After I had set up a small test lab for Azure Virtual Desktop, it was time to play a little bit with the MSIX App Attach functionality that Azure offers. However, after my virtual machine was created, when I went into the host pool to add an MSIX package, the following error (code 400) appeared:
“MSIX Image path error: The MSIX Application metadata expand request failed on all session hosts that it was sent to. Error: virtual disk not found at…”
My first thought was that the digital certificate was not installed properly, so I went and installed the MSIX certificate on my machine, but with no luck. After that I checked and confirmed the following:
- Domain-joined AVD – checked
- AADS on tenant and RG – checked
- Sync between AADS and AAD – checked
- Host pool for AVD configured – checked
- Azure Virtual Storage for MSIX app attach – checked
- All rights and permissions applied on VM, VS, app pool, etc. – checked
- AVD VM with login on AD account – checked
- Azure Virtual Storage mapped via AAD on VM – checked
- Azure Virtual Storage NTFS rights on VM – checked
- MFA disabled – checked
- MSIX app attach ready – FAIL
After some digging around, I found the following troubleshooting video. I went through all the permissions on the blob once more to confirm they were applied correctly, again without success. The one thing I didn't want to add was a DC in my environment. To be honest, paying $130 a month for a simple DC was mind-blowing for me, so I dug a bit deeper.
What I found out is that when Azure pushes the MSIX package to the session host, it does so under the NT AUTHORITY\SYSTEM account. So we can test quite easily whether this account has access to the file share. First, download PsExec (Microsoft Sysinternals) and copy it to your virtual machine. Next, open CMD as an administrator and type the following command:
psexec.exe -s -i powershell.exe
Once the new window appears, type this command:
Test-Path -Path "yourtestpath"
If the result is False, the SYSTEM account does not have permission to access the share. I tried to modify the NTFS permissions by adding every possible group or entity, but with no luck. After that, I realized that Azure provides a script to connect to the storage share using a storage account key. All you need to do is navigate to the storage account in the Azure portal, click "Connect", then select "Storage account key":
Copy the script into a new .ps1 file on the virtual machine and open CMD as an administrator again. This time type the following:
psexec.exe -s -i cmd
In the new CMD window that appears, run the following command:
powershell.exe -ExecutionPolicy Bypass -File "yourfile.ps1"
Now, if we repeat the earlier test from the same SYSTEM-context PowerShell window and run:
Test-Path -Path "yourtestpath"
the result should be True.
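The steps above can be combined into a single check-and-fix script. The following is an added example written for this post; it is neither the script the Azure portal generates nor anything from the original article. It assumes it is launched from the `psexec.exe -s -i powershell.exe` session described above, and the storage account name, share name and key are placeholders you must replace. Storing the key with `cmdkey` is the same mechanism the portal's "Connect" script uses; doing it while running as SYSTEM is what puts the credential where the app attach expand request can use it.

```powershell
# Added example (not from the original post): verify that the SYSTEM account can
# reach the MSIX app attach file share and, if it cannot, register the storage
# account key in SYSTEM's own Credential Manager so the UNC path becomes reachable.
# Run this inside "psexec.exe -s -i powershell.exe" on the AVD session host.

param(
    [string]$StorageAccount = '<storageaccount>',      # placeholder: your storage account name
    [string]$Share          = '<share>',               # placeholder: file share holding the VHD/CIM images
    [string]$AccountKey     = '<storage-account-key>'  # placeholder: key from portal "Access keys"
)

# Who are we? App attach runs as SYSTEM, so the test is only meaningful from that context.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($identity -ne 'NT AUTHORITY\SYSTEM') {
    Write-Warning "Running as '$identity', not SYSTEM. Start this via 'psexec.exe -s -i powershell.exe' to see what app attach sees."
}

# Azure Files endpoint and UNC path ($host is reserved in PowerShell, hence $fileHost).
$fileHost = "$StorageAccount.file.core.windows.net"
$unc      = "\\$fileHost\$Share"

# 1. SMB needs TCP 445 to the storage endpoint; no credential fixes a blocked port.
$tcp = Test-NetConnection -ComputerName $fileHost -Port 445 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $fileHost is not reachable; check the NSG / outbound firewall first."
}

# 2. Baseline: can SYSTEM already see the share (same check as Test-Path in the post)?
if (Test-Path -Path $unc) {
    Write-Output "SYSTEM can already reach $unc - no change needed."
    return
}
Write-Output "SYSTEM cannot reach $unc - registering the storage account key for this account."

# 3. Store the key in the SYSTEM account's Credential Manager (what the portal script does).
#    Azure Files expects the user name in the form localhost\<storageaccount>.
cmdkey.exe /add:$fileHost /user:"localhost\$StorageAccount" /pass:$AccountKey | Out-Null

# 4. Show the stored entry and re-run the access test.
cmdkey.exe /list:$fileHost
if (Test-Path -Path $unc) {
    Write-Output "SYSTEM can now reach $unc - retry adding the MSIX package in the host pool."
} else {
    Write-Output "Still no access to $unc - check the share name, the key, and the storage firewall rules."
}
```

The credential lands in the SYSTEM profile, so it is not visible from a normal admin session's `cmdkey /list`; open another `psexec -s` shell to inspect or remove it (`cmdkey /delete:<storageaccount>.file.core.windows.net`). Because this grants SYSTEM on the session host full access through the account key, rotating the key in the portal breaks app attach until the script is run again with the new value.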
And now, if we navigate into Azure and add an MSIX package, everything should work:
As a disclaimer, this is not the perfect way to solve the problem; it should be investigated at the AAD level, but because of my limited time this worked quite well for me.