MSIX Filetype Association

Today I received a message from Richard regarding File Associations and MSIX packages. Great question, lets figure it out.

Hi Stephan,

I created an MSIX app attach for Workspace App and deployed/attached it to my WvD servers.

The Workspace app is visible/available when i login to WvD , i can launch the Citrix Workspace app so it is working. But….. if I connect to a citrix storefront server I get a .ICA file from the server but seems there is no extention relationship with the Workspace App……. and if i search for an app to my computer to open the ICA file the Workspace app does not appear in the available App list??

Richard

So its true that by default an MSIX package doesn’t have file associations by default. In this case installing Citrix workspace using my previous article won’t allow you to open .ica files. Furthermore, you wont be able to associate Workspace with any file extension.

.ica file association with Citrix workspace

So how to fix this? In order to associate your MSIX packages with file extensions you will need to edit the MSIX so called Manifest file. The Manifest file can be edited during the creation of the MSIX package, or you can edit your existing package. When you choose to edit the existing package you will see the option under Package information.

By opening the file you will see an XML file containing information about your package. In order to create file associations such as .ica association you will need to add additional information. Microsoft has created some documentation on how to do this. In our case this means adding the following config in the <Applications> section. Copy the xml code and paste it just before </Application>.

      <Extensions>
        <uap:Extension Category="windows.fileTypeAssociation">
          <uap3:FileTypeAssociation Name="citrix">
            <uap:SupportedFileTypes>
              <uap:FileType>.ica</uap:FileType>
            </uap:SupportedFileTypes>
          </uap3:FileTypeAssociation>
        </uap:Extension>
      </Extensions>

so it looks like this:

MSIX Manifest file

If you would redeploy your Citrix Workplace, you now should be able to open the .ica file.

Final result

Of course this will work for any file type associations that you would want to make in combination with any application you would want to use.

Windows Virtual Desktop as trusted location for Conditional Access

When using Windows Virtual Desktop the public IP of which you are NATed to the internet changes consistently. In some cases you would want to have the traffic origination the WVD hosts to use the same public IP adress. So that it can be whitelisted to use some external service, or so that it can be used as a trusted location for Conditional Access. This way users can connect to Windows Virtual Desktop and be prompted for MFA, but once they are signed in, in a managed environment they aren’t prompted for MFA again.

Traditionally you could accomplish this setup by using an Azure Load Balancer. I didn’t find this very easy to implement, luckily Microsoft introduced a new service called Virtual NAT Gateway which make this a lot easier to implement. By using a Virtual NAT Gateway you can NAT your outbound connections through one, or more Public IP addresses. This way all the VM’s within a certain subnet of your virtual network will use a dedicated public IP to make outbound connections.

Please note that the Virtual NAT Gateway is still in preview, so I wouldn’t recommend using this in production environments.

To get started you will need a Virtual Network with some subnets, with a Virtual Machine deployed in that Virtual Network.

To create a NAT gateway, you select create resource and look for NAT Gateway.

Select your subscription, resource group and give the NAT Gateway a name and continue to the next step.

Here you can create or select a public IP address, if you need more one PIP you can also choose to create a whole range of PIPs. Notice that the SKU and assignment are Standard and Static, this means that the PIP you select won’t change over time.

Select a virtual network with the subnet(s) you want to associate the NAT Gateway, add tags and Create the NAT Gateway.

After the deployment is ready you can verify your settings by logging into the VM and checking your public IP on a website like https://www.myip.com/

You could then add this IP as a trusted location to use with Conditional Access so users wont have to two-factor authenticate within a WVD session.

Update MSIX package with Intune

In my previous blog I showed how easy it was to package and deploy an application using MSIX and Intune. In this blog I want to show how easy it is to update and application. Applications evolve and time to time they get updated with the latest patches or security updates. To update applications with Intune can be challenging. Sometime you have to create a new deployment of an application. This requires you to first uninstall the application, otherwise you would get conflicts.

So for this blog I have the following situation. I have deployed the Citrix Receiver application to my users. The Citrix receiver was been updated and is now the Citrix Workspace application. I want to remove Citrix Receiver and replace this with the new Citrix Workspace application. Let me show you how easy this process is when you use MSIX.

So I have my test machines on which the Citrix Receiver MSIX is deployed.

CitrixReceiver

The fist step is to create a new MSIX package for the Citrix Workspace application. I wont go over all the steps (check out the previous blog). But here it is important that you name your package the same as the application you want to replace. So if you previously deployed an application with the name CitrixReceiver, create a new package with the name CitrixReceiver. Furthermore it is important that you increment the version of your package.

Update_MSIX
Update Name and Versions

When your MSIX package is ready and tested, you can upload it to Intune. Simply go to your previous deployment. In my case this was the CitrixReceiver deployment. Select Properties and go to App package File. Here you can select and upload the new version of your application.

Upload new version of your MSIX package

When the application is finished uploading Intune will redeploy the application to your clients.

MSIX updating to Workspace
Citrix Workspace App is finished updating

Recap

I showed you how easy it was for you to update an existing MSIX application with Intune, by simply redeploying it. Knowing how easy your application management can be, I would encourage everyone to give MSIX a try.

Deploy MSIX with Intune

I think we can all agree that application deployment is probably the most challenging part of an Intune implementation. The wide variety of Line of Business applications and different installation types can give you sleepless nights. It’s true that Microsoft has made some real improvements in application deployment with the support for most applications extensions. But there are always some applications that simply can’t be deployed with Intune or are very hard to deploy and manage.

With the introduction of MSIX I dare to say that you can now practically deploy any application successfully with Intune. In this blog I describe how you can create and deploy an MSIX package with Microsoft Intune.  In this blog I will cover:

  • Create a Self-Signed Certificate (testing purposes)
  • Deploy a certificate with Intune
  • Create a MSIX package
  • Deploy the MSIX package

Please note that in order to install MSIX packages you must enable Application Sideloading.

Create a self-signed certificate

Before you can deploy a MSIX package you need a certificate to sign your package. The signing of a package is a required step in the creation of the package. This is necessary because this is the only way you can assure that package is valid and came from a trusted provider. Preferably you should use a Code Signing certificate from a 3rd party provider. For now I use a self-signed certificate so that the deployment can be tested, but for you production environment I wouldn’t recommend this.

To create a self-signed certificate, you can start PowerShell as an administrator from any VM. Enter the following cmd, where you replace <Your Organisation> with a name of your choosing:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject “CN=<Your Organisation>” -KeyAlgorithm RSA -KeyLength 2048 -Provider “Microsoft Enhanced RSA and AES Cryptographic Provider” -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
Self_Signed-Certificate

To Export the certificate open certmgr, your certificate is located in the Personal Certificates folder. Select the certificate –> all Tasks –> Export. Choose Next –> Yes, Export the private Key –> Choose Next –> For Encryption choose AES265 and enter a Password –> Enter a save location –> and choose Finish. You now have the certificate with a pfx extension.

Export Certificate

We also need a certificate with the cer extension, so run the export Wizard again. Select the certificate –> all Tasks –> Export. Choose Next –> No, do not export the private key –> Choose Next –>   Enter a save location –> and choose Finish.

You now have the certificate to sign your MSIX package and you have a certificate to distribute it via Intune.

Deploy Certificate Using Intune

Before you can install the MSIX package on any machine the certificate to sign the application must be trusted by the machine. Otherwise the application wont start. To install the certificate on the machine we can use Intune to distribute the certificate.

From the Intune Management Portal go to –> Device Configuration –> Profiles and choose Create Profile. Here you enter the name and description of the Profile. For the platform you choose Windows 10 and later, for Profile type select Trusted certificate. In the new blade you select the .cer certificate that you exported. After you created the Profile you than assign the profile to a group with has a test device in it.

Certificate_Intune

Create a MSIX Package

For this blog I wanted to package an application that I had some trouble with in the past, the Citrix Receiver.

I have copied the Citrix Receiver installation file and the pfx certificate to the packaging VM and have launched the MSIX Packaging Tool. Here I want to create a new package, so I select ‘Application Package’.

MSIX_New_Package

Select Create package on this computer and choose Next.  The packaging tool will now check some prerequisites and make sure that the drivers are installed.

MSIX_Prereqs

In the next screen select the installation file. For now, I leave the installer arguments empty. For Signing preference, I select Sign with a certificate. This step is important. If you don’t select a certificate the application won’t be able to install.

MSIX_certificate

Now provide some information for you package. Give your package a Name and a Display name. The Publisher name is provided from the certificate. The display name must be the same as the certificate, if these values don’t match the application won’t install. The installation location is not a mandatory field but is recommended.

MSIX_Information

By clicking next you will now enter the installation stage. The installation of your application will now start.  You can just run through the installation as you normally would. When the installation is completed you can continue by clicking Next.

MSIX_Citrix_Installation

If the application requires any first launch tasks, they can now be performed otherwise press Next and continue Yes, move on. The package will now be created.

MSIX_Capturing

Finally provide a save location for the package and choose Create.

MSIX_Save_Package

Deploy MSIX with Intune

Now that the MSIX package is ready we can start deploying it with Intune. Simply go to the Intune management portal –> Client apps –> Add App. Here you select Line-of-business app. Here you can upload the MSIX package you created.

MSIX_Intune

When you click the app information blade you can see that most of the information is already filled out with the information from the MSIX package. After adding the app, just wait till the application is uploaded. The final step is to assign the application to a group.

After some time check your test machine to confirm that the application is deployed.

MSIX_Installation_Conformation

Recap

As you can see the packaging and distribution of an application with MSIX and Intune is really easy. But it doesn’t stop here, after you deployed one version of the application you might want to provide the application with an update. With MSIX this process is even easier. So in my next blog I will show you can can upgrade the Citrix Receiver application to the new Citrix Workspace application!

Windows Virtual Desktop Management Tools

Windows Virtual Desktop is probably one of the most anticipated new products of Microsoft. If you haven’t heard from it, I would suggest that you start catching up ;). With the announcement of Scott Manchester GA (General Availability) just became a little bit closer.

There are plenty of blogs about how to set up a WVD tenant and sessions hosts, so I don’ want to go into detail on how to set it up. But if you have set up a WVD tenant you must have noted the lack of management tools. Or actually the absents of management tools, you can’t even find WVD in the Azure portal. Everything is managed with PowerShell, which can be a bit challenging. Microsoft did provide some management options for you but you will have to deploy them manually. They also require you to have an App service plan, which of course will cost you money, but you won’t have to use PowerShell for you management. Nevertheless I hope Microsoft will include these managements functionalities in the Azure Portal, but for now this is your best option.

WVD Management UX

The first management tool I would like to share is the WVD Management UX. The Managment UX helps you to preform basic management tasks. In here you can:

  • Create a New Host Pool
  • Add New Hosts to a Host Pool
  • Allow or block new connections to a host.(If you would like to drain the server for maintenance)
  • Create App groups. You can create App groups for Desktops or you can create App groups for RemoteApp
  • Assign permissions to App groups

Even though this may seem somewhat limited there are some extra functions you can use. However, these basic management tasks will help you a lot in doing day to day management for WVD.

WVD Management UX

If you want to use the WVD Management UX you can deploy it via the Github repository from Microsoft. The deployment will create an App service plan S1-Standard which will cost you around 70 euro/dollar each month.

WVD Diagnostics Tool

The second tool Microsoft has provided is the Diagnostics tool and it has just been released. With the introduction of WVD Microsoft also introduced some new RDS roles. We all know the Connections broker, Gateway, Session Hosts and we all know it was very hard to troubleshoot failing connections. Therefore Microsoft introduced the new Diagnotics role, which is also fully managed by Microsoft.

New Diagnostics role in WVD

Starting with the preview it was only possible to view the diagnostics using PowerShell, luckily Microsoft has made an App so you can troubleshoot using your browser. With the new Diagnostics app you can do the following:

  • Look up diagnostic activities (management, connection, or feed) for a single user over a period of one week.
  • Gather session host information for connection activities from your Log Analytics workspace.
  • Review virtual machine (VM) performance details for a particular host.
  • See which users are signed in to the session host.
  • Send message to active users on a specific session host.
  • Sign users out of a session host.

Unfortunately these functions aren’t available in the Management UX, you’ll have to deploy another application with an new app service plan. Which will cost you 70 euro/dollar extra each month, plus the additional storage for the log files. The deployment is pretty straightforward, Microsoft will guide you through the steps.

Example of diagnostics logging
Example of VM diagnostics
Here you can log off users and send them messages.

Azure Files with ACLs

Azure files is a file share as a service that you host on Azure. You can mount the file share to a server so that you get an extra file share without having to physically extend the storage of that server. This is especially handy when you want to go through the transition of moving from IAAS to SAAS. In a cloud only environment Azure files would be preferable over and VM which is configured as a file server. Azure Files is also the preferred location for saving your FSLogix profile containers, when using Windows Virtual Desktop.

All in all this sounds pretty good, but Azure files also had a downside. Azure Files had until now no support for Access Control Lists, meaning that setting more advanced permissions on files and folders was not possible. Until now! Microsoft announced the General Availability of the support of ACL’s on Azure File shares. This enables you to set advanced permissions on files and folders.

To make this work, this is what you need:

  • Set up Azure AD Domain Services
  • A Virtual Machine that is joined to Azure Active Directory Domain Services. Active Directory is not supported!
  • A Storage Account where you enable Azure Active Directory Domain Services (Azure AD DS) for the Identity-based Directory Service for Azure File Authentication
  • Set the general permissions to the share. You can compare this with the share settings in Windows.

You need Azure AD Domain Services for you authentication, since the file share make use of Kerberos authentication and your Azure AD doesn’t support Kerberos.

Azure File authentication

You can create a new storage account or use an existing storage account. All you need to do is configure Identity-based Directory Service for Azure File Authentication to Azure Active Directory Domain Services (Azure AD DS).

Set the authentication option to AADDS

Set the Access permissions on the share. You can compare this with the share settings in Windows, where you would set global share permissions and then set NTFS permissions for more detailed permissions. Microsoft introduced three new roles for this.

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

After that just mount your share to the VM and you can set permissions!

Configure Windows 10 Web sign in

With the arrival of Windows 10 1809, Microsoft introduced a new way to sign in to your PC. Besides a pin, password or biometric authentication they introduced Web-sign in . This feature enables Windows logon support for identity provides like SAML. Web sign-in enables you to set multifactor authentication before signing in to Windows. Even though you cannot set the Web-sign-in as the default authentication method yet, I’m sure that this will become possible in the future.

In this blog I will show you how to enable Web sign-in, using Intune. This is what you need:

  • A test device with Windows 10 1809.
  • The test device needs to be Azure AD Joined.
  • An Azure AD group with the test device as member.
  • An Intune license assigned to a user. I’m using a test user with an EMS E5 License, but any Intune license will do.

To enable Web sign-in you will need to create a Device configuration Profile. So, sign into the Azure Portal and go to the Intune blade, where you select “Device Configuration” and “Profiles”.

Click “Create Profile”. Enter a name and for Platform choose Windows 10 and later. For Profile Type you will need to select Custom.

At the OMA-URI Settings click add and enter the following values (reference link):

Name: Web Sign In
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data Type: Integer
Value: 1

Click OK and click OK at the OMA-URI settings, finally choose create. The policy is now created.

Now you will need to assign the policy to a group with your test device(s).

Testing the policy

Wait before the policy is applied to your test machine. This could take a while but try to reboot your test device occasionally this could help. After you see the policy is applied you can go to the logon screen of your device. If you choose Sign-in options, you should see a new icon for Web sign-in.

Select the Icon and choose Sign in. This will take you to the web sign-in page of Microsoft where you need to authenticate with your password. If you require MFA there will also be an MFA challenge at this point.

When you passes the MFA challenge the user will be signed in.

I think this feature has a lot of potential. I often get the question whether it is possible to enable MFA for Windows. However the feature is not ready yet. I find the sign in process slow if you are used to a pin or facial recognition. Further more Web sign-in is not supported in the Multi Factor Unlock feature with Windows Hello For Business.

Enabling Microsoft teams for Microsoft 365 F1 users

Recently I had to implement the Microsoft 365 F1 plan for a case. The idea was to first create a demo so that I could show the different features. One of the things I wanted to show was Microsoft Teams. So, I created a couple of test users and assigned them licenses. Some got the Microsoft 365 F1 license, others got an E3 license. I wanted to create some teams and assign members to the teams. Everything went well until I used a Microsoft 365 F1 user to log in to teams.microsoft.com. Suddenly I got the message: You’re missing out! Ask your admin to enable Microsoft Teams for

This was unexpected for me since I already made some teams successfully using accounts which had an E3 license. Furthermore, Microsoft Teams is available for F1 users. After some searching it became clear to me that you must enable Teams for F1 users.

This is how you enable Teams for Microsoft 365 F1 users (please note that the Teams admin center is being moved to the new Microsoft Teams & Skype for Business admin center.  So, things could have changed):

Log in to admin center and go to Settings and select Services & add-ins.

Select Microsoft Teams.

 

Under Settings by User/License type use the drop-down menu to select Deskless Worker (Kiosk).

Here you can turn on Microsoft Teams

After enabling Teams for Deskless Worker (kiosk) the user with the Microsoft 365 F1 license could open.

Office 365 Proplus 2019 not suppoted in 2019 VDI environments

EDIT: Microsoft announced that Office ProPlus will be supported on Windows Server 2019  
https://www.microsoft.com/en-us/microsoft-365/blog/2019/07/01/improving-office-app-experience-virtual-environments/

One of the biggest announcements of Ignite was the Windows Virtual Desktop. There have been many articles about this new product, and it looks very promising. It enables a full Windows 10 desktop environment which is, among other things, optimized for Office Pro Plus. Microsoft is really committing towards this new product, which means that support of other environments decreases.

In the presentation of Sandeep Patnaik and Gama Aguilar-Gamez they talked about Office 365 ProPlus deployments in persistent and non-persistent virtualized environments. One of the announcements they made, was that Office 365 ProPlus 2019 will not be supported on Windows server 2019. So, if you plan to update your RDS environment to Windows server 2019 and plan to use Office 365 ProPlus 2019 Licenses you might want to think again.

Office 365 2019 ProPlus support matrix

You will be able to install the perpetual version of Office 2019 on Windows server 2019. However, you will not get all the nice features of Office 2019 as you will get with Office 365 ProPlus 2019. So, if you want to use Office 365 ProPlus 2019 on an virtual environment you must move over to Windows Virtual Desktop, or stay at Windows server 2016 which will be fully supported till 2025.

Remove User from all online groups

Recently I needed to get an overview of the group memerships for an user. More specifically the group memberships of all the online groups. I figured that it probably pretty easy to get an overview since for Active Directory you can use Get-ADPrincipalGroupMembership. So I my guess was that there would be a similar command for the online groups, something like Get-MsolPrincipalGroupMembership or maybe Get-AzureADPrinicpalGroupMembership. To my surprise it turned out that there is no similar command for Get-AdPrincipalGroupMembership for online groups.

Either way I still needed the overview and to remove to user from all of its groups. So I created a PowerShell script to scan all the groups for that user. If the user was a member in the group it would be removed.

I wanted to share the script since I think it can come in handy in a lot of occasions. So I put in a little bit of extra effort to create a script that can provide an overview of all the groups and remove the groups.

You can download the script here.

Before you can use the script you will need to connect to Exchange online.

You can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName “example@domain.com” to get an overview of all the groups that the user is a member of.

If you want to remove the user from all those groups you can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName “example@domain.com” -Remove $true

If you have any questions about the script please leave a comment.

&lt;#
.SYNOPSIS
This script will output all de distribtion and security groups a user is member of.
With the switch -Remove the script will remove the user from those groups.

.NOTES
Author: Stephan van de Kruis
First Creation Date: 2018-02-04
.EXAMPLE
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com"
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com" -Remove $true

.PARAMETER UserPrincipalName
The UserPrincipalName of a user (e.g. 'example@domain.com')

#&gt;

[CmdLetBinding()]
param(
[Parameter(Mandatory = $true)]
[String]$UserPrincipalName,

[Parameter(Mandatory = $false)]
[boolean]$Remove = $true
)

####
#Look for user in distribution and security groups
####

if(!$Remove){
try {
$OnlineUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$DistributionGroups = Get-DistributionGroup -ResultSize 5000 | Where-Object {$_.IsDirSynced -eq $False}

foreach ($DistributionGroup in $DistributionGroups) {
if(Get-DistributionGroupMember -Identity $DistributionGroup.Name | Where-Object PrimarySmtpAddress -eq $UserPrincipalName) {
Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "An error occurred"
Write-Output $_.Exception.Message
}

try {
$SecurityGroups = Get-MsolGroup -GroupType Security -MaxResults 5000 | Where-Object {$_.LastDirSyncTime -eq $null}

foreach ($SecurityGroup in $SecurityGroups){
if (Get-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId | Where-Object ObjectId -eq $OnlineUser.ObjectId ){
Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "An error occurred"
Write-Output $_.Exception.Message
}
}

####
#Removing user from distribition and security groups
####
if($Remove){

try {
$OnlineUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$DistributionGroups = Get-DistributionGroup -ResultSize 5000 | Where-Object {$_.IsDirSynced -eq $False}

foreach ($DistributionGroup in $DistributionGroups) {
if(Get-DistributionGroupMember -Identity $DistributionGroup.Name | Where-Object PrimarySmtpAddress -eq $UserPrincipalName) {
Remove-DistributionGroupMember -Identity $DistributionGroup.Name -Member $OnlineUser.UserPrincipalName -BypassSecurityGroupManagerCheck -Confirm:$false
Write-Output "Info: $($OnlineUser.DisplayName) removed from the online group $($DistributionGroup.Name)"
}
}
}
catch {
Write-Output "Error: Removing the user from the distribution group failed"
Write-Output $_.Exception.Message
}

try {
$SecurityGroups = Get-MsolGroup -GroupType Security -MaxResults 5000 | Where-Object {$_.LastDirSyncTime -eq $null}

foreach ($SecurityGroup in $SecurityGroups){
if (Get-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId | Where-Object ObjectId -eq $OnlineUser.ObjectId ){
Remove-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId -GroupMemberObjectId $OnlineUser.ObjectId -GroupMemberType User
Write-Output "Info: $($OnlineUser.DisplayName) removed from online group $($Securitygroup.DisplayName)"
}
}
}
catch {
Write-Output "Error: Removing the user from the security groups failed"
Write-Output $_.Exception.Message
}
}