Introduction
This article introduces MSIX & a deep dive/walkthrough on MSIX App Attach, Microsoft’s layering solution for delivering applications to a modern workspace.
The three main components of an End-user compute environment are typically the operating system, applications and user profile. Un stitching or separating these components enables you to simply deployments, virtual desktop delivery and operating system updates/upgrades.
Traditionally, Application installs, updates and removal actions are completed within the master gold image. The introduction to MSIX App Attach presents a new concept of application delivery and maintaining applications within a virtual desktop environment.
Today’s Application deployment Options for WVD:
- Create an OS image per role – creating customised application sets on user group-specific images.
- The Use of App Masking – centralising applications on one OS image and App Masking to only show the required applications to specific user groups.
- MSIX App Attach – Attach the required applications (containerised) to the operating system. This provides no footprint on the OS and offers applications to be mounted via a virtual disk (dynamically).
The difference between Application Layering and Application Virtualisation:
One of the most common themes to manage virtual applications is application layering. The technology allows you to wrap applications in a container like a layer in a virtual disk drive or similar format. This essentially allows you to reduce the need to have many individual revisions of each application and simplify the delivery of applications to an operating system.
Layering aims not to isolate the application within its own virtual file system and registry but house all the required components on its own virtual disk. This is the core difference between Application virtualisation.
When a user logs on, the layering technology accesses and combines the data from the virtual hard drive into the host operating system to make the operating system (OS) think the application is installed within the operating system when in fact, the app is running from a mounting disk drive.
What is MSIX
MSIX is a new Windows app Package format that provides a modern app packaging experience for windows applications. The MSIX Package format preserves existing application packages’ functionality and enables new, modern deployment features for Win32, WPF, and Windows Forms applications.
Features:
- Network bandwidth Optimisation – MSIX decreases the network impact by using the 64k block. This is done by using the AppxBlockmap.xml file contained within the MSIX Application package. MSIX has been specifically designed to support cloud and modern systems.
- Disk Optimisations – MSIX removes files’ duplication across apps and windows, enabling shared files across applications. The applications are still independent of each other, and updates will not impact any other application that may share a file.
- Reliability – MSIX provides a reliable install, and it’s suggested that the success rate is around 99.96% over millions of installs with a Microsoft guaranteed uninstall.
The Following Video From Microsoft provides a introduction to MSIX …
Inside a MSIX Package:
This section briefly covers the internals of an MSIX Package.
The following diagram depicts the components inside a MSIX Package.
- App Payload – The payload files are the app code files and assets created when building the image, for example, “icon”.
- AppxBlockMap.xml – The package block map file is an XML file containing a list of the app’s files, including indexes, cryptographic hashes for each block of data stored in a package. The block file is verified and secured with a digital signature when the package is signed.
- AppxManifiest.xml – The package manifest contains the information needed to deploy, display and update the MSIX Application. The information includes Package identity, package dependencies, required capabilities, visual elements and extensible points.
- AppxSignature.p7x – This file is generated when the package is signed. All Packages are required to be signed before you and run them (Validated).
Please see the link for which platforms MSIX supports: https://docs.microsoft.com/en-us/windows/msix/supported-platforms
What is MSIX App Attach
MSIX App Attach is Microsoft’s Application layering technology using the new MSIX package format. This App Layering technology enables you to separate applications from the core Operating system and deliver applications to users dynamically. It’s suggested that MSIX App Attach is similar in concept to FSlogix Profile containers where the user profile is detached and filter drivers are used to redirect the profile to a virtual disk.
The following table from Microsoft compares key feature of MSIX app attach and other app layering.
| Feature | Traditional app layering | MSIX app attach |
|---|---|---|
| Format | Different app layering technologies require different proprietary formats. | Works with the native MSIX packaging format. |
| Repackaging overhead | Proprietary formats require sequencing and repackaging per update. | Apps published as MSIX don’t require repackaging. However, if the MSIX package isn’t available, repackaging overhead still applies. |
| Ecosystem | N/A (for example, vendors don’t ship App-V) | MSIX is Microsoft’s mainstream technology that key ISV partners and in-house apps like Office are adopting. You can use MSIX on both virtual desktops and physical Windows computers. |
| Infrastructure | Additional infrastructure required (servers, clients, and so on) | Storage only |
| Administration | Requires maintenance and update | Simplifies app updates |
| User experience | Impacts user sign-in time. Boundary exists between OS state, app state, and user data. | Delivered apps are indistinguishable from locally installed applications. |
You can find out more here: https://docs.microsoft.com/en-us/azure/virtual-desktop/what-is-app-attach
How MSIX App Attach Works:
This section will cover how MSIX App Attach works and several technical videos showing you how to create and deploy MSIX App Attach.
The following diagram depicts the MSIX App Attach Process.
- The user open’s the “Remote Desktop” Client and enters their credentials, and selects the host pool they have access to.
- The process of communicating with the WVD management service (broker etc.) is completed, and a session is assigned to an available Virtual machine within the host pool.
- The FSLogix Agent on the session host requests the user profile from the file share for the user in question.
- The file share could be Azure Files, Azure Netapp Files or Iaas File server / other.
- Applications (App Attach) are mounted to the Virtual Machine for that user. This can be achieved using a logon script, general scripting, third party applications etc.
As you will see from the diagram, both the User profile and Application(s) are separate from the main operating system. This enables improvements in dynamic delivery of applications and profiles, Something I refer to as “Dynamic User Roaming (DUR)“ Coined 😃.
I use the term “Dynamic User Roaming” to describe the ability to take a particular user’s profile and applications enabling the ability to access any device (session host in this case) with the same experience.
The term “Dynamic” is characterised by constant change, activity, or progress. Which is very fitting when describing user roaming to any device offering the same experience, profile and applications. It suggested that “Dynamic User Roaming” is the future for a true roaming experience.
Traditional Image App Delivery:
To help explain this in detail, I have depicted the traditional way that IT admins deploy applications and desktops to users in the below diagram. Essentially, multiple images are created for departments or user types/categories. This image management method is time-consuming, and you effectively have to manage the applications and windows updates for each image.
Removing the need to update/remediate applications provides a much simpler approach for Image Operating system management. You could even consider spinning up new images automatically each time an update is completed if the User profile and applications are separated from the gold image, as it would make no difference compared to traditional methods.
The segmentation of applications offers many advantages; one of the key benefits is simple management and the ability to focus on a specific area rather than the whole image regarding remediation, updates and future deployments. This means you could have different remediation cycles specific to an area of image management, reducing the amount of change in one maintenance window.
MSIX App Attach App Delivery:
The following diagram depicts how MSIX App Attach works and the elasticity it offers Windows Virtual Desktop.
As you can see from the diagram, FSlogix profiles are mounted to each virtual machine. You will also note that each VM has the generic (common Applications) Applications deployed on the image (core). You could deploy all App Attach applications; however, in this example, departmental images are separated from the Os.
You will see that each different department’s users are presented with specific applications they require. For example, Sales only receive Sales App1 and Sales App2. MSIX App Attach enables you to isolate applications for the required specific user groups in question.
MSIX App Attach Terminology:
The following diagram provides some context on the different steps/processes/ actions relating to MSIX App Attach.
Get my book on “A Introduction to MSIX app attach”
Create a MSIX Package
The following video shows you how to create an MSIX App Attach. This demo shows the creation of a Notepad++ MSIX Package.
Create a App Attach Container (Virtual Disk (VHD):
I have created a script to help with the process. You can find this code here:
https://github.com/RMITBLOG/MSIX_APP_ATTACH/blob/master/createvdisk.ps1
You will need to download the script and set the execution policy before running.
The following video shows the creation of the VHD disk for MSIX App Attach:
Unpack a MSIX file to the VHD format
Download MSIX MGR here: https://aka.ms/msixmgr
Use the following cmd to unpackage the MSIX
msixmgr.exe -Unpack -packagePath "C:\temp\appattach_test_path\MSIX unpack\notepadpp_1.0.0.0_x64__ekey3h7rct2nj.msix" -destination "C:\temp\appattach_test_path\notepad++" -applyaclsThe following Video shows the process of un-packing a MSIX package ready for MSIX:
Testing a MSIX App Attach Package
I have created a number App Attach Scripts for testing applications: https://github.com/RMITBLOG/MSIX_APP_ATTACH
The video shows the scripts in use and a notepad++ running via MSIX App Attach.
Publishing an MSIX App Attach Application as a Remote App
In this brief section, we will cover the publication of a Remote App using MSIX App Attach.
When creating a MSIX App Attach Remote App, you need to ensure the following:
- The MSIX App Attach App is staged and then registered for the user in question.
- The Remote app has been configured with the required Application group in the ARM WVD Console.
- You also need to ensure you configure the Remote application using the correct file paths.
Application Path: C:\temp\AppAttach\mytestsuccess_1.0.0.0_x64__ekey3h7rct2nj\msix\mytestsuccess_1.0.0.0_x64__ekey3h7rct2nj\pinball.exe
Icon Path: C:\Program Files\WindowsApps\mytestsuccess_1.0.0.0_x64__ekey3h7rct2nj\pinball.exe
For this example, I have used Pinball. I have used the application source of file Path to configure the Remote App.
Video Demo of MSIX App Attach Remote App(s). This example we are using Pinball!…
(.CIM) New File Extension
I found the details in Microsoft’s MSIX App Attach Documentation (glossary) that suggests new file extension ( at the time of writing this post). Microsoft has stated the following “.CIM is a new file extension associated with Composite Image Files System (CimFS). Mounting and unmounting CIM files is faster than VHD files. CIM also consumes less CPU and memory than VHD.”
“The following table is a performance comparison between VHD and CimFS. These numbers were the result of a test run with five hundred 300 MB files in each format run on a DSv4 machine.”
| Specs | VHD | CimFS |
|---|---|---|
| Average mount time | 356 ms | 255 ms |
| Average unmount time | 1615 ms | 36 ms |
| Memory consumption | 6% (of 8 GB) | 2% (of 8 GB) |
| CPU (count spike) | Maxed out multiple times | No impact |
Find out more here: https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach-glossary#cim
Update on the CIM format 27/09/2020:
The . CIM (Composite Images (CIMs)) format has been introduced into the Windows 10 2004 release. This image format is similar to the .WIM or read-only.VHD. These have been designed as a Windows Container image layout offering read-only disk and file system volume device for the image.
The .CIM image consists of a small collection of files, including metadata and filesystem description files. “As a result of their “flatness”, CIMs are faster to construct, extract and delete than the equivalent raw directories they contain.”
CIMs are composite as they can contain multiple file systems that can be mounted individually while sharing the same data region backing files.
One other benefit to CIMs is that the image type support deduplication at the file level.
It is suggested that CIMfs will be supported on both Windows 10 & Windows Server 2019 builds 19041 (version 2004) and onwards.
07/10/2020 Demo of a Composite image (.Cim)
I have created a quick video showing CimFS (.Cim) in action. This may be a first in Industry to demo 😊 . Check it out—improved performance and a similar process to the VHD(x) test scripts.
Update 24/10/2020 – Cim testing tool
you can now test CIM yourself; details for the installer and how to get a community key are here. https://ryanmangansitblog.com/2020/10/16/testing-cimfs-composite-file-system-windows-virtual-desktop/
MSIX App Attach Update: 22/09/2020
Microsoft announces an update for MSIX App Attach on Windows Virtual Desktop (22/09/2020). MSIX App Attach has now been baked into the WVD Azure blade to simplify App Attach’s delivery. You will still need to create and test MSIX App Attach packages (vDisk’s) (package); however, the delivery to the WVD host pool has been taken care of by the WVD team at Microsoft 😀.
There have been a few comments in the IT community regarding no need for the previously required scripts for stage, register, de-register and de-stage scripts. However, this is not entirely true; it is advised these scripts are still required for testing App Attach. You may also choose to package on a none WVD host and may need the scripts to test before uploading to storage.
One or Many – As stated in the announcement and my previous comments, throughout the preview, you can have one or many Applications on an App Attach disk. Just remember larger the app, slower the attach to the operating system. Larger applications should be separated to their own virtual disk. You also need to factor in IOPS usage into your storage requirements.
you can find out more here: https://techcommunity.microsoft.com/t5/windows-virtual-desktop/announcing-new-management-security-and-monitoring-capabilities/m-p/1699543
You can also watch Christian Brinkhoff & Dean Cefola talk about MSIX App Attach with Pieter Wigleven, WVD PM lead here >>>.
Video of Stefan Georgiev discussing the up and coming new MSIX App Attach Features coming up:
WVD Community presentation on MSIX App Attach 1st of October 2020
MSIX App Attach GA Announcement 13/04/2021
Check out the following post which includes lots of resource links for MSIX app attach.
MSIX App Attach Resources List – Ryan Mangan’s IT Blog
Testing MSIX App Attach In Mass
Check out the following short video of the testing of applications (MSIX App Attach) using AppCURE’s CLI
Delivering MSIX & MSIX App Attach to Enterprise:
The process for creating MSIX App Attach “Applications” is lengthy and time-consuming. Check out the following commercial tools that remove the pain points and let you deliver MSIX App Attach in minutes.
AppCURE – is an application packaging tool that enables you to extract applications from a source device without the need for the Application Media. The output offers the application files raw in a program folder or an MSIX package. So for those moving from older systems like Windows 7, AppCURE would help you extract those Applications quickly.
Find out more here: AppCURE Website
Application Studio (previously known as code name MSIX to VDM) – This tool enables you to spit out MSIX App Attach ready disks, including the configuration information, in seconds. There are also lots of added features, including converting from APPV to MSIX then to MSIX APP Attach and a built-in feature enabling App Attach conversions for VMware app volumes 4. This technology has a wide range of features to help organisations get to MSIX App Attach quicker and convert, manage, secure, export MSIX App Packages.
Find out more here: MSIX to VDM website
Summary:
MSIX App Attach is an interesting concept, and I do like the fact that Microsoft is using the same MSIX format for App Attach, which is an excellent way of keeping things simple and standardised.
This will effectively enable a higher success rate of application delivery to Windows Virtual Desktop and local desktops as the format is standardised. I also like the fact you can reverse MSIX App Attach back into an MSIX, as the format and structure are exactly the same.
This does provide some structure/comfort regarding the future capabilities of application delivery, and organisations can have some peace of mind knowing that Microsoft has clearly thought this out.
Noted that some apps don’t work with MSIX as of yet; however, I’m sure these kinks will be ironed out.
It will be interesting to see if other vendors will adopt MSIX App Attach or align their technologies with Microsoft’s MSIX. I am really looking forward to seeing the advancements in MSIX App Attach and hopefully, the GA of MSIX App Attach for Windows virtual Desktop.
Ryan Mangan's IT Blog 
Have you run into issues on the unpack? My unpack doesn’t seem to set ACLS and I get this: Error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to.
Make sure you have the correct permission set to the file share. (Session Hosts)
Hi, I have a few queries, how to deal best with MSIX applications that have services when deploying to standard users in a CVAD environment? Are MSIX Apps with Services supported to deploy when registered multiple times by different users on same VDA/session host?
Thanks
MSIX can be deployed to single or all users. MSIX app attach can be registered to one or many users. If the service packages successfully in the MSIX container then it will work with MSIX app attach.
Thanks Ryan. Yes services do capture fine into the MSIX package and have successfully been deployed to users who have Admin rights – What if we don’t give users admin rights on a Win10 Multisession platform? Thanks
I need more context, does the app need to be run as elevated. I will assume the package has been set to
Capability Name=”runFullTrust”
Capability Name=”allowElevation”
We keep getting “Host-1 Error: Error accessing virtual disk” when trying to added the UNC path of the VHD of the Azure file share.
We’ve got the all the permission set – the ONLY thing I can think of is when I made this host to test on we set it to no for the validation option, because it’s a test host anyways. Does that actually matter?
You need Host validation as its in preview. If permissions are correct and Validation is set, it will work. Keep me posted.
Hi Ryan, Are there any recommended ways of updating the created .VHDX files containing the MSIX applications? e.g. Notepad++ or Adobe Reader when new versions are made available. – Other than the lengthily task of creating the MSIX package from scratch and creating a new VHDX file with a new set of scripts? Thanks.
Hi, I almost made it happen to deploy my first MSIX package. But I failed at sycing the WVD VM to the Azure AD. Well AD Connect is showing me the object and it’s sucessful export task, after I added the OU to the sync. But it does not show up in Azure AD. So I am unable to assign the SMB Reader role to it and adding the package keeps failing.
Hi Ryan, Great demo! Can you have multiple MSIX apps on the same VHD?
Yes you can. VHD/VHDX/CIMFS
Thank you sir!
Hi Ryan,
Can you do a demo on how to create multiple apps on a single vhdx?
Thanks!
Hi Ryan- Can you do a demo on how to add multiple MSIX apps to a single VHDX?
Hi Ryan, any comment on this one?
https://techcommunity.microsoft.com/t5/msix-deployment/msix-app-attach-and-firewall-rules/m-p/2938374
Let me look into this. However, if you deploy the firewall via a group policy, is this a workaround?
MSIX App Attach will generate a disk like d:\67\apps\… so a number is in it which prevent to use policies 😦
can you send me the MSIX or the app manifest
The mounted App Attach didk contains a number. So by policy not really possible.
Your github scripts are gone. Nice demo. Sorry, total noob here. In giving the Session Host permissions, I’ve gone into the StorageAccount>AccessControl> and made all my users and the AVD machine all owners. Still not working. Is there another way to set permissions on the file share?
Try here: https://github.com/RMITBLOG/MSIX_APP_ATTACH/wiki