The future of application virtualization. Learn here how to create and configure MSIX app attach package(s) containers on Windows 10 Enterprise multi and single-session for Windows Virtual Desktop


“It’s a game-changer”: that’s how most people react after they learn about Microsoft’s new application delivery solution, MSIX app attach. It’s different from, and disruptive to, how we do application delivery today on traditional VDI/RDS infrastructures.

With the newly released Windows 10 Enterprise single- and multi-session build 2004, we added the MSIX APIs to the OS that make it possible to use MSIX app attach (app attach remains in preview until further notice). It’s now easier than ever to test this revolutionary new app delivery service. Read more below.

Windows applications, also known as Win32 apps, are what the vast majority of people use in a virtual desktop environment. Most image updates and management work are triggered by either an OS update or an installation or update request from the application vendor.

Think in a new direction: doing application updates without creating new images or updating existing ones, and without removing all the users, rebooting the session hosts and logging the sessions back on. Sounds disruptive and cool, right? Please read on, because MSIX app attach makes this possible 🙂

In this article, I’ll show you what the benefits of MSIX app attach are and how you can virtualize applications with MSIX app attach to use them in your Windows Virtual Desktop environment.

What is MSIX app attach

MSIX (without app attach) is a Windows app package format that provides a modern packaging experience to all Win32, UWP, and Windows apps. It’s a new way of doing application virtualization compared to technologies such as App-V.

Adding the app attach technology makes MSIX better suited to virtualized desktop environments such as Windows Virtual Desktop. The main challenge around application delivery within DaaS/VDI is the images and how the apps get into the image. Separating the applications from the image, so you can update and assign applications without doing an image update, sounds like the solution, right? Well, that’s exactly what MSIX app attach can accomplish…

See below the most important benefits:

  • Less re-imaging
  • Same package format across your entire organization
  • No repackaging needed, most likely ISVs will provide packages to customers
  • Applications are indistinguishable from apps in the OS image

Windows 10 Enterprise single and multi-session build 2004 has been released

This week, we released the long-awaited build 2004, officially known as the Windows 10 May 2020 Update. It’s now possible to update your existing session hosts to this new version. One very important improvement in this OS, as I shared earlier, is the addition of the MSIX components needed to use MSIX app attach on Windows 10 single- and multi-session as part of Windows Virtual Desktop. With previous versions of Windows 10, enabling the sideloading policy, either through Group Policy or Settings, was required to install an MSIX package. With Windows 10, version 2004, you can deploy a signed MSIX package onto a device with no special configuration setting.

Learn more about other new features in the new build here.

Note: Office 365 ProPlus has been renamed to Microsoft 365 Apps for Enterprise.

MSIX app attach via the Azure Portal

Previously, you had to use PowerShell scripts to enable MSIX app attach. We will be integrating the app attach capability in the Azure portal and Azure Resource Manager. This will eliminate the need for custom scripts and make it possible to publish your packaged applications to application groups with a few clicks. This is coming soon.

Desktops in the Cloud – episode on MSIX app attach

You can also learn more about it here at Episode 5 of Desktops in the Cloud with Stefan Georgiev from the WVD Engineering team, leading MSIX app attach.

How does the process work?

Your images consist of 3 main components that are key for implementing a desktop virtualization environment: the operating system, applications, and user-defined data (Windows profile). The logon process works via the Microsoft FSLogix Profile Container process, which is block-based via a filter driver and separate from the OS.

The MSIX app attach process works similarly; however, it uses symbolic links for the folder mounting process instead.

All the steps are happening in just milliseconds.

How are Windows OS and applications installed, updated, and managed?

When we asked the community in 2020 (PREVIEW RESULTS) how their OS and applications are installed, updated, and managed, the vast majority responded: manually. In practice, this usually means that an application change requires a new image update, which increases the maintenance effort in your environment.

“Question: How are Windows OS and applications installed, updated and managed on your main platform?”

Requirements

Note: Make sure to disable Auto-update as the MSIX app attach containers will be read-only.

Prepare your custom image

Run the following commands on the custom (Windows 10 Enterprise single or multi-session) image.

Make sure to use at least the newly released build 2004 or the earlier 19041 Insider Preview release. It’s now available in the Azure portal!

Looking for more information on Azure custom images with Windows Virtual Desktop? Please use one of my previous articles to follow up. You can also use this custom image in conjunction with the Azure Shared Image Gallery (SIG), which makes it easy to roll out this image to multiple session hosts (as part of your host pool) at the same time and provides advanced image management capabilities.

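Run the following commands on the image. They turn off Microsoft Store automatic app downloads, disable the Windows Update "Scheduled Start" task, and stop Content Delivery Manager from installing promoted apps, in line with the read-only requirement above.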

reg add HKLM\Software\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 0 /f

Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug /v ContentDeliveryAllowedOverride /t REG_DWORD /d 0x2 /f

Package an MSIX application – (e.g. Notepad++)

You can run the following steps from inside the custom image or on a separate machine for the sake of packaging with the same Windows 10 Enterprise build installed…

Search for the MSIX Packaging Tool in the Microsoft Store and install it to your Windows 10 virtual machine.

Start the MSIX Packaging Tool

Click on Create your app package

Click Create package on this computer

Make sure the status is the same on your image/session host as in the screenshot for the different action items.

Click on Next

Browse for the application installer. This could be any of your win32 applications. I’ll use Notepad++ for the exercise.

Assign your certificate with the right CN (common name, e.g. Contoso), which we need later. This could be a self-signed certificate as well (for PoC/testing purposes).

Note: Make sure the CN=Contoso (organization name) is correct on the certificate as well as in the package configuration.

Self-signed certificate (optional)

See below how you can create a self-signed certificate for your demo/lab environment instead.

New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso" -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "cert:\LocalMachine\My"

Export the self-signed certificate into a .pfx file with the private key and use it in the “Signing preference” menu.

Import the self-signed certificate into the Trusted People store of the Local Machine.

The CN must look like this…
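
The three certificate steps above in one script, as an added example that is not part of the original article. It assumes an elevated PowerShell session; the output folder and file names are hypothetical, and the code-signing extension and six-month lifetime are additions to the command shown above.

```powershell
# Added example, not from the original article. Lab/PoC use only.
# Assumptions: elevated session; $outDir and the file names are hypothetical.
$subject = 'CN=Contoso'              # must match the Publisher in the MSIX package
$outDir  = 'C:\MSIXappattach\certs'  # hypothetical working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same parameters as the command above, plus:
#  - the Code Signing EKU (1.3.6.1.5.5.7.3.3) and an end-entity basic constraint,
#    so the certificate is scoped to signing code
#  - a short lifetime, because this key is only meant for testing
$cert = New-SelfSignedCertificate -Type Custom -Subject $subject `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}') `
    -NotAfter (Get-Date).AddMonths(6) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 1. PFX (certificate + private key): used only in the MSIX Packaging Tool
#    "Signing preference" menu on the packaging machine.
$pfxPath     = Join-Path $outDir 'contoso-lab-signing.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 2. CER (public certificate only): this is what the image / session hosts need
#    in order to trust packages signed with the key above.
$cerPath = Join-Path $outDir 'contoso-lab-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null

# 3. Confirm what ended up in Trusted People: subject, expiry and key presence.
#    HasPrivateKey should be False for an entry imported from a .cer file.
Get-ChildItem 'Cert:\LocalMachine\TrustedPeople' |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

On the image and session hosts only the Import-Certificate line with the .cer file is needed; the .pfx file stays on the packaging machine.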

Click on Next

Enter the application-specific requirements. The Publisher name is the certificate CN (common name, e.g. Contoso) of the organization. Make sure the certificate is injected in your image; otherwise the application cannot register and will fail.

Note: If the CN is detected correctly, you’ll see the “subject of the certificate provided” notification. The certificate could be self-signed, public or internally created via a RootCA. It’s important that the private key and CN are matching later in the 

Click on Next

Run through the installation process of your application

For me, that will be Notepad++

Make sure to disable Auto-update as the MSIX app attach containers will be read-only.

Start the application to make sure everything installed correctly.

If the application installed correctly, you see the screen below. Make sure to reboot your machine if required before you move to the next step.

Create the MSIX package

We are almost ready.

Click on Next

Note: When you want to package extra plugins or extra other applications in the same MSIX package, please click on “No, I’m not done”.

I’m done, so I click on Yes, move on

Click on Next

Save the .MSIX package file somewhere on your computer or network.

Click on Create

The package is ready for the next step.

Note: When you want to edit things in the package, please click on Package editor.
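
A pre-flight check for the CN requirement described above, as an added example that is not part of the original article: it reads the Publisher from the package's AppxManifest.xml, compares it with the signing certificate, and checks whether that certificate is in the Trusted People store. The function name Test-MsixPublisher and its parameters are hypothetical; the package path reuses the C:\MSIXappattach folder and file name used later in this article.

```powershell
# Added example, not from the original article.
# Assumption: -ExpectedPublisher is the CN you entered in the MSIX Packaging Tool.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MsixPublisher {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $fullPath = (Resolve-Path -LiteralPath $PackagePath).ProviderPath

    # Signature on the package file itself. The status depends on the trust
    # stores of the machine this runs on, so run it on the image or a session host.
    $signature = Get-AuthenticodeSignature -FilePath $fullPath
    $signer    = $signature.SignerCertificate

    # An .msix file is a ZIP container; the Identity element lives in AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $fullPath" }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try     { [xml]$manifest = $reader.ReadToEnd() }
        finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }
    $identity = $manifest.Package.Identity
    $manifestPublisher = $identity.GetAttribute('Publisher')

    # Is the signing certificate present in the store the article imports it into?
    $inTrustedPeople = $false
    if ($signer) {
        $inTrustedPeople = Test-Path "Cert:\LocalMachine\TrustedPeople\$($signer.Thumbprint)"
    }

    # Publisher checks are strict, case-sensitive string comparisons.
    [pscustomobject]@{
        PackageName              = $identity.GetAttribute('Name')
        Version                  = $identity.GetAttribute('Version')
        ManifestPublisher        = $manifestPublisher
        SignerSubject            = if ($signer) { $signer.Subject } else { $null }
        SignerNotAfter           = if ($signer) { $signer.NotAfter } else { $null }
        SignatureStatus          = $signature.Status
        PublisherMatchesExpected = ($manifestPublisher -ceq $ExpectedPublisher)
        PublisherMatchesSigner   = ($null -ne $signer -and $manifestPublisher -ceq $signer.Subject)
        SignerInTrustedPeople    = $inTrustedPeople
    }
}

Test-MsixPublisher -PackagePath 'C:\MSIXappattach\Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt.msix' `
    -ExpectedPublisher 'CN=Contoso'
```

An unsigned package shows an empty SignerSubject, and a mismatch in either Publisher field points to the CN problem that makes registration fail later.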

Create – and assign the app attach container (VHD) – via AppVentiX (community tool)

If you prefer the manual approach, as documented on Microsoft Docs—in more detail—click here to continue. 

AppVentiX (previously known as App-V Scheduler) is a solution that can create MSIX app attach containers for you without any manual PowerShell steps. It also supports the direct assignment of app attach containers during the logon phase of a Windows Virtual Desktop session, based on, for example, Active Directory groups or Organizational Units.

Learn more about it here and request the free community version, or watch this demo of how it works in conjunction with Windows Virtual Desktop.

Create the app attach container (VHD) – via MSIX hero (community tool) 

If you prefer the manual approach, as documented on Microsoft Docs—in more detail—click here to continue. 

The community tool below is available for free and allows you to create the MSIX app attach container automatically as well as the scripts.

Note: There’s also no need for the Hyper-V modules to create the VHD within this tool.

Download the tool here.

Expanding package to app attach package – manual

We must expand the .MSIX package file to a VHD(x) to make it ready for mounting/staging. Perform the following steps to do that. You can run those steps from the master image.

Download and install the MSIX mgr tool – this will import the MSIX commands to perform the next steps

Unpack the .zip file to e.g. C:\MSIXappattach

Copy/move the .MSIX package file to that location as well

Create the app attach container (VHD) – manual 

Create the app attach container by running the command below

New-VHD -SizeBytes 1024MB -Path c:\MSIXappattach\notepadplusplus.vhd -Dynamic -Confirm:$false

Note: Make sure to align the size of the VHD with the requirements of the application.

Mount the app attach container – virtual disk to your session host with the command below

$vhdObject = Mount-VHD c:\MSIXappattach\notepadplusplus.vhd -Passthru

Initialize the disk and keep the result in the $disk variable, which makes it easier to reuse in later steps and for bulk operations in the future.

$disk = Initialize-Disk -Passthru -Number $vhdObject.Number

Create a partition table within the app attach container – virtual disk

$partition = New-Partition -AssignDriveLetter -UseMaximumSize -DiskNumber $disk.Number

Format the app attach container – virtual disk

Format-Volume -FileSystem NTFS -Confirm:$false -DriveLetter $partition.DriveLetter -Force

Open the app attach container – virtual disk in Windows Explorer

Create an application folder in the app attach container – virtual disk root

Note: When putting the package in the VHD it is best practice to have an \\apps\<package name> folder.

Run the following command in cmd.exe (as administrator) to expand the .MSIX package into an app attach package container (VHD), with e.g. the c:\MSIXappattach folder as source.

Note: Make sure to change the drive letter; it could be a randomly assigned letter.

msixmgr.exe -Unpack -packagePath Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt.msix -destination "d:\notepadplusplus" -applyacls

The folder looks like this after a successful expansion to the app attach container…

When you are done, make sure to dismount the app attach (VHD) container and copy it to your Azure Files or Azure NetApp Files share, just like the example below.

Note: Also make sure that your session host – VMs can reach the share! More info here.  

Create the MSIX app attach staging script (which mounts the container)

Mount the created app attach container – virtual disk to your machine. We need to collect the unique volume GUID which we need for the script to detect the right disk.

Open a command prompt

Run command

mountvol

Once you have found the GUID, modify the variables in the script below ($volumeGuid and the others) with the information that is specific to your VHD and MSIX app configuration.

The example below is in conjunction with Azure Files as network file share location. Read here how to configure Azure Files.

#MSIX app attach staging sample

#region variables

$vhdSrc="\\AzureFiles.file.core.windows.net\msixappattach\notepadplusplus.vhd"

$packageName = "Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt"

$parentFolder = "notepadplusplus"

$parentFolder = "\" + $parentFolder + "\"

$volumeGuid = "0b00bf15-fcae-4e06-a35a-1967bbbf4429"

$msixJunction = "C:\temp\AppAttach\"

#endregion

#region mountvhd
try 
{
    # -ErrorAction Stop turns a failed mount into a terminating error, so the catch block actually runs
    Mount-Diskimage -ImagePath $vhdSrc -NoDriveLetter -Access ReadOnly -ErrorAction Stop
    Write-Host ("Mounting of " + $vhdSrc + " was completed!") -BackgroundColor Green 
}
catch
{
    Write-Host ("Mounting of " + $vhdSrc + " has failed!") -BackgroundColor Red
}
#endregion


#region makelink
$msixDest = "\\?\Volume{" + $volumeGuid + "}\"

if (!(Test-Path $msixJunction)) 
{
    md $msixJunction
}

$msixJunction = $msixJunction + $packageName

cmd.exe /c mklink /j $msixJunction $msixDest
#endregion

#region stage
# Load the WinRT PackageManager type and the helper assembly that bridges WinRT async operations to .NET tasks
[Windows.Management.Deployment.PackageManager,Windows.Management.Deployment,ContentType=WindowsRuntime] | Out-Null
Add-Type -AssemblyName System.Runtime.WindowsRuntime

# Find the generic AsTask overload for IAsyncOperationWithProgress and bind it to the deployment result types
$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where { $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])'})[0]
$asTaskAsyncOperation = $asTask.MakeGenericMethod([Windows.Management.Deployment.DeploymentResult], [Windows.Management.Deployment.DeploymentProgress])

$packageManager = [Windows.Management.Deployment.PackageManager]::new()

# Path to the expanded package inside the mounted container, reached through the junction
$path = $msixJunction + $parentFolder + $packageName # needed if we do the pbisigned.vhd
$path = ([System.Uri]$path).AbsoluteUri

# Stage the package in place (no copy to the local disk)
$asyncOperation = $packageManager.StagePackageAsync($path, $null, "StageInPlace")

# Convert the WinRT async operation to a .NET task and output it so the result is visible
$task = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))

$task
#endregion

Create the MSIX app attach application – registration script

Replace the package name variable with your own package name; it’s basically the filename of the .MSIX file before the expanding process.

#MSIX app attach registration sample
#region variables 
$packageName = "Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt"

$path = "C:\Program Files\WindowsApps\" + $packageName + "\AppxManifest.xml"
#endregion

#region register
Add-AppxPackage -Path $path -DisableDevelopmentMode -Register
#endregion

De-register the MSIX app attach application

Perform the following step during log off of your Windows Virtual Desktop – session hosts.

Note: You can also decide to do this during shutdown, which could be more efficient, for instance when other users are using the same application on the session host.

#MSIX app attach deregistration sample
#region variables 
$packageName = "Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt"
#endregion

#region deregister
Remove-AppxPackage -PreserveRoamableApplicationData $packageName 
#endregion

De-stage (dismount) the MSIX app attach container

Perform the following step during log off of your Windows Virtual Desktop – session hosts.

Note: You can also decide to do this during shutdown, which could be more efficient, for instance when other users are using the same application on the session host.

#MSIX app attach de staging sample
#region variables 
$packageName = "Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt"

$msixJunction = "C:\temp\AppAttach\" 
#endregion

#region deregister
Remove-AppxPackage -AllUsers -Package $packageName 

cd $msixJunction 
rmdir $packageName -Force -Verbose 
#endregion

Test the stage and registration scripts

Run both the staging and registration .ps1 scripts from your Windows 10 Enterprise (build 2004) session host. When the scripts run successfully, you should see the following message in return, which confirms a successful mounting and registration process.

Disk Management should look similar to the screenshot below. Both MSIX app attach applications are loaded from Azure Files.


The applications run perfectly; to the end user they appear as locally installed applications. 🙂

Publish an MSIX app attach as Remote App – ARM-based portal

After the application is injected in your session hosts, you can easily create a virtual application and publish it to your end users as a Remote App. Via the new Azure ARM portal, you only have to perform two steps.

Before you do this, please take the following two points into consideration while testing.

  • A user can be assigned to both a desktop app group and a RemoteApp app group in the same host pool. However, users can only launch one type of app group per session. Users can’t launch both types of app groups at the same time in a single session.
  • A user can be assigned to multiple app groups within the same host pool, and their feed will be an accumulation of both app groups.

Before we move forward, we must create a .lnk shortcut to the Notepad++ MSIX application in the Start menu folder. This step is not required for every application, only for MSIX, due to the ++ in the name.

The target and icon location must be something similar to: “C:\Program Files\WindowsApps\Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt\VFS\ProgramFilesX86\Notepad++\notepad++.exe”

Save the Notepad++.lnk file in C:\ProgramData\Microsoft\Windows\Start Menu\Programs

Open the Windows Virtual Desktop service from the Azure Portal

Click on Application Groups

Open one of your Remote Application Groups, with RemoteApp as type

Click on Applications – under Manage

Click on Add

Choose File path as the Application source.

Paste the location of the Notepad++ .lnk file into the Application path area.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk

Note: When you have problems with the icon file, please make sure to copy the original .exe file somewhere on your image and point the icon path to that location, such as the one below.

C:\temp\AppAttach\Notepadplusplus_1.0.0.0_x64__h91ms92gdsmmt\notepad++.exe

Click on Assignments and assign the Remote Application(s) to the right Azure AD users or Azure AD groups.

Refresh your Workspace 

Start Notepad++ – it works! 🙂

Publish an MSIX app attach as Remote App – ARM-based PowerShell

Run the following command to publish the MSIX application as Remote Application via PowerShell. Only applies to the ARM-based version of Windows Virtual Desktop, aka the spring 2020 update.

New-AzWvdApplication -GroupName $appgroupname -Name Notepad -ResourceGroupName $rgname -Filepath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk"

Publish an MSIX app attach as Remote App – non-ARM based PowerShell

Run the following command to publish the MSIX application as Remote Application via PowerShell. Only applies to the non-ARM-based version of Windows Virtual Desktop, aka the fall 2019 release.

New-RdsRemoteApp -TenantName $tenant -HostPoolName $hostpool -AppGroupName $AppGroup -Name "Notepad" -FilePath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk"

MSIX app attach–experience demo

This video shows the outcome of this article: experience how we separate the user profiles and (MSIX app attach) applications from the OS, on Azure Files with Kerberos authentication and NTFS ACLs.