MSIX app attach Azure portal integration public preview

Microsoft

MSIX app attach is an application layering solution that allows you to dynamically attach an application (that is, an MSIX package) to a user session. Separating the application from the operating system makes it easier to create a golden virtual machine image and gives you more control over providing the right application to the right user.

 

Previously, you had to use PowerShell scripts to enable MSIX app attach. The MSIX app attach capability is now available in public preview in the Azure portal and is integrated with Azure Resource Manager. This eliminates the need for custom scripts and makes it possible to publish your packaged applications to application groups with a few clicks.

 

A draft troubleshooting guide for MSIX app attach is available here.

Overview and requirements

 

Before you get started, make sure to fill out and submit this form to enable MSIX app attach in your subscription. If you don't have an approved request, MSIX app attach won't work. Approval of requests can take up to 24 hours during business days. You'll get an email when your request has been accepted and completed.

 

The following are the requirements to set up MSIX app attach in a Windows Virtual Desktop environment:

  • Host pool in Windows Virtual Desktop with at least one active session host
  • Host pool in the validation environment
  • MSIX packaged application expanded into an MSIX image
  • MSIX image is uploaded to file share
  • The file share is accessible for all session hosts in the host pool
  • When using a digital certificate that is not sourced from a CA, follow the instructions here on each VM in the host pool

 

This video walks through the MSIX app attach UI.

 

Deploy WVD (Windows Virtual Desktop) host pool

 

The steps for deploying a WVD host pool are outlined here. It is mandatory to provision the session host pool in the validation environment.


 

MSIX application

 

MSIX app attach requires an application packaged as MSIX. If you do not have an MSIX application, you can use the MSIX Packaging tool to repackage a Win32 application as an MSIX application. Instructions are available here.

 

Prepare MSIX image

 

MSIX app attach needs the MSIX application to be stored in a VHD(x). Steps on how to perform the expansion are available here.

 

If you do not have access to an MSIX application and MSIX images, feel free to use these. They are provided without any guarantees and should not be used in production environments:

 

Application name – URL

  • Chrome as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVMWy-sU8aiaStuxQ?e=AqwZ0D
  • Chrome in an MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVLPExhghP4iM8LRQ?e=wJHd9P
  • Microsoft Edge Dev v89 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVddlHiIoei4RdROQ?e=kwdvDq
  • Microsoft Edge Dev v89 as MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVczWWmEiUhv2IC3A?e=eBGL8B
  • Microsoft Edge Dev v87 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVbdz4gmTb7rqHoeg?e=6dEhj5
  • Microsoft Edge Dev v87 as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVaArIPkiAg5XzusQ?e=ZthNbz
  • PowerBI as MSIX image – https://1drv.ms/u/s!Amut9BnVnw7mkOVkUdswoKXTk9dfUw?e=fGTHy5
    Note: this has dependencies that need to be delivered in the master image. Links available here: https://1drv.ms/u/s!Amut9BnVnw7mkOQth1hkT-SRdP2__g?e=YHbice
  • PowerBI as MSIX package – https://1drv.ms/u/s!Amut9BnVnw7mkOVi5SXqDxAr6MBAKw?e=pm1c2q
  • WVDMigration as MSIX image (test different cert type) – https://1drv.ms/u/s!Amut9BnVnw7mkOIEPLX6PYOzx96nrg?e=9qEpJc
  • WVDMigrationBAD as MSIX image (bad packaging format) – https://1drv.ms/u/s!Amut9BnVnw7mkOF6izJaA6rMxih_fQ?e=VU6Wbp
  • Microsoft Edge Dev v87 as MSIX image (expired cert) – https://1drv.ms/u/s!Amut9BnVnw7mkOJamDr-mrs3rOoeCg?e=43JT7E
  • Notepad++ as MSIX image (missing cert test) – https://1drv.ms/u/s!Amut9BnVnw7mkOF-o-E-bhp_btLgJw?e=6DO9ea

 

If you are using your own application, you will need to install the certificate used to sign the MSIX package.
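
The certificate requirement above, as an added PowerShell example (not part of the original post or of Microsoft's scripts): it reads the signer certificate from an MSIX package, reports whether it is outside its validity period, self-signed, or already in the session host's LocalMachine\TrustedPeople store, and imports the matching .cer only when the thumbprints agree. Both file paths are hypothetical placeholders, and the self-signed check is a simple subject-equals-issuer heuristic.

```powershell
# Added example. Run elevated on a session host.
# Both paths are hypothetical placeholders, not values from the article.
$PackagePath = 'C:\Temp\MyApp.msix'   # signed MSIX package (before expansion into the VHD)
$CerPath     = 'C:\Temp\MyApp.cer'    # exported public certificate of the signer

function Test-MsixSignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Read the signature embedded in the package.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # No signer certificate at all: report the status and stop.
        return [pscustomobject]@{ Package = $Path; SignatureStatus = $sig.Status; Thumbprint = $null }
    }

    $now = Get-Date
    [pscustomobject]@{
        Package         = $Path
        SignatureStatus = $sig.Status
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        OutsideValidity = ($now -lt $cert.NotBefore) -or ($now -gt $cert.NotAfter)
        # Heuristic: subject equals issuer, so the certificate was not issued by a CA.
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        # True when this exact certificate is already in the machine's Trusted People store.
        InTrustedPeople = Test-Path "Cert:\LocalMachine\TrustedPeople\$($cert.Thumbprint)"
    }
}

$result = Test-MsixSignerTrust -Path $PackagePath
$result | Format-List

if ($result.Thumbprint -and -not $result.InTrustedPeople) {
    # Import only the certificate that actually signed the package.
    $cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    if ($cer.Thumbprint -ne $result.Thumbprint) {
        throw "Thumbprint of $CerPath does not match the package signer; nothing imported."
    }
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
    Write-Output "Imported $($cer.Thumbprint) into LocalMachine\TrustedPeople."
}
```

Running the same check on every session host in the host pool shows which hosts are missing the signer certificate before a package is added.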

 

Install certificates

 

If you are using the provided MSIX applications, there are two certs:

 

Configure a file share

 

All session hosts need access to the file share with MSIX app attach packages. This Tech Community blog covers the process.

 

Configure MSIX app attach via Azure portal

 

Open a browser, preferably in incognito mode, and load the following link: https://preview.portal.azure.com/?feature.msixapplications=true#home

In the search bar type Windows Virtual Desktop and click on the service.

 


 

Select a host pool where MSIX applications are to be delivered.

 


 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click + Add. This will open the Add MSIX package blade.

 


 

MSIX image path – this is the UNC path pointing to the MSIX image on the file share. For example, \\storageaccount.file.core.windows.net\msixshare\appfolder\MSIXimage.vhd.

MSIX package – if a valid, resolvable, and accessible path is provided this drop-down will be populated by all the MSIX packages in the MSIX image.

Package applications – list of MSIX applications available in an MSIX package.

Display name – Optional display name to be presented in the interface.

Version – MSIX package version automatically delivered from parsing the package.

Registration type

  • On-demand – this is the recommended type of registration. It postpones the full registration of the MSIX application until the user starts the application.
  • Log on blocking – this type of registration runs during session logon, which adds time to session logon completion.

State – MSIX package has two states (Active and Inactive). When a package is active users can interact with it. Inactive packages are ignored by WVD and not delivered to users.

Click Save.

 

Publish MSIX application to an application group

 

In the WVD resource provider navigate to the Application groups blade.

Select an application group.

 

Note: During the MSIX app attach preview, MSIX app attach remote apps may disappear from the user feed. This can happen because host pools in the evaluation environment may get served by an RD Broker in a production environment (this happens when the RD Broker optimizes to improve the end-user experience). Because the RD Broker in the production environment doesn't understand the data of the MSIX app attach remote apps, it won't display them.

 

Select the Applications blade. The Applications grid will display all currently added applications.


Click + Add to open the Add application blade.

Application source

  • For desktop app groups, the only source for applications is an MSIX package.
  • For remote app groups, there are three sources of applications:
    • Start menu
    • App path
    • MSIX package

 

MSIX package – displays the list of packages added to the host pool.

 

 


 

Display name – Optional display name to be presented in the Applications interface.

Description – Short description.

Note: the options below apply only to remote application groups.

  • Icon path
  • Icon index 
  • Show in web feed

Click Save.

 

Assign users to app group

 

Select app group.

Select Assignments

To assign individual users or user groups to the app group, select +Add Azure AD users or user groups.

Select the users you want to have access to the apps. You can select single or multiple users and user groups.

Select Save.

It will take five minutes before the user can access the application.

 

Change MSIX package state

 

Via the Applications grid

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages whose state needs to change and click the Change state button.

 

Via update package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click on the Package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the State via the Inactive/Active button as desired and click Save.

 

Change MSIX package registration type

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Click on the Package name in the MSIX packages grid. This will open the blade to update the package.

Toggle the Registration type via the On-demand/Log on blocking button as desired and click Save.

 

Remove MSIX package

 

Select MSIX packages.

This will open the data grid with all MSIX packages currently added to the host pool.

Select one or more packages that need to be removed and click the Remove button.

 

Removing MSIX application

 

Navigate to the host pool and select Application groups.

Select the application group from which the MSIX application is to be removed.

From the application group blade select Applications.

Select the desired application and click Remove.

240 Replies

"MSIX packages" is visible in multiple Azure subscriptions without using Preview Portal. Is there an update that this can also be used without Validation Environment or are these steps still necessary?


 

@AndreasR @Stefan Georgiev @TomHickling 

Yes, can confirm this...does it mean that's "GA" now? I can't really think about that ;)

And more...I can also choose West Europe and North Europe as the Metadata location without using the Preview Portal...

br

Jochen

No this doesn't mean app attach is GA yet, we are definitely still in preview at this point. This was just an update to the portal experience

We removed the feature flag for the portal. Many people were getting inconsistent results as they will default to using the general portal (missing the guidance to use the preview URL and preview feature flag). This does not remove the need for the subscription to be white listed.

@Stefan Georgiev @TomHickling 

thanks guys! absolutely, that was confusing me too ;)

but...today I have seen a tenant which is not whitelisted with the menu "MSIX packages"...

(copy/paste:))We removed the feature flag for the portal. Many people were getting inconsistent results as they will default to using the general portal (missing the guidance to use the preview URL and preview feature flag). This does not remove the need for the subscription to be white listed.

Anyone know why this is happening? UNC path is 110% correct... I made an adobereaderdc.vhd and it's in the Azure File Share.

 


 

@Thogjo So you deployed a new session host with an image where hyper v role was enabled?

 

I can't figure out why I'm getting this... \\storageaccount.file.core.windows.net\fileshare\.adobereaderdc.vhd

 

I was getting the "Unable to reach virtual disk" and I found I forgot to turn on Validation environment, now I'm getting this...


 

Does the computer account have SMB reader access in IAM (can't remember the exact name of the role)?
Did you add the certificate to your session host?
Stefan Georgiev just released this troubleshooting methodology
https://github.com/stgeorgi/msixappattach/blob/master/Troubleshooting%20methedology%20v2.pdf
If above does not work, refer to Stefans PDF in the git link.

it's worth pointing out that if you're using AAD DS it won't work :) @Thogjo 

I have pointed that out numerous times earlier, but yes - you are correct
AADDS Is ‘no go’ with app attach

@Thogjo the issue was the .vhd -- in this case the AdobeReader package created by MSIX packager failed.

 

I then made one with Notepad++ and it worked! So the error I was getting is indicative of a bad .vhd/MSIX packaging.

 

I then immediately tried CPU-Z a super basic program, and it also failed just like Adobe Reader....

 

So I can only conclude at this point that this MSIX Packager is a total POS and it's what is causing me headaches. If a basic program like CPU-Z can't be packaged and exported and attached then there is 0% hope right now a much more complex one will.

 

I'm going to give VLC player a try since that was one I saw in a demo video, but that doesn't do much for my progression to production WVD with this.

 

 

So VLC also failed with the same error.

Oddly enough when I put in the previously working file path for the working Notepad++ vhd IT ALSO does this error now... \\mystorageaccount.file.core.windows.net\myfileshare\notepadplusplus.vhd and now it says this which I'm not totally worried about because that TestHost-3 is irrelevant, but I don't get why it trips now and didn't before.
{"code":"400","message":"ActivityId: 7d376443-4102-49fc-be01-db92282a28e1 Error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: TestHost-3, Error: App contains untrusted signature."} YET... that same path has been unchanged and the VHD is the same ONE that worked under an hour ago.

So now I'm really lost as to what the issue is, this seems outlandishly inconsistent and troubleshooting seems fruitless...
Did you set up permissions for the machine accounts?
Have you included that certificate with which the app was packaged in the trusted people location on your host pool TestHost-3?
@DBR14 are you using the MSIX packaging tool to create an MSIX out of CPU-Z? Secondly, how are you creating the VHD, please try this tool https://gorovian.000webhostapp.com/?exam=t5/windows-virtual-desktop/simplify-msix-image-creation-with-the... to avoid badly structured VHDs.
Lastly we have a troubleshooting guide for MSIX app attach here you may find useful https://github.com/stgeorgi/msixappattach/blob/master/Troubleshooting%20methedology%20v2.pdf

@Thogjo 

Let's hope that Azure ADDS is supported in the near future then. Sadly enough we're unable to use MSIX app attach at this moment.

@Stefan Georgiev @TomHickling 

 

Will AAD-DS be supported by the time this goes GA? Any potential way for it to be so like hosting the VHDs on a server domain joined to AAD-DS? I'm asking because if we will never get this I may need to shift from WVD to Horizon on Azure

@Stefan Georgiev @TomHickling 

Guys, I seem to have a problem in my MSIX APP-attach enabled demo subscription.

 

All of a sudden I can connect to NONE of my session hosts. I had 3 separate host pools, one regular MS, one MSIX app attach MS and one VDI - and I am able to connect to NONE of the session hosts.

 

So I thought no big deal, I'll redeploy - deleting everything and redeploying had NO effect, I still get this error when trying to connect - tried to deploy in both WEU and NEU regions.

-------------------------------

The remote resource can't be reached. Check your connection and try again or ask your network administrator for help.

[^] Hide details [OK]

[Expanded Information]
Error code: 0x300000d
Extended error code: 0x0
Timestamp (UTC): 2021-02-12T22:41:38.064Z
Activity ID: 3d8c7e2e-a23e-48ba-9c3b-dc2b99460000

 

 

Trying to connect thru browser i get....

It looks like your system administrator hasn’t set up any resources for demouser@manualize.dk yet. Please choose a different account or try again. If you believe you have received this message in error, please contact your system administrator.

 

But my remote desktop client says

that i do have an app.

 

 

 

 

 

-------------------------------------

I have had no issues in any of my other customer subscriptions that are not preview enabled.

 

Now i'm trying to redeploy in my MPN subscription which is not preview enabled

 

@mobilejon right now we are investing in aadj 
