Wednesday, October 16, 2019

MSIX app attach will fundamentally change working with application landscapes on Windows Virtual Desktop!


In this article I want to explain why I believe this to be true, cover what MSIX app attach is, and show how it uses MSIX technology to empower administrators when dealing with applications and images for Windows Virtual Desktop.

Full disclosure: MSIX app attach is not publicly available yet and this article is based on pre-private preview technology and testing to give you a sneak peek at what’s coming.

Reiterating on Windows Virtual Desktop
September 30 marks a long-awaited day: Windows Virtual Desktop (WVD) reached general availability! Having been actively involved since the very early previews almost 2 years ago, it’s great to finally see the service become available for production usage! The excitement and interest for WVD is huge. When you take a closer look at all the advantages WVD brings to the table you’ll know why. To name a few, it allows you to deliver Applications and Desktops from the Azure Cloud based on a PaaS service. It’s based on Azure Active Directory (AAD), which means you can instantly leverage Conditional Access, MFA and all other benefits that come with AAD. It provides multi-tenancy, an RBAC model and full separation between the WVD services and your hosts based on Reverse Connect. And, last but not least, it comes with Windows 10 Enterprise Multi-Session, which lets you publish applications and desktops based on a client OS (Windows 10) while multiple users connect to the same instance to share resources and costs. This means you get the full Windows 10 look & feel, modern applications and the ability to reuse existing Application Packages that you might have in use for local clients. Best of both worlds if you ask me! For more information about WVD visit aka.ms/wvd

What did WVD change in terms of management?
As outlined in the previous paragraph, Windows Virtual Desktop makes Application and Desktop publishing a lot easier to deploy. With traditional RDS, many of the infrastructure roles like RD Connection Broker, RD Gateway, RD Web Access et cetera require IaaS. Installing, configuring and maintaining these roles not only requires an in-depth understanding of how they work, there is also a lot of work involved in creating a highly available and production-ready environment. Even though many of the steps to deploy an RDS environment in Azure can be automated using Azure Resource Manager templates and PowerShell extensions, there is still a lot of knowledge and maintenance required. With WVD, the infrastructure components are transformed to Azure PaaS. This means that RD Connection Broker, RD Gateway, RD Web Access et cetera are now part of the WVD service and therefore managed for you by Microsoft. What remains, for obvious reasons, is the RD Session Host role. This is the role that users log on to in order to consume your applications and your data. The machines that run this role in a WVD environment are still based on IaaS and are (currently) still a member of your Active Directory Domain Services (ADDS) or Azure Active Directory Domain Services (AADDS). The good thing about selecting ADDS as your identity strategy is that you can fully reuse existing Group Policy Objects, login scripts, WMI filters et cetera that you might already have been using in an on-premises solution. Selecting AADDS as your identity strategy is ideal for organizations that are Cloud Based / Cloud Born and might not even have a traditional ADDS anymore.

What are the common challenges with Application landscapes and WVD today?
The previous chapter already provided the introduction to answering this question. Since the RD Session Host remains, you are still fully in control of this host. Installing, updating and making applications work is the most challenging and time-consuming task of any Application and Desktop delivery. This is the case on an RDS infrastructure and still applies to WVD. The reason is that we’re dealing with dozens and sometimes hundreds of different applications. These applications come from different vendors, each providing different installation and update guidelines. Many of them might never have been designed to run on a multi-user operating system, require specific registry settings or files in the user’s profile, or might even need elevated permissions to run. Having been in this space for years, I could write a book containing all of my adventures of getting applications to work in a Remoting Environment! When it comes down to the application landscape, you have a variety of options available today. A common approach is to use golden images. You install applications in an image and update your Session Collections or Host Pool by deploying an updated golden image. If different departments need to have access to a different set of applications, you require a set of different golden images that you need to manage and maintain. This could become a big management overhead in some use cases. Another option is to install applications into a single image and use FSLogix masking technology to hide and show a subset of applications based on departments or groups. The downside is that the golden image could potentially become too large to maintain. Streaming is also a commonly used option. This allows you to stream applications on demand. This does however require you to cache (part of) the applications, repackage them and maintain a complex Application Streaming infrastructure.
MSIX app attach brings a new method to the table and essentially allows you to attach an application to an OS, similar to Profile Containers. We started this paragraph by discussing how the RD Session Host remains in a WVD environment. That also means that the challenges we discussed also apply to any (existing) RDS environment on premises or in the cloud. So, if you currently run those environments, keep on reading, because MSIX app attach also adds value there.

What is MSIX?
MSIX is a Windows app package format. It provides a modern packaging experience for all kinds of Windows applications. With an MSIX package the functionality of existing app packages and/or install files remains, and it brings new, modern packaging and deployment features to Win32, WPF, and WinForm apps. Existing applications can also be converted into MSIX packages using the MSIX packaging tool. By offering an interactive user interface or command line to convert and package Windows apps, the MSIX packaging tool streamlines the packaging experience. The MSIX packaging tool can be found in the Microsoft Store.

Where did MSIX app attach come from?
MSIX app attach (until recently known by the codename App Attach) is based on several technology pieces that, combined, essentially allow you to attach an MSIX application stored on a central location. Using MSIX app attach, the application itself is completely detached from the operating system. You might be familiar with User Profile Disk (UPD), which has been part of RDS since Windows Server 2012. This allows you to store the entire user profile (basically everything under C:\users\<username>) inside a single .VHDX file and mount that file on the fly during the user’s logon. This solves the challenges of having to copy user profiles on each logon and logoff with the potential risk of profile corruption. With the acquisition of FSLogix, FSLogix Profile Containers is now the recommended profile solution for both RDS and WVD. The technology seems different, but FSLogix is based on Filter Driver Technology, which makes the attached profile seem entirely local to the OS and to the user. With FSLogix Profile Containers, the user experience is consistent for every logon and the size of the profile does not really matter anymore. A 500Mb Profile Container is mounted just as fast as a 2Gb Profile Container.

What is MSIX app attach?
MSIX app attach (as the name suggests) is based on a similar concept, where the application (stored in MSIX format on a central location) is attached to the operating system. After attaching, applications look and feel locally installed to the user as well as to the operating system. And based on Application Groups in WVD, applications can be made available instantly and without the need to deploy a new golden image. When combining FSLogix Profile Containers and MSIX app attach, the OS stays completely clean and data, profiles and applications are fully separated.

How does MSIX app attach work?
A requirement for MSIX app attach to work is obviously that the applications need to be in MSIX format. Newer applications are already available in this format, but that does not stop us from transforming an existing MSI into MSIX! For this example I’m using Notepad++. Using the MSIX packaging tool I converted the Notepad++ installer into an MSIX package. There are a couple of prerequisites that need to be in place prior to working with the MSIX packaging tool. For example, a signing certificate needs to be available. All the information needed for the installation and usage is available on Microsoft Docs.

As part of the packaging process we define the installer, in this case npp.7.7.1.Installer.exe, and a certificate we pre-created.


In order to create the MSIX package we need to define packaging information like a name, display name, publisher name and description. For the location we point to the location that we know Notepad++ will install in.


Once this step is completed, the Notepad++ installer is launched, and we can install and customize the application as needed, including providing any post-installation actions that we want to be part of the package. Upon completion the package is created, and a cleanup operation is automatically performed.

The end result is an MSIX package that we place on central storage. Since this is a lab environment, I’m using a simple File Share on my Domain Controller.


As a next step we convert the contents of the MSIX file into a VHD file per application and place those on the same File Share as well.


On the WVD host, in this case Windows 10 Enterprise Multi-Session, we can now MSIX app attach Notepad++ using the centrally stored .VHD file. Since this is a very early preview (currently not even Private Preview yet) we use a couple of manual PowerShell cmdlets to MSIX app attach Notepad++. You can probably imagine, however, that this can be integrated into WVD management, for example connected to an Application Group we can create in WVD.


The MSIX app attach process is superfast, it only takes a couple of seconds to complete. Since no application files need to be copied, the size of the operating system disk does not grow, and attaching a huge application is just as fast as Notepad++ in this example.

Although the magic is not so easy to capture in a static screenshot, the end result after Notepad++ has been MSIX app attach-ed is shown below:
  1. Notepad++ is available as a new application
  2. Notepad++ successfully launches
  3. To the OS and user, the location where Notepad++ resides is under C:\Program Files\WindowsApps
  4. The location is a mount path to the centrally stored VHD

“De-MSIX app attaching” (that has a nice ring to it!) the application is just as fast and easy; basically it reverts the steps that were taken during the MSIX app attach process.

The example above is based on a published Full Desktop in WVD. Obviously this MSIX app attach application can also easily be published as a RemoteApp in WVD. For example, the PowerShell cmdlet below publishes the application:

New-RdsRemoteApp -TenantName $tenantname -HostPoolName $hostpoolname  -AppGroupName $AppGroupName -Name "Notepad" -FilePath "C:\Program Files\WindowsApps\Notepad-WVD_1.0.3.0_x64__vcbnmdqcr7aap\notepad%2B%2B.exe"
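
The folder name in the path above is the MSIX package full name, and its last segment is the publisher ID that Windows derives from the Publisher string in the package manifest, which has to match the subject of the signing certificate. The following added example (not part of the original article and not Microsoft's tooling) recomputes that ID so an administrator can check that an attached package comes from the expected signer; the publisher name 'CN=Contoso Lab Code Signing' is a constructed placeholder, because the article does not state the subject of its lab certificate.

```powershell
# Added example: recompute the publisher ID that ends an MSIX package full name.
# The publisher DN used at the bottom is a constructed sample value.

function Get-MsixPublisherId {
    param([Parameter(Mandatory)][string]$Publisher)

    # SHA-256 over the UTF-16LE bytes of the Publisher string from AppxManifest.xml
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Publisher))
    }
    finally {
        $sha.Dispose()
    }

    # First 8 bytes as 64 bits, padded with one 0 bit to give 13 groups of 5 bits
    $bits = -join ($hash[0..7] | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    $bits += '0'

    # Each 5-bit group indexes this 32-character alphabet (no i, l, o, u)
    $alphabet = '0123456789abcdefghjkmnpqrstvwxyz'
    -join (0..12 | ForEach-Object {
        $alphabet[[Convert]::ToInt32($bits.Substring($_ * 5, 5), 2)]
    })
}

function ConvertFrom-MsixPackageFullName {
    param([Parameter(Mandatory)][string]$PackageFullName)

    # Name_Version_Architecture_ResourceId_PublisherId; ResourceId is often empty
    $parts = $PackageFullName -split '_'
    if ($parts.Count -ne 5) {
        throw "Not a package full name: $PackageFullName"
    }
    [pscustomobject]@{
        Name         = $parts[0]
        Version      = [version]$parts[1]
        Architecture = $parts[2]
        ResourceId   = $parts[3]
        PublisherId  = $parts[4]
    }
}

function Test-MsixPackagePublisher {
    param(
        [Parameter(Mandatory)][string]$PackageFullName,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    # True only when the ID in the full name was derived from the expected publisher DN
    $actual = (ConvertFrom-MsixPackageFullName $PackageFullName).PublisherId
    $actual -eq (Get-MsixPublisherId $ExpectedPublisher)
}

# Constructed publisher DN standing in for the subject of the lab signing certificate
$expectedPublisher = 'CN=Contoso Lab Code Signing'

# Package full name taken from the New-RdsRemoteApp path in the article
$fromArticle = 'Notepad-WVD_1.0.3.0_x64__vcbnmdqcr7aap'

ConvertFrom-MsixPackageFullName $fromArticle | Format-List
"Expected publisher ID: $(Get-MsixPublisherId $expectedPublisher)"
"Matches expected publisher: $(Test-MsixPackagePublisher $fromArticle $expectedPublisher)"
```

On a session host the full names to check can be taken from Get-AppxPackage, with the expected publisher set to the exact Publisher string used when the package was created.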

Concluding
As said before, although the technology used in this setup is not available for public or private preview yet, I hope this information provided an interesting and valuable look into what’s coming! To me, MSIX app attach is a very welcome new and exciting option to deal with application landscapes on WVD (and RDS).

Ignite 2019, Orlando!
If you are attending Microsoft Ignite 2019 in Orlando, be sure to catch some WVD / MSIX related sessions! There is also going to be a dedicated session regarding MSIX app attach. I will also be attending Microsoft Ignite 2019; if you want to meet up, feel free to send me a message using any of the contact info below!


Freek Berson Contact info: LinkedIn | Blog | Twitter | Email

Tuesday, August 20, 2019

Working with Windows Virtual Desktop Diagnostic information in a Web UI


Recently the diagnostics tool for Windows Virtual Desktop was introduced. This tool provides easier access to the diagnostic information of a WVD tenant. In particular it allows you to:
  • Look up diagnostic activities (management, connection, or feed)
  • Gather session host information for connection activities
  • Review virtual machine (VM) performance details
  • See which users are signed in to the session host, send messages and sign off users

Without the diagnostics tool, if you wanted to dive into diagnostic settings, PowerShell was needed. The example below shows how to query the diagnostic service using Get-RdsDiagnosticActivities.

Although there are many advantages to using PowerShell for such troubleshooting activities, also having a UI available, for example for your helpdesk, can be really beneficial. After installing the diagnostics tool for Windows Virtual Desktop we can get that same information, but now in an easily accessible web UI.

From this UI we can also interact with the user sessions by sending messages and initiating a user log off.
The perfmon counters configured as part of the Diagnostic tool deployment will also start to show in the UI as shown below.

This includes the relatively new counter that measures User Input Delay

For a step-by-step guide on how to add the Diagnostic tool to your existing Windows Virtual Desktop tenant visit Deploy the diagnostics tool


Thursday, August 8, 2019

Windows Virtual Desktop: users to customize display settings and new client install types!


The latest version of the Windows Virtual Desktop Client (1.2.241) for Windows comes with a couple of great new features!

Upon installation you can now decide if you want to do a per-user or per-device installation! This means the WVD Client can now also be installed by a user without local admin privileges.

Users are now able to customize the display settings they want from within the client! This includes settings related to multiple monitors, dynamic resolution and setting a specific resolution. These settings are stored on a per Published Desktop level, so you can also configure different settings for various published desktops you might have.

Also, since these settings are stored in the local registry it allows users to configure different settings on different devices they might own. The settings are stored in HKEY_CURRENT_USER\SOFTWARE\Microsoft\RdClientRadc\Feeds

You might know that the display settings, including various other .RDP properties, can also be configured on a per HostPool level by a Windows Virtual Desktop admin. For example, the command to disable multi-mon is:

Set-RdsHostPool -TenantName $tenantname -HostPoolName $hostpoolname -CustomRdpProperty "use multimon:i:0"

If display settings are configured on both a HostPool level by an admin as well as User Specified, the User Specified settings supersede the HostPool settings. In case both are not in place, the client default properties will be used.

Version 1.2.241 of the Windows Virtual Desktop Client is expected to become available to all users on August 13.

Tuesday, August 6, 2019

Using FIDO2 security keys with Windows Virtual Desktop!

A couple of weeks ago Microsoft introduced the public preview of FIDO2 security keys support in Azure Active Directory. More info on that announcement here:
Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in



Since Windows Virtual Desktop is based on Azure Active Directory for authentication, FIDO2 security keys can also be used to secure applications and desktops hosted on Windows Virtual Desktop (Preview).

I have configured this for my WVD lab environment, and I’m sharing the results in this blog post.

Setting up support for FIDO2 security keys for Azure Active Directory as an administrator is relatively easy. Go to the Azure Portal, browse to Azure Active Directory and under Security you will find the Authentication Methods blade.


Here you can enable FIDO2 security Key support.


A user can browse to myprofile.microsoft.com where he is able to add a security key.

In my case I added a Yubikey 5 NFC, which is a USB key with gesture support.

When I now log on to Windows Virtual Desktop (in this case using the Windows Client) I have the option to select Sign In with Windows Hello or security key.

It first asks me to enter my associated PIN.

And after that allows me to provide my gesture.


Upon doing that, the Windows Virtual Desktop client logs on and I have my applications and desktops available!


The same is obviously true for the HTML5 (Web) client that WVD also provides. The screenshot below shows logging on to the Web Client with the same security key.
This concludes my first test of Windows Virtual Desktop secured by a FIDO2 security key. More to come!





Tuesday, May 21, 2019

Azure Saturday Munich - recap!


On May 18th I presented a session at the Azure Saturday Event, hosted at the Microsoft HQ in Munich. I have presented there in the past, and it was great to be back again this year. Over 400 attendees attended this year’s event! Huge thanks and shout out to the organizers Benjamin Abt (@Abt_Benjamin), Thomas Janetscheck (@azureandbeyond) and Max Melcher (@maxmelcher) for their unlimited energy to make this event an awesome experience!

The organizers kicked off the event in the main hall of the Microsoft building.

Chris Heilmann opened the event with a keynote session on Building human interfaces powered by AI.















After that I presented my session on Windows Virtual Desktop. I covered the scenarios, use cases and technical architecture and performed a live demo of the admin and end user experience. I got a great crowd! Lots of interest in Windows Virtual Desktop and great interaction during and after the session. Thanks to everyone who joined my session!



With over 400 attendees, 26 sessions and 30 speakers it was an amazing community event! I hope to be back next year and hope to see you there!



Thursday, March 21, 2019

FSLogix for everyone!


Last November Microsoft announced the acquisition of FSLogix.

“…Office 365 ProPlus is currently the best Office experience, and, with FSLogix enabling faster load times for user profiles in Outlook and OneDrive, Office 365 ProPlus will become even more performant in multi-user virtual environments (including Windows Virtual Desktop)…”

The main question that was left behind was what the licensing model would be like. Integrated into a Microsoft 365 license or O365 license? What about on premises deployments? Is it only going to be available on Azure?

*** ANNOUNCED TODAY ***

FSLogix may be used when you have one of the following licenses:

· Microsoft 365 E3/A3
· Microsoft 365 E5/A5
· Microsoft F1, Business
· Windows 10 Enterprise E3/E5
· Windows 10 Education A3/A5
· Windows 10 VDA per user
· Remote Desktop Services (RDS) CAL

The entitlements that have been announced are not yet in effect. Currently this is expected to be around the June timeframe. In the meantime, FSLogix solutions can be used with a trial key that lasts well beyond June and without limitations in the product. Request trials here.

We could see the Windows 10 and Microsoft 365 statements coming, but it’s super great that RDS CAL is included in this! This basically means, FSLogix for everyone! And this is not limited to the FSLogix O365 container, it applies to the full suite: O365 Container, Profile Container, AppMasking and Java redirection!

In our opinion this is the best answer to all of the licensing questions and concerns out there! We can continue to have the best Office 365 experience whether it is On Premises, Azure IaaS or Windows Virtual Desktop!







Windows Virtual Desktop: Public Preview Available

As of today, Windows Virtual Desktop is available in Public Preview! Having been part of the private preview since the early releases of RDmi, it’s great to see it being available for everyone to test drive as part of the public preview!

To get started, follow this link for more information: https://www.microsoft.com/en-us/microsoft-365/blog/2019/03/21/windows-virtual-desktop-public-preview/

We can now also share some more details on the licensing of Windows Virtual Desktop. If you want to use Windows 10 Multi Session as the operating system, you can do so based on either of the following licenses

· Microsoft 365 E3/A3
· Microsoft 365 E5/A5
· Microsoft F1, Business
· Windows 10 Enterprise E3/E5
· Windows 10 Education A3/A5
· Windows 10 VDA per user

You can also use Windows Server as a “traditional” RD Session Host role for Windows Virtual Desktop. All you need in that case is

· Remote Desktop Services (RDS) CAL

To get started with Windows Virtual Desktop, check out this page: http://aka.ms/wvdpreview If you have questions or if you are looking for help setting up Windows Virtual Desktop, feel free to reach out!

You can expect follow-up articles here on setting up and using Windows Virtual Desktop!

If you are not yet familiar with Windows Virtual Desktop, the explanation below is how Microsoft describes the service.

“…Windows Virtual Desktop enables you to create a full desktop virtualization environment in your Azure subscription without having to run any additional gateway servers. You can publish as many host pools as you need to accommodate your diverse workloads. You can use the Windows Virtual Desktop PowerShell and REST interfaces to configure the host pools, create app groups, assign users, and publish resources. Once assigned, users can launch any Windows Virtual Desktop client to connect to their published Windows desktops and applications. Users are securely established through reverse connections to the service, so you never have to leave any inbound ports open. For ongoing maintenance of your Windows Virtual Desktop environment, you can use built-in delegated access to assign roles and collect diagnostics to understand various configuration or user errors…”
Source: Windows Virtual Desktop Guide.