956-f301-4d52-9776-2dba84031d02","x-ms-activity-context":"False","ms-wvd-activity-hint":"ms-wvd-ep:2bd6cc7b-7764-4e53-90bc-b7a1a502e5bc","x-ms-lamport-ts":"477077490"}},"Response":null}'
There is also similar event for Edge Dev. Also, there appears the same event as in Jantu123 i.e "MSIX packages have been properly staged". I couldn't find any errors or warnings in that log that seemed linked to app attach.
I found events for MSIX app attaching Chrome with PowerShell on Microsoft-Windows-AppXDeploymentServer/Operational. However, couldn't find any events for EdgeDev which I haven't attached with PowerShell. Should WVD app attached apps write events to this log if they are working?
When are you going to whitelist next batch? I'm waiting to evaluate my other environment with Azure AD DS. Initially, I didn't have RP registered but now I've got two separate host pools waiting...
- Icon path is not required.
You can take a look at event viewer using this custom view https://github.com/stgeorgi/msixappattach/tree/master/event_viewer_filter
Few other things to check version of agent (2743), version of bootloader (1.0.3), package is set to active and has been assigned in a destkop application group and published to users.
What is the WVD agent minimum version that support MSIX app attach? For whatever reason newly provisioned session hosts in validation host pool have older WVD agent (1.0.2548.6500) than before (1.0.2743.1300). See more details in picture that I posted in previous post.
Are there any recommendations which Region to select while creating wvd components (workspace, host pool and Application groups) to ensure msix app attach works best possible way? I have tested east US and West US to store WVD metadata objects. My session hosts are provisioned to West Europe region.
Updated tuesday:
Noticed that if you try to use the session host with old WVD agent when adding MSIX packages, you will get Error: Object reference not set to an instance of an object.
Adding MSIX package succeeds if I start the other session host with newer WVD agent even though otherwise App Attach still don't work.I don't see any errors related to App Attach in the Event viewer. Everything looks good in Session host with newer WVD Agent but still don't see published Remoteapps...
- Jantu123 MSIX app attach in WVD is available only in the validation environment (aka 1.0.2743). Region is up to you. Works in all.
The null reference on the older version of the agent is expected
I registered two Subscriptions to test this feature. Received confirmation Mail but not sure which Subscription or if both Subscriptions were whitelisted. What is the symptom if Subscription is not whitelisted?
- I have WVD host pool with one Active session host.
- Host pool is in validation mode.
- File share where I uploaded MSIX Image is accessible to VMs in the host pool as well as for users (read-only permissions).
- Installed WVDContosoAppAttach certificate to session host > Local Computer > Trusted people.
- I have succesfully added the provided Chrome MSIX Image to the host pool. Verified on the session host disk management that Image is mounted.
- Published MSIX app to Remoteapp Application group only.
- For testing purposes I have also published from the Start menu Paint to the same Remoteapp Application group.
When refreshing Remote Desktop client, I initially see Both Paint from Start Menu as well as MSIX published app as expected. Paint can be successfully launched, MSIX app does not Work. Connection opens but Google chrome is not started.
If I go back and refresh again Remote Desktop client web feed, Published MSIX app vanishes leaving only published Paint from Start Menu. I repeatedly tested this behaviour last Time on Saturday.
This same issue occurs with both of My Subscriptions.
What could be the issue? Really frustrated that I cannot get this working…
IMG_Before.png shows the State immediatelly after First Time publishing chrome (20.27).
IMG_After.png shows the State after I refreshed the web feed three minutes Later (20.30) when MSIX chrome app vanished...
- Hi Jantu, I would feel the same way for the MSIX app not to appear and the start menu app to appear we are talking about app registration failing. Initially it seems to work but once our code sees that the app does not stage/register its missing from the feed. Can you pm me your host pool name and I will have an engineer look at this
Hi Stefan, I sent you PM with host pool information yesterday.
One additional interesting thing what I noticed that when I provisioned yesterday new Session host using default Windows 10 Enterprise 20H2 mult-session image to same host pool (validation enabled) just to rule out that something is wrong with my custom image, there was no logs related to MSIX App Attach. I have created custom View containing every entry from RemoteDesktopServices where Event source contains AppAttach.
Results seen from newly created Session host. Nothing related to AppAttach...
Results seen in previously created session host in same host pool
Update from monday:
Noticed that newly provisioned Session host WVD agent is older compared to one earlier provisioned in same validation host pool. 1.0.2743.1300 versus 1.0.2548.6500. Maybe this older WVD agent is missing MSIX App attach features... Any way to Force WVD agent update?
hello,
I still have this error The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: wvd-0, Error: Error accessing virtual disk at ≤\\http://disq.us/url?url=http%3A%2F%2Fstowvd.file.core.windows.net%3AbaMBd1fsU9jqGVMJMVBgv-L8_Rc&cuid=4572167\msix\bignotepadplusplus.vhd≥. (Code: 400)
As you can see, some stuffs are missing from the page ADD MSIX PACKAGE (we should see msix package, package application, display name....)
Same problem after recreating the hostpool on another region.
- This is a permissions issue. The VMs in your host pool cannot access the path. Are you using Azure File? (check https://techcommunity.microsoft.com/t5/windows-virtual-desktop/step-by-step-guide-on-computer-account-auth-for-azure-files/td-p/1855164) if not put MSIX images on a folder on your c: drive and share it to everyone if that does not work pm me 🙂
hello Stefan
I checked once again permissions for session host on both share (RBAC) and directory level (NTFS) but I still have this error : “...Error accessing virtual disk at…”
Note that Host and storage account are joined to an Azure ADDS (not classic ADDS)
-RBAC : my host has the role Storage File Data SMB Share Contributor on the Storage account
(it’s also a member of an Azure AD group with this role)
-NTFS level : my Host has -modify- on the storage account’ Share
Note that the host can access and mount this vhd \\stoxxx.file.core.windows.net\msix\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx
I tried put the vhd on a local share and it works like a charm.
Please help me to find where is my mistake with Azure File permissions in the Azure ADDS scenario.
Best regards
biginquebec130 the other fields only appear after the session host can access vhdx. For me, the cure was to recheck/grant permissions for session host on both share (RBAC) and directory level (NTFS). I then cleared Kerberos tickets for the computer account (effectively skipping restarting it) with command klist purge -li 0x3e7. After that it worked 🙂
Works like a charm! Thanks! Is there any information about MSIX-App Attach going GA?
Thanks!
We are aiming for Q1...but quality must be met. I do want to ship sup par GA:)
Stefan Georgiev Hi, Is this GA schedule Calendar Year? Or is it Financial Year?
Stefan Georgiev I could not add any MSIX package or image. Tried to add network fileshare path, Azure file share path, file URL, etc. Keep getting the error:
tch0704 Use UNC naming format. Eg: \\tchfs.file.core.windows.net\wvdnewshare... etc
- This is an HTTPS path. Those are not supported. Must be an UNC path \\tchfs.file.core.*\wvdshare\*
Stefan Georgiev I have tried to add a package and after filling out the display name and clicking next, I am getting error as below
ActivityId: 35e6e4ff-4d9e-4168-8114-8a14888b97a1 Error: This functionality is not supported. It will be included in a future release.
Am I missing something.
- Your subscription is not whitelisted for the preview. Please feel in the form or PM me your sub ID.
rejincm I do not see your subscription having a request filed to enable the feature https://aka.ms/enablemsixappattach
- Do i also missing something? getting same error message as rejincm.
