Building VM template using Assigned Access

This post has been republished via RSS; it originally appeared at: Data Center Security articles.

First published on TECHNET on Nov 30, 2017
Since it took me a couple of attempts to create VM templates for Azure portal management and Remote Desktop (so that they could be made available for the TAP evaluation), I thought it best to share the process so you can build your own customized image.

My goal is to create a PAW VM that offers the user a kiosk experience dedicated to one application. When the user connects to the VM, it shows only the Azure portal page or the RDP application, nothing else. To create the kiosk experience, I used Assigned Access. There are a few ways to configure it; I chose the Windows Configuration Designer, downloaded from the Windows Store. You can follow the instructions here to create the package.

Creating provisioning package for Azure portal management


To build the Azure portal package, on the wizard page that defines the kiosk account and app, select the App type: Classic Windows App, and enter the full path %ProgramFiles%\Internet Explorer\iexplore.exe -k portal.azure.com (note: don't put quotes around the string; it doesn't work with them). To apply the package, I simply copied it into the VM and applied it there, which is the online approach described below.

Creating provisioning package for RDP


There are two RDP apps for Windows: the classic app (mstsc.exe) and Remote Desktop from the Store. I like the Store version for its simple user experience and chose it for the template. It turns out that I learnt quite a bit from building the package for it:

  1. The Store RDP app is not built in, so I needed to find the appx package to install it in the image. To save time, I used an internal copy. You can do this for any application that supports offline distribution. To install the Appx package:


Dism /Add-ProvisionedAppxPackage /Image:e:\ /PackagePath:<path to .appxbundle> /LicensePath:<path to license xml> /DependencyPackagePath:<dependency appx, if needed>

Where e:\ is the mounted VHDX drive

  2. However, when I tested the image above by logging on, the app was not there. Apparently, if the app is not pinned to the Start menu, it gets removed during the first user logon, so I added the app to the Start menu in the unattend XML file (for details, see the unattend file section below).

  3. Trying the same approach by applying the package online led me nowhere, which is how I learnt the offline approach, and it turned out to be a much simpler process: I simply modify the sysprepped image without any user logon, and I can skip sysprep later to make it a template.


Deploy package


As I have mentioned earlier, there are two ways to apply the (.ppkg) package:

  1. Online: copy the package file to the VM while it is running and apply it by double-clicking the .ppkg file; it applies automatically. After the VM reboots, you will see the kiosk mode experience, which shows IE connected only to the Azure portal page.


To turn this into a template, you can just sysprep the image. I did this by switching to a different user (a local admin) and running sysprep from there.

  2. Offline: if you already have a sysprepped image to start with, you can apply the package to the image by running


Dism /Add-ProvisioningPackage /PackagePath:<full path to ppkg file> /Image:e:\

(where e:\ is the mounted VHDX file)
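The offline route described above (provision the Store RDP app from the earlier section, then apply the .ppkg) as a single PowerShell script. This is an added example, not code from the original post; it assumes the Hyper-V and DISM tools are present on the build machine, and the VHDX and package paths are made-up placeholders.

```powershell
# Added example (not from the original post): provision the Store RDP appx and apply
# the Assigned Access .ppkg to a sysprepped VHDX offline, without booting the image.
# All paths below are assumptions; replace them with your own.
$Vhdx       = 'D:\Templates\PAW-RDP.vhdx'
$AppxBundle = 'D:\Pkg\RemoteDesktop.appxbundle'
$License    = 'D:\Pkg\RemoteDesktop_License.xml'
$Deps       = @('D:\Pkg\Microsoft.NET.Native.Framework.appx')   # add more if the app needs them
$Ppkg       = 'D:\Pkg\AssignedAccess-RDP.ppkg'

# Mount the VHDX and locate the Windows volume (the partition that holds \Windows\System32),
# rather than hard-coding e:\ as in the post.
$disk = Mount-VHD -Path $Vhdx -PassThru | Get-Disk
$root = Get-Partition -DiskNumber $disk.Number |
        Where-Object DriveLetter |
        ForEach-Object { "$($_.DriveLetter):\" } |
        Where-Object { Test-Path (Join-Path $_ 'Windows\System32') } |
        Select-Object -First 1
if (-not $root) { Dismount-VHD -Path $Vhdx; throw "No Windows volume found in $Vhdx" }

try {
    # Step 1: provision the Store app so it exists for every new user profile.
    # One /DependencyPackagePath switch per dependency.
    $depArgs = $Deps | ForEach-Object { "/DependencyPackagePath:$_" }
    & dism.exe "/Image:$root" /Add-ProvisionedAppxPackage `
        "/PackagePath:$AppxBundle" "/LicensePath:$License" @depArgs
    if ($LASTEXITCODE -ne 0) { throw "Add-ProvisionedAppxPackage failed ($LASTEXITCODE)" }

    # Step 2: apply the Assigned Access provisioning package to the offline image.
    & dism.exe "/Image:$root" /Add-ProvisioningPackage "/PackagePath:$Ppkg"
    if ($LASTEXITCODE -ne 0) { throw "Add-ProvisioningPackage failed ($LASTEXITCODE)" }

    # Check: the RDP app should now be listed among the image's provisioned packages.
    & dism.exe "/Image:$root" /Get-ProvisionedAppxPackages | Select-String 'RemoteDesktop'
}
finally {
    # Always release the VHDX, even on failure, so the template is not left mounted.
    Dismount-VHD -Path $Vhdx
}
```

Because the image is never booted, no user profile is created and the app is not pruned at first logon; the Start menu pin from the unattend file is still needed for the users who log on later.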

Now the VM image can be used as the template, and you can follow the previous blog post to deploy it. If you are part of the TAP program, I have also made the image available for download.

Windows unattend file


To create a PAW VM, you will need a Windows unattend file. I shared a sample copy in a previous blog post. For the RDP VM template, I added the following to pin the app in the Start menu:


If you have ideas or requests for different images, you are welcome to share them with us.
