Here are the steps outlined for utilizing the features in Azure Virtual Desktop that allow dynamic attachment of applications:

1. Introduction: Azure Virtual Desktop provides two features for dynamically attaching applications to user sessions: MSIX app attach and app attach (preview).
2. MSIX App Attach: MSIX app attach is generally available. It facilitates the dynamic attachment of applications to user sessions.
3. App Attach (Preview): App attach is now available in preview. The preview version enhances both administrative and user experiences.
4. Benefits of Both Features: Applications are not locally installed on session hosts or images. This simplifies the creation of custom images for session hosts.
5. Operational Efficiency: This approach reduces operational overhead and costs for the organization.
6. Containerized Applications: Applications run within containers. Containers separate user data, the operating system, and other applications.
7. Enhanced Security: The use of containers increases security by isolating applications from each other.
8. Improved Troubleshooting: Containerization makes applications easier to troubleshoot.
9. Overall Benefits: Both MSIX app attach and app attach (preview) contribute to a more streamlined and efficient application management process in Azure Virtual Desktop.

Advantages of App Attach Over MSIX:

1. Granular Permission Control: App Attach offers per-application, per-user permission control, allowing precise management of user access to applications during remote sessions. In contrast, MSIX relies on assignment to application groups, where all desktop users can see all MSIX app attach applications in the desktop application group.
2. Flexibility in Host Pool Usage: With App Attach, a single application package can be utilized across multiple host pools, providing greater flexibility.
   In MSIX, applications may be limited to running on a specific host pool, necessitating the creation of additional packages for use in different host pools.
3. Cross-Host Compatibility: Applications attached through App Attach can run on any session host running a Windows client operating system within the same Azure region as the application package. In contrast, MSIX applications are constrained to the host pool to which they are added.
4. Seamless Application Upgrades: App Attach enables the upgrade of applications to a new version with a new disk image without requiring a maintenance window. In contrast, updating MSIX applications involves deleting and recreating the application with a new package version, necessitating a maintenance window for the update.
5. Concurrent Versions on a Session Host: Users can concurrently run two versions of the same application on the same session host using App Attach. However, in MSIX, running two versions of the same application on the same session host is not supported.
6. Telemetry Support: Both App Attach and MSIX provide telemetry support for usage and health, accessible through Azure Log Analytics.

These advantages showcase how App Attach offers more fine-grained control, flexibility, compatibility, and ease of management compared to MSIX, making it a preferred choice in certain scenarios.

Supported Application Package Types and File Formats:

There are various application package types and associated file formats that you can utilize, each with specific feature availability:

MSIX and MSIX Bundle:
   File Formats: .msix, .msixbundle
   Feature Availability: Supported for both MSIX app attach and App attach.

Appx and Appx Bundle:
   File Formats: .appx, .appxbundle
   Feature Availability: Supported exclusively for App attach.

MSIX and Appx share similarities, with the key distinction being that MSIX serves as a superset of Appx.
While MSIX incorporates all the features present in Appx, it also introduces additional functionalities specifically tailored to enhance its suitability for enterprise applications.

Application Assignment Process for Users:

To ensure users receive the correct applications during sign-in, the following criteria must be satisfied within the host pool environment:

1. Application Assignment to Host Pool: Assign the desired application to the specific host pool. This enables selective availability of the application across different host pools, ensuring optimal hardware resource utilization. For instance, graphics-intensive applications can be designated to run exclusively on host pools with GPU-optimized session hosts.
2. User Access Configuration: Users must have the ability to sign in to session hosts within the designated host pool. This necessitates their inclusion in either a Desktop or RemoteApp application group. In the case of a RemoteApp application group, it's essential to add the app attach application to the group. However, there is no requirement to include the application in a desktop application group.
3. User or Group Assignment to Application: Assign the application to the specific user or a group containing the user. This assignment can be managed through user accounts or groups.

If all these criteria are met, the user gains access to the assigned application. This structured process allows administrators to control which users can access an application on particular host pools, enabling diverse application combinations for users within the same host pool or even those signed in to the same multi-session session host. Users failing to meet these requirements will not have access to the designated application.

Application Images Setup:

To integrate your application packages with Azure Virtual Desktop, the initial step involves creating an MSIX image from your existing application packages utilizing the MSIXMGR tool.
Following this, it is essential to store each disk image on a file share that is accessible by your session hosts. For detailed information on the specifications for a file share, please refer to the Azure Virtual Desktop documentation on File Share.

Supported Links: Create MSIX Image; File Share Permissions

Types of Disk Images:

In Azure Virtual Desktop, you have the option to use different types of disk images, including Composite Image File System (CimFS), VHDX, or VHD. However, it is not recommended to use VHD due to performance considerations. Mounting and unmounting CimFS images is more efficient compared to VHD and VHDX files, with lower consumption of CPU and memory resources. Specifically, the use of CimFS is recommended for application images when your session hosts are running Windows 11.

A CimFS image is composed of several files, including one with the .cim file extension containing metadata. Additionally, there are at least two other files, one starting with objectid_ and the other starting with region_, which store the actual application data. Notably, files accompanying the .cim file do not have a file extension.

Application Registration Process:

In App attach, the registration of applications involves mounting disk images from a file share to a user's session during sign-in, followed by a registration process that ensures the availability of the applications to the user. There are two registration types:

1. On-Demand Registration:
   Description: On-demand registration involves partially registering applications at sign-in, with the full registration of an application deferred until the user initiates the application.
   Recommendation: This is the recommended registration type as it does not impact the sign-in time to Azure Virtual Desktop.
   Default Method: On-demand registration is the default registration method.
2. Log On Blocking Registration:
   Description: Each application assigned to a user undergoes full registration during the user's sign-in process.
   Impact on Sign-In Time: Log on blocking registration may affect the sign-in time to Azure Virtual Desktop as the registration process occurs during sign-in.

Supported Identity Providers for App Attach:

App attach is compatible with the following identity providers:

1. Microsoft Entra ID: Status: Supported
2. Active Directory Domain Services (AD DS): Status: Supported
3. Microsoft Entra Domain Services: Status: Not supported

File Share Requirements for App Attach:

For App attach to function seamlessly, it is necessary to store your application images on an SMB file share. This file share is then mounted on each session host during the sign-in process. App attach does not impose specific requirements on the type of storage fabric employed by the file share.

While App attach is storage-agnostic, we recommend utilizing Azure Files for your file share. Azure Files offers compatibility with both Microsoft Entra ID and Active Directory Domain Services. Moreover, it strikes a balance between cost-effectiveness and management overhead, making it a recommended choice for optimal performance with App attach.

Configuring Permissions for App Attach:

In the App attach setup, each session host mounts application images from the designated file share. To ensure smooth operations, it's crucial to configure NTFS and share permissions, granting read access to the files and file share for each session host's computer object. The specific permission configurations depend on the chosen storage and identity providers for your file share and session hosts.

Using Azure Files with Microsoft Entra ID:

Role-Based Access Control (RBAC): Assign the Reader and Data Access Azure RBAC roles to the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider service principals. This allows session hosts to access the storage account using access keys.
Storage Account Requirement: The storage account must belong to the same Azure subscription as your session hosts.
Security Note: Exercise caution when assigning RBAC roles to the Azure Virtual Desktop ARM Provider service principal, as it grants access to all data within the storage account. It is advisable to limit this storage account to store only apps for use with App attach and regularly rotate access keys.
Instructions: Refer to the documentation on Assigning RBAC roles to the Azure Virtual Desktop service principals for detailed steps.

Using Azure Files with Active Directory Domain Services:

RBAC Role: Assign the Storage File Data SMB Share Reader Azure RBAC role as the default share-level permission.
NTFS Permissions: Configure NTFS permissions to grant read access to each session host's computer object.

For additional insights and guidance on using Azure Files with session hosts joined to Microsoft Entra ID, Active Directory Domain Services, or Microsoft Entra Domain Services, consult the Overview of Azure Files identity-based authentication options for SMB access.

Performance Optimization Recommendations for Applications in App Attach:

For optimal application performance in App attach, consider the following recommendations:

1. Regional Alignment:
   File Share and Session Hosts: Place your file share in the same Azure region as your session hosts to optimize performance. If Azure Files is employed, ensure the storage account is also located in the same Azure region as your session hosts.
2. Antivirus Scans Exclusion:
   Disk Images: Exclude the disk images containing your applications from antivirus scans. These images are read-only, and excluding them can enhance performance.
3. Storage and Network Considerations:
   Performance Requirements: Ensure that both your storage and network fabric can deliver the necessary performance for App attach operations.
   Avoid FSLogix Profile Containers: To prevent potential conflicts and performance issues, it is advisable to avoid using the same file share for FSLogix profile containers.

Prerequisites for Using App Attach in Azure Virtual Desktop:

1. Existing Configuration: Host pool with session hosts, an application group, and a workspace.
2. Session Host Requirements: Session hosts must run a supported Windows client operating system (Windows Server is not supported). At least one session host must be powered on.
3. Host Pool Configuration: Host pool needs to be configured as a validation environment.
4. Identity Provider: Session hosts must be joined to Microsoft Entra ID or an Active Directory Domain Services (AD DS) domain.
5. File Share: An SMB file share in the same Azure region as session hosts. All session hosts in the pool must have read access with their computer account. File share is used for storing application images.
6. Azure Files Usage: If using Azure Files with session hosts joined to Microsoft Entra ID: Assign Reader and Data Access Azure RBAC roles to Azure Virtual Desktop and Azure Virtual Desktop ARM Provider service principals. Note: Future updates may eliminate the need to assign the Azure Virtual Desktop ARM Provider service principal.
7. MSIX or Appx Disk Image: An MSIX or Appx disk image created from an application package and stored on the file share. For MSIX images, Desktop Virtualization Contributor Azure RBAC role is required to add images. To assign users to the application group, Microsoft.Authorization/roleAssignments/write permissions on the application group are needed.

Steps to Add an MSIX or Appx Image as an App Attach Package in Azure Portal:

1. Sign In: Access the Azure portal and sign in.
2. Navigate to Azure Virtual Desktop: Use the search bar to type "Azure Virtual Desktop" and select the corresponding service entry to access the Azure Virtual Desktop overview.
3. Access App Attach: Within Azure Virtual Desktop, choose the "App attach" option, and then click on the "+ Create" button.
4. Complete Basics Information: On the Basics tab, provide the necessary information:
   (Additional Information Not Provided in the Text) Specify the name or identifier for the App attach package. Set relevant configuration details such as the subscription, resource group, and Azure region.
   (Specific Fields Not Mentioned in the Text)
   Image Source: Choose the source of the image (MSIX or Appx).
   Image Name: Specify the name of the MSIX or Appx image.
   File Share Path: Indicate the path to the SMB file share where the application images are stored.
   Validation Environment: Confirm the host pool configured as a validation environment.
   Identity Provider: Verify the session hosts are joined to Microsoft Entra ID or an Active Directory Domain Services domain.

Completing Information on the Image Path Tab:

Option: Select from Storage Account:
   Image path: Choose "Select from storage account" if your image is stored in Azure Files.
   Storage account: Pick the storage account where your image is located.
   File share: Choose "Select a file," then navigate to the file share and directory containing your image. Check the box next to the desired image (e.g., MyApp.cim), then select "Select."
   MSIX package: Select the MSIX or Appx package from the chosen image.

Option: Input UNC:
   Image path: Choose "Input UNC" if your image is specified by a UNC path.
   UNC: Enter the UNC path to your image file.
   MSIX package: Select the MSIX or Appx package from the specified UNC path.

For Either Option:
   Display name: Provide a user-friendly name for your application.
   Version: Verify that the displayed version number matches the expected version.
   Registration type: Select the registration type you prefer to use (e.g., On-demand or Log on blocking).
   State: Choose the initial state for the package.
   Health check status on failure: Select the status for the package if it fails to stage on a session host. This status is reported for AppAttachHealthCheck for the session host health check status.

Assigning an App Attach Package:

1. Access Azure Virtual Desktop: Navigate to the Azure Virtual Desktop overview.
2. Select App Attach: Within the Azure Virtual Desktop overview, choose "App attach."
3. Choose App Attach Package: Select the name of the specific App attach package that you want to assign.
4. Navigate to Manage Section: In the "Manage" section, locate and click on "Host pools."
5. Initiate Assignment: Click on "+ Assign" to initiate the assignment process.
6. Select Host Pools: From the drop-down list, choose one or more host pools to which you want to assign the App attach package.
7. Ensure Read Access: Confirm that all session hosts within the selected host pool(s) have read access with their computer account, adhering to the prerequisites.
8. Complete Assignment: Click on "Add" to complete the assignment of the App attach package to the chosen host pool(s).

Steps to Download the APPX Bundle Directly from the Microsoft Store:

Method 1:

1. Go to the Microsoft Store web page: https://apps.microsoft.com/home?hl=en-US&gl=US
2. Go to the website https://store.rg-adguard.net/
3. For whichever Microsoft Store app package you want, copy the web link of the application and download the bundle.

Method 2: By Evergreen PS Module (https://www.powershellgallery.com/packages/Evergreen/2312.878)

1. Install the module:
   Install-Module -Name Evergreen
2. Script to look for a specific app:
   Find-EvergreenApp firefox | Get-EvergreenApp -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Where-Object {$_.Type -eq 'msix' -and $_.Architecture -eq 'x64'}
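
Packages obtained by either download method above are fetched outside your own build pipeline, so the package signature is the check to run before a package is expanded into a disk image. The following is an added example, not part of the original page; it assumes a Windows machine, and the download folder and the expected publisher subject are placeholders to replace with your own values.

```powershell
# Added example, not from the original page. Run on Windows, where
# Get-AuthenticodeSignature can read MSIX/Appx package signatures.
# Assumed placeholders: $DownloadDir and $ExpectedPublisher.
$DownloadDir       = 'C:\Packages\Incoming'            # placeholder folder
$ExpectedPublisher = 'CN=<expected publisher subject>' # placeholder subject

function Test-AppPackageSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = Split-Path -Path $Path -Leaf
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status  = $sig.Status
        Signer  = $subject
        # Accept only an intact, chain-trusted signature from the expected publisher.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -eq $ExpectedPublisher)
    }
}

# Check every package type the page lists as supported for app attach.
$results = Get-ChildItem -Path $DownloadDir -Recurse -File -Include *.msix, *.msixbundle, *.appx, *.appxbundle |
    ForEach-Object { Test-AppPackageSignature -Path $_.FullName -ExpectedPublisher $ExpectedPublisher }

$results | Format-Table File, Status, Signer, Trusted -AutoSize

# Stop before any image is built if a package failed the check.
$rejected = @($results | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    throw "Rejected packages: $($rejected.File -join ', ')"
}
```

Keeping the SHA256 column alongside the image lets you later tie a disk image on the file share back to the exact package it was built from.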
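
The Security Note under "Using Azure Files with Microsoft Entra ID" asks for two things that can be checked from a script: who can read the storage account's access keys, and how old those keys are. The following is an added example, not part of the original page; it assumes the Az.Accounts, Az.Resources and Az.Storage modules with a signed-in session, and the expected principal display names and the 90-day threshold are assumptions to adjust.

```powershell
# Added example, not from the original page. Requires Az.Accounts, Az.Resources
# and Az.Storage, and an existing Connect-AzAccount session.
# Assumptions: expected display names and the 90-day key age threshold.
function Get-AppAttachStorageAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [string[]] $ExpectedPrincipal = @('Azure Virtual Desktop',
                                          'Azure Virtual Desktop ARM Provider'),
        [int] $MaxKeyAgeDays = 90
    )
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

    # Built-in roles that can list the account keys, i.e. reach all data in the account.
    $keyRoles = 'Reader and Data Access', 'Storage Account Contributor',
                'Storage Account Key Operator Service Role', 'Contributor', 'Owner'

    # Includes assignments inherited from the resource group and subscription.
    $others = Get-AzRoleAssignment -Scope $sa.Id |
        Where-Object { $_.RoleDefinitionName -in $keyRoles -and
                       $_.DisplayName -notin $ExpectedPrincipal } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

    # Age of each access key; KeyCreationTime can be empty on older accounts.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxKeyAgeDays)
    $keys = foreach ($name in 'Key1', 'Key2') {
        $created = $sa.KeyCreationTime.$name
        [pscustomobject]@{
            Key     = $name
            Created = $created
            Stale   = (-not $created) -or ($created -lt $cutoff)
        }
    }

    # Share inventory, to confirm the account holds only app attach images.
    $shares = Get-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
                                   -StorageAccountName $StorageAccountName

    [pscustomobject]@{
        StorageAccount  = $sa.StorageAccountName
        OtherKeyReaders = @($others)
        Keys            = @($keys)
        FileShares      = @($shares | Select-Object -ExpandProperty Name)
    }
}

# Placeholder names; replace with your resource group and storage account.
Get-AppAttachStorageAudit -ResourceGroupName '<resource-group>' -StorageAccountName '<storage-account>'
```

A key reported as stale can be regenerated with New-AzStorageAccountKey, one key at a time so that session hosts keep access during the rotation.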