MSIX Packaging Fundamentals

by Tim Mangan, Bogdan Mitrache & Kevin Kaminski

Fundamental Deployment Concepts

One of the big achievements of the first iteration of the Windows operating system was the ability to easily install applications on a desktop computer. By allowing non-technical consumers to install applications, Microsoft helped set in motion an era of consumer software development that still powers so much of our lives today.

The story behind the Windows application installation and deployment has been evolving ever since. One could characterize the rough and tumble marriage between Windows and applications as a struggle between ease of use (for the end user) on one hand, and unsustainable complexity of the underlying technologies and management practices on the other.

From the development of basic installers, to the MSI framework, and then application virtualization and containers, Windows has responded to the rising tide of problems attributed to application deployment and management. The most recent chapter in the story of application deployment, as already mentioned, is the MSIX application package format (“MSIX”).

One of the great improvements of MSIX is that the software installation process is almost entirely isolated from the device state, which significantly reduces the number of dependencies as well as the unintended consequences experienced with older installers.

According to Microsoft, MSIX delivers an impressive 99% installation success rate, making it one of the most predictable ways to deploy applications in modern environments.

The increased installation success rate and predictability of MSIX come with the added complexity of properly designing your unique MSIX deployment package. Microsoft has invested heavily in the technology to make sure it is suitable for a wide range of use cases, and as a result, there are a lot of customization options you need to be familiar with.

Fortunately, for those of you that are new to MSIX, the options can be highly managed, whereas for those of you with more experience, you have access to power user features through more hands-on methods.

MSIX packages support not only installation and uninstallation, but also additional features:

  • Support for upgrade/downgrade scenarios.
  • Support for add-on packages (modification packages containing application configuration or plug-in modules).
  • Support for referencing required external packages, such as framework or VC library packages.
  • Support for referencing needed external drivers that can be triggered for installation by installing this package.

Support for installing MSIX application packages is built directly into the operating system; however, different methods may be used to distribute and install packages, depending on the customer requirements:

MSIX Deployment

While the core of the Windows Operating System includes system level components that ultimately are responsible for installing the package, the OS also comes with many different built-in utilities and tools that are used during deployment.

Different approaches to deploy MSIX packages will use different combinations of these components and utilities, and the previous diagram attempts to show the most common scenarios.

Some of these scenarios use new file types that we have not previously discussed, so before we start covering the deployment scenarios, we should discuss these file types.

Deployment File Types for MSIX

  • “.msix” and “.appx”. The MSIX file format for “.msix” files was discussed previously, in “The MSIX Package Layout”. The overall format is shared by both .appx and .msix packages, with differences in the AppXManifest file that make the package a UAP or an MSIX package. In fact, most of the utilities used to install the package don’t care which of these two formats is used.
  • “.msixbundle” and “.appxbundle”. Additionally, these OS utilities also support the “bundle” formats “.appxbundle” and “.msixbundle”. The bundle is also a compressed file with a manifest, but it contains multiple .appx or .msix packages. The manifest provides information used by the installer to determine which of the internal packages to deploy. For example, separate packages might be present for x86 and x64, for separate localizations (languages), or for different operating systems (Windows versus Android).
  • The “Store License” file. Packages in the Microsoft Store require a license file. This even includes the free packages in the store. The license file comes in two forms: XML and a binary format. When an end-user is acquiring apps from the Microsoft Store directly, the license file comes down with the package in the background and is not seen by the end-user. In scenarios where these packages are acquired centrally for deployment, the Administrator may need to deal with this file also. In addition to providing store-based licensing protections, this file is also used to help with the detection and application of updates to the package version.
  • The “App Installer” file. The App Installer file is an additional XML file used for certain types of deployment, especially when the MSIX package is hosted on a website. This file usually points to the MSIX file, but also enables updates when used to deploy the package outside of the Microsoft Store.
  • VHD/CimFs. Used with MSIX AppAttach, MSIX files can be converted to VHD files and mounted for fast deployment in VDI-like scenarios. CimFs, a new read-only disk format for better performance, is expected to replace the use of VHD at some point.

Configuration Manager and MSIX Deployment

Configuration Manager has a long and distinguished history of managing Windows devices with application management as one of its many capabilities.

For sure, many of you are aware that managing applications on Windows 10 devices comes in different forms. Configuration Manager on its own provides multiple ways to install MSIX applications on a device, and it is important to point out that there are also cloud-based MSIX application management options that you can explore.

When Configuration Manager is in a hybrid-cloud configuration, known as co-management, it is possible to have Intune handle MSIX applications on the same device.

This section focuses exclusively on distributing MSIX packages with Configuration Manager and its underlying infrastructure. There are two main paths you can follow to publish an MSIX package through Configuration Manager.

Which path you choose depends on how the application source is acquired. With MSIX, if the application is in the Windows Store, then it makes sense to use that solution with Configuration Manager. Otherwise, you might have a set of application source files that need to be loaded directly into Configuration Manager.

With that caveat out of the way, the first way to distribute an MSIX package assumes that you have an offline copy of the application that can be loaded into the Configuration Manager for distribution.

While using Windows Store is the preferred method for handling the distribution of modern applications, there are times (e.g., distributing internally repackaged software) when the store model isn’t suitable because it is more rigid and that can add significant delays to the publishing process.

Having the MSIX package file offers more control over the delivery of MSIX applications, but consider the following.

Paid apps from the store are not supported for offline installation via Configuration Manager. For repackaged software this is likely not an issue but for purchased software you may need to integrate Configuration Manager with your Windows Store for Business.

| Capability | Offline apps | Online apps |
|---|---|---|
| Synchronize app data to Configuration Manager | Yes | Yes |
| Create Configuration Manager applications from store apps | Yes | Yes |
| Support for free apps from the store | Yes | Yes |
| Support for paid apps from the store | No | Yes* |
| Support required deployments to user or device collections | Yes | Yes |
| Support available deployments to user or device collections | Yes | Yes |
| Support line-of-business apps from the store | Yes | Yes |
| Provision a store app for all users on a device | Yes** | Yes** |

* Support begins with Windows 10 1703
** Requires a minimum of Configuration Manager 1806

Comparison between online and offline support for MSIX capabilities in Configuration Manager

In situations where you need to distribute repackaged software within the organization, you could use the offline installation approach, loading the package directly into Configuration Manager as an application object with source files.

With this approach, you can take advantage of Configuration Manager’s distribution point servers and trigger the distribution of the package across the network.

First, go to the Software Library workspace in the Configuration Manager console. Next, expand Application Management, and right click Applications. Finally, select Create Application.

Create an application from the Software Library workspace

On the General page, change the Type field to “Windows app package” and locate the MSIX package you want to install by clicking the “Browse…” button.

Create an application from the Software Library workspace

The process is simple for standalone applications. But, for applications that have dependencies, it is more complicated because you need to individually add application dependencies to the Configuration Manager and then link them to the main application object.

Another important thing you need to consider is whether the application is installed for a specific user or for all users.

Note: Be sure to look for the “Provision this application for all users on the device” checkbox further on in the creation process.

Traditionally, Configuration Manager uses the application deployment targeting to determine if the application should be installed for all users of a machine or only for a specific user. With MSIX this behavior is controlled by the checkbox.

Many organizations are interested in knowing if they can distribute packages to machines outside of the corporate network. The quick answer is yes -- if they are managed using the Cloud Management Gateway or Intune. The Cloud Management Gateway is where Configuration Manager uses Azure Services to manage clients that are not connected to the corporate network.

Intune can complement Configuration Manager for deploying applications in a Co-Management configuration, which is going to be covered in the next chapter.

The second way to install an MSIX package with Configuration Manager is to link directly to an application in the public Windows Store. From there, you can download an application with all its dependencies straight into your device using the Windows Store. But this delivery method offers very light management of the application installation.

The application is then delivered to devices by leveraging the Windows Store client on the device and the Windows Store cloud service to distribute the applications to devices.

Here's how to achieve that:

  • In the Configuration Manager console, create a new application object.
  • Then, from the General page, select “Windows app package (in the Windows Store)” in the Type field.
  • Next, select the “Browse…” button and log in with a Microsoft account (not your work account) and search for the application.

Install an application from the public Windows Store

Once you’ve selected the application and returned from the Windows Store, the Location field will have a link to the application.

The Application Location field contains a link to the Windows Store

In the third case, you can use the private Microsoft Store for Business to distribute an MSIX package. In this scenario the Windows Store for Business is used to acquire and load applications for deployment with Configuration Manager. There are a number of requirements that you must adhere to in order to successfully deploy through a private Microsoft Store for Business.

First, Microsoft Store for Business must be added as an Azure Service to Configuration Manager. Second, the synchronization must be active and error free before you can begin. In the image below, Microsoft Store for Business has been configured as an Azure Service.

Configure private Windows Store for Business as an Azure Service

Applications will be brought across into the Configuration Manager Console upon successful synchronization with the store.

Note: When you initially synchronize an application through Microsoft Store for Business, it is classified as a License. Therefore, look for it in Application Management > License Information for Store Apps.

To finish the process, you need to create an application from the license.

- First, right click a license and select Create Application.

Create an application from an available license in License Information for Store Apps

- The create application wizard will walk you through the steps of creating the application, which is mostly inputting metadata about the application.

Now that you have completely synchronized an application from Windows Store to a private Microsoft Store for Business, expect Configuration Manager to synchronize every 30 minutes.

While this interval is sufficient for most situations, there may be occasions where you need to manually initiate a synchronization for troubleshooting or prototyping purposes. When you need to manually synchronize an application, use the following workflow:

  1. Open the Configuration Manager console.
  2. Go to the Administration workspace.
  3. Expand Azure Services.
  4. Right click the Microsoft Store for Business node you already configured.
  5. Select Synchronize with the store.

Note: Configuration Manager limits manual synchronization to once every ten minutes. If you attempt another synchronization before the 10 minutes have passed, the request will be denied.

Once you have configured applications in Microsoft Store for Business, you are going to need to troubleshoot the synchronization between Windows Store and your Microsoft Store for Business regularly.

The first step is to locate the synchronization status for your Microsoft Store for Business in the Configuration Manager console.

Under Administration > Azure Services, select your Microsoft Store for Business service. The details section will then display the properties of that service, one of which is “Last Sync Status”. Below, we can see a “Failed” synchronization status.

Identify a failed application synchronization in Microsoft Store for Business

If there is a synchronization problem, start your investigation by evaluating the following logs on the site server. You can use the order presented below:

  1. WSfbSyncWorker.log
  2. SMS_CLOUDCONNECTION.log

It is important to point out that in this scenario with the Windows Store the content for the applications is downloaded to the site server then replicated to distribution points for installation by client devices. The other method that uses MSIX packages with distribution points is when you supply the MSIX file directly to a Configuration Manager application object.

As mentioned at the onset, when the Configuration Manager is in a co-management configuration, applications can be delivered using Intune. In this configuration, the client device can leverage the application management investment that was made with Configuration Manager while having the option of performing application management functions from Intune.

So, let’s proceed to the next chapter where we can explore MSIX packages delivered via Intune.

Using Intune with MSIX

Before diving straight into Intune, let's illustrate the broad support MSIX receives across a wide range of enterprise use cases which includes more purpose-built devices such as the Surface Hub and Hololens.

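| App type | LOB: APPX/MSIX | MSFB Offline | MSFB Online | Store Link |
|---|---|---|---|---|
| Home | Yes | Yes | Yes | Yes |
| Pro | Yes | Yes | Yes | Yes |
| Business | Yes | Yes | Yes | Yes |
| Enterprise | Yes | Yes | Yes | Yes |
| Education | Yes | Yes | Yes | Yes |
| S-Mode | Yes | Yes | Yes | Yes |
| HoloLens1 | Yes | Yes | RS4+ | Yes |
| Surface Hub | Yes | Yes | No | Yes |
| WCOS | Yes | Yes | Yes | Yes |
| Mobile | Yes | Yes | Yes | Yes |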

Modern application formats and Intune capabilities

The good news is that Intune provides similar options to distribute MSIX applications as Configuration Manager. In this section, I will cover three key scenarios for installing MSIX applications with Intune:

  • MSIX uploaded to Intune
  • MSIX from a public store
  • MSIX from a private store

That being said, before you can load an application to Intune, you need to consider how the limitations of Intune affect the way you deploy the application. Intune is a cloud-based service with its own unique limitations that must be understood.

The main limitation is that package file size must be less than 30GB. This was a recent improvement over the previous limit of 8GB.

For those cases where you need to upload and distribute your own MSIX package to Intune, you can create a Line-of-business app object in the Intune console. When the package is loaded, it is scanned for dependencies which are then listed in the Intune console.

Uploading an MSIX package to Intune automatically detects dependencies

If the reported dependencies are not present in the main package, you should upload them at the prompt, or the application may not run correctly when delivered to the user.

For those cases where you need to create an MSIX application from the public Windows Store, Microsoft has developed a prescribed process for adding a public store application to Intune.

The first step is locating the application in the public store through a browser. Once you’ve located the application, copy the URL to the application from your browser’s URL field and paste it into the Intune console.

Enter the application URL into the Intune Console

This URL must also be entered into the Appstore URL field of the Intune application object.

Enter the Windows Store application URL into the Appstore URL field

Also fill in the Publisher field, since it is a required field.

You can synchronize Intune and Windows Store with Microsoft Store for Business, which makes regular publishing less fragile because it eliminates a lot of data entry errors that occur when creating the application object from the public store.

Additionally, paid applications can be purchased in bulk through the synchronization mechanism, a feature which greatly simplifies license management.

Microsoft has published a workflow to integrate Intune and Microsoft Store for Business and it comes with considerable effort up front to get it working. The good news is that once the configuration is complete, applications that exist in Microsoft Store for Business will automatically replicate to your Intune tenant.

For those situations where you need to manually trigger the synchronization, you can trigger it in the Intune console, like you can with the Configuration Manager.

To trigger a synchronization, open the Microsoft Store for Business blade located in the Tenant administration portal and then open the “Connectors and tokens” page. From there, you can view the status of the synchronization and the last synchronization timestamp (see the figure below).

To sync with Microsoft Store for Business, click the Sync button.

Manually synchronize Intune applications with Microsoft Store for Business

As with Configuration Manager, Intune supports Delivery Optimization in Windows 10 to allow for peer sharing of application content. To enable this functionality, a device configuration profile must be created in the Intune console and targeted at client devices to allow content sharing. Devices on the same local network can then use each other to speed up download times while offloading the Internet connection.

VDI Meets MSIX with App Attach

A common use case seen in some customers is to use datacenter hosted operating systems, either in private data centers or in the cloud. Often these operating systems are set up generically and applications are added dynamically based on the logged on user. The implementation may be either VDI or a shared operating system, but in either case after signing into the OS the end-user must wait for the apps to be ready. MSIX App Attach significantly reduces this wait time, getting the applications into a usable state more rapidly.

App Attach delivers the fastest provisioning experience for MSIX applications in a stateless VDI environment. Some preliminary performance numbers comparing the provisioning time of a scripted standard installation of MSIX packages with pre-release versions of MSIX AppAttach can be found on Tim Mangan’s blog.

Keep in mind that the operating system, the packages, plus the user and application state information stores are managed through different techniques to allow for the dynamic composition of a virtual machine when a user logs in, and all parts need to be in place for the user to become productive.

More specifically, App Attach mounts MSIX applications at logon without requiring a full application installation. Instead, the application shell integrations are performed so that the application appears installed to the end-user.

When the application is in use, only the required blocks of data are copied to the virtual machine - bypassing a lengthy installation process of copying all the application payload to the virtual machine. Furthermore, the block-level single instance recognition of MSIX avoids streaming and storing application blocks that are common to other packages.

This approach is recommended because it lowers costs by reducing data storage and improves governance practices by providing a uniform way to install applications across all virtual machines in a pool.

The MSIX applications are attached as *.vhd or virtual hard disk files meaning that the application host operating system must have the Hyper-V feature installed to do this action. Hyper-V can easily be enabled with the following PowerShell command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

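Importantly, you need to disable four update services that affect applications. The first is Windows Update, which you can disable with the command below. It is written as sc.exe because in Windows PowerShell sc is an alias for Set-Content:

sc.exe config wuauserv start= disabled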

Second, you need to disable Windows Store updates. To do that, use the “reg” command:

reg add HKLM\Software\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 0 /f

Third, disable the Automatic app update scheduled task with the following two commands:

Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Automatic app update" /Disable
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

And finally, the application host also needs to have Content Delivery auto download disabled.

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug /v ContentDeliveryAllowedOverride /t REG_DWORD /d 0x2 /f
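
The following is an added example, not part of the ebook or of Microsoft's guidance: a read-only PowerShell audit that confirms the Hyper-V feature and the four update settings above actually took effect on a host image. The helper names New-Check and Get-RegValue are made up for this example; the service, registry and task names are the ones given above.

```powershell
# Added example: read-only audit of the App Attach host preparation steps.
# Run in an elevated PowerShell session. Nothing on the host is changed.

function New-Check($Name, $Expected, $Actual) {
    [pscustomobject]@{
        Check    = $Name
        Expected = "$Expected"
        Actual   = if ($null -eq $Actual) { '<not set>' } else { "$Actual" }
        Pass     = ($null -ne $Actual -and "$Actual" -eq "$Expected")
    }
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$wu     = 'Microsoft\Windows\WindowsUpdate'
$cdm    = 'Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
$checks = @()

# Hyper-V feature, enabled so that the VHD files can be mounted.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
$checks += New-Check 'Feature Microsoft-Hyper-V' 'Enabled' $feature.State

# 1. Windows Update service start type.
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$checks += New-Check 'Service wuauserv StartType' 'Disabled' $svc.StartType

# 2. Windows Store automatic download policy.
$value = Get-RegValue 'HKLM:\Software\Policies\Microsoft\WindowsStore' 'AutoDownload'
$checks += New-Check 'HKLM WindowsStore\AutoDownload' 0 $value

# 3. The two WindowsUpdate scheduled tasks. A task that does not exist on
#    this build is reported as '<not set>' so that it gets looked at.
foreach ($task in 'Automatic app update', 'Scheduled Start') {
    $t = Get-ScheduledTask -TaskPath "\$wu\" -TaskName $task -ErrorAction SilentlyContinue
    $checks += New-Check "Task \$wu\$task" 'Disabled' $t.State
}

# 4. Content Delivery auto download. The HKCU value belongs to the user
#    running this script; other profiles on the host are not covered.
$value = Get-RegValue "HKCU:\$cdm" 'PreInstalledAppsEnabled'
$checks += New-Check 'HKCU ContentDeliveryManager\PreInstalledAppsEnabled' 0 $value
$value = Get-RegValue "HKLM:\$cdm\Debug" 'ContentDeliveryAllowedOverride'
$checks += New-Check 'HKLM ContentDeliveryManager\Debug\ContentDeliveryAllowedOverride' 2 $value

$checks | Format-Table -AutoSize -Wrap

$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) differ from the values given above."
}
```

Because Windows Update is switched off on these hosts, patching has to happen in the image itself; rerunning the audit after each image rebuild shows whether a servicing step has re-enabled any of the settings.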

Once you have completed the above steps, the host operating system is configured, and you can prepare your applications for App Attach. While this can be done through a command line, you can use MSIX Hero, a freeware utility. The MSIX Hero team have created a graphical MSIX to VHD package conversion utility that works great.

Publishing requires the correct certificates to be present on the application host virtual machines. As such, it is a best practice to place these certificates in the operating system image so that they are immediately present when applications mount.

The virtual machines will require SMB file share access to the VHD files and the computer accounts will require read-only rights. Always try to run the latest version of the SMB protocol to ensure the best performance and security.
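
The following is an added example, not part of the ebook or of Microsoft's guidance: a read-only pre-flight check for the certificate and file share requirements above, run on an application host before any package is staged. $PackagePath (the signed .msix that was converted to VHD) and $VhdSharePath (the UNC folder holding the VHD files) are hypothetical parameters; the certificate stores inspected and the SMB 3.0 threshold are assumptions of this example.

```powershell
# Added example: pre-flight check of package trust and VHD share access.
# Read-only; run it on an App Attach host under an account that can read the share.
param(
    [Parameter(Mandatory)][string]$PackagePath,    # hypothetical: signed .msix
    [Parameter(Mandatory)][string]$VhdSharePath    # hypothetical: \\server\share\folder
)

# --- 1. Package signature and signer certificate ---------------------------
$sig    = Get-AuthenticodeSignature -FilePath $PackagePath
$signer = $sig.SignerCertificate
if (-not $signer) { throw "No signature found on $PackagePath" }

# Local machine stores that already hold the signer certificate itself.
$stores = 'Root', 'CA', 'TrustedPeople', 'TrustedPublisher' | Where-Object {
    Test-Path "Cert:\LocalMachine\$_\$($signer.Thumbprint)"
}

# Does the certificate chain to a root this host trusts?
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # keeps the check offline
$chainOk = $chain.Build($signer)

[pscustomobject]@{
    SignatureStatus = $sig.Status
    Subject         = $signer.Subject
    Thumbprint      = $signer.Thumbprint
    NotAfter        = $signer.NotAfter
    Expired         = ($signer.NotAfter -lt (Get-Date))
    Timestamped     = [bool]$sig.TimeStamperCertificate
    ChainTrusted    = $chainOk
    FoundInStores   = ($stores -join ', ')
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': check that the signing certificate is in the image."
}

# --- 2. SMB dialect negotiated with the VHD share --------------------------
$server = ([uri]$VhdSharePath).Host
$null = Get-ChildItem -Path $VhdSharePath -ErrorAction Stop | Select-Object -First 1
foreach ($conn in Get-SmbConnection -ServerName $server) {
    "{0}\{1} negotiated SMB {2}" -f $conn.ServerName, $conn.ShareName, $conn.Dialect
    if ([version]$conn.Dialect -lt [version]'3.0') {
        Write-Warning "SMB dialect $($conn.Dialect) is older than 3.0."
    }
}

# --- 3. NTFS entries on the share folder that allow writing ----------------
# The computer accounts only need read access, so every row listed here
# should be an administrative identity. Share-level permissions and
# generic-rights ACEs are not evaluated by this check.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $VhdSharePath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $write)) -ne 0
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```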

To tie everything together requires four final PowerShell scripts that manage the following activities with App Attach.

  • A startup script that runs the stage script
  • A logon script that runs the register script
  • A logoff script that runs the deregister script
  • A shutdown script that runs the destage script

Microsoft has guidance on customizing these files to suit your configuration. Once these files have been tested, create a GPO and add the PowerShell files to the various script events and target your virtual machines with it. Because of the special needs of VDI machines they rarely share many of the same Group Policy objects that desktops and laptops would use.

Usually virtual machines predetermined for this role would exist within their own organizational unit in the Active Directory, where all the relevant policies for the device are targeted.

MSIX and App Center

The intention of including App Center in this book is to build awareness for the IT Pro because, especially when developers drive internal application processes, it may not always be clear what tools should be used to prototype applications in an enterprise environment. Sometimes, developers are not necessarily aware of the App Center and how it can be used to help enhance their experience in building line-of-business applications.

Microsoft’s App Center is a solution for rapidly building, deploying, and testing MSIX and other modern applications. The framework is designed for developers who need to quickly prototype beta code in a production environment while gaining access to important analytics from the application.

At a first glance, many of the management tools for MSIX installation appear to overlap our present goal of managing MSIX packages. Unfortunately, the App Center is not intended as a production solution for application management and should only be used with limited users.

Development and testing with the App Center is encouraged with prototyping application releases. But when your application releases are stable, it's good to sign your code and use one of the other delivery methods available for MSIX packages.
