VDI Meets MSIX with App Attach

A common use case seen in some customers is to use datacenter hosted operating systems, either in private data centers or in the cloud. Often these operating systems are set up generically and applications are added dynamically based on the logged on user. The implementation may be either VDI or a shared operating system, but in either case after signing into the OS the end-user must wait for the apps to be ready. MSIX App Attach significantly reduces this wait time, getting the applications into a usable state more rapidly.

App Attach delivers the fastest provisioning experience for MSIX applications in a stateless VDI environment. Some preliminary performance numbers on provisioning time between scripted standard installation of MSIX packages versus pre-release versions of MSIX AppAttach may be seen at Tim Mangan Blog.

Keep in mind that the operating system, the packages, plus the user and application state information stores are managed through different techniques to allow for the dynamic composition of a virtual machine when a user logs in, and all parts need to be in place for the user to become productive.

More specifically, App Attach mounts MSIX applications at logon without requiring a full application installation, instead, the application shell integrations are performed to appear installed to the end-user.

When the application is in use, only the required blocks of data are copied to the virtual machine - bypassing a lengthy installation process of copying all the application payload to the virtual machine. Furthermore, the block-level single instance recognition of MSIX avoids streaming and storing application blocks that are common to other packages.

This approach is recommended because it lowers costs by reducing data storage and improves governance practices by providing a uniform way to install applications across all virtual machines in a pool.

The MSIX applications are attached as *.vhd or virtual hard disk files meaning that the application host operating system must have the Hyper-V feature installed to do this action. Hyper-V can easily be enabled with the following PowerShell command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Importantly, you need to disable four update services that affect applications. The first is Windows Update, which you can disable with:

sc config wuauserv start=disabled

Second, you need to disable Windows Store updates. To do that, use the “reg” command:

reg add HKLM\Software\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 0 /f 

Third, disable the Automatic app update scheduled task with the following two commands:

Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Automatic app update"/Disable
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start"/Disable

And finally, the application host also needs to have Content Delivery auto download disabled.

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug /v ContentDeliveryAllowedOverride /t REG_DWORD /d 0x2 /f

Once you have completed the above steps, the host operating system is configured, and you can prepare your applications for App Attach. While this can be done through a command line, you can use MSIX Hero, a freeware utility. The MSIX Hero team have created a graphical MSIX to VHD package conversion utility that works great.

Publishing requires the correct certificates to be present on the application host virtual machines. As such, it is a best practice to place these certificates in the operating system image so that they are immediately present when applications mount.

The virtual machines will require SMB file share access to the VHD files and the computer accounts will require read-only rights. Always try to run the latest version of the SMB protocol to ensure the best performance and security.

To tie everything together requires four final PowerShell scripts that manage the following activities with App Attach.

  • A startup script that runs the stage script
  • A logon script that runs the register script
  • A logoff script that runs the deregister script
  • A shutdown script that runs the destage script

Microsoft has guidance on customizing these files to suit your configuration. Once these files have been tested, create a GPO and add the PowerShell files to the various script events and target your virtual machines with it. Because of the special needs of VDI machines they rarely share many of the same Group Policy objects that desktops and laptops would use.

Usually virtual machines predetermined for this role would exist within their own organizational unit in the Active Directory, where all the relevant policies for the device are targeted.