Forum Discussion

Stefan Georgiev
Jan 27, 2021

Using a desktop and remote application group to granularly control access to MSIX app attach

Overview

 

As of the writing of this article, Windows Virtual Desktop (WVD) supports one desktop application group (DAG) per host pool. This means that every user granted access to the DAG sees every MSIX app attach application added to it. For example, if both Sales and HR users need a remote desktop but Sales users must not have access to HR applications, the obvious (and expensive) answer is a separate host pool per department.

This document provides an overview of how DAG and remote application groups (RAG) can be used together to isolate applications in remote desktop scenarios.

 

Note: This process has the side effect of displaying the remote apps in the user feed.

 

Figure 1: MSIX app attach and application isolation.

 

Sample scenario

To better understand MSIX app attach and WVD capabilities we will follow the scenario below.

All our users (Sales, HR, and Eng) must have a remote desktop. They all need access to Teams and Edge. Sales additionally needs Whiteboard and To Do. HR needs Power BI. Eng needs Visual Studio Code (VSC). Users must not be able to access any app they have not been granted permission to use.

 

 

User            Common Apps    Sales Apps          HR Apps    Eng Apps
--------------  -------------  ------------------  ---------  -------------
Sales (Pieter)  Teams, Edge    Whiteboard, To Do   -          -
HR (Adam)       Teams, Edge    -                   Power BI   -
Eng (Stefan)    Teams, Edge    -                   -          VS Code (VSC)


Setting up MSIX app attach

Requirements

To complete this scenario, we must have:

  • WVD deployment with MSIX app attach
  • MSIX share with correct permissions
  • Application dependencies are included in the master image
  • MSIX image for each app uploaded to the MSIX share
  • MSIX packages have been added to the host pool and are set to active
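The last two requirements (images on the share, packages registered with the host pool and active) are the ones most often left half-done, and an inactive package never reaches an app group. The following PowerShell is an added example, not code from the original post; it uses the Az.DesktopVirtualization module cmdlets as documented (Expand-AzWvdMsixImage, New-AzWvdMsixPackage, Get-AzWvdMsixPackage). The resource group, host pool name and UNC image paths are placeholders, and parameter names should be checked against Get-Help for the module version in use.

```powershell
# Added example (not from the original post): register each MSIX image on the
# share with the host pool and mark it active, then verify.
Import-Module Az.DesktopVirtualization

$rg       = 'rg-wvd'    # assumed resource group
$hostPool = 'hp-wvd'    # assumed host pool
$images   = @(          # assumed UNC paths on the MSIX share
    '\\fileserver\msixshare\Whiteboard.vhd',
    '\\fileserver\msixshare\ToDo.vhd',
    '\\fileserver\msixshare\PowerBI.vhd',
    '\\fileserver\msixshare\VSCode.vhd'
)

foreach ($image in $images) {
    # Expand-AzWvdMsixImage has a session host read the package metadata
    # (family name, version, applications, dependencies) from the VHD. If this
    # fails, the share permissions for the session hosts' computer accounts
    # are the first thing to check (requirement 2 above).
    $pkg = Expand-AzWvdMsixImage -HostPoolName $hostPool -ResourceGroupName $rg -Uri $image |
        Select-Object -First 1   # one package per image in this scenario

    $params = @{
        HostPoolName          = $hostPool
        ResourceGroupName     = $rg
        FullName              = $pkg.PackageFullName
        DisplayName           = $pkg.PackageName
        ImagePath             = $image
        IsActive              = $true    # inactive packages are never staged on hosts
        IsRegularRegistration = $false   # on-demand registration at user sign-in
        LastUpdated           = $pkg.LastUpdated
        PackageApplication    = $pkg.PackageApplication
        PackageDependency     = $pkg.PackageDependency
        PackageFamilyName     = $pkg.PackageFamilyName
        PackageName           = $pkg.PackageName
        PackageRelativePath   = $pkg.PackageRelativePath
        Version               = $pkg.Version
    }
    New-AzWvdMsixPackage @params | Out-Null
}

# Check: every package must show IsActive = True before it is added to an app group.
# The PackageFamilyName and the AppId values under PackageApplication are what the
# app-group step later needs.
Get-AzWvdMsixPackage -HostPoolName $hostPool -ResourceGroupName $rg |
    Select-Object PackageFamilyName, Version, IsActive, ImagePath,
        @{ Name = 'AppIds'; Expression = { $_.PackageApplication.AppId -join ',' } } |
    Format-Table -AutoSize
```

Keep the VHDs read-only for everyone except the account that updates them; session hosts only need read access, and a writable share is one of the few ways an attached package can be tampered with after it has been registered.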

The wrong way

To complete MSIX app attach we must add the MSIX applications to either a DAG or a RAG. Our users need a remote desktop, so a RAG on its own is not an option: it does not grant remote desktop access. But if we assign all the apps to the DAG, every user assigned to the DAG sees every app, which breaks the isolation requirement.

 

All MSIX applications are assigned to a DAG.

 

 

Users for the different departments assigned to the DAG.

 

 

To verify this, we sign in as Pieter. All the apps appear in his Start Menu (they were intentionally pinned), including the HR and Eng apps.

 

 

This is not the outcome our scenario requires.

The “right” way

We do not need to change the MSIX images or their assignment to the host pool. We only need to change the DAG and create three new RAGs (remote application groups).

 

Note: this scenario can be implemented only if the users are fully logged off from all session hosts (their sessions removed, not just disconnected).

 

We need to leave only the common apps Teams and Edge in the DAG.

 

 

We then create three RAGs named SalesApps, HRApps and EngApps.

 

 

For each RAG we will add the corresponding MSIX applications and assign the corresponding users.

 

Note: All users must remain assigned to the DAG.

 

 

Note: The Showinwebfeed option would allow the RAG application icons to be suppressed from the feed; however, this is not currently enabled in WVD.

 

The SalesApps RAG has been configured as per our scenario.

When the Sales user (Pieter) signs in, the feed shows the DAG plus the apps assigned to the RAG.
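The steps above (log everyone off, trim the DAG to the common apps, create the three RAGs, add the MSIX applications, assign users while keeping their DAG assignment) can be scripted end to end. The following is an added example, not code from the original post; it uses Az.DesktopVirtualization and Az.Resources cmdlets as documented. Resource names, user principal names and the package family names and application IDs are placeholders (read the real ones from Get-AzWvdMsixPackage), and the session name format is assumed to be hostpool/sessionhost/sessionId as the cmdlets return it.

```powershell
# Added example (not from the original post): isolate MSIX app attach apps with
# one DAG for common apps plus one RAG per department.
Import-Module Az.DesktopVirtualization, Az.Resources

$rg        = 'rg-wvd'        # assumed resource group
$hostPool  = 'hp-wvd'        # assumed host pool
$dag       = 'hp-wvd-DAG'    # assumed desktop application group name
$workspace = 'ws-wvd'        # assumed workspace the DAG is already registered to
$location  = 'eastus'

# 1. All users must be fully logged off before apps move between app groups.
#    Session names have the form '<hostpool>/<sessionhost>/<sessionId>' (assumed).
Get-AzWvdUserSession -HostPoolName $hostPool -ResourceGroupName $rg | ForEach-Object {
    $hostName, $sessionId = $_.Name.Split('/')[1, 2]
    Remove-AzWvdUserSession -HostPoolName $hostPool -ResourceGroupName $rg `
        -SessionHostName $hostName -Id $sessionId -Force
}

# 2. Leave only the common apps in the DAG (application names as created by the admin).
$commonApps = 'Teams', 'Edge'
Get-AzWvdApplication -ResourceGroupName $rg -GroupName $dag |
    Where-Object { $_.Name.Split('/')[-1] -notin $commonApps } |
    ForEach-Object {
        Remove-AzWvdApplication -ResourceGroupName $rg -GroupName $dag -Name $_.Name.Split('/')[-1]
    }

# 3. One RAG per department: its MSIX apps and the users allowed to see them.
#    Family/AppId values are placeholders; take them from Get-AzWvdMsixPackage.
$hostPoolId = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).Id
$rags = @{
    SalesApps = @{ Users = @('pieter@contoso.com'); Apps = @(
        @{ Name = 'Whiteboard'; Family = 'Contoso.Whiteboard_placeholder'; AppId = 'App' },
        @{ Name = 'ToDo';       Family = 'Contoso.ToDo_placeholder';       AppId = 'App' }) }
    HRApps    = @{ Users = @('adam@contoso.com');   Apps = @(
        @{ Name = 'PowerBI';    Family = 'Contoso.PowerBI_placeholder';    AppId = 'App' }) }
    EngApps   = @{ Users = @('stefan@contoso.com'); Apps = @(
        @{ Name = 'VSCode';     Family = 'Contoso.VSCode_placeholder';     AppId = 'App' }) }
}

foreach ($ragName in $rags.Keys) {
    New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $ragName -Location $location `
        -HostPoolArmPath $hostPoolId -ApplicationGroupType RemoteApp | Out-Null

    foreach ($app in $rags[$ragName].Apps) {
        New-AzWvdApplication -ResourceGroupName $rg -GroupName $ragName -Name $app.Name `
            -ApplicationType MsixApplication -MsixPackageFamilyName $app.Family `
            -MsixPackageApplicationId $app.AppId -CommandLineSetting DoNotAllow | Out-Null
    }

    foreach ($upn in $rags[$ragName].Users) {
        # Additive: the user keeps the DAG assignment that grants the desktop.
        New-AzRoleAssignment -SignInName $upn -RoleDefinitionName 'Desktop Virtualization User' `
            -ResourceName $ragName -ResourceGroupName $rg `
            -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null
    }
}

# 4. RAGs only appear in the feed once registered to a workspace; keep existing refs.
$ws   = Get-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace
$refs = @($ws.ApplicationGroupReference) + @($rags.Keys | ForEach-Object {
    (Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $_).Id })
Update-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace -ApplicationGroupReference $refs | Out-Null

# 5. Check: every RAG user must still hold the DAG assignment, or they lose the desktop.
#    (Direct user assignments only; group-based assignments need a group lookup.)
$dagUsers = (Get-AzRoleAssignment -ResourceName $dag -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
    -RoleDefinitionName 'Desktop Virtualization User').SignInName
foreach ($ragName in $rags.Keys) {
    foreach ($upn in $rags[$ragName].Users) {
        if ($upn -notin $dagUsers) { Write-Warning "$upn is assigned to $ragName but not to $dag" }
    }
}
```

The role assignment on the RAG is the actual access control: the RAG is not what mounts the package (the host pool registration does that), but a user who is not assigned to the RAG never gets the application registered in their session, which is why the same session host can serve Pieter and Stefan with different app sets.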

 

Sales user experience

When the Sales user (Pieter) signs in, the feed looks like this.

 

 

In the remote desktop:

  • Same host pool
  • Edge, Teams, Whiteboard, and To Do are available
  • VS Code is not available

Eng user experience

Note: If users were not logged off while applications were being reassigned between app groups, make sure to fully log them off (sessions removed, not just disconnected) from all session hosts before testing.

When the Eng user (Stefan) signs in, their feed shows the following.

In the remote desktop they can see:

  • Same host pool
  • Edge, Teams, and Visual Studio Code are available
  • Whiteboard is not available
  • All three apps are running

View from session host as admin

When we access the session host virtual machine directly, we can see:

  • When the Sales user (Pieter) and the Eng user (Stefan) sign in, they intentionally end up on the same session host.
  • The hostname.
  • All virtual hard disks (VHDs) mounted for the attached packages, in Disk Management.
  • The packages staged on the machine, using Get-AppxPackage *<packageName>* -AllUsers.

 

Note: the switch -AllUsers indicates that the package is staged for all users on the machine, but only those users that have it registered can use/see it.
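The difference between "staged for all users" and "registered for this user" is exactly what the isolation rests on, so it is worth seeing it from the session host. The following is an added example, not code from the original post, to be run as an administrator on the session host; the package name filter is a placeholder, and the PackageUserInformation property and the 'File Backed Virtual' bus type are used as the in-box Appx and Storage modules expose them.

```powershell
# Added example (not from the original post): on the session host, show the
# hostname, the VHDs that app attach mounted, and for each staged package which
# user SIDs have it registered ("Installed") versus merely "Staged".
$PackageName = 'VSCode'   # assumed substring of the package name to inspect

# Hostname both users landed on.
"Session host: $env:COMPUTERNAME"

# App attach mounts one file-backed virtual disk per package; Location is the
# backing file for these disks.
Get-Disk | Where-Object BusType -eq 'File Backed Virtual' |
    Select-Object Number, Location, Size, OperationalStatus |
    Format-Table -AutoSize

function Resolve-Sid {
    # Best-effort SID -> account name; returns the SID itself if it cannot be resolved
    # (for example a profile from another domain).
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# -AllUsers lists packages staged on the machine regardless of who is signed in.
# Without it, Get-AppxPackage only reports packages registered for the current user,
# which as an admin would usually be none of the app attach packages.
Get-AppxPackage -AllUsers -Name "*$PackageName*" | ForEach-Object {
    $pkg = $_
    foreach ($info in $pkg.PackageUserInformation) {
        [pscustomobject]@{
            PackageFullName = $pkg.PackageFullName
            User            = Resolve-Sid $info.UserSecurityId.Sid
            InstallState    = $info.InstallState   # 'Staged' or 'Installed' (registered)
        }
    }
} | Format-Table -AutoSize
```

With Pieter and Stefan both signed in to this host, the VS Code package should list Stefan's SID as Installed and nobody from Sales at all; if a Sales SID shows up as Installed, the RAG assignment is wrong or the user was not logged off before the reassignment.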

    • niglbrown (Copper Contributor):
      Also do we expect the Remote Apps to launch correctly without being in the DAG outside of the desktop?
