MSIX App Attach with CIM

HOW TO: Use CIM for WVD App Attach

To use MSIX App Attach you need to extract an MSIX package to a VHD or a VHDx format to then mount the drive to the Virtual Machine. But there’s a third format that can be used, namely Composite Image Files System or .CIM in short. This is a new file system introduced by Microsoft to use in combination with MSIX App Attach. Why need a new file system? CIM provides better performance when compared to VHD(x). Microsoft preformed a comparison test between VHDX and CIM where they mounted 500 files in each format, each file being 300 MB. With the following results:

SpecsVHDCimFS
Average mount time356 ms255 ms
Average unmount time1615 ms36 ms
Memory consumptions6% (of 8 GB)2% (of 8 GB)
CPU (count spike)Maxed out multiple timesNo impact

As you can see the load on the machine with CIMFS is significantly lower than when compared to the mounting of VHD’s. This information was shared during the Windows Virtual Desktop masterclass. Microsoft host these sessions every few month and are free to follow, so make sure to sign up for the next one! The sessions are always packed with information and new announcements. That begin said let see how to create a CIM file.

Prerequisites

Creating CIM file

The MSIXMGR tool has some handy functionalities backed in. Extracting a MSIX to a VHDx there were many steps involved like creating a VHDx file, mounting and extracting the MSIX and dismounting the disk again. The MSIXMGR tool automates these steps. Now we are going to generate the CIM files but the same steps can be used for the creation of VHD(x) files.

  • Open Command prompt in elevated mode
  • Navigate to the MSIXMGR location (c:\temp\msixmgr)
  • Run the following command
msixmgr.exe -Unpack -packagePath "C:\Users\Stephan\Desktop\ CitrixReceiver_3.0.1.0_x64__v1hrd262mcs5e.msix" -destination c:\temp\output\CitrixReceiver_3.0.1.0_x64.cim -applyacls -create -vhdSize 100 -filetype “CIM” -rootDirectory apps

In c:\temp\output you will find all the different .cim files. You will need all the files for in order to make this work.

If you don’t want to use CIM and just a VHDx file you can use the same command but simply replace cim with VHD(x).

msixmgr.exe -Unpack -packagePath "C:\Users\Stephan\Desktop\ CitrixReceiver_3.0.1.0_x64__v1hrd262mcs5e.msix" -destination c:\temp\output\CitrixReceiver_3.0.1.0_x64.vhdx -applyacls -create -vhdSize 100 -filetype “VHDX” -rootDirectory apps

MSIX App Attach

Copy all the .cim files you created to the file share that have been set up for MSIX App Attach.

In the Azure Portal go to your host pool and select MSIX Packages. Choose Add and provide the UNC path to the cim file. In my case this is \\man-0\appattach\CitrixReceiver_3.0.1.0_x64.cim. Make sure to put the State on Active.

640640Add MSIX App Attach Package

Go to your Application Group settings. Here you have two options. The first option is to include the application in the Default Desktop application group. The application will be available to the users when he signs in. Or you can create a remote application group which will only provide the remote app. In my case I will be using the default desktop group. So select the group, choose Applications and choose Add. From the dropdown you can select the newly added application. In my case this is Citrix Workspace. Make sure the assign the application group to you users.

To test sign in on the host pool where you should now see the newly added application based!

Other resources

MSIX Filetype Association

Today I received a message from Richard regarding File Associations and MSIX packages. Great question, lets figure it out.

Hi Stephan,

I created an MSIX app attach for Workspace App and deployed/attached it to my WvD servers.

The Workspace app is visible/available when i login to WvD , i can launch the Citrix Workspace app so it is working. But….. if I connect to a citrix storefront server I get a .ICA file from the server but seems there is no extention relationship with the Workspace App……. and if i search for an app to my computer to open the ICA file the Workspace app does not appear in the available App list??

Richard

So its true that by default an MSIX package doesn’t have file associations by default. In this case installing Citrix workspace using my previous article won’t allow you to open .ica files. Furthermore, you wont be able to associate Workspace with any file extension.

.ica file association with Citrix workspace

So how to fix this? In order to associate your MSIX packages with file extensions you will need to edit the MSIX so called Manifest file. The Manifest file can be edited during the creation of the MSIX package, or you can edit your existing package. When you choose to edit the existing package you will see the option under Package information.

By opening the file you will see an XML file containing information about your package. In order to create file associations such as .ica association you will need to add additional information. Microsoft has created some documentation on how to do this. In our case this means adding the following config in the <Applications> section. Copy the xml code and paste it just before </Application>.

[cc lang=”xml”]




.ica




[/cc]

so it looks like this:

MSIX Manifest file

If you would redeploy your Citrix Workplace, you now should be able to open the .ica file.

Final result

Of course this will work for any file type associations that you would want to make in combination with any application you would want to use.

Update MSIX package with Intune

In my previous blog I showed how easy it was to package and deploy an application using MSIX and Intune. In this blog I want to show how easy it is to update and application. Applications evolve and time to time they get updated with the latest patches or security updates. To update applications with Intune can be challenging. Sometime you have to create a new deployment of an application. This requires you to first uninstall the application, otherwise you would get conflicts.

So for this blog I have the following situation. I have deployed the Citrix Receiver application to my users. The Citrix receiver was been updated and is now the Citrix Workspace application. I want to remove Citrix Receiver and replace this with the new Citrix Workspace application. Let me show you how easy this process is when you use MSIX.

So I have my test machines on which the Citrix Receiver MSIX is deployed.

CitrixReceiver

The fist step is to create a new MSIX package for the Citrix Workspace application. I wont go over all the steps (check out the previous blog). But here it is important that you name your package the same as the application you want to replace. So if you previously deployed an application with the name CitrixReceiver, create a new package with the name CitrixReceiver. Furthermore it is important that you increment the version of your package.

Update_MSIX
Update Name and Versions

When your MSIX package is ready and tested, you can upload it to Intune. Simply go to your previous deployment. In my case this was the CitrixReceiver deployment. Select Properties and go to App package File. Here you can select and upload the new version of your application.

Upload new version of your MSIX package

When the application is finished uploading Intune will redeploy the application to your clients.

MSIX updating to Workspace
Citrix Workspace App is finished updating

Recap

I showed you how easy it was for you to update an existing MSIX application with Intune, by simply redeploying it. Knowing how easy your application management can be, I would encourage everyone to give MSIX a try.

Deploy MSIX with Intune

I think we can all agree that application deployment is probably the most challenging part of an Intune implementation. The wide variety of Line of Business applications and different installation types can give you sleepless nights. It’s true that Microsoft has made some real improvements in application deployment with the support for most applications extensions. But there are always some applications that simply can’t be deployed with Intune or are very hard to deploy and manage.

With the introduction of MSIX I dare to say that you can now practically deploy any application successfully with Intune. In this blog I describe how you can create and deploy an MSIX package with Microsoft Intune.  In this blog I will cover:

  • Create a Self-Signed Certificate (testing purposes)
  • Deploy a certificate with Intune
  • Create a MSIX package
  • Deploy the MSIX package

Please note that in order to install MSIX packages you must enable Application Sideloading.

Create a self-signed certificate

Before you can deploy a MSIX package you need a certificate to sign your package. The signing of a package is a required step in the creation of the package. This is necessary because this is the only way you can assure that package is valid and came from a trusted provider. Preferably you should use a Code Signing certificate from a 3rd party provider. For now I use a self-signed certificate so that the deployment can be tested, but for you production environment I wouldn’t recommend this.

To create a self-signed certificate, you can start PowerShell as an administrator from any VM. Enter the following cmd, where you replace <Your Organisation> with a name of your choosing:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject “CN=<Your Organisation>” -KeyAlgorithm RSA -KeyLength 2048 -Provider “Microsoft Enhanced RSA and AES Cryptographic Provider” -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
Self_Signed-Certificate

To Export the certificate open certmgr, your certificate is located in the Personal Certificates folder. Select the certificate –> all Tasks –> Export. Choose Next –> Yes, Export the private Key –> Choose Next –> For Encryption choose AES265 and enter a Password –> Enter a save location –> and choose Finish. You now have the certificate with a pfx extension.

Export Certificate

We also need a certificate with the cer extension, so run the export Wizard again. Select the certificate –> all Tasks –> Export. Choose Next –> No, do not export the private key –> Choose Next –>   Enter a save location –> and choose Finish.

You now have the certificate to sign your MSIX package and you have a certificate to distribute it via Intune.

Deploy Certificate Using Intune

Before you can install the MSIX package on any machine the certificate to sign the application must be trusted by the machine. Otherwise the application wont start. To install the certificate on the machine we can use Intune to distribute the certificate.

From the Intune Management Portal go to –> Device Configuration –> Profiles and choose Create Profile. Here you enter the name and description of the Profile. For the platform you choose Windows 10 and later, for Profile type select Trusted certificate. In the new blade you select the .cer certificate that you exported. After you created the Profile you than assign the profile to a group with has a test device in it.

Certificate_Intune

Create a MSIX Package

For this blog I wanted to package an application that I had some trouble with in the past, the Citrix Receiver.

I have copied the Citrix Receiver installation file and the pfx certificate to the packaging VM and have launched the MSIX Packaging Tool. Here I want to create a new package, so I select ‘Application Package’.

MSIX_New_Package

Select Create package on this computer and choose Next.  The packaging tool will now check some prerequisites and make sure that the drivers are installed.

MSIX_Prereqs

In the next screen select the installation file. For now, I leave the installer arguments empty. For Signing preference, I select Sign with a certificate. This step is important. If you don’t select a certificate the application won’t be able to install.

MSIX_certificate

Now provide some information for you package. Give your package a Name and a Display name. The Publisher name is provided from the certificate. The display name must be the same as the certificate, if these values don’t match the application won’t install. The installation location is not a mandatory field but is recommended.

MSIX_Information

By clicking next you will now enter the installation stage. The installation of your application will now start.  You can just run through the installation as you normally would. When the installation is completed you can continue by clicking Next.

MSIX_Citrix_Installation

If the application requires any first launch tasks, they can now be performed otherwise press Next and continue Yes, move on. The package will now be created.

MSIX_Capturing

Finally provide a save location for the package and choose Create.

MSIX_Save_Package

Deploy MSIX with Intune

Now that the MSIX package is ready we can start deploying it with Intune. Simply go to the Intune management portal –> Client apps –> Add App. Here you select Line-of-business app. Here you can upload the MSIX package you created.

MSIX_Intune

When you click the app information blade you can see that most of the information is already filled out with the information from the MSIX package. After adding the app, just wait till the application is uploaded. The final step is to assign the application to a group.

After some time check your test machine to confirm that the application is deployed.

MSIX_Installation_Conformation

Recap

As you can see the packaging and distribution of an application with MSIX and Intune is really easy. But it doesn’t stop here, after you deployed one version of the application you might want to provide the application with an update. With MSIX this process is even easier. So in my next blog I will show you can can upgrade the Citrix Receiver application to the new Citrix Workspace application!