Welcome to another blog post about AVD and security. Remote apps are a very good way to improve the security of your AVD environment. With remote apps you can make sure that end users don't have access to the session host.
Microsoft recently announced the public preview of OneDrive as a remote app. This feature allows the user to access OneDrive while using another remote app. You can read the announcement here. This is a great way of denying users access to the session host and giving them only remote apps.
- Since this is a preview feature you need a preview build of Windows 11. You need Windows 11 Insider Preview Enterprise multi-session, version 22H2, build 25905 or later.
- You need to install OneDrive per machine on your session hosts.
- Configure OneDrive to launch with a remote app.
- You need your host pool to be running in a validation environment.
- You need to install the latest version of FSLogix.
Get the correct preview version of Windows 11
Since OneDrive as a remote app is a preview feature, we need to use a specific version of Windows 11. You need to join the Insider program and enable the Dev build of Windows 11.
To enable the Insider program, go to Windows Update and select Windows Insider Program.
You will get an error asking you to enable optional diagnostic data.
Once you put the slider to On you can go back and Get started.
You will be prompted to Link an account to join the program.
Enter the e-mail address you want to use and the password.
Now that you have gone through the authentication process, it's time to select the correct Insider Channel. For this preview feature to work you need to join the Dev channel.
You will be prompted to reboot the device.
Once you have rebooted your device and gone back to Windows Update, you can see that it will download the correct Windows 11 build. You will be prompted to reboot the device one last time. We have completed the first prerequisite.
Install the latest version of FSLogix
One of the prerequisites is that you need the latest version of FSLogix installed. You can download the latest version here. If you are using Nerdio, another way to install FSLogix is to use the scripted action PowerShell script.
For this feature to work you need to install OneDrive per machine. Go to the OneDrive download website here. After downloading, open a command prompt on your session host and run the following command.
You will get a UAC prompt and the installation will be done. You can check whether the installation was done correctly by checking the registry.
Configure OneDrive to launch with a remote app
For OneDrive to launch when you launch a remote app you need to create a specific registry key. To put the registry key in place I used a Nerdio scripted action. You need the following code.
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive -PropertyType String -Value '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background' -Force
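The following PowerShell is an added example, not part of the original post or of any Nerdio scripted action. It audits a session host against the prerequisites above and also confirms that the binary referenced by the machine-wide Run value is validly signed, since that value starts for every user at sign-in. The function name Test-OneDriveRemoteAppHost is hypothetical; the path, value name and build number are the ones used in this post.

```powershell
# Added example: read-only audit of a session host (run in an elevated or normal session).
function Test-OneDriveRemoteAppHost {
    $minBuild = 25905    # minimum Insider build named in the prerequisites
    $exe      = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $expected = '"{0}" /background' -f $exe

    $build      = [System.Environment]::OSVersion.Version.Build
    $exePresent = Test-Path -LiteralPath $exe -PathType Leaf

    # Read the Run value; yields $null instead of an error when it is missing.
    $runValue = (Get-ItemProperty -Path $runKey -Name OneDrive -ErrorAction SilentlyContinue).OneDrive

    # The HKLM Run key launches this binary for every user who signs in,
    # so check its Authenticode signature before trusting the entry.
    $sig = if ($exePresent) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

    [pscustomobject]@{
        Build             = $build
        BuildOk           = $build -ge $minBuild
        PerMachineInstall = $exePresent
        RunValue          = $runValue
        RunValueOk        = $runValue -eq $expected
        SignatureStatus   = if ($sig) { $sig.Status } else { 'NotChecked' }
        Signer            = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$result = Test-OneDriveRemoteAppHost
$result | Format-List

$ok = $result.BuildOk -and $result.PerMachineInstall -and
      $result.RunValueOk -and ($result.SignatureStatus -eq 'Valid')
if (-not $ok) {
    Write-Warning 'Session host does not meet the OneDrive remote app prerequisites checked here.'
}
```

A RunValueOk of False with a value present means the Run entry points somewhere other than the per-machine install path and should be reviewed before the image is published.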
Host Pool validation environment
Since this is a preview feature, you need to configure your host pool as a validation environment.
Remote App group
Since this feature is about OneDrive as a remote app launching with another remote app, we need a remote app group.
In this remote app group I have a couple of Office apps published.
Now that we have all the prerequisites in place, it’s time to watch the magic happen.
Go to the AVD client and launch a remote app. In this case I launch Word.
When the app is launched you will see the remote Word icon but also the remote OneDrive icon in the taskbar.
There you go, OneDrive running as a remote app. This is a great way of adding more security to your AVD environment.
In case you have any questions about this, feel free to reach out.