Add and manage app attach and MSIX app attach applications in Azure Virtual Desktop
Tip
A new version of app attach for Azure Virtual Desktop is available. Select a button at the top of this article to choose between app attach and MSIX app attach to see the relevant documentation.
App attach enables you to dynamically attach applications from an application package to a user session in Azure Virtual Desktop. Applications aren't installed locally on session hosts or images, enabling you to create fewer custom images for your session hosts, and reducing operational overhead and costs for your organization. Delivering applications with app attach also gives you greater control over which applications your users can access in a remote session.
MSIX app attach enables you to dynamically attach applications from an application package to a user session in Azure Virtual Desktop. Applications aren't installed locally on session hosts or images, making it easier to create custom images for your session hosts, and reducing operational overhead and costs for your organization. Delivering applications with MSIX app attach also gives you greater control over which applications your users can access in a remote session.
This article shows you how to add and manage applications with app attach in Azure Virtual Desktop using the Azure portal and Azure PowerShell. You can't add or manage app attach applications using Azure CLI. Before you start, make sure you read the overview for app attach and MSIX app attach in Azure Virtual Desktop.
This article shows you how to add and manage MSIX packages with MSIX app attach in Azure Virtual Desktop using the Azure portal and Azure PowerShell. You can't add or manage MSIX app attach applications using Azure CLI. Before you start, make sure you read the overview for app attach and MSIX app attach in Azure Virtual Desktop.
Important
You have to choose whether you want to use app attach or MSIX app attach with a host pool. You can't use both versions with the same host pool.
Prerequisites
In order to use app attach in Azure Virtual Desktop, you need the following things:
In order to use MSIX app attach in Azure Virtual Desktop, you need to meet the prerequisites:
An existing host pool with session hosts, an application group, and a workspace.
Your session hosts need to run a supported Windows client operating system and at least one of them must be powered on. Windows Server isn't supported.
- Your session hosts need to be joined to Microsoft Entra ID or an Active Directory Domain Services (AD DS) domain.
- Your session hosts need to be joined to an Active Directory Domain Services (AD DS) domain. Microsoft Entra ID isn't supported.
- User accounts need to be hybrid accounts (created in AD DS and synchronized to Microsoft Entra ID). Groups can be hybrid or Microsoft Entra ID groups.
An SMB file share in the same Azure region as your session hosts. All session hosts in the host pool must have read access with their computer account. This file share is used to store your application images. For more information on the requirements for the file share, see File share.
To use Azure Files when your session hosts joined to Microsoft Entra ID, you need to assign the Reader and Data Access Azure role-based access control (RBAC) role to both the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider service principals. To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service principals, see Assign RBAC roles to the Azure Virtual Desktop service principals.
- An SMB file share in the same Azure region as your session hosts. All session hosts in the host pool must have read access with their computer account. This file share is used to store your application images. For more information on the requirements for the file share, see File share.
- An MSIX or Appx disk image that you created from an application package and stored on the file share. For more information, see Create an image, where you can also download a prebuilt MSIX package for testing.
- An MSIX image that you created from an application package and stored on the file share. For more information, see Create an image, where you can also download a prebuilt MSIX package for testing.
To add MSIX images, you need the Desktop Virtualization Contributor Azure role-based access control (RBAC) role assigned on the resource group as a minimum. To assign users to the application group, you also need
Microsoft.Authorization/roleAssignments/write
permissions on the application group. Built-in RBAC roles that include this permission are User Access Administrator and Owner.If you want to use Azure PowerShell locally, see Use Azure PowerShell with Azure Virtual Desktop to make sure you have the Az.DesktopVirtualization and Microsoft Graph PowerShell modules installed. Alternatively, use the Azure Cloud Shell.
- You need to use version 4.2.1 of the Az.DesktopVirtualization PowerShell module, which contains the cmdlets that support app attach. You can download and install the Az.DesktopVirtualization PowerShell module from the PowerShell Gallery.
Important
All MSIX and Appx application packages include a certificate. You're responsible for making sure the certificates are trusted in your environment. Self-signed certificates are supported with the appropriate chain of trust.
You have to choose whether you want to use app attach or MSIX app attach with a host pool. You can't use both versions with the same package in the same host pool.
Important
All MSIX application packages include a certificate. You're responsible for making sure the certificates are trusted in your environment. Self-signed certificates are supported with the appropriate chain of trust.
Add an application
To add an application in an MSIX or Appx image to Azure Virtual Desktop as an app attach package, select the relevant tab for your scenario and follow the steps.
Here's how to add an MSIX or Appx image as an app attach package using the Azure portal:
Sign in to the Azure portal.
In the search bar, type Azure Virtual Desktop and select the matching service entry to go to the Azure Virtual Desktop overview.
Select App attach, then select + Create.
On the Basics tab, complete the following information:
Parameter Description Subscription Select the subscription you want to add an MSIX or Appx image to from the drop-down list. Resource group Select an existing resource group or select Create new and enter a name. Host pool Select an existing host pool from the drop-down list. Location Select the Azure region for your app attach package. Once you've completed this tab, select Next.
On the Image path tab, complete the following information:
Parameter Description Image path Select from Select from storage account if your image is stored in Azure Files or Input UNC to specify a UNC path. Subsequent fields depend on which option you select. Select from storage account Storage account Select the storage account your image is in. File share Select Select a file, then browse to the file share and directory your image is in. Check the box next to the image you want to add, for example MyApp.cim
, then select Select.MSIX package Select the MSIX or Appx package from the image. Input UNC UNC Enter the UNC path to your image file. MSIX package Select the MSIX or Appx package from the image. Either option Display name Enter a friendly name for your application. Version Check the expected version number is shown. Registration type Select the registration type you want to use. State Select the initial state for the package. Health check status on failure Select the status for the package if it fails to stage on a session host. This status is reported for AppAttachHealthCheck for the session host health check status. Once you've completed this tab, select Next.
Tip
Once you've completed this tab, you can continue to optionally assign the application to host pools, users and groups. Alternatively, if you want to configure assignments separately, select Review + create, then go to Assign an app attach package.
Optional: On the Assignments tab, complete the following information:
For Host pool, select which host pools you want to assign the application to. If you're already using MSIX app attach with a host pool, you can't select that host pool as you can't use both versions of app attach with the same host pool.
Select Add users or user groups, then search for and select the users or groups you want to assign the application to. Once you have finished, select Select.
Review the assignments you added, then select Next.
Optional: On the Tags tab, you can enter any name/value pairs you need, then select Review + create.
On the Review + create tab, ensure validation passes and review the information that is used during deployment, then select Create to add the application.
Assign an app attach package
You need to assign an app attach package to host pools as well as groups and users. Select the relevant tab for your scenario and follow the steps.
Note
User accounts need to be hybrid accounts (created in AD DS and synchronized to Azure AD), but groups do not.
Here's how to assign an application package to host pools, users and groups using the Azure portal:
Host pools
From the Azure Virtual Desktop overview, select App attach, then select the name of the app attach package you want to assign.
In the section Manage, select Host pools:
Select + Assign, then select one or more host pools from the drop-down list. Make sure that all session hosts in the host pool must have read access with their computer account, as listed in the prerequisites.
Select Add.
Groups and users
From the Azure Virtual Desktop overview, select App attach, then select the name of the app attach package you want to assign.
In the section Manage, select Users:
Select + Add, then select one or more groups and/or users from the list.
Select Select.
Note
Adding a package, setting it to active, and assigning it to a host pool and users automatically makes the application available in a desktop session. If you want to use RemoteApp, you'll need to add the application to a RemoteApp application group. For more information, see Publish an MSIX or Appx application with a RemoteApp application group. You can't add MSIX or Appx applications to the desktop application group with app attach.
Change registration type and state
You can manage your MSIX and Appx packages by changing their registration type and state. Select the relevant tab for your scenario and follow the steps.
Here's how to change a package's registration type and state using the Azure portal:
From the Azure Virtual Desktop overview, select App attach. You should see a list of all existing packages within the host pool.
Select the name of the package you want to change.
To change the registration type, select On-demand or Register at log on, then select Save.
To change the state, select Inactive or Active, then select Save.
Publish an MSIX or Appx application with a RemoteApp application group
You can make MSIX and Appx applications available to users by publishing them with a RemoteApp application group. You don't need to add applications to a desktop application group when using app attach as you only need to Assign an app attach package. The application you want to publish must be assigned to a host pool.
Here's how to add an application from the package you added in this article to a RemoteApp application group using the Azure portal:
From the Azure Virtual Desktop overview, select Application groups, then select the RemoteApp application group you want to add an application to.
Select Applications, select + Add. Make sure you have at least one session host powered on in the host pool the application group is assigned to.
On the Basics tab, complete the following information:
Parameter Value/Description Application source Select App Attach from the drop-down list. If you want to add applications from the Start menu or by specifying a file path, see Publish applications with RemoteApp. Package Select a package available for the host pool from the drop-down list. Regional packages are from app attach. Application Select an application from the drop-down list. Application identifier Enter a unique identifier for the application. Display name Enter a friendly name for the application that is to users. Description Enter a description for the application. Once you've completed this tab, select Next.
On the Icon tab, select Default to use the default icon for the application, or select File path to use a custom icon. For File path, select one of the following options:
Browse Azure Files to use an icon from an Azure file share. Select Select a storage account and select the storage account containing your icon file, then select Select icon file. Browse to the file share and directory your icon is in, check the box next to the icon you want to add, for example
MyApp.ico
, then select Select. You can also use a.png
file. For Icon index, specify the index number for the icon you want to use. This number is usually 0.UNC file path to use an icon from a file share. For Icon path, enter the UNC path to your icon file, for example
\\MyFileShare\MyApp.ico
. You can also use a.png
file. For Icon index, specify the index number for the icon you want to use. This number is usually 0.
Once you've completed this tab, select Review + add.
On the Review + add tab, ensure validation passes and review the information that is used to add the application, then select Add to add the application to the RemoteApp application group.
Update an existing package
You can update an existing package by supplying a new image containing the updated application. For more information, see New versions of applications.
To update an existing package in-place, select the relevant tab for your scenario and follow the steps.
Here's how to update an existing package using the Azure portal:
From the Azure Virtual Desktop overview, select App attach. You should see a list of all existing packages.
Select the package you want to update, then from the overview, select Update.
Enter the information for the updated package:
Subscription and Resource group are prepopulated with the values for the current package.
Select the Host pool for which you want to update the package.
Select the image path from Select from storage account or Input UNC. Subsequent fields depend on which option you select.
- For Select from storage account, select the Storage account containing the updated image. Select Select a file, then browse to the file share and directory your image is in. Check the box next to the image you want to add, for example
MyApp.cim
, then select Select. - For Input UNC, enter the UNC path to your image file.
- For Select from storage account, select the Storage account containing the updated image. Select Select a file, then browse to the file share and directory your image is in. Check the box next to the image you want to add, for example
For MSIX package, select the MSIX or Appx package from the image.
Once you've completed the fields, select Update.
Remove an app attach package
You can remove an app attach package that you no longer need. You don't need to unassign host pools or users and groups first. Select the relevant tab for your scenario and follow the steps.
Tip
You can also remove an application in an MSIX package published as a RemoteApp from an application group the same way as other application types. For more information, see Remove applications.
Here's how to remove an app attach package using the Azure portal:
From the Azure Virtual Desktop overview, select App attach. You should see a list of all existing packages.
Check the box next to the name of the package you want to remove, then select Remove. The package is also removed from any host pools it's assigned to.
Add an MSIX image to a host pool
To add an MSIX image to a host pool, select the relevant tab for your scenario and follow the steps.
Here's how to add an MSIX image using the Azure portal:
Sign in to the Azure portal.
In the search bar, type Azure Virtual Desktop and select the matching service entry to go to the Azure Virtual Desktop overview.
Select Host pools, then select the name of the host pool you want to add an MSIX image to.
From the host pool overview, select MSIX packages, then select + Add.
For MSIX image path, enter a valid UNC path pointing to the MSIX image on the file share, for example,
\\fileshare\Apps\MyApp\MyApp.cim
, then select Add, which checks the path is valid.Once the path has been verified, more fields appear. Complete the following information:
Parameter Description MSIX package Select the relevant MSIX package name from the drop-down menu. Package applications This shows App and isn't configurable. Display name Enter a friendly name for your package. Version Check the expected version number is shown. Registration type Select the registration type you want to use. State Select the initial state for the package. Once you've completed the fields, select Add.
Change registration type and state
You can manage MSIX packages in your host pool by changing their registration type and state. Select the relevant tab for your scenario and follow the steps.
Here's how to change a package's registration type and state using the Azure portal:
From the Azure Virtual Desktop overview, select Host pools, then select the name of the host pool the MSIX package is added to.
From the host pool overview, select MSIX packages. You should see a list of all existing MSIX packages within the host pool.
Select the name of the MSIX package you want to change.
To change the registration type, select On-demand or Register at log on, then select Save.
To change the state, select Inactive or Active, then select Save.
Publish an MSIX application
You can make MSIX applications available to users as part of a desktop or RemoteApp application group. A desktop application group makes the applications available in a user's start menu, whereas a RemoteApp application group means a user can stream them individually. For more information about application groups, see Terminology. Select the relevant tab for your scenario and follow the steps.
Here's how to add an application from the package you added in this article to a RemoteApp application group using the Azure portal:
From the Azure Virtual Desktop overview, select Application groups, then select the Desktop or RemoteApp application group you want to add an application to.
Select Applications, select + Add. Make sure you have at least one session host powered on in the host pool the application group is assigned to.
On the Basics tab, the options you see depend on whether your application group is for a Desktop or a RemoteApp:
For a Desktop application group, complete the following information:
Parameter Value/Description Application source MSIX package is automatically selected and greyed out. Package Select a package available for the host pool from the drop-down list. Application identifier Enter a unique identifier for the application. Display name Enter a friendly name for the application that is to users. Description Enter a description for the application. Once you've completed this tab, select Review + add.
For a RemoteApp application group, complete the following information:
Parameter Value/Description Application source Select App Attach from the drop-down list. If you want to add applications from the Start menu or by specifying a file path, see Publish applications with RemoteApp. Package Select a package available for the host pool from the drop-down list. Host pool packages are from MSIX app attach. Application Select an application from the drop-down list. Application identifier Enter a unique identifier for the application. Display name Enter a friendly name for the application that is to users. Description Enter a description for the application. Once you've completed this tab, select Next.
On the Icon tab, select Default to use the default icon for the application, or select File path to use a custom icon. For File path, select one of the following options:
Browse Azure Files to use an icon from an Azure file share. Select Select a storage account and select the storage account containing your icon file, then select Select icon file. Browse to the file share and directory your icon is in, check the box next to the icon you want to add, for example
MyApp.ico
, then select Select. You can also use a.png
file. For Icon index, specify the index number for the icon you want to use. This number is usually 0.UNC file path to use an icon from a file share. For Icon path, enter the UNC path to your icon file, for example
\\MyFileShare\MyApp.ico
. You can also use a.png
file. For Icon index, specify the index number for the icon you want to use. This number is usually 0.
Once you've completed this tab, select Review + add.
On the Review + add tab, ensure validation passes and review the information that is used to add the application, then select Add to add the application to the application group.
Remove an MSIX package
You can remove an MSIX package that you no longer need. Select the relevant tab for your scenario and follow the steps.
Tip
You can also remove only an application in an MSIX package from an application group the same way as other application types. For more information, see Remove applications.
Here's how to remove an MSIX package from your host pool using the Azure portal:
From the Azure Virtual Desktop overview, select Host pools, then select the name of the host pool the MSIX package is added to.
From the host pool overview, select MSIX packages. You should see a list of all existing MSIX packages within the host pool.
Check the box next to the name of the MSIX package you want to remove, then select Remove.
Disable automatic updates
We recommend that you disable automatic updates for MSIX and Appx applications. To disable automatic updates, you need set the following registry values on your session hosts:
We recommend that you disable automatic updates for MSIX applications. To disable automatic updates, you need set the following registry values on your session hosts:
Key: HKLM\Software\Policies\Microsoft\WindowsStore
- Type: DWORD
- Name: AutoDownload
- Value: 2
- Description: Disables Microsoft Store automatic update.
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
- Type: DWORD
- Name: PreInstalledAppsEnabled
- Value: 0
- Description: Disables content delivery automatic download.
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug
- Type: DWORD
- Name: ContentDeliveryAllowedOverride
- Value: 2
- Description: Disables content delivery automatic download.
You can set these registry values using Group Policy or Intune, depending on how your session hosts are managed. You can also set them by running the following PowerShell commands as an administrator on each session host, but if you do this, you should also set them in your operating system image:
# Disable Microsoft Store automatic update
If (!(Test-Path "HKLM:\Software\Policies\Microsoft\WindowsStore")) {
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsStore" -Force
}
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsStore" -Name AutoDownload -PropertyType DWORD -Value 2 -Force
# Disable content delivery automatic download
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager")) {
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Force
}
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name PreInstalledAppsEnabled -PropertyType DWORD -Value 0 -Force
# Disables content delivery automatic download
If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug")) {
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug" -Force
}
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug" -Name ContentDeliveryAllowedOverride -PropertyType DWORD -Value 2 -Force
Next steps
Learn how to publish applications from the start menu or a file path with RemoteApp. For more information, see Publish applications.