Last week I received a question from the community, asking me whether it’s possible to grant users in Host Pool B access to a specific application installed on a Session Host of Host Pool A through Windows Virtual Desktop, and I thought it could be a good topic for a new blog post!
First of all, the possible setting and use case:
Generally, we allow a user access to one or multiple resources on WVD. This can be a Desktop in a pooled or personal version, or just a Remote App if we only want to grant access to that app.
Desktops and Apps can be accessed through the specific clients (Remote Desktop Client) or through the Web Browser. The easiest ways of making an app available from within a WVD Session would be to:
- Install the application
- Deploy the app through a software deployment tool (e.g. Microsoft Endpoint Configuration Manager)
- Package and assign the app as an MSIX package
- Install the Remote Desktop App within a Session Host to access an app from another Host Pool
Generally, I prefer to install the app or deploy it through our preferred software deployment tool, but in some cases this is simply not possible. An example could be a legacy application that can only be installed on a specific machine.
In this blog I’ll cover the case where an app can’t be reinstalled and we need to grant access somehow to that specific Host Pool, so we need to make sure the app is reachable from within that session of Session Host 01 (left side of the schema). The application (in my example Visual Studio Code) is installed on a Session Host of Host Pool 02.
Step 1: Install the Remote Desktop App within Host Pool 01
Honestly, I thought this would produce some issues, but actually, the installation process went very well.
1. Log on to the Session Host/s where you want to install the app. Make sure you are local Admin when connecting (with Domain Admins, I experienced issues).
2. I’ve downloaded the latest Remote Desktop App from the Microsoft site.
   Link here – 64 Bit | Link here – 32 Bit
3. I followed the steps of the installation wizard and selected to install the app for all users of the machine (per-machine mode).
4. I finished the installation process and was able to find the app in the start menu.
Step 2: Create a new Application Group with the required app inside
The next step is pretty straightforward. We just need to create a new application group in our Host Pool 02 and assign the users to it.
1. Navigate to Windows Virtual Desktop in your Azure tenant and select “Application Groups”. Click on Add to create a new one.
2. Enter the Resource Group and select the Host Pool that contains the Session Host with your required application. Give the Application Group a name and continue.
3. Select the app/s you would like to add, click save and continue to the assignments.
4. In my case I select only one user for test purposes. Keep in mind, you can also choose Azure AD Groups for more users.
5. Select the workspace you want to assign the App Group to. Keep in mind “cross-workspace-assignments” are not supported. This means you can’t add an App Group (containing apps from Host Pool B) and assign those resources to a Workspace that contains resources from Host Pool A.
6. Click on Review + create to complete the job and to create a new app group with proper assignment.
7. Finally, you’re able to see the Remote App within your existing session on Session Host A. But keep in mind, the user can also see all the other connections they have access to!
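The portal steps of Step 2 can also be scripted. The following is an added example, not part of the original post, using the Az.DesktopVirtualization PowerShell module; the resource names, the Azure AD group and the VS Code install path are assumptions. It assigns an Azure AD group instead of single users, blocks command-line arguments for the published app and lists who ends up with access.

```powershell
# Added example (not from the original post): scripted equivalent of Step 2.
# Every name below is a placeholder/assumption; replace it with your own value.
#Requires -Modules Az.DesktopVirtualization, Az.Resources
$ErrorActionPreference = 'Stop'

$rg        = 'rg-wvd'                 # placeholder resource group
$hostPool  = 'HostPool02'             # pool whose Session Host has the app installed
$appGroup  = 'HP02-VSCode-RemoteApp'  # placeholder application group name
$workspace = 'ws-hostpool02'          # placeholder workspace without Host Pool 01 resources
$aadGroup  = 'WVD-VSCode-Users'       # placeholder Azure AD group
$appPath   = 'C:\Program Files\Microsoft VS Code\Code.exe'  # assumed install path

$pool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool

# 1) RemoteApp application group bound to Host Pool 02
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup `
    -Location $pool.Location -HostPoolArmPath $pool.Id `
    -ApplicationGroupType 'RemoteApp' -FriendlyName 'VS Code (Host Pool 02)'

# 2) Publish only the one executable; users cannot append their own arguments
New-AzWvdApplication -ResourceGroupName $rg -GroupName $appGroup -Name 'VSCode' `
    -FilePath $appPath -IconPath $appPath -IconIndex 0 `
    -CommandLineSetting 'DoNotAllow' -ShowInPortal:$true `
    -FriendlyName 'Visual Studio Code' | Out-Null

# 3) Assign a single Azure AD group, scoped to this application group only
$group = @(Get-AzADGroup -DisplayName $aadGroup)
if ($group.Count -ne 1) { throw "Expected exactly one group named '$aadGroup'." }
New-AzRoleAssignment -ObjectId $group[0].Id `
    -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $appGroup -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# 4) Register the application group with its workspace
Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $workspace `
    -ApplicationGroupPath $ag.Id | Out-Null

# 5) Review who can reach the app (includes assignments inherited from parent scopes)
Get-AzRoleAssignment -Scope $ag.Id |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The last command is worth re-running after any change, because role assignments inherited from the resource group or subscription also grant access to the published app.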
Alternative A: Use MSIX package of the Remote Desktop App
A very nice experiment I’ve started is to package the Remote Desktop App in the “per-machine” mode as an MSIX package to be used with App Attach. This simplifies the deployment and ensures that not every user gets access to the app. In a small video demonstration, I’ll show you how to perform these steps.
But before you start make sure you fulfill the following prerequisites:
- At least Windows 10 2004 or the latest Insider Preview
- Hyper-V PowerShell Tools installed
- Installation of MSIX Packaging Tool through Microsoft Store – Link here
- MSIX Commander download – Link here
- Signing certificate created for MSIX (self-signed used in this demo; it needs to be imported on all Session Hosts this app is to run on)
I hope this tutorial was helpful for you if you come across a situation like the one mentioned above! I just want to add that you have to keep in mind that this solution might work well technically, but there could be interferences with your connection or network latency. This needs to be validated depending on how many applications/connections you plan to implement with this solution.
As always, I’m happy to help if you have any questions.
Feel free to reach out to me via Social Media or comment below!