Forum Discussion
App Attach only working if the App is Installed Locally First
I am trying to use App Attach to provide an application to my virtual desktop environment. The environment is currently 100% Entra ID, no DS if possible. RemoteApp host pool with Standard_D4as_v6 VMs running Windows 11 24H2 multi-session (no office 365 apps).
I am having troubles getting App Attach working as I understand it should.
- I packaged my app into MSIX on one of the session hosts via admin account.
- My app is self-signed with .PFX, each session host has the corresponding .CER file in Trusted People AND Trusted Root Certification Authorities (conflicting advice online led me to just do both).
- I converted .MSIX to .CIM disk via MSIXMGR on the same session host.
msixmgr.exe -Unpack -packagePath "path\file.msix" -destination "path\file.cim" -applyACLs -create -fileType cim -rootDirectory apps- I uploaded the .CIM file and the 6 supporting files to Azure Files Storage Account.
- All hosts have access to the azure storage account via access key, which I know is working because I’m using a different File Share in the same Storage Account to run FSLogix which has been working great. I haven't made any NTFS changes in my environment so far.
- On the storage account:
- Reader and Data Access is granted to Windows Virtual Desktop and Windows Virtual Desktop ARM Provider.
- Storage File Data SMB Share Reader is granted to each VM.
- Create App Attach resource, assigned it to the associated app group/workspace/host pool. I can see my app under the Apps tab in the Windows App/Remote Desktop app.
Now into the Windows App: when I click my app, it will load forever on “Securing Remote Session…” and if I click “Show Details” to see the Windows login screen, it is always frozen on “Preparing Windows”. I’ve switched the host pool to “Desktop” mode and my user can log in to the full desktop with no issues, it is just the remote app that gets hung up.
BUT if I log into the VM with my admin account, I launch my MSIX package, and approve the installation of my app, that makes it all work. Now I can go back to the Windows App and launch my remote app as a regular user, and it works perfectly. (Assuming I make the host pool assign the user to the session host where I manually installed the app)
As far as I understand, this shouldn’t be a requirement to get App Attach working, so I’m looking for advice or information as to why manually installing the app would fix my problem. I am suspicious of the self-signed certificate; I’d rather not buy one but let me know if that’s what I’m stuck doing. I’m also curious if the “App-Attached” version of my app is running, or if its just targeting the locally installed version behind the scenes on me… I am going to do more testing and see if I can prove that.
Thanks for the help!
Here's an important update:
It seems I can resolve this issue by using a VHDX disk instead of CIM. I followed the exact same process/setup for the two types, I just changed the format when using MSIXMGR. I can launch the remote app with no issues, and I confirmed that the app is NOT installed locally.
No clue why the CIM format would be the issue here. Any suggestions?
Let me help troubleshoot this like I would with a colleague! App Attach can be tricky, and I totally get the frustration when it's not working as expected.
From what you've described, you've got most of the basics covered - the packaging and conversion steps look good. But there are a few things that often trip people up with App Attach that we should check:
- Quick question - when you say it only works if installed locally first, what exactly happens when you try to launch the app without local installation? Do you get any specific error messages?
- One common gotcha: Have you checked if the certificate is properly deployed to ALL session hosts? Sometimes even if it shows up in the certificate stores, there might be permission issues or it might not be fully trusted.
- For the MSIX package itself - did you include all the necessary dependencies when packaging? Sometimes apps need additional frameworks or runtimes that aren't immediately obvious.
- Also, just to verify - I assume you've set up the share for the .CIM file and configured the proper permissions for the users who need to access it?
If you could provide some more details about what exactly happens when you try to launch the app without local installation, that would help narrow down where things might be going wrong.
Regards: 블랙툰.store
Hi!
1. If the app is not installed locally, and I try to launch the app as a remote app (using the Windows App or the Remote Desktop app), I experience a frozen login screen, which never unfreezes. I attached a screenshot of it.
2. I have double checked that the certificate is installed in the directories I mentioned in the original post. But I am not ruling out the certificate as the possible issue. If other people have found issues related to their certificates, I would love to figure out how they found out or what they changed.
3. I'm currently testing with a super simple Windows Form app that just shows a text box. I was hoping to rule out a dependency-related issue but even this simple app has the issue. According to the AppManifest.xml, the only dependency is Windows.Desktop.
4. I am able to mount the fileshare using PSExec with no issues using this guide: Troubleshoot app attach - Azure Virtual Desktop | Microsoft Learn
AppAttach packages are running in SYSTEM context on the session hosts. So you could use PSEXEC and run CMD or PowerShell as SYSTEM on a session host, to verify access to the share hosting the packages.
I am able to mount the fileshare using PSExec with no issues using this guide: Troubleshoot app attach - Azure Virtual Desktop | Microsoft Learn
I did some testing with multiple versions of my app to see how it behaved, and these were my findings.
- I installed app version 1 on my VM and loaded it into app attach. Remote App launches as expected.
- I installed app version 2 on my VM (did not put into app attach). Remote App will not launch.
- I uninstalled app version 2 from my machine so just version 1 remained. Remote App launches as expected.
- I added app version 2 to app attach alongside version 1 (both set to active). Remote App does not launch.
- I removed app version 2 from app attach. Remote App still does not launch.
- It seems I broke the environment here, these packages didn't seem to detach properly.
- I manually removed the apps/mounted drives from the machine and reinstalled app version 1. Remote App launches as expected.
And when I say "does not launch" I'm referring to the frozen login that I described in my original question.
Not sure if that's helpful or not. It was at least interesting to see that the Remote App didn't launch when app attach had version 1, and the machine had version 2 installed.
Please to consider on below:
- Self-Signed Certificate: While self-signed certificates can work, they can sometimes cause issues. It might be worth trying a certificate from a trusted Certificate Authority (CA) to see if that resolves the problem.
- Permissions: Double-check that all necessary permissions are correctly set up. Ensure that the session hosts have the correct access to the Azure Files Storage Account and that the necessary SMB share permissions are in place.
- Mounting the MSIX Image: Verify that the MSIX image is being mounted correctly on the session hosts. You can use the Mount-CimDiskImage PowerShell command to manually mount the image and check if it's accessible.
- Testing Outside Azure Virtual Desktop: Try testing the MSIX package outside of Azure Virtual Desktop to see if the issue persists. This can help isolate whether the problem is with the App Attach setup or something else.
- Logs and Diagnostics: Check the logs and diagnostics on the session hosts to see if there are any error messages or warnings that could provide more insight into what's going wrong.
Hi!
- Self-Signed Certificate: I will work towards getting this, I'll report back how it goes.
- Permissions/Mounting the MSIX Image: I believe all of the access permissions are setup correctly. I have verified in the VM Event Viewer (Applications and Services Logs > RemoteDesktopServices) that the RDAgent successfully completes the mounting, staging, and app registering processes without any errors. I'm leaning towards ruling this out as the issue, since I don't think any of that would have worked if the permissions weren't set up, unless I'm missing something.
- Testing Outside Azure Virtual Desktop: I am able to successfully install and launch the MSIX package on my local laptop (after saving the .CER file on my machine as well).
- Logs and Diagnostics: So far I haven't found anything solid to go off in the Event Viewer. Let me know if you're referring to another place I need to look!
I have been closely watching these 4 Event Viewer locations:- Applications and Services Logs > RemoteDesktopServices
- Applications and Services Logs > Microsoft > Windows
- AppXDeployment
- AppxXDeployment-Server
- AppxDeployment-Server-UndockedDeh
