Wednesday, October 16, 2019

MSIX app attach will fundamentally change working with application landscapes on Windows Virtual Desktop!


In this article I want to explain why I believe this to be true, cover what MSIX app attach is and how it uses MSIX technology to empower administrators when dealing with applications and images for Windows Virtual Desktop.

Full disclosure: MSIX app attach is not publicly available yet and this article is based on pre-private preview technology and testing to give you a sneak peek at what’s coming.

Reiterating on Windows Virtual Desktop
September 30 marks a long-awaited day: Windows Virtual Desktop (WVD) reached general availability! Having been actively involved since the very early previews almost 2 years ago, it’s great to finally see the service become available for production usage! The excitement and interest for WVD is huge. When you take a closer look at all the advantages WVD brings to the table, you’ll know why. To name a few, it allows you to deliver Applications and Desktops from the Azure Cloud based on a PaaS service. It’s based on Azure Active Directory (AAD), which means you can instantly leverage Conditional Access, MFA and all other benefits that come with AAD. It provides multi-tenancy, an RBAC model and full separation between the WVD services and your hosts based on Reverse Connect. And, last but not least, it comes with Windows 10 Enterprise Multi-Session, allowing you to publish applications and desktops based on a client OS (Windows 10) and allowing multiple users to connect to the same instance to share resources and costs. This means you get the full Windows 10 look & feel, modern applications and the ability to reuse existing Application Packages that you might have in use for local clients. Best of both worlds if you ask me! For more information about WVD visit aka.ms/wvd

What did WVD change in terms of management?
As outlined in the previous paragraph, Windows Virtual Desktop makes Application and Desktop publishing a lot easier to deploy. With traditional RDS, many of the infrastructure roles like RD Connection Broker, RD Gateway, RD Web Access et cetera require IaaS. Installing, configuring and maintaining these roles not only requires an in-depth understanding of how they work, there is also a lot of work involved in creating a highly available and production-ready environment. Even though many of the steps to deploy an RDS environment in Azure can be automated using Azure Resource Manager templates and PowerShell extensions, there is still a lot of knowledge and maintenance required. With WVD, the infrastructure components are transformed to Azure PaaS. This means that RD Connection Broker, RD Gateway, RD Web Access et cetera are now part of the WVD service and therefore managed for you by Microsoft. What remains, for obvious reasons, is the RD Session Host role. This is the role where users log on and consume your applications and your data. The machines that run this role in a WVD environment are still based on IaaS and are (currently) still a member of your Active Directory Domain Services (ADDS) or Azure Active Directory Domain Services (AADDS). The good thing about selecting ADDS as your identity strategy is that you can fully re-use existing Group Policy Objects, login scripts, WMI filters et cetera that you might already have been using in an on-premises solution. Selecting AADDS as your identity strategy is ideal for organizations that are Cloud Based / Cloud Born and might not even have a traditional ADDS anymore.

What are the common challenges with Application landscapes and WVD today?
The previous chapter already provided the introduction to answering this question. Since the RD Session Host remains, you are still fully in control of this host. Installing, updating and making applications work is the most challenging and time-consuming task of any Application and Desktop delivery. This is the case for an RDS infrastructure and still applies to WVD. The reason is that we’re dealing with dozens and sometimes hundreds of different applications. These applications come from different vendors, each providing different installation and update guidelines. Many of them might never have been designed to run on a multi-user operating system, require specific registry settings or files in the user’s profile, or might even need elevated permissions to run. Having been in this space for years, I could write a book containing all of my adventures of getting applications to work in a Remoting Environment! When it comes down to the application landscape, you have a variety of options available today. A common approach is to use golden images. You install applications in an image and update your Session Collections or Host Pool by deploying an updated golden image. If different departments need to have access to a different set of applications, you require a set of different golden images that you need to manage and maintain. This could become a big management overhead in some use cases. Another option is to install applications into a single image and use FSLogix masking technology to hide and show a subset of applications based on departments or groups. The downside is that the golden image could potentially become too large to maintain. Streaming is also a commonly used option. This allows you to stream applications on demand. This does however require you to cache (part of) the applications, repackage them and maintain a complex Application Streaming infrastructure.
MSIX app attach brings a new method to the table and essentially allows you to attach an application to an OS, similar to Profile Containers. We started this paragraph by discussing how the RD Session Host remains in a WVD environment. That also means that the challenges we discussed also apply to any (existing) RDS environment on premises or in the cloud. So, if you currently run those environments, keep on reading, because MSIX app attach also adds value there.

What is MSIX?
MSIX is a Windows app package format. It provides a modern packaging experience for all kinds of Windows applications. With an MSIX package the functionality of existing app packages and/or install files remains, and it brings new, modern packaging and deployment features to Win32, WPF, and WinForm apps. Existing applications can also be converted into MSIX packages using the MSIX packaging tool. By offering an interactive user interface or command line to convert and package Windows apps, the MSIX packaging tool streamlines the packaging experience. The MSIX packaging tool can be found in the Microsoft Store.

Where did MSIX app attach come from?
MSIX app attach (until recently still known under the codename App Attach) is based on several technology pieces that, combined, essentially allow you to attach an MSIX application stored on a central location. Using MSIX app attach, the application itself is completely detached from the operating system. You might be familiar with User Profile Disk (UPD), which has been part of RDS since Windows Server 2012. This allows you to store the entire user profile (basically everything under C:\users\<username>) inside a single .VHDX file and mount that file on the fly during the user’s logon. This solves the challenges of having to copy user profiles on each logon and logoff with the potential risk of profile corruption. With the acquisition of FSLogix, FSLogix Profile Containers is now the recommended profile solution for both RDS and WVD. The technology seems different, but FSLogix is based on Filter Driver Technology, which makes the attached profile seem entirely local to the OS and to the user. With FSLogix Profile Containers, the user experience is consistent for every logon and the size of the profile does not really matter anymore. A 500Mb Profile Container is mounted just as fast as a 2GB Profile Container.

What is MSIX app attach?
MSIX app attach (as the name suggests) is based on a similar concept, where the application (stored in MSIX format on a central location) is attached to the operating system. After attaching, applications look and feel locally installed to the user as well as to the operating system. And based on Application Groups in WVD, applications can be made available instantly and without the need to deploy a new golden image. When combining FSLogix Profile Containers and MSIX app attach, the OS stays completely clean and data, profiles and applications are fully separated.

How does MSIX app attach work?
A requirement for MSIX app attach to work is obviously that the applications need to be in MSIX format. Newer applications are already available in this format, but that does not stop us from transforming an existing MSI into MSIX! For this example I’m using Notepad++. Using the MSIX packaging tool I converted the Notepad++ installer into an MSIX package. There are a couple of prerequisites that need to be in place prior to working with the MSIX packaging tool. For example, a signing certificate needs to be available. All the information needed for the installation and usage is available on Microsoft Docs.

As part of the packaging process we define the installer, in this case npp.7.7.1.Installer.exe, and a certificate we pre-created.


In order to create the MSIX package we need to define packaging information like a name, display name, publisher name and description. For the location we point to the location that we know Notepad++ will install in.


Once this step is completed, the Notepad++ installer is launched, and we can install and customize the application as needed, including providing any post-installation actions that we want to be part of the package. Upon completion the package is created, and a cleanup operation is automatically performed.

The end result is an MSIX package that we place on central storage. Since this is a lab environment, I’m using a simple File Share on my Domain Controller.


As a next step we convert the contents of the MSIX file into a VHD file per application and place those on the same File Share as well.


On the WVD host, in this case a Windows 10 Enterprise Multi-Session, we can now MSIX app attach Notepad++ using the centrally stored .VHD file. Since this is a very early preview (currently not even Private Preview yet), we use a couple of manual PowerShell cmdlets to MSIX app attach Notepad++. You can probably imagine, however, that this can be integrated into the WVD management, for example connected to an Application Group we can create in WVD.


The MSIX app attach process is superfast; it only takes a couple of seconds to complete. Since no application files need to be copied, the size of the operating system disk does not grow, and attaching a huge application is just as fast as Notepad++ in this example.

Although the magic is not so easy to capture in a static screenshot, below shows the end result after Notepad++ has been MSIX app attach-ed:
  1. Notepad++ is available as a new application
  2. Notepad++ successfully launches
  3. To the OS and user, the location where Notepad++ resides is under C:\Program Files\WindowsApps
  4. The location is a mount path to the centrally stored VHD

The “De MSIX app attaching” (that has a nice ring to it!) of the application is just as fast and easy; basically it reverses the steps taken during the MSIX app attach process.

The example above is based on a published Full Desktop in WVD. Obviously this MSIX app attach application can also easily be published as a RemoteApp in WVD. As an example, the PowerShell cmdlet below publishes the application.

New-RdsRemoteApp -TenantName $tenantname -HostPoolName $hostpoolname  -AppGroupName $AppGroupName -Name "Notepad" -FilePath "C:\Program Files\WindowsApps\Notepad-WVD_1.0.3.0_x64__vcbnmdqcr7aap\notepad%2B%2B.exe"
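
The folder under C:\Program Files\WindowsApps used in -FilePath above is the package full name, which can be derived from the MSIX file before it is converted and attached. The following is an added example, not code from the original post: it checks the package signature, reads the identity from AppxManifest.xml and builds that name using the publicly described publisher-ID derivation. The function names and the sample share path are hypothetical; compare the output with Get-AppxPackage on a test host before relying on it.

```powershell
# Added example (not from the original post); function names and sample path are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixPublisherId {
    param([Parameter(Mandatory)][string]$Publisher)
    # SHA-256 over the UTF-16LE publisher string; keep the first 8 bytes (64 bits).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Publisher)) }
    finally { $sha.Dispose() }
    $bits = -join ($hash[0..7] | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    # Pad to 65 bits and encode as 13 base32 characters of 5 bits each.
    $bits = $bits.PadRight(65, '0')
    $alphabet = '0123456789abcdefghjkmnpqrstvwxyz'
    -join (0..12 | ForEach-Object { $alphabet[[Convert]::ToInt32($bits.Substring($_ * 5, 5), 2)] })
}

function Get-MsixPackageInfo {
    param([Parameter(Mandatory)][string]$Path)
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Refuse packages whose signature does not validate on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${Path}: $($sig.Status)" }

    # An MSIX file is a ZIP container; the package identity lives in AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "No AppxManifest.xml in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }

    $id = $manifest.Package.Identity
    $publisher = $id.GetAttribute('Publisher')
    $arch = $id.GetAttribute('ProcessorArchitecture')
    if (-not $arch) { $arch = 'neutral' }
    # Full name: Name_Version_Architecture_ResourceId_PublisherId (ResourceId is usually empty).
    $fullName = '{0}_{1}_{2}_{3}_{4}' -f $id.GetAttribute('Name'), $id.GetAttribute('Version'),
        $arch, $id.GetAttribute('ResourceId'), (Get-MsixPublisherId -Publisher $publisher)
    [pscustomobject]@{
        PackageFullName   = $fullName
        ManifestPublisher = $publisher
        SignerSubject     = $sig.SignerCertificate.Subject
        InstallFolder     = Join-Path 'C:\Program Files\WindowsApps' $fullName
    }
}

# Hypothetical package on the lab file share:
# Get-MsixPackageInfo -Path '\\dc01\msix\Notepad-WVD.msix'
```

ManifestPublisher and SignerSubject are returned side by side so a mismatch between the manifest and the signing certificate is visible before the package reaches the central share.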

Concluding
As said before, although the technology used in this setup is not available for public or private preview yet, I hope this information provided an interesting and valuable look into what’s coming! To me, MSIX app attach is a very welcome new and exciting option to deal with application landscapes on WVD (and RDS).

Ignite 2019, Orlando!
If you are attending Microsoft Ignite 2019 in Orlando, be sure to catch some WVD / MSIX related sessions! There is also going to be a dedicated session regarding MSIX app attach. I will also be attending Microsoft Ignite 2019; if you want to meet up, feel free to send me a message using any of the contact info below!

Update Oct 21: Sign up for the MSIX app attach preview here!

Freek Berson Contact info: LinkedIn | Blog | Twitter | Email