Forum Discussion
MicrosoftMSIX app attach Azure portal integration public preview
MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control with providing the right application for the right user.
Previously, you had to use PowerShell scripts to enable MSIX app attach. MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.
Draft troubleshooting guide for MSIX app attach is available here.
Overview and requirements
Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.
The following are the requirements to setup MSIX app attach in a Windows Virtual Desktop environment:
- Host pool in Windows Virtual Desktop with at least one active session host
- Host pool in the validation environment
- MSIX packaged application expanded into an MSIX image
- MSIX image is uploaded to file share
- The file share is accessible for all session hosts in the host pool
- When using a digital certificate that is not sourced from a CA please follow instructions here on each VM in the host pool
This video walks through the MSIX app attach UI.
Deploy WVD (Windows Virtual Desktop) host pool
The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.
MSIX application
MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application you can use the MSIX Packaging tool to repackage a Win32 application to MISX application. Instructions are available here.
Prepare MSIX image
MSIX app attach needs MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.
If you do not have access to an MSIX application and MSIX images feel free to use these. They are provided without any guarantees and should not be used in production environments:
|
Application name |
URL |
|
Chrome as MSIX image |
|
|
Chrome in an MSIX package |
|
|
Microsoft Edge Dev v89 as MSIX image |
|
|
Microsoft Edge Dev v89 as MSIX package |
|
|
Microsoft Edge Dev v87 as MSIX image |
|
|
Microsoft Edge Dev v87 as MSIX image |
|
|
PowerBI as MSIX image |
https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
Note: this has dependencies that need to be delivered in the master image Links available here https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice |
|
PowerBI as MSIX package |
|
|
WVDMigration as MSIX image (test different cert type) |
https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
|
|
WVDMigrationBAD as MSIX image (bad packaging format) |
|
|
Microsoft Edge Dev v87 as MSIX image (expired cert) |
https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
|
|
Notepad++ as MSIX image (missing cert test) |
https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea
|
If you are using your own application, you will need to install the certificate used to sign the MSIX package.
Install certificates
If you are using the provided MSIX applications, there are two certs:
- For Chome, Edge, and Power Bi: WVDContosoAppAttach.
- For WVDMigration*, WVDMigrationFabrikam
Configure a file share
All session hosts need access to the file share with MSIX app attach packages. This Tech Community blog covers the process.
Configure MSIX app attach via Azure portal
Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home
In the search bar type Windows Virtual Desktop and click on the service.
Select a host pool where MSIX applications are to be delivered.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click + Add. This will open the Add MSIX package blade.
MSIX image path – this is UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.
MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.
Package applications – list of MSIX applications available in an MSIX package.
Display name – Optional display name to be presented in the interface.
Version – MSIX package version automatically delivered from parsing the package.
Registration type
On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until and the user starts the application.
Log on blocking – this type of registration is executing during session logon hence adding time to session logon completion.
State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.
Click Save.
Publish MSIX application to an application group
In the WVD resource provider navigate to the Application groups blade.
Select an application group.
Note: During MSIX app attach preview MSIX app attach remote apps may disappear from the user feed. The remote MSIX apps can disappear from the user feed because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the date of the MSIX app attach remote apps, it won't display them.
Select the Applications blade. The Applications grid will display all currently added applications.
Click + Add to open the Add application blade.
Application source
- For desktop app groups the only source for applications is an MSIX package.
- For remote app group, there are three sources of applications.
- Start menu
- App path
- MSIX package
MSIX package – display list of packages added to the host pool.
Display name – Optional display name to be presented in the Applications interface.
Description – Short description.
Note the options below are only applicable to remote application groups.
- Icon path
- Icon index
- Show in web feed
Click Save.
Assign users to app group
Select app group.
Select Assignments
To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.
Select the users you want to have access to the apps. You can select single or multiple users and user groups.
Select Save.
It will take five minutes before the user can access the application.
Change MSIX package state
Via the Applications grid
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to have their state change and click the Change state button.
Via update package
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the State via the Inactive/Active button as desired and click Save.
Change MSIX package registration type
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.
Remove MSIX package
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to be removed click the Remove button.
Removing MSIX application
Navigate to the host pool and select Application groups.
Select the application group from which the MSIX application is to be removed.
From the application group blade select Applications.
Select the desired application and click Remove.
Works like a charm! Thanks! Is there any information about MSIX-App Attach going GA?
Thanks!
Stefan GeorgievWe are aiming for Q1...but quality must be met. I do want to ship sup par GA:)
Akane_SaitoStefan Georgiev Hi, Is this GA schedule Calendar Year? Or is it Financial Year?
What is the WVD agent minimum version that support MSIX app attach? For whatever reason newly provisioned session hosts in validation host pool have older WVD agent (1.0.2548.6500) than before (1.0.2743.1300). See more details in picture that I posted in previous post.
Are there any recommendations which Region to select while creating wvd components (workspace, host pool and Application groups) to ensure msix app attach works best possible way? I have tested east US and West US to store WVD metadata objects. My session hosts are provisioned to West Europe region.
Updated tuesday:
Noticed that if you try to use the session host with old WVD agent when adding MSIX packages, you will get Error: Object reference not set to an instance of an object.
Adding MSIX package succeeds if I start the other session host with newer WVD agent even though otherwise App Attach still don't work.I don't see any errors related to App Attach in the Event viewer. Everything looks good in Session host with newer WVD Agent but still don't see published Remoteapps...
- Stefan GeorgievJantu123 MSIX app attach in WVD is available only in the validation environment (aka 1.0.2743). Region is up to you. Works in all.
The null reference on the older version of the agent is expected
Maybe some assistance from me (got it working). Please check following:
- Try to deploy a "local" share through a server
- Enable validation hostpool
- Install the Certificate on all VMs in the hostpool you want to deploy the App (Cert -> Trusted People)
- Install the Hyper-V role / Hyper-V powershell ( Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All) on all VMs in the hostpool
- Add the package in the hostpool (pay attention: only the UNC path is accepeted: \\fileserver\Example\ExampleApp.vhd)
- Wait about 2-3 minutes before connecting to the host. It takes some time till the settings are published to the hosts in the hostpool and the app is visible
Thanks for the effort!
- Try to deploy a "local" share through a server
--> I stayed with NetApp Files. The share is readable for everyone, so no permission problems can persist, and I have the profile in the same place, so the share is proven to be working.
- Enable validation hostpool
--> I do only have validation host pools.
- Install the Certificate on all VMs in the hostpool you want to deploy the App (Cert -> Trusted People)
--> Done from the first moment.
- Install the Hyper-V role / Hyper-V powershell ( Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All) on all VMs in the hostpool
--> That was missing, thanks for the hint! However, nothing changed when I switched the Hyper-V features on, even not after a few minutes and a few reboots. I tried also switch Inactive/Active the added MSIX applications, hoping it helps to "trigger" the mount of VHDs, but nothing.
- Add the package in the hostpool (pay attention: only the UNC path is accepeted: \\fileserver\Example\ExampleApp.vhd)
--> That is OK, there is no other way to succeed, the portal is checking thorougly the package before adding.
- Wait about 2-3 minutes before connecting to the host. It takes some time till the settings are published to the hosts in the hostpool and the app is visible.
--> Yeah, I did, as mentioned, also rebooted the VM a few times.
I do really appreciate your helpfulness, despite of the result.- TomHicklingHyper-v is only required to get the new-vhd command and hyper-v service required to create new vhd(x) that are part of the expansion process of getting the msix expanded to a vhd file. This is not a requirement for the mounting to a session host. What version of the WVD agent is installed?
- Stefan Georgievon the last bullet point it takes up to 5 min. our checking interval for changes is 5 min right now. during the preview we are evaluating if we need to make it shorter.
Stefan Georgiev Don't know what is changed, but for me it is working right now. Have to say, i have the VHD on my Domain controller C: share, but it's loaded in the MSIX preview. I am going to test it also from the Azure Files shares.
ejbakker and StephanK, Stefan Georgiev contacted me yesterday and informed that they did some magic on their side and fixed the bug and it should start working Today.
I can also confirm on my side that it is now fixed.
- I just confirmed it is working on our side as well. Thank you for your hard work on this everyone!
So tried a few of your scenarios,
no problem uploading and creating the MSIX in the portal it works like a charm, however i'm not able to see the app, I can se the VHD gets mounted, but the app does not register?
I have tried with your provided sample, and with some I created my self and from a third source.
This is logged
AppAttachServiceImpl - AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found. ---> Microsoft.RDInfra.Shared.Common.RestError.InnerRestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found.
--- End of inner exception stack trace ---
at Microsoft.RDInfra.Messaging.MessageUtils.SetOperationResultAndEnsureSuccessStatusCode(ResponseMessage response, IMonitoringOperation operation, ILogger logger) in S:\src\Shared\Microsoft.RDInfra.Messaging\src\Microsoft.RDInfra.Messaging\MessageUtils.cs:line 109
at Microsoft.RDInfra.RDAgent.WebSocket.Broker.<SendRequestAndWaitResponseAsync>d__26`2.MoveNext() in S:\src\Shared\AgentInterfaces\src\Microsoft.RDInfra.RDAgent.WebSocket\Broker.cs:line 209
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AgentBrokerCommunication.Interfaces.IBrokerExtensions.<CallRequiredInterfaceAsync>d__3`2.MoveNext() in S:\src\Shared\SharedMessaging\src\AgentBrokerCommunicationInterfaces\IBroker.cs:line 0
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AgentAppAttachPackageListServiceImpl.<GetAppAttachPackagesToRegister>d__6.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AgentAppAttachPackageListServiceImpl.cs:line 60
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AppAttachServiceImpl.<AppAttachRegisterAsync>d__28.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AppAttachServiceImpl.cs:line 597Furthermore I am pretty sure it has screwed up my FSlogix setup too, i'm unable to attach the upd at log on, un less i delete it and let it create a new... ?!? how weird is that? (frxtray screen dump attached)
What am I overlooking ?
Stefan Georgiev I have tried to add a package and after filling out the display name and clicking next, I am getting error as below
ActivityId: 35e6e4ff-4d9e-4168-8114-8a14888b97a1 Error: This functionality is not supported. It will be included in a future release.
Am I missing something.
- Stefan Georgiev
rejincm We are hitting an error with the Azure whitelisting process that is blocking your sub, We are trying to do a fix tomorrow (well already today 12/18).
- Stefan Georgievrejincm This has been fixed
- chadhamilton37
Stefan Georgiev I am getting the same error as rejincm
@Stefan Georgiev, We are also getting the same error, and we have got confirmation from you that access to MSIX app attach access in WVD granted. Guessing it is a bigger issue as others are seeing also. Thanks
rejincm Same error and also Powershell doesn't work, with the same error message.
- Stefan Georgiev
Robert Folkers Hi Robert, the underlying problem is in the way feature flags are handled in Azure. Fastest fix is to get a different sub enabled (we figured out how not to hit the bug), if you do not have a different sub you may like the fact we a re trying to kick of a deployment tomorrow that is going to fix the issue.
Stefan Georgiev I could not add any MSIX package or image. Tried to add network fileshare path, Azure file share path, file URL, etc. Keep getting the error:
- TomHickling
tch0704 The path needs to be entered in UNC format i.e. \\server\share\folder\file.vhd
- Dear Tom,
I already tried with "\\wvd-dc\appshare\...vhd" but still didn't work. Thanks.
I got the "No MSIX packages could be retrieved from the image path" error. Error type is "aap contains untrusted signature". I am trying to use the chome msix package provided. I can't do anything with the CRT certificate on github, it says invalid. Please advice Stefan Georgiev Thank you.
- TomHickling
You can go back up a level at https://github.com/stgeorgi/msixappattach/find/master . Then install into Local Computer > Trusted People
grobersoI used the chrome and edge vhdx's and WVD said there were no packages in the vhdx. I do have Az Files joined to the Domain.- Stefan Georgiev
groberso do you have the actual error displayed by the portal?
hello,
I still have this error The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: wvd-0, Error: Error accessing virtual disk at ≤\\stox.file.core.windows.net\msix\bignotepadplusplus.vhd≥. (Code: 400)
As you can see, some stuffs are missing from the page ADD MSIX PACKAGE (we should see msix package, package application, display name....)
Same problem after recreating the hostpool on another region.
biginquebec130 the other fields only appear after the session host can access vhdx. For me, the cure was to recheck/grant permissions for session host on both share (RBAC) and directory level (NTFS). I then cleared Kerberos tickets for the computer account (effectively skipping restarting it) with command klist purge -li 0x3e7. After that it worked 🙂
- Stefan GeorgievThis is a permissions issue. The VMs in your host pool cannot access the path. Are you using Azure File? (check https://techcommunity.microsoft.com/t5/windows-virtual-desktop/step-by-step-guide-on-computer-account-auth-for-azure-files/td-p/1855164) if not put MSIX images on a folder on your c: drive and share it to everyone if that does not work pm me 🙂
hello Stefan
I checked once again permissions for session host on both share (RBAC) and directory level (NTFS) but I still have this error : “...Error accessing virtual disk at…”
Note that Host and storage account are joined to an Azure ADDS (not classic ADDS)
-RBAC : my host has the role Storage File Data SMB Share Contributor on the Storage account
(it’s also a member of an Azure AD group with this role)
-NTFS level : my Host has -modify- on the storage account’ Share
Note that the host can access and mount this vhd \\stoxxx.file.core.windows.net\msix\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx
I tried put the vhd on a local share and it works like a charm.
Please help me to find where is my mistake with Azure File permissions in the Azure ADDS scenario.
Best regards
I registered two Subscriptions to test this feature. Received confirmation Mail but not sure which Subscription or if both Subscriptions were whitelisted. What is the symptom if Subscription is not whitelisted?
- I have WVD host pool with one Active session host.
- Host pool is in validation mode.
- File share where I uploaded MSIX Image is accessible to VMs in the host pool as well as for users (read-only permissions).
- Installed WVDContosoAppAttach certificate to session host > Local Computer > Trusted people.
- I have succesfully added the provided Chrome MSIX Image to the host pool. Verified on the session host disk management that Image is mounted.
- Published MSIX app to Remoteapp Application group only.
- For testing purposes I have also published from the Start menu Paint to the same Remoteapp Application group.
When refreshing Remote Desktop client, I initially see Both Paint from Start Menu as well as MSIX published app as expected. Paint can be successfully launched, MSIX app does not Work. Connection opens but Google chrome is not started.
If I go back and refresh again Remote Desktop client web feed, Published MSIX app vanishes leaving only published Paint from Start Menu. I repeatedly tested this behaviour last Time on Saturday.
This same issue occurs with both of My Subscriptions.
What could be the issue? Really frustrated that I cannot get this working…
IMG_Before.png shows the State immediatelly after First Time publishing chrome (20.27).
IMG_After.png shows the State after I refreshed the web feed three minutes Later (20.30) when MSIX chrome app vanished...
- Stefan GeorgievHi Jantu, I would feel the same way for the MSIX app not to appear and the start menu app to appear we are talking about app registration failing. Initially it seems to work but once our code sees that the app does not stage/register its missing from the feed. Can you pm me your host pool name and I will have an engineer look at this
Hi Stefan, I sent you PM with host pool information yesterday.
One additional interesting thing what I noticed that when I provisioned yesterday new Session host using default Windows 10 Enterprise 20H2 mult-session image to same host pool (validation enabled) just to rule out that something is wrong with my custom image, there was no logs related to MSIX App Attach. I have created custom View containing every entry from RemoteDesktopServices where Event source contains AppAttach.
Results seen from newly created Session host. Nothing related to AppAttach...
Results seen in previously created session host in same host pool
Update from monday:
Noticed that newly provisioned Session host WVD agent is older compared to one earlier provisioned in same validation host pool. 1.0.2743.1300 versus 1.0.2548.6500. Maybe this older WVD agent is missing MSIX App attach features... Any way to Force WVD agent update?
Stefan Georgiev I wonder what could be wrong in my environment with on-prem AD? I've successfully been able to add Chrome and Edge Dev sample MSIX packages to host pool as well as Remote App application group. However they do not appear on Windows nor web client although apps that I've added from Start menu appear ok. I've also used PowerShell scripts from Configure Windows Virtual Desktop MSIX app attach PowerShell scripts - Azure | Microsoft Docs to successfully attach Chrome and verified that it appears as mounted volume and app works when started from Start. I've also implemented Log analytics and WVDFeeds on Workspace Logs shows # RDPTotal equivalent to # icons displayed on client(s). RDPFail and IconFail remain as zero. I noticed on your video that you specified icon path for the app. Is it required? In my environment (with session hosts provisioned into North Europe region) I've got exactly same situation as Jantu123 i.e. two session hosts with different WVD agent versions. However, I've shutdown the host with older WVD agent i.e. trying to get this working with 1.0.2743.1300.
I found the following event in Event Viewer\Applications and Services Logs\RemoteDesktopServices:Source: Microsoft.RDInfra.Messaging.DefaultMessenger
Event ID: 0
...
[] Dispatched message '{"MessageId":"7b3447a4-0647-4ef0-934d-e47dbcd1bdd7","Type":0,"Request":{"MethodName":"ExtractMsixDataAsync","Arguments":{"Path":"\\\\<storageaccount>.file.core.windows.net\\<fileshare>\\MSIX\\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx","Validate":true,"Limit":0,"Skip":0},"Headers":{"x-ms-correlation-id":"ddb1a956-f301-4d52-9776-2dba84031d02","x-ms-activity-context":"False","ms-wvd-activity-hint":"ms-wvd-ep:2bd6cc7b-7764-4e53-90bc-b7a1a502e5bc","x-ms-lamport-ts":"477077490"}},"Response":null}'
There is also similar event for Edge Dev. Also, there appears the same event as in Jantu123 i.e "MSIX packages have been properly staged". I couldn't find any errors or warnings in that log that seemed linked to app attach.
I found events for MSIX app attaching Chrome with PowerShell on Microsoft-Windows-AppXDeploymentServer/Operational. However, couldn't find any events for EdgeDev which I haven't attached with PowerShell. Should WVD app attached apps write events to this log if they are working?
When are you going to whitelist next batch? I'm waiting to evaluate my other environment with Azure AD DS. Initially, I didn't have RP registered but now I've got two separate host pools waiting...
- Stefan GeorgievIcon path is not required.
You can take a look at event viewer using this custom view https://github.com/stgeorgi/msixappattach/tree/master/event_viewer_filter
Few other things to check version of agent (2743), version of bootloader (1.0.3), package is set to active and has been assigned in a destkop application group and published to users.
