MSIX AppAttach is a Microsoft technology that was introduced in Windows 10 2004 edition (April 2020). Nerdio Manager simplifies and automates the process of storing MSIX applications packaged as VHD(X) files and attaching them to AVD session hosts and users, making applications available to assigned users "on-the-fly" as they log into their AVD session.
To begin using AppAttach in Nerdio Manager you need to create a VHD(X) package containing the MSIX application. The process for creating such packages is documented here.
You will need the following items to get started:
- VHD(X) file containing the MSIX application - this is a file that you create (or obtain from app publisher) that is ready to be used for AppAttach.
- Application name - this is the name of the application as seen by Windows when it is installed. It is typically provided by the application publisher. As an example, Notepad++ app name is NotepadPP_220.127.116.11_x64__gz1by593hb2dw.
- Parent folder name - this is the name of the folder in the VHD(X) file that contains the expanded MSIX application. It is provided by the application publisher or something that you specify when creating the VHD(X) package.
- Volume GUID - VHD(X) packages are mounted on the AVD session host VMs as virtual disks and have GUIDs associated with them. This is something that is provided by the creator of the VHD(X) package.
- (Optional) Certificate - each VHD(X) package is signed with a digital cert. If you used a self-signed cert to sign the VHD(X) package, be sure that this cert is installed on the session host VMs. Have the .CER file handy.
To help you get started, we created a few VHD(X) packages for some popular applications that you can download and start using in your AVD environment for testing purposes.
- Mozilla Firefox
- Google Chrome
Pre-requisites to use MSIX AppAttach with Nerdio Manager
To get started with publishing MSIX AppAttach applications to your users' AVD sessions with the Nerdio Manager you will need the following 4 things.
- VHD(X) package with associated information listed above. Feel free to use our sample packages to get started.
- Azure Files share that is integrated with Active Directory and has the proper security configuration. More on this below.
- AVD host pool with session hosts running Windows 10 2004 or newer. MSIX AppAttach is not available in prior versions of Windows 10.
- Nerdio Manager version 2.4.0 or newer.
Azure Files share
Note: If the storage account has network restrictions, Nerdio Manager will experience errors.
Nerdio Manager leverages Azure Files share technology to store MSIX AppAttach packages and associated metadata. You can use an existing Azure Files share or create a new one with Nerdio Manager (video tutorial). The Azure Files share MUST be AD-integrated to be used as an AppAttach storage location in Nerdio Manager.
Once you've created an Azure Files share and joined it to your AD domain, you must configure security settings on the share to allow session hosts and users to read the contents of the AppAttach packages. With Azure Files, there are two places where these security settings are configured.
- Azure Files Access Control
- NTFS permissions
In these two places, both the session host VM computer and user who will use the application must have at least reader access. The good news is that the default NTFS permissions on newly created Azure Files shares already have the necessary configuration. However, Azure Files share Access Control still needs to be configured.
This is an easy method to give all current and future session host VMs access to the Azure Files shares.
- In Active Directory, create a new Global Security group in an OU that is being synced to Azure AD with ADConnect
- Add Domain Computers and Domain Users to the new group
- In Azure Portal, find your Azure Files share and go to Access Control
- Add the new security group with the Storage File Data SMB Share Reader role (you may need to wait for the next sync cycle for new groups to be available in Azure AD)
The end result will be read-only access to the Azure Files share by all domain users and computers. Feel free to customize the above procedure to suit your organization's security policies.
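The four steps above can also be scripted. The following is an added example, not part of Nerdio Manager or the original article; it assumes the ActiveDirectory and Az PowerShell modules, and the group name, OU, subscription, resource group, storage account and share name are all placeholders. It finishes by listing any principal that holds a write-capable SMB role on the share, so the read-only result can be confirmed.

```powershell
#Requires -Modules ActiveDirectory, Az.Accounts, Az.Resources
# Added example: every value in this block is a placeholder (assumption).
$GroupName      = 'AVD-AppAttach-Readers'                 # hypothetical group name
$GroupOU        = 'OU=AVD,DC=contoso,DC=com'              # hypothetical OU synced to Azure AD
$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
$ResourceGroup  = 'rg-avd-storage'                        # placeholder
$StorageAccount = 'stappattach'                           # placeholder
$ShareName      = 'appattach'                             # placeholder
$RoleName       = 'Storage File Data SMB Share Reader'

# Steps 1-2: create the Global Security group, then add Domain Computers and Domain Users.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$current = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
$missing = 'Domain Computers', 'Domain Users' | Where-Object { $_ -notin $current }
if ($missing) { Add-ADGroupMember -Identity $GroupName -Members $missing }

# Steps 3-4: assign the reader role to the synced group, scoped to the single file share.
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
         "/fileServices/default/fileshares/$ShareName"

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$aadGroup = Get-AzADGroup -DisplayName $GroupName
if (-not $aadGroup) {
    throw "Group '$GroupName' is not in Azure AD yet; wait for the next sync cycle."
}
$existing = Get-AzRoleAssignment -ObjectId $aadGroup.Id -Scope $Scope -RoleDefinitionName $RoleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $aadGroup.Id -Scope $Scope -RoleDefinitionName $RoleName |
        Out-Null
}

# Check: list principals holding a write-capable SMB data role on this share
# (includes assignments inherited from the storage account or resource group).
$writeRoles = 'Storage File Data SMB Share Contributor',
              'Storage File Data SMB Share Elevated Contributor'
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -in $writeRoles } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Scoping the assignment to the share rather than the storage account keeps the group's read access limited to the AppAttach packages.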
Adding Azure Files AppAttach storage location
Once the Azure Files share has the necessary permissions, it can be added to Nerdio Manager under SETTINGS>Integrations>AppAttach Storage Locations. Click Link and select the Azure Files share.
Note: If your Azure Files share is not listed, be sure to link the Resource Group containing the storage account in Nerdio Manager, under Settings>Integrations>Azure Environment>Linked Resource Groups.
Uploading AppAttach VHD(X) packages and assigning users
Once you've added the AppAttach Storage Location on the SETTINGS page, you're ready to upload VHD(X) packages and assign them to users. Go to the APPATTACH APPS menu and click Upload.
Once the package is uploaded, click on Assignments next to the app and assign users and groups.
NOTE: users will not see the application until it is assigned to them on this page AND also assigned to the host pool (see next section).
Assigning AppAttach packages to host pools
Once the AppAttach VHD(X) package is uploaded and assigned to users and/or groups, it must be assigned to one or more host pools. Users who are assigned to an application and log into a host pool where that application is also assigned will automatically see the application installed.
It is important to note that AppAttach application assignment to host pools takes effect only when new session hosts are created or existing ones are re-imaged. Don't forget to re-image any existing host pool to enable AppAttach.
Go to Workspaces>Dynamic host pools and, from the drop-down menu next to the host pool, select Manage>AppAttach apps. Turn AppAttach on, select the AppAttach storage location that contains the apps you want to assign, and select the individual apps to be available on this host pool.
Once the storage location is linked, the app is uploaded and assigned to users and to the host pool, and the session hosts are re-imaged (or new ones created), users will begin seeing the application in their AVD session.