AZ-140 Windows Virtual Desktop on Microsoft Azure – *NEW* – Manage User Environments and Apps part 1
- Apps Management Options
When it comes to the Windows Virtual Desktop application management options, which means how we will manage the applications and to which users these applications shall be available, we have three main options. The first one is the normal one, which is using the virtual machine image or the golden image that you use to provision the host pools. So in this option you will create a custom virtual machine image, you will spin it up, you will install all of the applications for all the users on that image and then you can use different images for different teams. So if you want, for example, some applications to be available for the HR team only and some for the engineers only, you cannot have that in the same image.
So you will have to create different images and to create different host pools. This actually raises the issue that you will have an increasing number of gold images or customized images to maintain and to manage. And thus we have these two more options. One of them is the FSLogix application masking and the second is MSIX app attach. So with the FSLogix application masking, the thing that you will do differently this time is you will create only one single virtual machine image with all the applications for all the users. So you will have your customized virtual machine image, you install all of the applications and you will have that one single image.
The trick here is you will then use the FSLogix application masking to ensure that the right applications are visible only to the right users. So this tool allows you to do some masking so you can give the applications to the proper, eligible users. The third option is using MSIX app attach, and this is one of the highly recommended management options to use. The reason is it provides you with dynamic application delivery. So only authorized users can see or access applications, and the applications are made available on a per-user basis, which means the applications will only be made visible and will actually be attached to the virtual machine that the user is accessing only once he signs in.
- FSLogix Application Masking
One of the application management options is the FSLogix application masking. The way this option works is by installing multiple applications into a single image and then showing the applications only to the users who have access to them. So you maintain only one image and you install all of the applications. One user can see the applications that you can see on the slide, for example, and another one can see a different set of applications based on specific criteria. So this is how the FSLogix application masking works. There are many benefits to this option. The application management works without sequencing, snapshotting, packaging or even virtualization when you are using the FSLogix application masking, and all the applications are installed in one base image, while only the applications a user is entitled to are revealed to the user.
Application entitlements can be changed in real time. It actually works not only for the apps but even for the fonts, the plugins and more. And it has excellent application compatibility. The greatest benefit of this is that you will be able to massively reduce the number of gold images to maintain, because you have one image with all the apps and you use the masking to show a set of apps to a set of users based on criteria. And this is how it works. So, when it comes to the deployment or the implementation of FSLogix application masking, the process has four main steps. The first one is to create your rule set, where you set the criteria on which it is based, like which users or which teams will have access to which applications.
Once you set the rule set, you can test it so you can make sure it works fine. And after that you can assign the rule set to an entity. This entity could be a user, so you can specify a username in your Active Directory. It could be a group assignment, process assignment, network location assignment, computer assignment or environment variable assignment. So you can assign it to different entities. Once you assign it, you are good to go and you can deploy your rule set. So this is the process of the implementation for the FSLogix application masking. I have included for you the how-to guide, the implementation guide for the FSLogix application masking for the WVD environment, and you can find it in the resources section of this lecture.
- Deliver Applications Using MSIX app attach Introduction
In a Windows Virtual Desktop application deployment, MSIX app attach can create separation between user data, the operating system and the applications. Which means you can use MSIX app attach to separate applications from primary host pool images or the custom images. This reduces the time it takes for a user to sign in, as well as the infrastructure requirements and the cost. In this lecture I will introduce you to the MSIX and MSIX app attach technologies, which we will later use to deliver applications for WVD users. Let me start first with MSIX in general. So what is MSIX? MSIX is a Windows app package format that provides a modern packaging experience to all Windows applications. You can prepare your applications in MSIX package format, which uses container technology to improve the fidelity of application installation and uninstallation and which isolates the applications from the rest of the operating system for security.
So it uses these MSIX containers, and applications prepared in MSIX format run in a lightweight container, as you can see on the slides. MSIX apps write to their own virtual registry and application data folder. So all MSIX app processes run inside that container. This is what is unique about the MSIX technology. What should be interesting to you is that all MSIX applications write to their own registry and application data folder. This is the unique value proposition, I believe, in this situation. And of course they can read the global registry through the operating system as well. There is a tool for MSIX, and that is called the MSIX Packaging Tool. This is the tool you can use to create an MSIX application package from any of the installers that you can see in the slides.
You can use either the interactive user interface available for that packaging tool or a command line to convert. So, now that we know what MSIX is, let’s narrow down the scope and focus more on the technology that matters to us, that matters to Windows Virtual Desktop, to Azure Virtual Desktop, and that is MSIX app attach. This is a Microsoft application delivery technology that enables you to separate applications and their state from the operating system and to assign the applications to the users dynamically. Which means when a user opens an application, the application files are accessed from a VHD disk, so the user is not even aware that the application isn’t locally installed.
MSIX app attach is different from the regular MSIX that we have explained in that it’s made especially for Windows Virtual Desktop. What benefits does MSIX app attach provide? First, MSIX app attach separates application files from the operating system, which means for you, if the device needs a reset or reimage, these applications won’t require reinstallation. A second benefit would be that you don’t need additional infrastructure servers to deploy the MSIX app packages. You can use, for example, Azure Files to host a virtual hard disk (VHD) that contains the MSIX package.
And the third one, you can combine MSIX app attach with FSLogix profile containers, and this is actually the recommended way to do it. This will help you to isolate user profiles on a separate VHD or VHDX, as well as the applications using MSIX. So let’s see how MSIX app attach fits in the WVD user sign-in process so you can have a clearer understanding of this technology’s role. First, from the Windows Virtual Desktop client, the user signs in and selects the host pool to which he or she has access. The process is similar to opening published remote app programs from the Windows Virtual Desktop environment.
Second, the user is assigned a virtual machine within the host pool, on which a remote application or remote desktop session is created when the Windows Virtual Desktop client interacts with that session. Third, if the user profile is configured, the FSLogix agent on the session host provides the user profile from the file share, so it attaches the user profile to the session host and the user has all their data ready. And this takes us to step four. Applications that are assigned to the user by the admin are read from Windows Virtual Desktop, so these are the applications you have configured using MSIX app attach, and only if the user is assigned to have access to those applications.
These applications will be attached to the session as well, so the user can access them. MSIX app attach applications are then registered to the virtual machine for the user from the attached MSIX virtual disk. That virtual disk might be on an infrastructure-as-a-service file share, Azure Files or even Azure NetApp Files. So this is just to show you how MSIX app attach can actually work with the FSLogix technology as well, so it can detach the applications and even the user profile from the session host. These can only be assigned once the user signs in, and then his profile and applications will be attached to the session.
- MSIX app attach – Deployment Break Down
The process to deliver applications using MSIX app attach technology includes the following main steps or phases. The first one is to cover the prerequisites, and just to list a few of them (this of course could depend on your own scenario): the first one is an Azure Virtual Desktop host pool with at least one active session host, which means you need to have already deployed your host pool and you have at least one active session host, so you can add the MSIX applications to it. The second prerequisite is a machine to prepare the image. This could be any machine. This could be a temporary machine that you have administrative permissions over.
So it’s going to be a machine, it could be your personal laptop, for example, where you will prepare the MSIX image, which means you will prepare your MSIX packages, you will expand them on a VHD image and then you will upload that image to the Azure file share so you can use it with your session hosts. And the third one is a file share, of course, for the MSIX app attach image that you have prepared using the machine in the previous point. The setup process for the MSIX app attach file share is largely the same as the setup process for the FSLogix profile file share, with some different permissions for the assigned users. I have already explained the FSLogix profile file share preparation and administrative tasks in the Storage section.
Please feel free to review that section if needed, and check the resources attached to this lecture’s resources section as well for the official documentation from Microsoft on this matter. So all the steps have been explained in the Storage section. You can review them and get back to the deployment breakdown if needed. Once you have the prerequisites covered, you can move to the next steps. And the first one would be to install the MSIX Packaging Tool. This is the tool that you will use to prepare your MSIX packages. Once you have the packages ready, you can create the MSIX image with the expanded applications and then you can upload the image to the file share that you have prepared in the prerequisites phase. So you have the image, it is ready, you upload it to a file share so it can then be used in step five, where you add the image to the host pool.
So this is the host pool you have already created as per the previous section. You have created your WVD environment. You have a host pool that is active and you will need to add that image, the MSIX image that you have uploaded to your file share, to that host pool. And this is why it is a prerequisite. The sixth step is to publish the MSIX app to an app group, so it needs to be added to an application group. The seventh step would be to assign the users to the application group. So the users whom you want to see these MSIX applications and have access to them, you assign these users access to the app group in the WVD environment. So this is the main process. In the next lectures, I will explain the area highlighted in blue that you can see in the slide. And also it is very important to see the resources I have attached to this lecture’s resources section.
- MSIX app attach – Deployment Part 1
Deploying applications using MSIX app attach is relatively easy. I will explain the process flow in a different manner than it is usually explained. I will go through the process backwards, which means I will start with the main easy steps, the simple steps, and as we go through the process explanation I will start breaking down the steps for you. So the way you would normally deploy applications without using MSIX app attach is you have your image, the golden image with the applications installed, and then if you want you can assign these applications to an application group so the users can have access to them. You do that by going to Azure Virtual Desktop and then you go to Application groups, and you can see we have two application groups, and this is the one for the remote applications.
If you click on that one you can see the assignments. The assignment process is the same whether you are using the normal way, with every application on a custom VM image, or you are using MSIX app attach. You go to Assignments in the application group and you assign the users who shall have access to the applications. You can of course add more users by going to Add and selecting the users. This user, for example, Jack, will have access to these applications. So he has access to the Access application, Microsoft Edge, Paint and PowerPoint. But these applications are actually the applications on the VM image. If you go to Add and you try to add an application, you will see these are taken from the Start menu, where you can specify which application to have access to.
So these are applications on the image. You already have two options to add these applications: either from the Start menu or from the file path, where you specify the path for the file. Now you can see there is a third option, and that is the MSIX package. If you click on that option it will ask you to input some values so you can grab the applications from the MSIX package. So you select the package that you want and then you will have to select the application, where you will have a list of the applications available on the VHDX file that you will upload to your file share as per the deployment breakdown. So this is where you go to select the MSIX app attach applications. It is as easy as this. You just go to your application group, you click on Add and you select the MSIX package.
Normally you would have a separate application group, and you would create that by going to Application groups, Create, and let me go there. So you basically select the resource group, for example, and you select the host pool. This is why you need an active host pool. And you give it a name. So let’s say this RG, for example, for now, and you go to Applications. Actually the same window will pop up for you, where this time you select MSIX package and you select the applications. After that you can go to the assignment, which we have seen also. You can go there once the application group is created. You can add users, remove users. It is the same process.
So how can we prepare the applications for MSIX? Right now we have nothing. How can we prepare that? First, these need to be added to the host pool. So if you go to Host pools, you will need at least one active host pool as per the requirements. Once you click on the host pool you can scroll down, and under Manage there is MSIX packages. This is where you add the VHDX file that you shall have prepared, as we will see later. And you add that file to your host pool. You go to MSIX packages and you click on Add. Then you will have to give it a path, the MSIX image path, and this is the UNC path for the VHDX file that you have prepared with your MSIX packages in it. And this path is actually the path to the file share, which was also one of the requirements.
So the process is simple. Once you have the VHDX file added to your host pool with the applications in it, you can then go and create your application group and add the applications. Speaking about the file share, I have one created already as per the requirements we have mentioned in the breakdown. So I’m going to a resource group right now. This is the storage account. It has all the requirements already implemented, as we have done for the FSLogix configuration. You can review the Storage section for that. So if you go to this storage account and you go to Configuration, you will see that it has identity-based access enabled. I have done all the work already to save you the time. So if we go to Overview and then go back to the file services, I have this file share, and this file share contains the VHDX file.
As you can see, I have done a test one with the Notepad plus in it so we can just play around with it. So this is actually the MSIX VHDX, and if I go here and I select Properties I will have the URL. We mentioned you will need the path, right? So let me just go here and paste. This is the URL. You’ll need the UNC path. It’s going to be like this. You just replace those symbols and this would be the path. This is the UNC path. This is the only thing that you will need to change, as I have shown you. Now the question is about this Notepad plus VHDX. This is the VHDX file or the image for MSIX app attach, for the MSIX applications. So the question is how did we get this file? How have we created this file? And this will be answered in the next lecture.
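
The URL-to-path conversion described above, as an added example that is not part of the original lecture: a small Python helper that turns the file URL shown in the share's Properties into the UNC form (\\server\share\file) and refuses inputs that should not end up in the MSIX image path field. The storage account, share and file names are constructed placeholders, and the checks assume the public-cloud Azure Files endpoint and the VHD/VHDX image types named in the lecture.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions for this example: public-cloud Azure Files endpoint, and the
# VHD/VHDX image types named in the lecture.
AZURE_FILES_SUFFIX = ".file.core.windows.net"
IMAGE_EXTENSIONS = (".vhd", ".vhdx")
ACCOUNT_NAME = re.compile(r"[a-z0-9]{3,24}")  # storage account naming rule


def azure_files_url_to_unc(url: str) -> str:
    """Convert an Azure Files HTTPS file URL into the UNC path of the same file."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("expected an https:// Azure Files URL")
    host = (parts.hostname or "").lower()
    if not host.endswith(AZURE_FILES_SUFFIX):
        raise ValueError(f"not an Azure Files host: {host!r}")
    if not ACCOUNT_NAME.fullmatch(host[: -len(AZURE_FILES_SUFFIX)]):
        raise ValueError("host does not start with a valid storage account name")
    # A query string on a copied URL is usually a SAS token. It is a credential,
    # it has no place in a UNC path, and it should not be pasted into a config field.
    if parts.query or parts.fragment:
        raise ValueError("URL has a query string or fragment; use the bare file URL")
    # Split first, decode second, so an encoded separator cannot add path segments.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("URL must contain a share name and a file path")
    for seg in segments:
        if seg in (".", "..") or "/" in seg or "\\" in seg:
            raise ValueError(f"unsafe path segment: {seg!r}")
    if not segments[-1].lower().endswith(IMAGE_EXTENSIONS):
        raise ValueError("file is not a .vhd or .vhdx image")
    # "Replace those symbols": drop the scheme, turn every / into \.
    return "\\\\" + host + "\\" + "\\".join(segments)


if __name__ == "__main__":
    # Constructed sample URL; the account, share and file names are placeholders.
    print(azure_files_url_to_unc(
        "https://examplestorage.file.core.windows.net/msixshare/apps/notepad%20test.vhdx"))
```

The host check matters because the session hosts will mount whatever path is entered, so a look-alike host name or a traversal segment is rejected before it reaches the portal.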