Dec 14 2020 10:05 AM - edited Feb 23 2021 09:39 AM
MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control with providing the right application for the right user.
Previously, you had to use PowerShell scripts to enable MSIX app attach. MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.
Draft troubleshooting guide for MSIX app attach is available here.
Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.
The following are the requirements to setup MSIX app attach in a Windows Virtual Desktop environment:
This video walks through the MSIX app attach UI.
The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.
MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application you can use the MSIX Packaging tool to repackage a Win32 application to MISX application. Instructions are available here.
MSIX app attach needs MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.
If you do not have access to an MSIX application and MSIX images feel free to use these. They are provided without any guarantees and should not be used in production environments:
Application name |
URL |
Chrome as MSIX image |
|
Chrome in an MSIX package |
|
Microsoft Edge Dev v89 as MSIX image |
|
Microsoft Edge Dev v89 as MSIX package |
|
Microsoft Edge Dev v87 as MSIX image |
|
Microsoft Edge Dev v87 as MSIX image |
|
PowerBI as MSIX image |
https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
Note: this has dependencies that need to be delivered in the master image Links available here https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice |
PowerBI as MSIX package |
|
WVDMigration as MSIX image (test different cert type) |
https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
|
WVDMigrationBAD as MSIX image (bad packaging format) |
|
Microsoft Edge Dev v87 as MSIX image (expired cert) |
https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
|
Notepad++ as MSIX image (missing cert test) |
https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea
|
If you are using the provided MSIX applications, there are two certs:
All session hosts need access to the file share with MSIX app attach packages. This Tech Community blog covers the process.
Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home
In the search bar type Windows Virtual Desktop and click on the service.
Select a host pool where MSIX applications are to be delivered.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click + Add. This will open the Add MSIX package blade.
MSIX image path – this is UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.
MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.
Package applications – list of MSIX applications available in an MSIX package.
Display name – Optional display name to be presented in the interface.
Version – MSIX package version automatically delivered from parsing the package.
Registration type
On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until and the user starts the application.
Log on blocking – this type of registration is executing during session logon hence adding time to session logon completion.
State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.
Click Save.
In the WVD resource provider navigate to the Application groups blade.
Select an application group.
Note: During MSIX app attach preview MSIX app attach remote apps may disappear from the user feed. The remote MSIX apps can disappear from the user feed because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the date of the MSIX app attach remote apps, it won't display them.
Select the Applications blade. The Applications grid will display all currently added applications.
Click + Add to open the Add application blade.
Application source
MSIX package – display list of packages added to the host pool.
Display name – Optional display name to be presented in the Applications interface.
Description – Short description.
Note the options below are only applicable to remote application groups.
Click Save.
Select app group.
Select Assignments
To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.
Select the users you want to have access to the apps. You can select single or multiple users and user groups.
Select Save.
It will take five minutes before the user can access the application.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to have their state change and click the Change state button.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the State via the Inactive/Active button as desired and click Save.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to be removed click the Remove button.
Navigate to the host pool and select Application groups.
Select the application group from which the MSIX application is to be removed.
From the application group blade select Applications.
Select the desired application and click Remove.
Dec 18 2020 01:49 AM
@Edmond Chou Apologies, I do not recall putting cert on GitHub can you share the URL (the cert in the documentation is from my OneDrive)
Dec 18 2020 01:51 AM
@groberso do you have the actual error displayed by the portal?
Dec 18 2020 01:55 AM
Dec 18 2020 01:57 AM
Dec 18 2020 03:13 AM - edited Dec 18 2020 03:15 AM
Having strange test results...
Dec 18 2020 03:57 AM
@Jantu123 For point 2, Explorer is always launched if the applicaiton is not available for whatever reason. So it is possible that you have added an app and assigned it to an application group which presents the icons to the client, all before the session host has reported in and mounted the VHD(x) and registered the app
Dec 18 2020 04:28 AM
Thanks for the explanation. I have checked that in disk management, I see the MSIX .vhdx mounted while I have these issues.
However in last one hour I actually managed to start for a while the MSIX published as a Remoteapp but then maybe 30 minutes later launching the App again opened Explorer instead. I then closed the Remote Desktop Client and after restarting only MSIX RemoteApp icons vanished. No changes done on my side...
Wondering whether or not this appearing / disappearing MSIX RemoteApp icons in Remote Desktop Clients are related to this Azure whitelist flag.
Dec 18 2020 05:31 AM
Works like a charm! Thanks! Is there any information about MSIX-App Attach going GA?
Thanks!
Dec 18 2020 05:30 PM
hello,
I still have this error The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: wvd-0, Error: Error accessing virtual disk at ≤\\stox.file.core.windows.net\msix\bignotepadplusplus.vhd≥. (Code: 400)
As you can see, some stuffs are missing from the page ADD MSIX PACKAGE (we should see msix package, package application, display name....)
Same problem after recreating the hostpool on another region.
Dec 19 2020 10:03 AM
@biginquebec130 the other fields only appear after the session host can access vhdx. For me, the cure was to recheck/grant permissions for session host on both share (RBAC) and directory level (NTFS). I then cleared Kerberos tickets for the computer account (effectively skipping restarting it) with command klist purge -li 0x3e7. After that it worked 🙂
Dec 19 2020 11:53 AM
I registered two Subscriptions to test this feature. Received confirmation Mail but not sure which Subscription or if both Subscriptions were whitelisted. What is the symptom if Subscription is not whitelisted?
When refreshing Remote Desktop client, I initially see Both Paint from Start Menu as well as MSIX published app as expected. Paint can be successfully launched, MSIX app does not Work. Connection opens but Google chrome is not started.
If I go back and refresh again Remote Desktop client web feed, Published MSIX app vanishes leaving only published Paint from Start Menu. I repeatedly tested this behaviour last Time on Saturday.
This same issue occurs with both of My Subscriptions.
What could be the issue? Really frustrated that I cannot get this working…
IMG_Before.png shows the State immediatelly after First Time publishing chrome (20.27).
IMG_After.png shows the State after I refreshed the web feed three minutes Later (20.30) when MSIX chrome app vanished...
Dec 20 2020 01:31 AM
@Jantu123 I am assuming that when you say randomly visible remote apps you mean the feed. There is no good reason for RA to be gone from the feed after being published I really would like for us to chat next week and see what is going please PM me and I will setup something
Dec 20 2020 01:34 AM
Dec 20 2020 01:34 AM
We are aiming for Q1...but quality must be met. I do want to ship sup par GA:)
Dec 20 2020 01:38 AM
Dec 20 2020 01:43 AM
Dec 20 2020 09:19 AM
hello Stefan
I checked once again permissions for session host on both share (RBAC) and directory level (NTFS) but I still have this error : “...Error accessing virtual disk at…”
Note that Host and storage account are joined to an Azure ADDS (not classic ADDS)
-RBAC : my host has the role Storage File Data SMB Share Contributor on the Storage account
(it’s also a member of an Azure AD group with this role)
-NTFS level : my Host has -modify- on the storage account’ Share
Note that the host can access and mount this vhd \\stoxxx.file.core.windows.net\msix\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx
I tried put the vhd on a local share and it works like a charm.
Please help me to find where is my mistake with Azure File permissions in the Azure ADDS scenario.
Best regards
Dec 20 2020 05:05 PM
Dec 20 2020 10:24 PM - edited Dec 21 2020 10:13 AM
Hi Stefan, I sent you PM with host pool information yesterday.
One additional interesting thing what I noticed that when I provisioned yesterday new Session host using default Windows 10 Enterprise 20H2 mult-session image to same host pool (validation enabled) just to rule out that something is wrong with my custom image, there was no logs related to MSIX App Attach. I have created custom View containing every entry from RemoteDesktopServices where Event source contains AppAttach.
Results seen from newly created Session host. Nothing related to AppAttach...
Results seen in previously created session host in same host pool
Update from monday:
Noticed that newly provisioned Session host WVD agent is older compared to one earlier provisioned in same validation host pool. 1.0.2743.1300 versus 1.0.2548.6500. Maybe this older WVD agent is missing MSIX App attach features... Any way to Force WVD agent update?
Dec 21 2020 02:50 AM
@biginquebec130
Pretty sure this isnt supported. Games a bogey with AAD DS as there is no hybrid join capability so no writing back the devices to AAD. You're giving the Managed Identity of the VM access to FileShare, this isnt the AD object for which it'll determine has the correct NTFS permissions.
Keen to get confirmation/roadmap item for this scenario though as we have a few environments that use standalone AAD DS as opposed to classic ADDS with Synchronization.