Dec 14 2020 10:05 AM - edited Feb 23 2021 09:39 AM
MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image, and you get more control with providing the right application for the right user.
Previously, you had to use PowerShell scripts to enable MSIX app attach. MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.
Draft troubleshooting guide for MSIX app attach is available here.
Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.
The following are the requirements to setup MSIX app attach in a Windows Virtual Desktop environment:
This video walks through the MSIX app attach UI.
The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.
MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application you can use the MSIX Packaging tool to repackage a Win32 application to MISX application. Instructions are available here.
MSIX app attach needs MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.
If you do not have access to an MSIX application and MSIX images feel free to use these. They are provided without any guarantees and should not be used in production environments:
Application name |
URL |
Chrome as MSIX image |
|
Chrome in an MSIX package |
|
Microsoft Edge Dev v89 as MSIX image |
|
Microsoft Edge Dev v89 as MSIX package |
|
Microsoft Edge Dev v87 as MSIX image |
|
Microsoft Edge Dev v87 as MSIX image |
|
PowerBI as MSIX image |
https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
Note: this has dependencies that need to be delivered in the master image Links available here https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice |
PowerBI as MSIX package |
|
WVDMigration as MSIX image (test different cert type) |
https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
|
WVDMigrationBAD as MSIX image (bad packaging format) |
|
Microsoft Edge Dev v87 as MSIX image (expired cert) |
https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
|
Notepad++ as MSIX image (missing cert test) |
https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea
|
If you are using the provided MSIX applications, there are two certs:
All session hosts need access to the file share with MSIX app attach packages. This Tech Community blog covers the process.
Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home
In the search bar type Windows Virtual Desktop and click on the service.
Select a host pool where MSIX applications are to be delivered.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click + Add. This will open the Add MSIX package blade.
MSIX image path – this is UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.
MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.
Package applications – list of MSIX applications available in an MSIX package.
Display name – Optional display name to be presented in the interface.
Version – MSIX package version automatically delivered from parsing the package.
Registration type
On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until and the user starts the application.
Log on blocking – this type of registration is executing during session logon hence adding time to session logon completion.
State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.
Click Save.
In the WVD resource provider navigate to the Application groups blade.
Select an application group.
Note: During MSIX app attach preview MSIX app attach remote apps may disappear from the user feed. The remote MSIX apps can disappear from the user feed because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the date of the MSIX app attach remote apps, it won't display them.
Select the Applications blade. The Applications grid will display all currently added applications.
Click + Add to open the Add application blade.
Application source
MSIX package – display list of packages added to the host pool.
Display name – Optional display name to be presented in the Applications interface.
Description – Short description.
Note the options below are only applicable to remote application groups.
Click Save.
Select app group.
Select Assignments
To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.
Select the users you want to have access to the apps. You can select single or multiple users and user groups.
Select Save.
It will take five minutes before the user can access the application.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to have their state change and click the Change state button.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the State via the Inactive/Active button as desired and click Save.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Click on Package name in the MSIX packages grid this will open the blade to update the package.
Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.
Select MSIX packages.
This will open the data grid with all MSIX packages currently added to the host pool.
Select one or multiple that need to be removed click the Remove button.
Navigate to the host pool and select Application groups.
Select the application group from which the MSIX application is to be removed.
From the application group blade select Applications.
Select the desired application and click Remove.
Jan 07 2021 06:26 PM
Jan 07 2021 09:50 PM - edited Jan 07 2021 09:54 PM
Here are pictures from my test environment.
MSIX packages worked last two days both when testing "Desktop Application Group" and "Remoteapp Application group" using MSIX Chrome from you and 2 MSIX packages that I created myself.
Then yesterday because my colleague mentioned that his test environment had this issue with appearing / disappearing MSIX Remoteapp icons I made some changes in my own test environment Remoteapp Application group (flipped probably "Show in web feed in Application group App setting), refreshed and after that all my MSIX Remoteapp icons disappeared leaving only Win32 app (Paint) from Start Menu.
Only Paint from Start Menu is visible now :(
All MSIX packages are Active state, on-demand.
Only RemoteApp Application group in Session host pool configured at the moment.
Four Apps in single Application Group (3 are MSIX, 1 is Win32 app from Start Menu). Only Win32 app paint is visible.
Finally I have made Assignment directly to test user which is working because Paint is visible but MSIX packages are no longer visible.
Host pool name: msixtest01
Test Subscription ID: 13b192ee-44e0-477e-b648-ba289915a83b
Test user account: janne.tuominen @kettulaan.com (remove spaces)
It would be great if we could have some debugging or instructions how to troubleshoot this.
Jan 07 2021 10:37 PM - edited Jan 07 2021 11:23 PM
My colleague reported yesterday that he has the issue of appearing/vanishing Remoteapp in his test environment. My environment started to work couple of days ago (both Remoteapp Application group & Desktop Application Group) but now also my environment stopped working after I made minor changes yesterday in Application Group application (Show in web feed changed from No --> Yes).
Both scenarios with MSIX - Desktop Application Group & Remoteapp Application Group are no longer working.
The issue seems to be in registration part because MSIX images are successfully staged and this time I can see them mounted in computer management so they are not dismounted like before.
From the logs there are below error messages visible:
AppAttachServiceImpl - SysNtfyLogoff: Package deregistration for MSIX app attach failed during user logoff
and
AppAttachServiceImpl - AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1582688470-541055633-2624462867-3101≥ not found. ---> Microsoft.RDInfra.Shared.Common.RestError.InnerRestException: WVD_50002: ≤S-1-5-21-1582688470-541055633-2624462867-3101≥ not found.
--- End of inner exception stack trace ---
at Microsoft.RDInfra.Messaging.MessageUtils.SetOperationResultAndEnsureSuccessStatusCode(ResponseMessage response, IMonitoringOperation operation, ILogger logger) in S:\src\Shared\Microsoft.RDInfra.Messaging\src\Microsoft.RDInfra.Messaging\MessageUtils.cs:line 109
at Microsoft.RDInfra.RDAgent.WebSocket.Broker.<SendRequestAndWaitResponseAsync>d__26`2.MoveNext() in S:\src\Shared\AgentInterfaces\src\Microsoft.RDInfra.RDAgent.WebSocket\Broker.cs:line 209
--- End of stack trace from previous location where exception was thrown ---
I sent message to you which contains host pool name, Subscription ID and test user accounts.
Jan 08 2021 01:10 AM
@Jantu123 Thanks for pointing this out! I had not noticed it.
End result for a user with only remote app group is an empty workspace i.e. same as in your environment. Also same in both test environments (on-prem AD and AAD DS integrated).
Jan 08 2021 01:20 AM
Thanks for confirming the results. Do you see the same error message with AppAttach registration part?
AppAttachServiceImpl - AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1582688470-541055633-2624462867-3101≥ not found.
Jan 08 2021 01:38 AM
Jan 09 2021 04:04 PM - edited Jan 09 2021 04:35 PM
So tried a few of your scenarios,
no problem uploading and creating the MSIX in the portal it works like a charm, however i'm not able to see the app, I can se the VHD gets mounted, but the app does not register?
I have tried with your provided sample, and with some I created my self and from a third source.
This is logged
AppAttachServiceImpl - AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found. ---> Microsoft.RDInfra.Shared.Common.RestError.InnerRestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found.
--- End of inner exception stack trace ---
at Microsoft.RDInfra.Messaging.MessageUtils.SetOperationResultAndEnsureSuccessStatusCode(ResponseMessage response, IMonitoringOperation operation, ILogger logger) in S:\src\Shared\Microsoft.RDInfra.Messaging\src\Microsoft.RDInfra.Messaging\MessageUtils.cs:line 109
at Microsoft.RDInfra.RDAgent.WebSocket.Broker.<SendRequestAndWaitResponseAsync>d__26`2.MoveNext() in S:\src\Shared\AgentInterfaces\src\Microsoft.RDInfra.RDAgent.WebSocket\Broker.cs:line 209
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AgentBrokerCommunication.Interfaces.IBrokerExtensions.<CallRequiredInterfaceAsync>d__3`2.MoveNext() in S:\src\Shared\SharedMessaging\src\AgentBrokerCommunicationInterfaces\IBroker.cs:line 0
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AgentAppAttachPackageListServiceImpl.<GetAppAttachPackagesToRegister>d__6.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AgentAppAttachPackageListServiceImpl.cs:line 60
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AppAttachServiceImpl.<AppAttachRegisterAsync>d__28.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AppAttachServiceImpl.cs:line 597
Furthermore I am pretty sure it has screwed up my FSlogix setup too, i'm unable to attach the upd at log on, un less i delete it and let it create a new... ?!? how weird is that? (frxtray screen dump attached)
What am I overlooking ?
Jan 10 2021 05:30 AM - edited Jan 10 2021 09:43 AM
EDIT::::::
The Volume is mounted and i can register the AppxPackage by hand, is that as intended, cause i did not see the step in your guide :)
Add-AppxPackage -Path "C:\Program Files\WindowsApps\NotepadPP_1.0.0.0_x64__gz1by593hb2dw\AppxManifest.xml" -DisableDevelopmentMode -Register
So tried out MSIX app attach, but i run into problems, Applications are note visible, the VHD is mounted, but I cannot see the application.
I have both my own app and one of your sample apps
Event log says...
AppAttachServiceImpl - AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found. ---> Microsoft.RDInfra.Shared.Common.RestError.InnerRestException: WVD_50002: ≤S-1-5-21-1166188620-3132992566-3953684836-1111≥ not found.
--- End of inner exception stack trace ---
at Microsoft.RDInfra.Messaging.MessageUtils.SetOperationResultAndEnsureSuccessStatusCode(ResponseMessage response, IMonitoringOperation operation, ILogger logger) in S:\src\Shared\Microsoft.RDInfra.Messaging\src\Microsoft.RDInfra.Messaging\MessageUtils.cs:line 109
at Microsoft.RDInfra.RDAgent.WebSocket.Broker.<SendRequestAndWaitResponseAsync>d__26`2.MoveNext() in S:\src\Shared\AgentInterfaces\src\Microsoft.RDInfra.RDAgent.WebSocket\Broker.cs:line 209
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AgentBrokerCommunication.Interfaces.IBrokerExtensions.<CallRequiredInterfaceAsync>d__3`2.MoveNext() in S:\src\Shared\SharedMessaging\src\AgentBrokerCommunicationInterfaces\IBroker.cs:line 0
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AgentAppAttachPackageListServiceImpl.<GetAppAttachPackagesToRegister>d__6.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AgentAppAttachPackageListServiceImpl.cs:line 60
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.RDInfra.AppAttach.AppAttachServiceImpl.<AppAttachRegisterAsync>d__28.MoveNext() in S:\src\RDAgent\src\Service\AppAttach\AppAttachServiceImpl.cs:line 597
Jan 11 2021 07:38 AM
I’m running into an error adding WVD computers to an AADDS group.
Step 2 in Step by Step Guide on Computer Account Authorization for Azure Files:
Process overview
The error is: "Active Directory Domain Services
Object WVD-xxx cannot be added to group xxx because:
Insufficient access rights to perform the operation."
The user is the global admin.
Environment is AADDS. No on premise AAD. No Azure AD Connect.
AADDS is managed via a Windows 2012 server joined to AADDS domain with Active Directory admin tools installed: ADAC, AD PowerShell, AD Users & Computers, etc.
Have created several vms in Windows Virtual Desktop all of which were added to AADDC Computers group in ADU&C on the management server.
However, of several Windows Virtual Desktops vms in AADDC Computers group only one is listed in the Azure Active Directory portal, Devices, All Devices. There are over 100 Azure AD Registered devices in the portal Devices group but they are not shown in the AADDC group on the management server – only the WVD vms are shown. However, all users and groups in the portal are shown in the AD Users & Computers group on the management server.
Synchronization for AADDS is set for “All” and Health shows recent synchronization.
The vms are able to ping the AADDS domain controllers and the Windows management server and the management server is able to ping the devices.
Event Viewer shows the following error:
"The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool."
Enabled Local Computer Policy, Computer Config, Security Settings, User Rights Assignment to allow global admin account to "Add workstations to domain" without effect.
I’ve opened an SR on the issue. Thanks in advance for any advice.
Jan 12 2021 10:31 PM
Can you share some insight on my problem?
1. I've successfully went through all the steps, making sure host pool in validation, application shows in feed etc.
2. I am using the Chrome.vhdx in this topic.
3. The MSIX App is NOT showing in feed, Desktop and Normal apps are showing correctly.
4. I can see below error in Azure Portal occasionally.
Thanks
Sid Zhang
Jan 13 2021 09:22 AM
@Stefan Georgiev I am getting an error when trying to add an MSIX VHD:
ActivityId: 1076fa01-4d92-4d4f-9eb5-189062b5101a Error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: GAG-WVD-MSH-0, Error: Error accessing virtual disk at ≤\\gagwvdstor1.file.core.windows.net\msix\MSIX\CDP-GNW\cdp-gnw.vhd≥. (Code: 400)
I have set NTFS permissions for the machine as well as RBAC on the machine identity.
The cert is installed into Trusted People onto the session host
I've tried putting the file on an on-prem file share and get the same error so I don't think it's linked to the Azure Files share
If I remote onto the host and use the powershell script to stage and attach, it works fine which is confusing.
Host pool is validation too and I've been approved for AppAttach.
Any advice welcome, I'm truly stumped!
Jan 14 2021 03:15 AM
Any updates regarding why App Attach registration part started to fail last week with the error
AppAttachRegisterAsync: Failed to get packages to register: Microsoft.RDInfra.Shared.Common.RestError.RestException: WVD_50002: ≤S-1-5-21-1582688470-541055633-2624462867-3101≥ not found.
@Thogjo has reported exactly same issue. I verified that the issue is still there...
Jan 14 2021 06:06 AM
hello
Any update about the issue (error 400) when trying to add MSIX stored on Azure File share (on a joined Azure ADDS Storage Account ?
-share & ntfs permissions are ok-
regards,
Jan 14 2021 07:41 AM
@AndrewTaylor140 I ran into the same issue. Have you checked RBAC permissions on the storage account. The machine object needs to be synced from AD and granted the SMB Share Contributor role just as an FSLogix user would. The NTFS permissions also need to include the machine account with a read only as a minimum.
See here
Jan 27 2021 06:32 PM
@Stefan Georgiev Hi, Is this GA schedule Calendar Year? Or is it Financial Year?
Jan 28 2021 02:42 PM
@Akane_Saito Financial
Jan 29 2021 03:04 AM
Works like a charm, however - i have to run the Add-appxpackage -register for the app to show up on my user, i thought that it would happen automatically, or am i wrong, can you point me in the right direction on how to fix this?
Jan 29 2021 05:16 AM
do you still have this error or is it solved for you?
I'm getting the same error;
Error: Could not get MSIX applications for Host Pool '≤≥' from image '≤\\xxxxxxxx.file.core.windows.net\msix\GoogleChrome.vhdx≥'. Check inner exception for details. (Code: 400)
Jan 29 2021 05:25 AM
My issue was because the users and machines were on different domains so the permissions couldn't cope. I just built a couple of file servers in azure with a DFS share for the packages, not had an issue since
Jan 29 2021 05:26 AM
I solved it.
Are you using AADDS or ADDS?
You need to make sure your sessionhosts have the IAM Storage File Data SMB Share Reader rights and also you need to follow the guide and grant the NTFS rights.
And finally, you must add the code certificate to trusted people on all sessionhosts :)