Deliver MSIX and AppAttach packaged applications (Preview)
The Citrix Personalization for App-V components have been enhanced to add support for launching applications contained in MSIX packages or MSIX packages mounted onto AppAttach disks.
This feature is supported in the Citrix Virtual Apps and Desktops service only. It is not possible to import MSIX packages and AppAttach disks into an on-prem CVAD instance. Staging of MSIX packages (and therefore launching) requires that side-loading is enabled on the VDA. Citrix does not attempt to enable this automatically. To enable side-loading, either configure the appropriate group policy in your environment or manually modify the registry key on you base images. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx DWORD value AllowAllTrustedApps=1
The Citrix Virtual Apps and Desktops service can now deliver packaged applications to your endpoints using the following methods:
- App-V Single admin management method (accessing App-V packages from a network share)
- App-V Dual admin management method (accessing packages from a Microsoft App-V Management Server)
- MSIX (accessing MSIX packages from a network share)
- MSIX AppAttach (accessing MSIX packages mounted onto an AppAttach disk from AzureFiles or an On-prem network share)
The process of registering application packages and Microsoft App-V Management, and Publishing Servers with the Application Library using the Citrix Virtual Apps and Desktops service differs slightly from registering packages using an on-premises deployment. However, the process of assigning applications to users and launching them on a user’s endpoint is identical.
Using packaged applications with Citrix Virtual Apps and Desktops service
Microsoft’s application packaging technology lets you deploy, update, and support applications as services. Users access applications without installing them on their own devices. Packaging subsystems and Microsoft User State Virtualization (USV) provide access to applications and data, regardless of location and connection to the internet. The following table lists supported versions.
|Packaging technology||Citrix Virtual Apps and Desktops Delivery Controller||Citrix Virtual Apps and Desktops VDA|
|App-V 5.0 and 5.0 SP1||XenDesktop 7 through current, XenApp 7.5 through current||7.0 through current|
|App-V 5.0 SP2||XenDesktop 7 through current, XenApp 7.5 through current||7.1 through current|
|App-V 5.0 SP3 and 5.1||XenDesktop 7.6 through current, XenApp 7.6 through current||7.6.300 through current|
|App-V (5.2) in Windows 10 1607 or later, Windows Server 2016, and Windows server 2019||XenDesktop 7.12 through current, XenApp 7.12 through current||7.12 through current |
|MSIX on Windows 10 and Windows Server 2019||CVAD Service 2106||2106 through current |
|AppAttach on Windows 10 20H2 or later||CVAD Service 2106||2106 through current |
 The Microsoft App-V (5.2) client is included as part of the OS on Windows 10 version 1607 and later, Windows Server 2016 and Windows Server 2019. On these systems the App-V client does not need to be installed separately, but it must be enabled with the PowerShell command
Enable-AppV. The App-V client is not included and cannot be installed on any Server OS later than Windows Server 2019 (based on Server Core).
 MSIX is not supported on any Windows Server based operating system later than Windows Server 2019 (based on Server Core). Multi-session versions of desktop OS’s from Windows 10 20H2 and later are only available when hosted in a Microsoft Azure environment.
 AppAttach is not supported on any Windows Server based operating systems. Multi-session versions of desktop OSs from Windows 10 20H2 onwards are only available when hosted in a Microsoft Azure environment.
Packaged application integration support includes using SMB shares or AzureFiles shares for applications. The HTTP protocol is not supported. If you are not familiar with App-V, MSIX, or AppAttach see the Microsoft documentation.
The following is a summary of the App-V components mentioned in this article:
- Management server. Provides a centralized console to manage App-V infrastructure and delivers virtual applications to both the App-V Desktop Client and a Remote Desktop Services Client. The App-V management server authenticates, requests, and provides the security, metering, monitoring, and data gathering required by the administrator. The server uses Active Directory and supporting tools to manage users and applications.
- Publishing server. Provides App-V clients with applications for specific users, and hosts the virtual application package for streaming. It fetches the packages from the management server.
- App-V Client. Retrieves virtual applications, publishes the applications on the client, and automatically sets up and manages virtual environments at runtime on Windows devices. You install or enable the App-V client on the VDA, where it stores user-specific virtual application settings such as registry and file changes in each user’s profile.
Applications are available seamlessly: the necessary runtime configuration and publishing is automatically taken care of by the VDA components in conjunction with the appropriate packaging technologies APIs. You can launch packaged applications from Server OS and Desktop OS Delivery Groups depending on the specific technology:
- Through Citrix Workspace app
- Simultaneously by multiple users on multiple devices
- Through Citrix StoreFront
Modified application properties are implemented when the application is started. For example, for applications with a modified display name or customized icon, the modification appears when users start the application. For App-V packages, application customizations saved in dynamic configuration files are also applied when the application is launched.
You can use App-V packages and dynamic configuration files created with the App-V sequencer and then located on either App-V servers or network shares.
App-V servers: Using applications from packages on App-V servers requires periodic refreshing of Studio’s snapshot view of the App-V server’s state. This incurs hardware, infrastructure, and administration overhead. The service management console in Citrix Cloud (Cloud Studio) and the App-V servers must remain synchronized, particularly for user permissions.
This is called the dual admin management method because App-V package and application access requires both Cloud Studio and the App-V server consoles. This method works best in closely coupled App-V and Citrix Cloud deployments. In this method, the management server handles the dynamic configuration files. When you use the dual admin management method, the Citrix App-V components manage the registration of the appropriate publishing server required for an application launch. This ensures that the publishing server is synchronized for the user at the appropriate time. The publishing server maintains other aspects of the package life cycle (like refresh on logon and connection groups) using the settings that it is configured with.
Network share: Packages and XML deployment configuration files placed on a network share remove Cloud Studio’s dependence on the App-V server and database infrastructure, reducing overhead. (You must install the Microsoft App-V client on each VDA.)
This is called the single admin management method because App-V package and application use only needs the Cloud Studio console. You identify packages on the network share and upload the metadata for one or more App-V packages from that location to the Site-level Application Library . In this method, the Citrix App-V components process the Deployment Configuration Files and User Configuration Files when the application is launched. When you use the single admin management method, the Citrix App-V components manage all aspects of the Package’s life cycle on the host machine. Packages are added to the machine at broker startup, or when a configuration change is detected (which can also be at session launch time). Packages are first published to individual users on demand ‘just in time’ when a launch request is received from the Citrix Workspace app.
Single Admin also manages the lifecycle of connection groups required to meet the Isolation Group configuration definitions made in Studio.
 Application Library is a Citrix term for a caching repository that stores information about application packages. The Application Library also stores information about MSIX packages and AppAttach disks, which can be thought about in the same way as single admin App-V.
In both management methods, if the VDA is configured to discard user data, the publishing (or synchronizing) must be redone at the next session launch.
You can use one or both management methods simultaneously. In other words, when you add applications to Delivery Groups, the applications can come from App-V packages located on App-V servers or on a network share.
If you are using both management methods simultaneously, and the App-V package has a dynamic configuration file in both locations, the file in the App-V server (dual management) is used.
When you select the App Packages node in the Cloud Studio navigation pane, the display shows App-V package names and sources. The source column indicates whether the packages are being referenced by the Single Admin or Dual Admin Library. When you select a package, the details pane lists the applications and shortcuts in the package.
Dynamic configuration files
App-V packages can be customized using dynamic configuration files, that when applied to the package, can be used to change its characteristics. For example, you can use them to define extra application shortcuts and behaviors. Citrix App-V supports both types of dynamic configuration file. File settings are applied when the application is launched:
- Deployment Configuration Files provide machine-wide configuration for all users. These files are expected to be named <packageFileName>_DeploymentConfig.xml and located in the same folder as the App-V package they apply to. Supported by single and dual admin management.
- User Configuration Files provide user-specific configuration which supports per-user customizations to the package. Single Admin supports user config files named in the following format: <packageFileName>_[UserSID | Username | GroupSID |GroupName_]UserConfig.xml and located in the same folder as the App-V package they apply to.
When multiple user config files exist for a particular package, they are applied with the following priority:
- User SID
- AD Group SID (First found wins)
- AD Group Name (First found wins)
MyAppVPackage_S-1-5-21-000000001-0000000001-000000001-001_UserConfig.xml MyAppVPackage_joeblogs_UserConfig.xml MyAppVPackage_S-1-5-32-547_UserConfig.xml MyAppVPackage_Power Users_UserConfig.xml MyAppVPackage_UserConfig.xml
The user-specific portion of the file name can also optionally occur at the end (for example MyAppVPackage_UserConfig_joeblogs.xml).
Dynamic configuration file location
In single admin management, the Citrix App-V components only process dynamic configuration files which are found in the same folder as their App-V package. When applications in the package are launched, any changes to the corresponding dynamic configuration files are reapplied. If your dynamic configuration files are located in a different location to their packages, use a mapping file to map packages to their deployment configuration files.
To create a mapping file
- Open a new text file.
For each dynamic configuration file, add a line which specifies the path to the package using the format <PackageGuid> : path.
F1f4fd78ef044176aad9082073a0c780 : c:\widows\file\packagedeploy.xml
- Save the file as ctxAppVDynamicConfigurations.cfg in the same folder as the package. The entire directory hierarchy on the same UNC share as the App-V package is searched recursively upwards for this file every time an application in the package is launched.
You cannot apply changes to Dynamic Deployment Configuration when there are user sessions with an application in the package open. You can apply changes to Dynamic User Configuration files if other users but not the current user have the an application from the package open.
When you use the App-V single admin method, creating isolation groups allow you to specify interdependent groups of applications that must run in the sandbox. This feature is similar, but not identical to, App-V connection groups. Instead of the mandatory and optional package terminology used by the App-V management server, Citrix uses automatic and explicit for package deployment options.
- When a user launches an App-V application (the primary application), the isolation groups are searched for other application packages that are marked for automatic inclusion. Those packages are downloaded and included in the isolation group automatically. You do not need to add them to the Delivery Group that contains the primary application.
- An application package in the isolation group that is marked for explicit inclusion is downloaded only if you have explicitly added that application to the same Delivery Group that contains the primary application.
This allows you to create isolation groups containing a mix of automatically included applications that are available globally to all users. Plus, the group can contain a set of plug-ins and other applications (that might have specific licensing constraints), which you can limit to a certain set of users (identified through Delivery Groups) without having to create more isolation groups.
For example, application “app-a” requires JRE 1.7 to run. You can create an isolation group containing app-a (with an explicit deployment type) and JRE 1.7 (with an automatic deployment type). Then, add those App-V packages to one or more Delivery Groups. When a user launches app-a, JRE 1.7 is automatically deployed with it.
You can add an application to more than one App-V isolation group. However, when a user launches that application, the first isolation group to which that application was added is always used. You cannot order or prioritize other isolation groups containing that application.
Load balancing App-V servers
Load balancing management and publishing servers using DNS Round-Robin is supported if you are using the dual admin management method. Load balancing the management server behind Netscaler, F5 (or similar) Virtual IP is not supported because of the way Studio needs to communicate with the Management Server via remote PowerShell. For more information, see this Citrix blog article.
Configuring IIS to host and stream App-V packages
To enable your IIS server to host and stream App-V packages, perform the following steps:
- Open the IIS Manager console. See https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v%3Dvs.90) for instructions.
- Right-click on the website instance you want to use and select Add Virtual directory.
- Type an alias name and the path to where your packages are physically stored on your network.
- Double-click on MIME Types in the central pane, and then right-click anywhere in the window and select Add.
- For file name extension type
.appv, select MIME Type
application/app-v, then click OK.
The following table summarizes the sequence of setup tasks for using App-V in Citrix Virtual Apps and Desktops using single- and dual admin management methods.
|Single admin||Dual admin||Task|
|X||Enable side loading|
|X||X||Packaging and placement|
|X||Configure App-V server addresses in Studio|
|X||X||Install software on VDA machines|
|X||Add App-V packages to the Application Library|
|X||Add App-V isolation groups (optional)|
|X||X||Add App-V applications to Delivery Groups|
Enable the App-V client subsystems by running the PowerShell command
Enable side loading
To stage MSIX packages or AppAttach disks, side loading must be enabled. To enable side loading, modify the following registry key on your base images (or apply the appropriate group policy):
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx DWORD value AllowAllTrustedApps=1
Packaging and placement
For either management method, create application packages using the appropriate sequencer. See the Microsoft documentation for details.
- For single admin management, make the packages, and their corresponding dynamic configuration files (App-V), available on a UNC or SMB shared network location, or on an Azure Files Share. Ensure that the Studio administrator who adds applications to Delivery Groups has at least read access to that location.
- For dual admin management, publish the packages on the App-V management server from a UNC path. (Publishing from HTTP URLs is not supported.)
Regardless of whether packages are on the App-V server or on a network share, ensure the packages have appropriate security permissions to allow the Studio administrator to access them. Network shares must be shared with “Authenticated users” to ensure that both the VDA and the Administrator performing the upload to the CVAD service have read access by default.
Add packaged applications to Citrix Cloud
Use the CVAD Remote PowerShell SDK and Citrix Applicaton Package Discovery Module to import the application packages from on-premises UNC/SMB shares and Azure files to your Citrix Virtual Apps and Desktops service.
The following procedure is valid for adding packages or AppAttach Disks from network shares and adding all published App-V packages from the Microsoft App-V Management Server (dual admin management). With the dual admin management method, you must manage the added App-V packages within the CVAD service and on your App-V Management Servers.
If you previously used GPO policy settings to manage publishing server settings, the GPO settings override any App-V integration settings, including cmdlet settings. This can result in App-V application launch failure. Citrix recommends that you remove all GPO policy settings and then use the SDK to configure those settings.
- Download the CVAD Remote PowerShell SDK and the Citrix Application Package Discovery module as described in Citrix Virtual Apps and Desktops service SDKs and APIs.
- Add the packages to the Application Library in Citrix Cloud using one of the following methods.
To add App-V packages from a network share, run the PowerShell cmdlet
Import-AppVPackageToCloud. For example:
Import-AppVPackageToCloud –PackagePath \\FileServer.MyDomain.com\Share\Notepad++.appv
For cmdlet help, type
To add App-V packages from a Microsoft App-V Management Server, run the PowerShell cmdlet
Import-AppVDualAdminToCloud. For example:
Import-AppVDualAdminToCloud – ManagementSrvUrl AppVMgtSrv.MyDomain.com – PublishingServerUrl AppVPubSrv.MyDomain.com:8001
Note: Both parameters must specify the fully qualified domain name of the server and the Publishing Server must include the port.
For cmdlet help, type
Note: This command imports all published App-V packages from the Microsoft App-V Management Server including management and publishing server meta-data to Citrix Cloud and treats them in the same way as App-V packages discovered using Dual Admin management method in an on-prem environment. If the configuration of the Management Server changes (e.g. new packages are published) the command must be re-run to refresh the meta-data held by AppLibrary.
Note: The command
Import-AppVPackagesFromManagementServerToClouddiscovers App-V packages from a management server and imports them using the single admin management method. It remains included for backwards compatibility but is not recommended for use.
To add MSIX packages from a network share, run the PowerShell cmdlet: Import-MsixPackageToCloud. For example:
Import-MsixPackageToCloud –PackagePath \\FileServer.MyDomain.com\Notepad++.msix
For cmdlet help, type
To add MSIX packages from an AppAttach disk on a network share, run the PowerShell cmdlet
Import-MsixAppAttachToCloud. For example:
Import- MsixAppAttachToCloud –VhdPath \\FileServer.MyDomain.com\Notepad++.vhd
For cmdlet help, type
To add AppAttach disks from an AzureFiles share, run the PowerShell cmdlet
Import-MsixAppAttachToCloud, ensure that the UNC Path is the path exposed by AzureFiles, and that identity-based access is properly configured. For example:
Import- MsixAppAttachToCloud –VhdPath \\FileServer.MyDomain.com\Notepad++.vhd
For cmdlet help, type
- Sign in to Citrix Cloud. Select the target customer. After the script runs successfully, the application packages are added to the Application Library in Citrix Cloud.
Remove application packages from Citrix Cloud
Removing a package from the Application Library removes it from the Cloud Studio Packages node display. However, it does not remove its applications from Delivery Groups, and those applications can still be launched. The package remains in its physical network location. (This effect differs from removing an application from a Delivery Group.)
- Select Configuration > Packages in the Cloud Studio navigation pane.
- Select one or more packages to be removed.
- Select Remove Package in the Actions pane.
Citrix recommends using the PowerShell cmdlets to update App-V server addresses if those servers use non default property values. See the SDK documentation for details. These properties are used on the VDAs to connect to App-V publishing servers.
Install software on VDA machines
Machines containing VDAs must have two sets of software installed to support App-V: one from Microsoft and the other from Citrix.
Microsoft App-V client
This software retrieves virtual applications, publishes the applications on the client, and automatically sets up and manages virtual environments at runtime on Windows devices. The App-V client stores user-specific virtual application settings, such as registry and file changes in each user’s profile.
The App-V client is available from Microsoft. Install a client on each machine containing a VDA, or on the master image that is used in a machine catalog to create VMs. Note: Windows 10 (1607 or greater), Windows Server 2016, and Windows Server 2019 already include the App-V client. On those OSs only, enable the App-V client by running the PowerShell Enable-AppV cmdlet (no parameters). The Get-AppVStatus cmdlet retrieves the current enablement status.
After you install the App-V client, with Administrator permissions, run the PowerShell Get-AppvClientConfiguration cmdlet, and ensure that EnablePackageScripts is set to 1. If it is not set to 1, run Set-AppvClientConfiguration -EnablePackageScripts $true.
Citrix App-V components
The Citrix App-V component software is excluded by default when you install a VDA.
You can control this default behavior during VDA installation. In the graphical interface, select the Citrix Personalization for App-V - VDA check box on the Additional Components page. In the command line interface, use the /includeadditional “Citrix Personalization for App-V – VDA” option.
If you do not include the Citrix App-V components during VDA installation, but later want to use App-V applications: In the Windows machine’s Programs and Features list, right-click the Citrix Virtual Delivery Agent entry and then select Change. A wizard launches. In the wizard, enable the option that installs and enables App-V publishing components.
Add, edit, or remove App-V isolation groups
Add an App-V isolation group
- Select Package Publishing in the Studio navigation pane.
- Select Add Isolation Group in the Actions pane.
- In the Add Isolation Group Settings dialog box, type a name and description for the isolation group.
- From the Available Packages list, select the applications you want to add to the isolation group, and then click the right arrow. The selected applications should now appear in the Packages in Isolation Group list. In the Deployment drop-down next to each application, select either Explicit or Automatic. You can also use the up and down arrows to change the order of applications in the list.
- When you are done, click OK.
Edit an App-V isolation group
- Select Package Publishing from the Studio navigation pane.
- Select the Isolation Groups tab in the middle pane and then select the isolation group you want to edit.
- Select Edit Isolation Group in the Actions pane.
- In the Edit Isolation Group Settings dialog box, change the isolation group name or description, add or remove applications, change their deployment type, or change the application order.
- When you are done, click OK.
Remove an App-V isolation group
Removing an isolation group does not remove the application packages. It removes only the grouping.
- Select Package Publishing from the Studio navigation pane.
- Select the Isolation Groups tab in the middle pane and then select the isolation group you want to remove.
- Select Remove Isolation Group from the Actions pane.
- Confirm the removal.
Add packaged applications to Delivery Groups
The following procedure focuses on how to add packaged applications to Delivery Groups. For complete details about creating a Delivery Group, see Create Delivery Groups.
Step 1: Choose whether you want to create a new Delivery Group or add App-V applications to an existing Delivery Group:
To create a Delivery Group containing App-V applications:
- Select Delivery Groups in the Studio navigation pane.
- Select Create Delivery Group in the Actions pane.
- On successive pages of the wizard, specify a machine catalog and users.
To add packaged applications to existing Delivery Groups:
- Select Applications in the Studio navigation pane.
- Select Add Applications in the Actions pane.
- Select one or more Delivery Groups where the packaged applications will be added.
Step 2: On the Applications page of the wizard, click the Add drop-down to display application sources. Select Packages.
Step 3: On the Add Packaged Applications page, choose the App-V source: the App-V server or the Application Library. The resulting display includes the application names plus their package names and package versions. Select the check boxes next to the applications or application shortcuts you want to add. Then click OK.
Step 4: Complete the wizard.
Good to know:
- If you change a packaged application’s properties when adding them to a Delivery Group, the changes are made when the application is started. For example, if you modify an application’s display name or icon when adding it to the group, the change appears when a user starts the application.
- If you use dynamic configuration files to customize the properties of a packaged application, those properties override any changes you made when adding them to a Delivery Group.
- If you later edit a Delivery Group containing packaged applications, there is no change in application performance if you change the group’s delivery type from desktops and applications to applications only.
- When you remove a previously published (single admin) App-V package from a Delivery Group, Citrix App-V client components attempt to clean up, unpublish, and remove any packages that are no longer in use by the single admin management method.
- If you are using a hybrid deployment—with packages delivered by the single admin management method and an App-V publishing server, managed either by dual admin or by another mechanism (such as Group policy)—it is not possible to determine which (now potentially redundant) packages came from which source. In this case, cleanup is not attempted.
Issues that can occur only when using the dual admin method are marked (DUAL).
App-V applications only launch in one browser version.
If you publish multiple sequenced versions of the same browser app, only one version of the app is able to launch at a time per user on the VDA. The same thing occurs even if Citrix components are not involved and the user starts the sequenced apps from desktop shortcuts which point to different paths.
Whichever browser version a user launches first, determines the browser version which runs subsequently for them. For example, when Firefox detects a second launch of itself, it prefers to create an instance of the already running process, rather than create a new process. Other browsers may behave in the same way.
You can make the application launch in the intended Firefox browser version, by adding the command line parameter -no-remote to the shortcut’s launch command. Other browsers offer the same or similar facility.
You must be using XenApp 7.17 or higher to take advantage of the shortcut enumeration feature. You must also change the package in both versions of the app to get this bi-directional behavior.
App-V applications do not launch.
- (DUAL) Is the publishing server running?
- (DUAL) Do the App-V packages have appropriate security permissions so that users can access them?
- (DUAL) On the VDA, ensure that Temp is pointing to the correct location, and that there is enough space available in the Temp directory.
- (DUAL) On the App-V publishing server, run
Get-AppvPublishingServer \*to display the list of publishing servers.
- (DUAL) On the App-V publishing server, ensure that UserRefreshonLogon is set to False.
- (DUAL) On the App-V publishing server, as an administrator, run Set-AppvPublishingServer and set UserRefreshonLogon to False.
- Is a supported version of the App-V client installed on the VDA? Does the VDA have the enable package scripts setting enabled?
- On the machine containing the App-V client and VDA, from the Registry editor (regedit), go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppV. Ensure that the AppVServers key has the following value format: AppVManagementServer+metadata;PublishingServer (for example:
- On the machine or master image containing the App-V client and VDA, check that the PowerShell ExecutionPolicy is set to RemoteSigned. The App-V client provided by Microsoft is not signed, and this ExecutionPolicy allows PowerShell to run unsigned local scripts and cmdlets. Use one of the following two methods to set the ExecutionPolicy: (1) As an administrator, enter the cmdlet: Set-ExecutionPolicy RemoteSigned, or (2) From Group Policy settings, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell> Turn on Script Execution.
- If the error “RegistrationManager.AttemptRegistrationWithSingleDdc: Failed to register” appears, use the MaxReceivedMessageSize property on the appropriate binding element to increase Max Receivable message size in the configuration of the Delivery Controller and/or the Broker Agent on the VDA.
If these steps do not resolve the issues, enable and examine the logs.
The application launch logs are located at: %LOCALAPPDATA%\Citrix\CtxAppvLogs. LOCALAPPDATA resolves to the local folder for the logged-on user. Check the local folder of the user for whom the application launch failed.
To enable Studio and VDA logs used for App-V, you must have administrator privileges. You will also need a text editor such as Notepad.
To enable VDA logs:
- Create the folder C:\CtxAppvLogs.
- Go to C:\Program Files\Citrix\ Virtual Desktop Agent. Open CtxAppvCommon.dll.config in a text editor and uncomment the following line: <add key =”LogFileName” value=”C:\CtxAppvLogs\log.txt”/>
- Uncomment the line and set the value field to 1: <add key =”EnableLauncherLogs” value=”1”/>
- Restart the machine to start logging.