MSIX app attach Azure portal integration public preview

Microsoft

MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is, an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and gives you more control over providing the right application to the right user.

 

Previously, you had to use PowerShell scripts to enable MSIX app attach.  MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.

 

Draft troubleshooting guide for MSIX app attach is available here.

Overview and requirements

 

Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.

 

The following are the requirements to set up MSIX app attach in a Windows Virtual Desktop environment:

  • Host pool in Windows Virtual Desktop with at least one active session host
  • Host pool in the validation environment
  • MSIX packaged application expanded into an MSIX image
  • MSIX image is uploaded to file share
  • The file share is accessible for all session hosts in the host pool
  • When using a digital certificate that is not sourced from a CA, follow the instructions here on each VM in the host pool

 

This video walks through the MSIX app attach UI.

 

Deploy WVD (Windows Virtual Desktop) host pool

 

The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.


 

MSIX application

 

MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application, you can use the MSIX Packaging tool to repackage a Win32 application as an MSIX application. Instructions are available here.

 

Prepare MSIX image

 

MSIX app attach needs the MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.

 

If you do not have access to an MSIX application and MSIX images feel free to use these. They are provided without any guarantees and should not be used in production environments:

 

Application name – URL

  • Chrome as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVMWy-sU8aiaStuxQ?e=AqwZ0D
  • Chrome in an MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVLPExhghP4iM8LRQ?e=wJHd9P
  • Microsoft Edge Dev v89 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVddlHiIoei4RdROQ?e=kwdvDq
  • Microsoft Edge Dev v89 as MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVczWWmEiUhv2IC3A?e=eBGL8B
  • Microsoft Edge Dev v87 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVbdz4gmTb7rqHoeg?e=6dEhj5
  • Microsoft Edge Dev v87 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVaArIPkiAg5XzusQ?e=ZthNbz
  • PowerBI as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
    • Note: this has dependencies that need to be delivered in the master image. Links available here: https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice
  • PowerBI as MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVi5SXqDxAr6MBAKw?e=pm1c2q
  • WVDMigration as MSIX image (test different cert type) – https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
  • WVDMigrationBAD as MSIX image (bad packaging format) – https://1drv.ms/u/s!Amut9BnVnw7mkOF6izJaA6rMxih_fQ?e=VU6Wbp
  • Microsoft Edge Dev v87 as MSIX image (expired cert) – https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
  • Notepad++ as MSIX image (missing cert test) – https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea

 

If you are using your own application, you will need to install the certificate used to sign the MSIX package.
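
The following script is an added example, not part of the original post or of Microsoft's tooling. It shows one way to check a package's signer before trusting it on a session host: it confirms the .cer file is the certificate that actually signed the package, skips the import when the signer is outside its validity period, and adds it to Local Computer > Trusted People only if it is missing. Both default paths are placeholders, and the check is run against the .msix file before it is expanded into the MSIX image.

```powershell
# Added example: trust pre-flight for an MSIX package on one session host.
# Both default paths are placeholders (assumptions). Run in an elevated session.
param(
    [string]$PackagePath = 'C:\temp\MyApp.msix',
    [string]$CertPath    = 'C:\temp\MyAppSigning.cer'
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\TrustedPeople'

# 1. Read the signer from the package itself, not from the .cer file.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate) { throw "Package is not signed: $PackagePath" }
$signer = $sig.SignerCertificate

# 2. Check the signer's validity window. This simple date check does not
#    consider timestamp countersignatures.
$now = Get-Date
$inValidity = ($now -ge $signer.NotBefore) -and ($now -le $signer.NotAfter)
if (-not $inValidity) {
    Write-Warning "Signer outside validity period (NotAfter: $($signer.NotAfter)); not importing."
}

# 3. The certificate offered for import must be the one that signed the package.
#    The constructor throws if the file is not a parsable certificate.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cert.Thumbprint -ne $signer.Thumbprint) {
    throw "Certificate $($cert.Thumbprint) did not sign this package (signer: $($signer.Thumbprint))."
}

# 4. Import only when the signer is within validity and not already in the store.
$storePath = "$store\$($signer.Thumbprint)"
if ($inValidity -and -not (Test-Path -Path $storePath)) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
}

# 5. Report the resulting state so it can be collected from every host.
[pscustomobject]@{
    Package          = $PackagePath
    SignerSubject    = $signer.Subject
    SignerThumbprint = $signer.Thumbprint
    NotAfter         = $signer.NotAfter
    WithinValidity   = $inValidity
    InTrustedPeople  = Test-Path -Path $storePath
    SignatureStatus  = (Get-AuthenticodeSignature -FilePath $PackagePath).Status
}
```

Run it on each VM in the host pool, since every session host needs the certificate.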

 

Install certificates

 

If you are using the provided MSIX applications, there are two certs:

 

Configure a file share

 

All session hosts need access to the file share with MSIX app attach packages.  This Tech Community blog covers the process.

 

Configure MSIX app attach via Azure portal

 

Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home

In the search bar type Windows Virtual Desktop and click on the service.

 


 

Select a host pool where MSIX applications are to be delivered.

 


 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click + Add. This will open the Add MSIX package blade.

 


 

MSIX image path – this is the UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.

MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.

Package applications – list of MSIX applications available in an MSIX package.

Display name – Optional display name to be presented in the interface.

Version – MSIX package version automatically delivered from parsing the package.

Registration type

On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until the user starts the application.

Log on blocking – this type of registration executes during session logon, which adds time to session logon completion.

State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.

Click Save.

 

Publish MSIX application to an application group

 

In the WVD resource provider navigate to the Application groups blade.

Select an application group.

 

Note: During MSIX app attach preview MSIX app attach remote apps may disappear from the user feed. The remote MSIX apps can disappear from the user feed because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the date of the MSIX app attach remote apps, it won't display them.

 

Select the Applications blade. The Applications grid will display all currently added applications.


Click + Add to open the Add application blade.

Application source

  • For desktop app groups the only source for applications is an MSIX package.


 

  • For remote app group, there are three sources of applications.
    • Start menu
    • App path
    • MSIX package

 

MSIX package – displays the list of packages added to the host pool.

 

 


 

Display name – Optional display name to be presented in the Applications interface.

Description – Short description.

Note: the options below are only applicable to remote application groups.

  • Icon path
  • Icon index 
  • Show in web feed

Click Save.

 

Assign users to app group

 

Select the app group.

Select Assignments.

To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.

Select the users you want to have access to the apps. You can select single or multiple users and user groups.

Select Save.

It will take five minutes before the user can access the application.

 

Change MSIX package state

 

Via the Applications grid

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages whose state needs to change and click the Change state button.

 

Via update package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click on Package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the State via the Inactive/Active button as desired and click Save.

 

Change MSIX package registration type

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click on Package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.

 

Remove MSIX package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages that need to be removed and click the Remove button.

 

Removing MSIX application

 

Navigate to the host pool and select Application groups.

Select the application group from which the MSIX application is to be removed.

From the application group blade select Applications.

Select the desired application and click Remove.

240 Replies

@Stefan Georgiev  I have tried to add a package and after filling out the display name and clicking next, I am getting error as below

ActivityId: 35e6e4ff-4d9e-4168-8114-8a14888b97a1 Error: This functionality is not supported. It will be included in a future release. 

 

Am I missing something?

@Stefan Georgiev I am getting the same error as @rejincm

@Stefan Georgiev, We are also getting the same error, and we have got confirmation from you that access to MSIX app attach access in WVD granted.   Guessing it is a bigger issue as others are seeing also.  Thanks

 

@Stefan Georgiev  I could not add any MSIX package or image.  Tried to add network fileshare path, Azure file share path, file URL, etc.  Keep getting the error.

I got the "No MSIX packages could be retrieved from the image path" error.  Error type is "aap contains untrusted signature".  I am trying to use the chrome msix package provided.  I can't do anything with the CRT certificate on github, it says invalid.  Please advise @Stefan Georgiev  Thank you.

I used the chrome and edge vhdx's and WVD said there were no packages in the vhdx. I do have Az Files joined to the Domain.
Same here. Any feedback you can provide?

@tch0704 The path needs to be entered in UNC format i.e. \\server\share\folder\file.vhd

You can go back up a level at https://github.com/stgeorgi/msixappattach/find/master . Then install into Local Computer > Trusted People

I already tried this but got an error: The file is invalid for use as the following: Security Certificate.

@rejincm Same error and also PowerShell doesn't work, with the same error message.

@rejincm We are hitting an error with the Azure whitelisting process that is blocking your sub. We are trying to do a fix tomorrow (well, already today 12/18).

@chadhamilton37 there is a bug we found in the whitelisting process. There is a fix and we are trying to deploy it... however, we are racing against time as there is a change freeze starting 12/18 12:00. If you have a different sub I know how to enable the feature and circumvent the bug.

@Robert_Hurd in short yes. All subs enabled between 12/14 and 12/15 are hitting a bug with the Azure whitelisting (feature flag process). The somewhat good news is that we have a fix that we are trying to deploy tomorrow. But, we are running against a change freeze deadline that starts tomorrow. So if you have a different sub we can enable that one and expedite your access to the feature.

@tch0704 we do not support HTTP/S paths; it must be an SMB resolvable path.

@Robert Folkers Hi Robert, the underlying problem is in the way feature flags are handled in Azure. Fastest fix is to get a different sub enabled (we figured out how not to hit the bug). If you do not have a different sub, you may like the fact we are trying to kick off a deployment tomorrow that is going to fix the issue.

@Edmond Chou the error you are describing is due to the session host in your host pool not having the certificate added to trusted people. That is the same certificate that has been used to package the application.

This is due to a bug we found in the whitelisting. My dev is racing against time to deploy the fix tomorrow (before the change freeze takes effect). If you have another sub we can circumvent the bug and get it enabled.

@chadhamilton37 we are working to fix the bug. Deployment for the fix is planned for 12/18 but there is no guarantee we can make it. The 100% fix is to enable a different sub under your Azure AD tenant.