MSIX app attach Azure portal integration public preview

Microsoft

MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control with providing the right application for the right user.

 

Previously, you had to use PowerShell scripts to enable MSIX app attach.  MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.

 

Draft troubleshooting guide for MSIX app attach is available here.

Overview and requirements

 

Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.

 

The following are the requirements to set up MSIX app attach in a Windows Virtual Desktop environment:

  • Host pool in Windows Virtual Desktop with at least one active session host
  • Host pool in the validation environment
  • MSIX packaged application expanded into an MSIX image
  • MSIX image is uploaded to file share
  • The file share is accessible for all session hosts in the host pool
  • When using a digital certificate that is not sourced from a CA, please follow the instructions here on each VM in the host pool

 

This video walks through the MSIX app attach UI.

 

Deploy WVD (Windows Virtual Desktop) host pool

 

The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.

MSIX application

 

MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application, you can use the MSIX Packaging Tool to repackage a Win32 application as an MSIX application. Instructions are available here.

 

Prepare MSIX image

 

MSIX app attach needs the MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.

 

If you do not have access to an MSIX application and MSIX images, feel free to use these. They are provided without any guarantees and should not be used in production environments:

 

| Application name | URL |
| --- | --- |
| Chrome as MSIX image | https://1drv.ms/u/s!Amut9BnVnw7mkOVMWy-sU8aiaStuxQ?e=AqwZ0D |
| Chrome in an MSIX package | https://1drv.ms/u/s!Amut9BnVnw7mkOVLPExhghP4iM8LRQ?e=wJHd9P |
| Microsoft Edge Dev v89 as MSIX image | https://1drv.ms/u/s!Amut9BnVnw7mkOVddlHiIoei4RdROQ?e=kwdvDq |
| Microsoft Edge Dev v89 as MSIX package | https://1drv.ms/u/s!Amut9BnVnw7mkOVczWWmEiUhv2IC3A?e=eBGL8B |
| Microsoft Edge Dev v87 as MSIX image | https://1drv.ms/u/s!Amut9BnVnw7mkOVbdz4gmTb7rqHoeg?e=6dEhj5 |
| Microsoft Edge Dev v87 as MSIX image | https://1drv.ms/u/s!Amut9BnVnw7mkOVaArIPkiAg5XzusQ?e=ZthNbz |
| PowerBI as MSIX image | https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5 (Note: this has dependencies that need to be delivered in the master image. Links available here: https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice) |
| PowerBI as MSIX package | https://1drv.ms/u/s!Amut9BnVnw7mkOVi5SXqDxAr6MBAKw?e=pm1c2q |
| WVDMigration as MSIX image (test different cert type) | https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc |
| WVDMigrationBAD as MSIX image (bad packaging format) | https://1drv.ms/u/s!Amut9BnVnw7mkOF6izJaA6rMxih_fQ?e=VU6Wbp |
| Microsoft Edge Dev v87 as MSIX image (expired cert) | https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E |
| Notepad++ as MSIX image (missing cert test) | https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea |

 

If you are using your own application, you will need to install the certificate used to sign the MSIX package.
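
One way to check the certificate requirement on a session host before adding the package in the portal, as an added example that is not part of the original article: the PowerShell below reads the signer certificate from an MSIX package, looks for that exact certificate in the Local Computer Trusted People store, and flags an expired signature that carries no timestamp. The package path, the function name `Get-MsixSignerReport`, and the use of the Trusted People store for a certificate that does not come from a CA are assumptions made for illustration.

```powershell
# Added example. Paths are placeholders: point them at your own package and image.
param(
    [string]$PackagePath = 'C:\Temp\MyApp.msix',  # hypothetical copy of the signed package
    [string]$ImagePath   = '\\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd'
)

function Get-MsixSignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    if ($null -eq $signer) {
        # No signer certificate could be read from the file.
        return [pscustomobject]@{
            Package = $Path; Status = $sig.Status; Subject = $null; Thumbprint = $null
            InTrustedPeople = $false; Expired = $null; Timestamped = $false
        }
    }

    # Is this exact certificate present in Local Computer > Trusted People?
    # (Only needed when the certificate is not issued by a CA the host already trusts.)
    $match = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

    [pscustomobject]@{
        Package         = $Path
        Status          = $sig.Status    # as reported by Windows for this file
        Subject         = $signer.Subject
        Thumbprint      = $signer.Thumbprint
        InTrustedPeople = [bool]$match
        Expired         = $signer.NotAfter -lt (Get-Date)
        Timestamped     = $null -ne $sig.TimeStamperCertificate
    }
}

$report = Get-MsixSignerReport -Path $PackagePath
$report | Format-List

if (-not $report.InTrustedPeople) {
    Write-Warning 'Signer certificate is not in Cert:\LocalMachine\TrustedPeople on this host.'
}
if ($report.Expired -and -not $report.Timestamped) {
    Write-Warning 'Signer certificate has expired and the signature carries no timestamp.'
}

# Reachability of the MSIX image. This only reflects the account running the
# script; it does not prove that the session host's computer account can read it.
if (-not (Test-Path -LiteralPath $ImagePath -PathType Leaf)) {
    Write-Warning "MSIX image not reachable from this context: $ImagePath"
}
```

Run it on each session host in the host pool, since the certificate has to be present on every VM.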

 

Install certificates

 

If you are using the provided MSIX applications, there are two certs:

 

Configure a file share

 

All session hosts need access to the file share with MSIX app attach packages.  This Tech Community blog covers the process.

 

Configure MSIX app attach via Azure portal

 

Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home

In the search bar type Windows Virtual Desktop and click on the service.

 

Select a host pool where MSIX applications are to be delivered.

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click + Add. This will open the Add MSIX package blade.

 

MSIX image path – this is the UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.

MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.

Package applications – list of MSIX applications available in an MSIX package.

Display name – Optional display name to be presented in the interface.

Version – MSIX package version automatically delivered from parsing the package.

Registration type

On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until the user starts the application.

Log on blocking – this type of registration runs during session logon, which adds time to session logon completion.

State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.

Click Save.

 

Publish MSIX application to an application group

 

In the WVD resource provider navigate to the Application groups blade.

Select an application group.

 

Note: During the MSIX app attach preview, MSIX app attach remote apps may disappear from the user feed. This can happen because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD Broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the data of the MSIX app attach remote apps, it won't display them.

 

Select the Applications blade. The Applications grid will display all currently added applications.

Click + Add to open the Add application blade.

Application source

  • For desktop app groups the only source for applications is an MSIX package.

  • For remote app group, there are three sources of applications.
    • Start menu
    • App path
    • MSIX package

 

MSIX package – displays the list of packages added to the host pool.

 

 

Display name – Optional display name to be presented in the Applications interface.

Description – Short description.

Note: the options below are only applicable to remote application groups.

  • Icon path
  • Icon index 
  • Show in web feed

Click Save.

 

Assign users to app group

 

Select app group.

Select Assignments

To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.

Select the users you want to have access to the apps. You can select single or multiple users and user groups.

Select Save.

It will take five minutes before the user can access the application.

 

Change MSIX package state

 

Via the Applications grid

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages whose state needs to change and click the Change state button.

 

Via update package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click the package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the State via the Inactive/Active button as desired and click Save.

 

Change MSIX package registration type

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click the package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.

 

Remove MSIX package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages that need to be removed and click the Remove button.

 

Removing MSIX application

 

Navigate to the host pool and select Application groups.

Select the application group from which the MSIX application is to be removed.

From the application group blade select Applications.

Select the desired application and click Remove.

240 Replies

@Edmond Chou Apologies, I do not recall putting the cert on GitHub. Can you share the URL? (The cert in the documentation is from my OneDrive.)

@groberso do you have the actual error displayed by the portal?

This is a known issue. We are trying to deploy a fix tomorrow (today 12/18). However, if you have an alternative sub we can whitelist it and circumvent the bug.
This is a problem with the Azure whitelist flag. We are looking to fix it today 12/18 but the fastest way to get you enabled is to whitelist a different sub....

@Stefan Georgiev 

 

Having strange test results...

  1. MSIX published RemoteApps are randomly visible and randomly vanish from Remote Desktop client. I had probably 6-7 apps that were not visible and suddenly they appeared to multiple users. But now they are gone. 
  2. When I tried to launch Remoteapp MSIX apps while they were visible in Remote Desktop Client, instead of opening application, Explorer was opened. Tested with sample Google Chrome and with own Notepad plus app and both with same results
  3. When testing Full Desktop with MSIX apps some of the users see the MSIX apps icons on the Start Menu after logging in to desktop and some do not even if the MSIX app is published to group containing both users.

@Jantu123 For point 2, Explorer is always launched if the application is not available for whatever reason. So it is possible that you have added an app and assigned it to an application group which presents the icons to the client, all before the session host has reported in and mounted the VHD(x) and registered the app.

@TomHickling 

 

Thanks for the explanation. I have checked that in disk management, I see the MSIX .vhdx mounted while I have these issues.

 

However in last one hour I actually managed to start for a while the MSIX published as a Remoteapp but then maybe 30 minutes later launching the App again opened Explorer instead. I then closed the Remote Desktop Client and after restarting only MSIX RemoteApp icons vanished. No changes done on my side... 

Wondering whether or not this appearing / disappearing MSIX RemoteApp icons in Remote Desktop Clients are related to this Azure whitelist flag.

@Stefan Georgiev 

Works like a charm! Thanks! Is there any information about MSIX-App Attach going GA?

 

Thanks!

@Stefan Georgiev 

hello, 

 

I still have this error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: wvd-0, Error: Error accessing virtual disk at <\\stox.file.core.windows.net\msix\bignotepadplusplus.vhd>. (Code: 400)

 

As you can see, some stuffs are missing from the page  ADD MSIX PACKAGE (we should see msix package, package application, display name....)

Same problem after recreating the hostpool on another region.

 

@biginquebec130 the other fields only appear after the session host can access vhdx. For me, the cure was to recheck/grant permissions for session host on both share (RBAC) and directory level (NTFS). I then cleared Kerberos tickets for the computer account (effectively skipping restarting it) with command klist purge -li 0x3e7. After that it worked :)

@Stefan Georgiev 

 

I registered two Subscriptions to test this feature. Received confirmation Mail but not sure which Subscription or if both Subscriptions were whitelisted. What is the symptom if Subscription is not whitelisted?

 

  • have WVD host pool with one Active session host.
  • Host pool is in validation mode.
  • File share where I uploaded MSIX Image is accessible to VMs in the host pool as well as for users (read-only permissions).
  • Installed WVDContosoAppAttach certificate to session host > Local Computer > Trusted people.
  • I have successfully added the provided Chrome MSIX Image to the host pool. Verified on the session host disk management that Image is mounted.
  • Published MSIX app  to Remoteapp Application group only.
  • For testing purposes I have also published from the Start menu Paint to the same Remoteapp Application group.

 

When refreshing Remote Desktop client, I initially see Both Paint from Start Menu as well as MSIX published app as expected. Paint can be successfully launched, MSIX app does not Work. Connection opens but Google chrome is not started.

 

If I go back and refresh again Remote Desktop client web feed, Published MSIX app vanishes leaving only published Paint from Start Menu. I repeatedly tested this behaviour last Time on Saturday.

 

This same issue occurs with both of My Subscriptions.

 

What could be the issue? Really frustrated that I cannot get this working…

 

IMG_Before.png shows the State immediately after First Time publishing chrome (20.27).

IMG_After.png shows the State after I refreshed the web feed three minutes Later (20.30) when MSIX chrome app vanished...

 

 

 

 

 

@Jantu123 I am assuming that when you say randomly visible remote apps you mean the feed. There is no good reason for RA to be gone from the feed after being published I really would like for us to chat next week and see what is going please PM me and I will setup something 

the whitelisting flag if it was impacting the sub you are using will not let you publish any apps so it's not tied to the flag

We are aiming for Q1...but quality must be met. I do want to ship subpar GA:)

This is a permissions issue. The VMs in your host pool cannot access the path. Are you using Azure File? (check https://techcommunity.microsoft.com/t5/windows-virtual-desktop/step-by-step-guide-on-computer-accoun...) if not put MSIX images on a folder on your c: drive and share it to everyone if that does not work pm me :)
Hi Jantu, I would feel the same way for the MSIX app not to appear and the start menu app to appear we are talking about app registration failing. Initially it seems to work but once our code sees that the app does not stage/register its missing from the feed. Can you pm me your host pool name and I will have an engineer look at this

@Stefan Georgiev 

hello Stefan

I checked once again permissions for session host on both share (RBAC) and directory level (NTFS) but I still have this error : “...Error accessing virtual disk at…”

 

Note that Host and storage account are joined to an Azure ADDS (not classic ADDS)

-RBAC : my host has the role Storage File Data SMB Share Contributor on the Storage account

(it’s also a member of an Azure AD group with this role)

-NTFS level : my Host has -modify- on the storage account’ Share

Note that the host can access and mount this vhd \\stoxxx.file.core.windows.net\msix\GoogleChrome_68.46.66.0_x64__74vyvr5aw93s6.vhdx

I tried put the vhd on a local share and it works like a charm.

Please help me to find where is my mistake with Azure File permissions in the Azure ADDS scenario.

 

Best regards

Dear Tom,

I already tried with "\\wvd-dc\appshare\...vhd" but still didn't work. Thanks.

@Stefan Georgiev

 

Hi Stefan, I sent you PM with host pool information yesterday.

 

One additional interesting thing I noticed: when I provisioned a new Session host yesterday using the default Windows 10 Enterprise 20H2 multi-session image to the same host pool (validation enabled), just to rule out that something is wrong with my custom image, there were no logs related to MSIX App Attach. I have created a custom View containing every entry from RemoteDesktopServices where Event source contains AppAttach.

 

Results seen from newly created Session host. Nothing related to AppAttach...

Results seen in previously created session host in same host pool 

Update from Monday:

 

Noticed that newly provisioned Session host WVD agent is older compared to one earlier provisioned in same validation host pool. 1.0.2743.1300 versus 1.0.2548.6500. Maybe this older WVD agent is missing MSIX App attach features... Any way to Force WVD agent update?

@biginquebec130 

Pretty sure this isn't supported. Games a bogey with AAD DS as there is no hybrid join capability so no writing back the devices to AAD. You're giving the Managed Identity of the VM access to FileShare, this isn't the AD object for which it'll determine has the correct NTFS permissions.
Keen to get confirmation/roadmap item for this scenario though as we have a few environments that use standalone AAD DS as opposed to classic ADDS with Synchronization.