MSIX App Attach

About MSIX App Attach

MSIX is a Windows app package format that provides a modern packaging experience to all Windows apps. It preserves the functionality of existing app packages, installs files, and enables new, modern packaging and deployment features for Win32, WPF, and Windows Forms apps.

MSIX enables enterprises to stay current and ensure their applications are always up to date.

References

• Overview

• What is MSIX App Attach?

• A Deep Dive into MSIX App Attach

Operating Systems Supporting MSIX App Attach

• Azure WVD: Windows 10 Enterprise Multi-session 2004 (or later)

  • Microsoft Download Link

• Windows 10 Enterprise, Pro, or Education (version 2002 or later)(single session limit)

Note

Microsoft has not yet released the official Windows Server ISO for production use. Currently, this feature is tested on-premises with "Windows Server vNext Insider Preview (build 20270)" and with Azure WVD (Windows 10 Enterprise Multi-session 2004).

Various Stages of MSIX App Attach

MSIX app attach has four phases that must be performed in the following order:

1. Stage (System Context: once while first HyShell call, call via SessionHost Service)
2. Register (User Context: on every user login, call via HyShell)
3. Deregister (User Context: automated on user logout, nothing from SessionHost side)
4. De-stage (System Context: optional on SessionHost service stop or automatically on VM reboot)

Staging

Staging involves two steps:

1. Mounting the VHD(x) or CIM to the VM.

2. Notifying the OS that the MSIX package is available for registration.

Registration

Registration makes a staged MSIX package available for your users. Registration is on a per-user basis. If you haven't explicitly registered an app for that specific user, they won't be able to run it.

There are two types of registration: regular and delayed.

Regular registration

In regular registration, each application assigned to a user is fully registered. Registration happens when the user signs in to the session, which might impact the time it takes for them to start using Windows Virtual Desktop.

Delayed registration (default)

In delayed registration, each application assigned to the user is only partially registered. Partial registration means the Start menu tile and double-click file associations are registered. Registration happens while the user signs in to their session, which minimizes the time to start using Windows Virtual Desktop. Registration is complete only when the user runs the application in the MSIX package.

Delayed registration is currently the default configuration for the MSIX App Attach.

De-registration

De-registration removes a user's registered but non-running MSIX package while the user signs out of their session. During de-registration, the MSIX App Attach pushes application data specific to the user’s local user profile.

De-stage

De-staging notifies the OS that an MSIX package or application not running or staged for any user can be unmounted. This removes all reference to it in the OS.

Set the registry to true and restart the Session Host Service.

HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\(DestageAppsOnServiceStop)

MSIX App Attach in HyWorks

MSIX App Attach in Accops/ HyWorks

Install and package applications separately, publish and use them as per entitlements and requirements.

1. Create MSIX package

2. Create a VHD file from the MSIX package.

3. Copy to a remote or local shared location with appropriate permissions. For more details, refer to the Network shared folder permission settings.

4. Prepare Session Host Server:

   1. Update CN names (Semicolon ';' separated) into registry on each Session Host Server(s)

   2. The information should correspond to the certificate used to sign the application package.

      1. Registry Location

         HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\(AppAttachCnNames)

5. Ensure the registry flag IsDesktopCustomizationEnabled is also set to 'true' in the SessionHost Registry.

6. Restart Session Host service.

7. At least once, it is mandatory to manually stage an application created using the self-signed certificate (followed by a Register, De-registration, and De-stage operation) on all the session host servers. This process is mandatory for all the applications created using the self-signed certificate. Refer to Manual Stage, Register, De-register and De-stage

8. Configure MSIX App Attach Type Application in HyWorks.

9. Launch Shared Desktop from Accops Clients.

10. Now, HyShell will be executed, and the user can see the attached applications' shortcuts on the Desktop or Start menu (as configured).

How to create an MSIX file from the installer setup file

Microsoft Reference

Prerequisites (for creating MSIX package):

• Windows 10, version 1809 (or later)

• Microsoft account may require to be logged in.

• Install MSIX Packaging tool MSIX Packaging Tool.

• Launch the MSIX Packaging tool from the Start menu.

• In the MSIX Package Tool, "Select Task" and click the "Application package" icon.

• Check "Create package on this computer."

• Wait for the "Additional preparations" section to complete scanning; once done, select all "recommended action items" and click on the "Disable selected" button below.

• Wait for the previous step to finish, then click on next.

• Select the installer exe for which you want to make the MSIX package, followed by any arguments(if required). (e.g. C:\Installers\7z1900-x64.exe)

• Signing Preference:

  1. In "Signing Preference," select "Sign with a certificate (.pfx)" and browse the certificate file. Refer to the steps to create a self-signed certificate for publishing apps with self-signed certificates.

  2. If the certificate is password protected, type the password in the password box.

• Enter the timestamp server as "http://timestamp.digicert.com" and press next.

• Package Name (3 and 50 characters in length that consist of alpha-numeric, period, and dash characters.):

  1. Required and corresponds to package identity Name in the manifest to describe the contents of the package.

  2. It is not shown to the end user.

• Package display name:

  1. Required and corresponds to the package in the manifest to display a friendly package name to the user in the start menu and settings pages.
  2. The field accepts a string between 1 and 256 characters in length and can be localized.

• Publisher name:

  1. Required and corresponds to a package that describes the publisher’s information.

  2. The Publisher attribute must match the publisher subject information of the certificate used to sign a package.

• Version:

  1. Required and corresponds to the package in the manifest to describe the package’s version number.

  2. This field accepts a version string in quad notation: "Major.Minor.Build.Revision". e.g. 1.9.0

• Set the description and press next.

• Follow the installation steps of the installer.

• Click the restart button if required.

• Press next and say, “Yes, move on.”

• Press Next > select destination path > click on Create > Close.

• The final MSIX package will be available at the path provided.(e.g. 7Zip_1.9.0.0_x64__a222a09sg3tv2.msix)

How to create an App Attach Container (Virtual Disk (VHD)) from an MSIX file

Microsoft Reference

Prerequisites to create a VHD file:

• Windows 10 Enterprise, Pro, or Education [Update 20H2]
• Hyper-v role should be enabled.

Use the PowerShell script below to create a VHD from the MSIX package created previously. Update the following entries:

1. $vhdSrc (full path for output vhd file)
2. $msixSrc (full path of input msix file)
3. $parentFolder (parent folder name to be used inside VHD)
4. 50MB (replace with an approx size to be used by your package)
5. Download and Unzip the msixmgr tool.
6. Replace path [path]\msixmgr.exe for executable and update drive letter "f:" with an available one at the below command:

msixmgr.exe -Unpack -packagePath $msixSrc -destination "f:\$parentFolder" -applyacls

Note

Change the drive letter if the error comes similar to "Failed with HRESULT 0x8bad0001 when trying to unpack .msix."

create_vhd.ps1:

#region variables 
$vhdSrc = "c:\temp\7Zip_1.9.0.0.vhd"
$msixSrc = "E:\Dash\GIT-HUB\MSIX\7Zip_1.9.0.0_x64__a222a09sg3tv2.msix"
$parentFolder = '7Zip_1.9.0.0'
#endregion

#region cleaneup
try
{
    if (Test-Path -LiteralPath $vhdSrc) 
    {
        Remove-Item $vhdSrc
    }
}
catch{}
#endregion


New-VHD -SizeBytes 50MB -Path $vhdSrc -Dynamic -Confirm:$false

$vhdObject = Mount-VHD $vhdSrc -Passthru
$disk = Initialize-Disk -Passthru -Number $vhdObject.Number
$partition = New-Partition -AssignDriveLetter -UseMaximumSize -DiskNumber $disk.Number
Format-Volume -FileSystem NTFS -Confirm:$false -DriveLetter $partition.DriveLetter -Force

E:\Dash\GIT-HUB\MSIX\msixmgr\x64\msixmgr.exe -Unpack -packagePath $msixSrc -destination "f:\$parentFolder" -applyacls

#Unmount the disk
Dismount-DiskImage -ImagePath $vhdSrc

VolumeGuid

Configure MSIX App Attach into HyWorks Management Console

Settings to configure MSIX App into the Application Information tab

• Application Type
  • Option-1: "Installed App" (supports "Browse Application Details")
  • Option-2: "MSIX App Attach" (hides "Browse Application Details")
• Parent Folder Name
  • Parent folder name provided while VHD file creation
  • e.g. "7zip"
• MSIX Name
  • MSIX package file name (remove .msix extension)
  • e.g. "7Zip_1.9.0.0_x64__a222a09sg3tv2"
• Volume Guide
  • Value can be obtained from the output of the create_vhd.ps1 script
    • e.g. "9f273139-5476-4560-b64f-78d985f24684"

Only MSIX App-related existing settings are now visible in the Additional Settings tab

Verify that the provided path is available (green tick)

Limitations of MSIX App Attach Integration

1. MSIX App Attach applications are accessible from shared hosted desktops through HyShell only. They are not supported in remote App or shell mode.

2. As described above, the configuration will require access to the session host server.

Appendix

Create and configure a self-signed trusted certificate

How to create a self-signed trusted certificate

Launch PowerShell with admin privilege and execute command: (replace CN=Accops as per your requirement)

New-SelfSignedCertificate -Type Custom -Subject "CN=Accops" -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "cert:\LocalMachine\My"

Export self-signed certificate

Export the self-signed certificate into a .pfx file with a private key and use it in the “Signing preference” menu.

Open "Manage Computer Certificates" from the Start menu [ or via run -> certmgr.msc] and follow the steps below:

Important

Make sure the Encryption selected in the dropdown is AES256-SHA256.

Import self-signed certificate

Import the previously exported self-signed certificate into the Trusted People LocalMachine store on Session host servers.

The CN must look like this.

Network shared folder permission settings.

Manual Stage Register De-register and De-stage Application

Stage

Use the PowerShell script below to stage an application on the session host server. Before executing the script, update the values for the following variables:

• $vhdSrc: Provide the full path of the VHD file.

• $packageName: Provide the MSIX package name without extension.

• $parentFolder: Provide the name of the parent folder created inside the VHD.

• $volumeGuid: Provide the volume GUID obtained during the VHD creation process.

Stage.ps1

    #MSIX App Attach staging sample

    Set-ExecutionPolicy Unrestricted

    #region variables
    #$vhdSrc="\\172.25.0.11\Public\MSIX\7zip.vhd" #at network location
    $vhdSrc="c:\Apps\7Zip_1.9.0.0.vhd" #at network location
    $packageName = "7Zip_1.9.0.0_x64__0p6e02kja1var" 
    $parentFolder = "7Zip_1.9.0.0"
    $parentFolder = "\" + $parentFolder + "\"
    $volumeGuid = "03177d95-8a4e-4c68-92a8-957d5c05814f"
    $msixJunction = "C:\temp\AppAttach\"
    #endregion

    #region cleaneup
    try
    {
        if (Test-Path -LiteralPath $msixJunction\$packageName) 
        {
            Remove-AppxPackage -AllUsers -Package $packageName
            Remove-Item -LiteralPath $msixJunction\$packageName -Force -Recurse
            Dismount-DiskImage -ImagePath $vhdSrc -Confirm
        }
    }
    catch{}
    #endregion

    echo $vhdSrc

    #region mountvhd
    try 
    {
        Mount-Diskimage -ImagePath $vhdSrc -NoDriveLetter -Access ReadOnly                 
        Write-Host ("Mounting of " + $vhdSrc + " was completed!") -BackgroundColor Green 
    }
    catch
    {
        Write-Host ("Mounting of " + $vhdSrc + " has failed!") -BackgroundColor Red
    }
    #endregion

    #region makelink
    $msixDest = "\\?\Volume{" + $volumeGuid + "}\"

    if (!(Test-Path $msixJunction)) 
    {
        md $msixJunction
    }

    $msixJunction = $msixJunction + $packageName

    cmd.exe /c mklink /j $msixJunction $msixDest
    #endregion

    #region stage [Init]
    [Windows.Management.Deployment.PackageManager,Windows.Management.Deployment,ContentType=WindowsRuntime] | Out-Null
    Add-Type -AssemblyName System.Runtime.WindowsRuntime
    $asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where { $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])'})[0]
    $asTaskAsyncOperation = $asTask.MakeGenericMethod([Windows.Management.Deployment.DeploymentResult], [Windows.Management.Deployment.DeploymentProgress])

    $packageManager = [Windows.Management.Deployment.PackageManager]::new()

    $path = $msixJunction + $parentFolder + $packageName # needed if we do the pbisigned.vhd
    $path = ([System.Uri]$path).AbsoluteUri

    #endregion stage [Init]

    #region stage [Execution]

    $asyncOperation = $packageManager.StagePackageAsync($path, $null,"StageInPlace")  #StageInPlace
    $task = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))

    $task
    #endregion stage [Execution]

Registration

Use the PowerShell script below to register an application on the session host server. Before executing the script, update the values for the following variable:

• $packageName: Provide the same MSIX package name used in the staging process.

Register.ps1

    #MSIX app attach registration sample

    #region variables 
    $packageName = "7Zip_1.9.0.0_x64__0p6e02kja1var" 
    $path = "C:\Program Files\WindowsApps\" + $packageName + "\AppxManifest.xml"
    #endregion

    #region register
    Add-AppxPackage -Path $path -DisableDevelopmentMode -Register
    #endregion 

De-registration

Use the PowerShell script below to de-register an application on the session host server. Before executing the script, update the values for the following variable:

• $packageName: Provide the same MSIX package name used in the registration process.

De-registration.ps1

    #MSIX app attach deregistration sample

    #region variables 
    $packageName = "7Zip_1.9.0.0_x64__0p6e02kja1var" 
    #endregion

    #region derregister
    Remove-AppxPackage -PreserveRoamableApplicationData $packageName 
    #endregion 

De-Stage

Use the PowerShell script below to de-stage an application on the session host server. Before executing the script, update the values for the following variable:

• $packageName: Provide the same MSIX package name used in the de-registration process.

• $vhdSrc: Provide the full path of the VHD file.

De-stage.ps1

    #MSIX app attach de-staging sample

    #region variables 
    $packageName = "7Zip_1.9.0.0_x64__0p6e02kja1var" 
    $vhdSrc="c:\Apps\7Zip_1.9.0.0.vhd"
    $msixJunction = "C:\temp\AppAttach\" 
    #endregion

    #region derregister
    Remove-AppxPackage -AllUsers -Package $packageName
    Remove-Item -LiteralPath $msixJunction\$packageName -Force -Recurse
    Dismount-DiskImage -ImagePath $vhdSrc -Confirm
    #endregion