SOLVED

MSIX App Attach Group Policy Issues

%3CLINGO-SUB%20id%3D%22lingo-sub-1438404%22%20slang%3D%22en-US%22%3EMSIX%20App%20Attach%20Group%20Policy%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1438404%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%E2%80%99ve%20been%20testing%20out%20MSIX%20App%20Attach%20on%20the%20new%202004%20build%20of%20Windows%2010%20Multi-User%20and%20works%20fine%20running%20the%20staging%2C%20register%2C%20deregister%20and%20destaging%20scripts%20manually.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20having%20issues%20getting%20them%20to%20run%20via%20GPO.%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20possible%20combination%20I%20use%20the%20Stage%20script%20fails%20to%20run.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20it%20is%20permission%20based%20and%20the%20Mount-VHD%20command%20is%20failing.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20run%20the%20stage%20script%20manually%20the%20register%20and%20others%20work%20fine%20via%20GPO%3CBR%20%2F%3E%3CBR%20%2F%3EI%E2%80%99ve%20also%20tried%20the%20combined%20script%20below%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fblog.itprocloud.de%2FAutomatic-MSIX-app-attach-scripts%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.itprocloud.de%2FAutomatic-MSIX-app-attach-scripts%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3Eand%20still%20the%20Startup%20script%20doesn%E2%80%99t%20run.%20As%20per%20the%20article%20I%20have%20granted%20the%20Gpsvc%20permission%20to%20mount%20the%20VHD.%3CBR%20%2F%3E%3CBR%20%2F%3EAnyone%20have%20any%20ideas%3F%3CBR%20%2F%3E%3CBR%20%2F%3EJames%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1446961%22%20slang%3D%22en-US%22%3ERe%3A%20MSIX%20App%20Attach%20Group%20Policy%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1446961%22%20slang%3D%22en-US%22%3EI%20answered%20this%20myself%20in%20the%20end.%3CBR%20%2F%3E%3CBR%20%2F%3EWas%20due%20to%20permissions%20as%20I%20had%20the%20VHDs%20hosted%20on%20Azure%20File%20Share%20so%20the%20Gpsvc%20couldn%E2%80%99t%20mount%20them.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20moved%20them%20to%20a%20local%20share%20on%20my%20file%20server%20and%20working%20perfectly.%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20be%20nice%20to%20know%20if%20I%20could%20get%20it%20to%20work%20off%20the%20Azure%20File%20Share%20but%20I%E2%80%99m%20unsure%20how%20to%20get%20it%20working%3CBR%20%2F%3E%3CBR%20%2F%3EJames%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1610448%22%20slang%3D%22en-US%22%3ERe%3A%20MSIX%20App%20Attach%20Group%20Policy%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1610448%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F688159%22%20target%3D%22_blank%22%3E%40Jamesatighe%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20running%20into%20the%20same%20issue%20and%20to%20work%20around%20it%20we%20have%20moved%20it%20to%20a%20file%20share%20on%20a%20VM%20in%20the%20Azure%20Vnet.%20However%20it%20would%20be%20a%20nicer%20solution%20to%20use%20Azure%20files%26nbsp%3B%20we%20are%20using%20that%20for%20our%20profile%20storage%20with%20ADDS%20integration.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIssue%20is%20authentication.%20The%20logon%20script%20GPO%20is%20run%20with%20the%20local%20system%20account%2C%20I%20can't%20find%20a%20way%20to%20allow%20access%20to%20the%20AZ%20file%20share%20for%20this%20account.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1657300%22%20slang%3D%22en-US%22%3ERe%3A%20MSIX%20App%20Attach%20Group%20Policy%20Issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1657300%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516290%22%20target%3D%22_blank%22%3E%40R_Akers%3C%2FA%3E%26nbsp%3Byou%20can%20create%20a%20scheduled%20task%20to%20run%20as%20a%20%22user%22%20account%20on%20startup%20that%20has%20mount%20permissions%20and%20access%20to%20the%20share%20in%20Azure%20Files%20with%20AD%20permission%20sync%20enabled%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor
Hi,

I’ve been testing out MSIX App Attach on the new 2004 build of Windows 10 Multi-User and works fine running the staging, register, deregister and destaging scripts manually.

I am having issues getting them to run via GPO.

Any possible combination I use the Stage script fails to run.

I believe it is permission based and the Mount-VHD command is failing.

If I run the stage script manually the register and others work fine via GPO

I’ve also tried the combined script below

https://blog.itprocloud.de/Automatic-MSIX-app-attach-scripts/

and still the Startup script doesn’t run. As per the article I have granted the Gpsvc permission to mount the VHD.

Anyone have any ideas?

James
3 Replies
Highlighted
Best Response confirmed by Jamesatighe (Occasional Contributor)
Solution
I answered this myself in the end.

Was due to permissions as I had the VHDs hosted on Azure File Share so the Gpsvc couldn’t mount them.

I moved them to a local share on my file server and working perfectly.

Would be nice to know if I could get it to work off the Azure File Share but I’m unsure how to get it working

James
Highlighted

@Jamesatighe 

 

We are running into the same issue and to work around it we have moved it to a file share on a VM in the Azure Vnet. However it would be a nicer solution to use Azure files  we are using that for our profile storage with ADDS integration. 

 

Issue is authentication. The logon script GPO is run with the local system account, I can't find a way to allow access to the AZ file share for this account.

Highlighted

@R_Akers you can create a scheduled task to run as a "user" account on startup that has mount permissions and access to the share in Azure Files with AD permission sync enabled