Configure App-V Server to use HTTPS
1. Intro

In the last 8 months, customers contacted us in several support cases asking how to implement a secure HTTPS connection between 2 servers, the publishing server and the management server, in an App-V environment. The customers had Windows Server 2019 in place and were using the latest version of App-V Server, 5.1.136.1*. That is why we shared our experiences with the community in November 2024 during the M.A.D. Days, and why we now want to share the procedure for setting up such a connection in this blog.

During the M.A.D. Days in Hamburg 2024, we demoed and discussed a failure when setting up HTTPS with Server 2019 and TLS 1.2. In this blog I want to show, in short steps, how to set up HTTPS directly between the App-V servers. We are using Windows Server 2022, which has some advantages for HTTPS handling. For example, we do not need to think about the TLS version used: it automatically uses the highest TLS version, or it can be set to use any available protocol of TLS 1.2 or higher.

2. Basic communication Client and Server (Sync-Publishing)

2.1. Client process

On a client you can easily switch from an HTTP connection to the publishing service to an HTTPS connection. In preparation, you need to set up the bindings on the server and create an SSL certificate for the clients. In a Microsoft PKI environment, you can request a certificate from the CA:

After the enrolment you can test whether the HTTPS URL on the server is reachable:

2.2. Using HTTPS for Sync Publishing on clients

In our lab I have set up 4 publishing connections: HTTP and HTTPS to the 1st publishing server, and the same to the 2nd server. Overall I have 4 possible connections to publish from the client. The screenshot shows the GPO:

To use HTTPS you need to configure bindings on the IIS of the Management Server. Set a port of your choice and make sure the firewall is not blocking these ports. In the Event Viewer we see that the Publishing Refresh was successful:

3. Preparing and enabling the Publishing Server for HTTPS between the servers

3.1. Existing environment

In a basic setup of the main App-V Server with the Management Service and Publishing Service (hostname in the lab: HAMWS2022S2), we have the following ports configured:

Management HTTP: 60000 HTTPS: 8000
Publishing HTTP: 60001 HTTPS: 8001

3.2 Standard Setting

On the main server, HTTPS will not be configured for the connection to the Management Database on the same machine. The connection is local to that machine, and we are using “http://localhost:[Port]/”.

3.3 Confirm Working Environment

Before we make changes, we want to check that communication over HTTP is working correctly from the 2nd Publishing Server (HAMWS2022S3) to the main server (HAMWS2022S2):

When we now check the console on the main server, we see that the 2 servers are syncing (Last Publishing):

Additionally, we need to check that the Sequence ID is the same in both metadata files. For that we need to compare the files on both servers. The path is C:\ProgramData\Microsoft\AppV\Server\Publishing

4. Preparing on the main App-V Server HAMWS2022S2

4.1 Binding

As mentioned above, we have set the bindings for HTTPS. The ports are 8000 for Management and 8001 for Publishing.

4.2 Certificate

Create an SSL certificate and select it for the HTTPS settings in the Publishing binding for the configured port:

4.3 Registry Key

On Server 2022 we additionally set the following keys to force the use of TLS 1.2:

The following article gives the details of the registry keys and how to set them. Link: TLS 1.2 enforcement for Microsoft Entra Connect

4.4 Change to HTTPS

The registry key on the 2nd server to connect to the Management Server via HTTPS:

4.5 Restart and Test

Now we can see that the connection between the 2 servers runs over HTTPS, as described above, using the console or the matching Sequence ID. Additionally, we can capture the traffic with Wireshark and see the TLS 1.2 traffic:

We can see the handshake between the 2 servers and that data has been exchanged.
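
A read-only check for sections 4.3 and 4.5, added here as an example and not part of the original post: it reports whether the TLS 1.2 registry values documented in the linked Microsoft article are present, and which protocol the HTTPS bindings actually negotiate. The function names are hypothetical; the host name HAMWS2022S2 and the ports 8000/8001 are the lab values above, and the certificate is assumed to be issued for that host name.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# The values below are the ones documented in Microsoft's
# "TLS 1.2 enforcement for Microsoft Entra Connect" article.
$netFx    = 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$netFx32  = 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

$expected = @(
    @{ Key = $netFx;             Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Key = $netFx;             Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Key = $netFx32;           Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Key = $netFx32;           Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Key = "$schannel\Server"; Name = 'Enabled';                  Value = 1 }
    @{ Key = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Key = "$schannel\Client"; Name = 'Enabled';                  Value = 1 }
    @{ Key = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 }
)

function Test-Tls12Registry {
    # Compare each expected value with what is actually set on this server.
    foreach ($item in $expected) {
        $actual = (Get-ItemProperty -Path "HKLM:\$($item.Key)" -Name $item.Name `
                   -ErrorAction SilentlyContinue).($item.Name)
        $state = if ($null -eq $actual) { 'NotSet' } elseif ($actual -eq $item.Value) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{
            Key = $item.Key; Name = $item.Name
            Expected = $item.Value; Actual = $actual; State = $state
        }
    }
}

function Get-NegotiatedTlsProtocol {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port)
    $ssl = $null
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Default validation: throws if the certificate is untrusted, expired
        # or does not match $HostName.
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"
            Protocol = $ssl.SslProtocol
            Subject  = $ssl.RemoteCertificate.Subject
            Expires  = $ssl.RemoteCertificate.GetExpirationDateString()
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Test-Tls12Registry | Format-Table -AutoSize
# Host name and ports are the lab values from this post.
8000, 8001 | ForEach-Object { Get-NegotiatedTlsProtocol -HostName 'HAMWS2022S2' -Port $_ }
```

For the SCHANNEL values, a State of NotSet is not a failure on Server 2022, where TLS 1.2 is enabled by default; it only means the value has not been set explicitly.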
Thanks for reading
Peter Rüttinger

Life After APP-V Server: Exploring Options for Application Streaming and Delivery
The discontinuation of Microsoft’s APP-V Server has left many enterprises seeking new methods to manage application streaming and delivery. As organisations adapt to an ever-evolving technological landscape, the need for efficient, scalable, and secure application delivery solutions is paramount. This article delves into life after APP-V Server and explores the various alternatives available for application streaming and delivery.

The End of an Era: APP-V Server

Microsoft Application Virtualization (APP-V) Server was a popular tool that provided a flexible and efficient way to deliver applications to end-users without installing them on individual machines. By streaming applications on demand, APP-V helped reduce system conflicts and improve application management. However, with Microsoft ending support for APP-V Server in April 2026, organisations will, if not already doing so, have to pivot to alternative solutions.

All is not lost, however! There are alternatives to the full APP-V infrastructure available, including several from Microsoft.

Modern Solutions for Application Streaming and Delivery

1. Microsoft Endpoint Manager - Microsoft

Microsoft Endpoint Manager (MEM) is a comprehensive solution that combines Configuration Manager and Intune to deliver and manage applications across devices. MEM enables traditional and modern management approaches, allowing organisations to deploy applications via the cloud seamlessly. It offers robust security features, simplified application updates, and enhanced user experiences.

You may wonder how we deliver an APP-V application via Intune. You can use PSADT (PSAppDeployToolkit) as a wrapper around App-V sources. In the wrapper, run the following commands:

Install

    # Add the package to the machine, publish it to the logged-on user,
    # then mount it so it is fully loaded into the local cache.
    Add-AppvClientPackage "$dirFiles\$appPackageName.appv"
    $UserSID = (Get-LoggedOnUser).SID
    Publish-AppvClientPackage -Name $appPackageName -UserSID $UserSID
    Get-AppvClientPackage -Name $appPackageName | Mount-AppvClientPackage

UnInstall

    # Stop and unpublish the package in the logged-on user's context,
    # then remove it from the machine.
    $ReturnCode = Execute-ProcessAsUser -Path "$PSHOME\powershell.exe" -Parameters "-WindowStyle Hidden -Command & { & `"Get-AppvClientPackage -Name $appPackageName | Stop-AppvClientPackage | UnPublish-AppvClientPackage`"; Exit `$LastExitCode }" -Wait -PassThru
    Get-AppvClientPackage -Name $appPackageName | Remove-AppvClientPackage

From that package, create a .intunewin file, upload it to Intune and deploy. You will need the Microsoft-Win32-Content-Prep-Tool.

2. MECM (Microsoft Endpoint Configuration Manager, formerly SCCM)

When you use SCCM to manage virtual applications, you gain several benefits, such as a single management infrastructure, scalability, deployment, and content distribution features.

To deploy virtual applications to computers, you need to have both the Configuration Manager client and the App-V Client installed on your computers. The Configuration Manager client manages the delivery of virtual application packages to the App-V Client, which then runs the virtual application on the client.

Here are some key points about deploying App-V applications with SCCM:

Creating Virtual Applications: You must first create the virtual application using the App-V Application Virtualization Sequencer. The sequencer monitors the installation and setup process for an application and records the information needed for the application to run in a virtual environment.
Deployment Methods: SCCM supports two methods for delivering virtual applications to clients: streaming delivery and local delivery (download and execute). Streaming delivery is beneficial for applications that require frequent updates or patches, as it reduces disk space requirements on the client. Local delivery ensures that the application is always available, even if the client is offline.
Configuration: You need to configure the SCCM environment to deploy virtual applications via App-V. This involves setting up the Configuration Manager Console and ensuring that the necessary client agents and settings are in place.

Microsoft Endpoint Configuration Manager (MECM) and Microsoft Intune are both parts of the Microsoft Endpoint Manager suite, but they serve different purposes and have distinct features:

MECM (Microsoft Endpoint Configuration Manager)

On-Premises Solution: MECM is primarily an on-premises tool used for managing a wide range of devices within an organization’s network.
Comprehensive Management: It offers extensive capabilities for managing devices, applications, and security policies.
Legacy Systems: MECM is well-suited for managing traditional desktop environments and legacy systems.
Complex Deployments: It supports complex deployment scenarios, including operating system deployment, software updates, and configuration management.

Intune

Cloud-Based Solution: Intune is a cloud-based service focused on modern device management.
Mobile Device Management (MDM): It excels in managing mobile devices, including smartphones and tablets, across various platforms like iOS and Android.
Simplified Management: Intune provides simplified application management, policy deployment, and endpoint security.
Integration: It integrates seamlessly with other Microsoft services, such as Azure Active Directory and Microsoft Defender for Endpoint, to enhance security and compliance.

In summary, MECM is ideal for on-premises, comprehensive management of traditional IT environments, while Intune is designed for modern, cloud-based management of mobile and remote devices. Both tools can be used together for a hybrid approach, leveraging the strengths of each.

Endpoint management services and solutions at Microsoft | Microsoft Learn

3. App Attach for APP-V

If you are about to embark into the Cloud, or you are already there, then why not consider using the App Attach Blade to stage your APP-V applications? It's simple, fast and efficient, with no DC or SQL server needed.

App attach and MSIX app attach - Azure Virtual Desktop | Microsoft Learn

Watch a demo presentation here: MSIX and app attach made easy - YouTube

4. APP-V Management, Publishing and Reporting server Communal Project

If you followed our event at MAD day in Hamburg in November 2024, you would have seen a superb demo of a 3rd party APP-V Management, Publishing and Reporting Server by one of our Microsoft Partners, Andreas Nick of Nick IT. In Andreas’ own words:

Since App-V Publishing Server has been discontinued for 2026, we have started to create a replacement based on DotNet Core and a Maria DB (on each server). The server is functional and compatible in its current form. Kerberos is supported and theoretically it is possible to install it in a Docker container under Linux. We will show a short demo of publishing and App-V reporting.

For a Demo, please take a look here: https://youtu.be/RfTWy_NMlyY

5. AppVentiX - Deployment & Application Lifecycle Management for App-V and MSIX

AppVentiX is a management and deployment solution for App-V, MSIX (app attach) and FSLogix app masking. It simplifies the process of deploying and updating Microsoft application packages in various environments. AppVentiX also allows users to manage App-V and MSIX simultaneously and facilitates the transition from App-V to MSIX. AppVentiX supports the management of App-V and MSIX (app attach) on both virtual machines and physical machines, whether they operate in the cloud or on-premises. It is compatible with Server OS, Multi-session OS, and Single-session OS.

https://appventix.com/

Their demo at MAD day: MAD DAY 2024 Deploy applications in real-time with AppVentiX - Bram Wolfs and Ingmar Verheij

6. CloudFish Deployment Management for App-V and MSIX

Cloudfish Deploy is a solution providing real-time application lifecycle management for multiple packaging technologies including MSI, MSIX (including App Attach), App-V, ThinApp and even PowerShell scripting. Their simplified and centralised application management interface provides real-time software deployments for physical and virtual desktop environments, both persistent and non-persistent. The Cloudfish Deploy solution simply consists of three portable executables – the management console, the agent, and the client. No backend required.

https://www.cloudfish.co.uk/

When selecting a new application streaming and delivery solution, organisations should consider several factors to ensure they choose the best fit for their needs:

Compatibility: Ensure the solution supports the operating systems and applications used within the organization.
Scalability: Choose a solution that can grow with the organization and handle increasing workloads.
Security: Opt for a solution with robust security features to protect sensitive data and ensure compliance with regulations.
User Experience: Consider the ease of use and overall experience for end-users, as this can impact productivity and satisfaction.
Cost: Evaluate the total cost of ownership, including initial setup, maintenance, and ongoing support fees.

Best Practices for a Smooth Transition

Transitioning from APP-V to a new application delivery solution can be challenging. Here are some best practices to ensure a smooth and successful migration:

Assess Current Infrastructure

Conduct a thorough assessment of the current infrastructure to identify dependencies, compatibility issues, and potential challenges. This assessment will help in planning and executing the migration more effectively.

Plan and Test

Develop a detailed migration plan that outlines the steps, timelines, and resources required. Testing the new solution in a controlled environment before full deployment is crucial to identify and address any issues early on.

Train IT Staff and End-Users

Provide comprehensive training to IT staff and end-users on the new solution to ensure they are familiar with its features and functionalities. This training will help minimize disruptions and ensure a smooth transition.

Monitor and Optimize

After deploying the new solution, continuously monitor its performance and gather feedback from end-users. Use this feedback to optimize the solution and address any issues promptly.

Conclusion

The discontinuation of APP-V Server has prompted and will continue to prompt organisations to seek modern alternatives for application streaming and delivery. By exploring solutions such as Microsoft Endpoint Manager (either MECM or Intune), App Attach for APP-V, or a 3rd party solution such as AppVentiX or CloudFish, organisations can find the best fit for their needs. By considering factors such as compatibility, scalability, security, user experience, and cost, and by following best practices for a smooth transition, organisations can ensure continued efficiency and productivity in application delivery. Embracing these modern solutions will not only address the challenges posed by the end of APP-V Server but also pave the way for more advanced, flexible, and secure application management in the future.

Philip McLoughlin
Support Escalation Engineer

M.A.D. Day 2024 – Hamburg 15th November 2024 – Recap.
In Hamburg on the M.A.D. Day (Modern Application Deployment) we could announce that App-V is no longer being deprecated – the Client and the Sequencer. But the Server will still go away. With this post I would like to clarify a few things which were also brought up by Tim Mangan in his analysis of the M.A.D. Day 2024, and specifically this announcement.

In April 2026 the following App-V components will be End of Life:

All App-V 5.0 SP3 and 5.1 Clients
All App-V 5.0 SP3 and 5.1 Sequencer
The App-V Server Components 5.1 (Management / Publishing and Reporting Server)

The original plan was to remove the App-V Client with the release of Windows in 26H2 – so the last Windows Client OS would be Windows in 25H2 – as this would also be an LTSC version of this release, and the support of App-V is bound to the Windows OS you use – the end date is always the same end date as the OS you use.

As an example:

Windows 11 24H2 has a support end date of October 2027
Windows Server 2025 has an end date for Extended Support in 2034

These OS dates match App-V.

What has changed now?

When we as Microsoft say we no longer deprecate, we mean that we will not remove the App-V Client from future OS versions. The Sequencer will also still be part of the ADK. This includes Windows Client as well as Server, and also Windows 365 and AVD versions. In addition to stopping the removal, we also commit to bringing bug fixes and security fixes to App-V on the given OS; this includes supported Windows Client versions and Server.

The Product Team has decided not to provide an end date for the APP-V Client and Sequencer, which now puts the product on a like-for-like basis with MSI; that product has had no features for more than a decade (or longer) but still ships with the OS and bugs are addressed. It is still part of any Windows OS release. The same will apply to APP-V.

Why was this decision made?

I use a slide from our own investigations with some enterprise customers.

This matches partially with the Report Card Tim is creating. To download the Report Card, you can go to Tim's website (Home).

When we look at this chart, we see that packaging with the MSIX Packaging Tool ends up with a success rate of ~30%. So, 7 out of 10 applications need additional adjustments. If we compare it with App-V and the Sequencer, we are between 80% and 90% success rate, without the need to touch the package again. And the orange bar shows a higher success rate. To get the app to work, it will require more manpower and additional resources, thus incurring additional costs, and there is no guarantee that the apps will function correctly.

Where are all the MSIX Packages from Vendors?

Our official statement is that “all Store Apps” are MSIX and they can be loaded… OK – but we also see in reality that a majority of customers turn off the Microsoft Store so that employees are prevented from loading “Consumer” apps into their work environment, and for enterprise apps, Microsoft Store for Business was retired in 2023.

There are not many “real” Enterprise / LOB applications out there which come natively as an MSIX package – the New Teams is an example, and if you like we can add the New Outlook to that list as well. And here is the magic word “NEW” – if you build a new app you can go with MSIX, no question. But in enterprises there are still many “older” Win32 applications which have been there for years; they do their job, and they are still needed in enterprise organizations.

Office and Add-ins

It is worth mentioning that it is a common use case to virtualize Office add-ins and let the locally installed C2R (Click2Run) Office start into an App-V bubble so it can see the add-ins. This scenario is not possible with MSIX as of today – nor does Office support the use of MSIX-enabled add-ins in Office. The only application virtualization platform where customers get support from Microsoft when using Office as part of it is App-V. Everything else (including MSIX) is not supported.
Statement

Because of these reasons, we see that removing the App-V Client / Sequencer would end up in a situation which would create adoption blockers for new OS / Office versions. Here we would like to give customers the choice to maintain their investment in App-V moving forward. At the same time, we will continue to invest in MSIX and App Attach to close gaps.

Here is our Statement:

We will continue to evaluate and balance MSIX and App Attach investments with longer-term ambitions to close the gaps with App-V, but we recognize it’s currently not a complete replacement, and we need to renew our commitment to App-V to put our enterprise customers at ease and unblock their migration to the cloud and to newer Windows versions.

I hope I can clarify a few points here. The last thing I would like to see is any confusion around that statement. There was confusion enough with the April 2026 date and MDOP. If there is anything unclear about this, please feel free to get in touch with me.

Thank you for reading. If you are interested in all sessions from the M.A.D. event, please check out the M.A.D. Day Channel: M.A.D. Day - YouTube

Sebastian Gernert
Escalation Engineer

INTUNE - Intune and Autopilot Part 4 - Enroll your first device
First published on MSDN on Nov 27, 2018

In the last blog posts,
INTUNE – Intune and Autopilot Part 1 – The Blueprint
INTUNE – Intune and Autopilot Part 2 – Setting up your environment
Intune and Autopilot Part 3 – Preparing your environment
we guided you through all the necessary steps to get your Azure trial Tenant up and running, and how to prepare your Intune environment further.

Support Lifecycle App-V and the MSIX confusion
First published on MSDN on Oct 17, 2018

Hey there,

It seems that some customers and users are a bit unsure in terms of the Lifecycle and the future of App-V when it comes to MSIX and how all fits together and what is the right strategy for the company moving forward.