Stage 1 — Prove It Runs

The goal of Stage 1 is a single, unambiguous fact: this application runs correctly inside a WebStream session. To establish that, deliver it as a full Virtual Desktop on the fulltrust policy — the most permissive built-in template — so nothing in the session envelope can interfere. Only after the app works end to end do you move on to isolating it.

Why a Virtual Desktop, and why fullTrust

A Virtual Desktop presents a normal Windows shell, so the app behaves exactly as it would on a physical machine — taskbar, Explorer, dialogs, and child processes all available. fulltrust removes file-system, network, clipboard, and child-process restrictions. Together they eliminate the platform as a source of failure, isolating any problem to the application itself.

Steps

  1. Install the application on the session host image so its executable path is valid in the session. See Publishing Your App.
  2. Publish the application in the admin console with its correct executable path and any arguments it normally needs. See Publish an Application.
  3. Create a Virtual Desktop workspace and assign the fulltrust policy set. See Virtual Desktop.
  4. Assign the workspace to a test group and sign in as a test user. Follow the Guided Walkthrough if you need the exact clicks.
  5. Launch the app from inside the desktop and exercise it fully.

Compatibility checklist

Confirm each of these works before leaving Stage 1. If any fails here — on fulltrust — it is an application or host-image problem, not a policy problem, and must be fixed before tightening anything.

CheckWhat to confirm
LaunchThe executable starts and reaches its main window without errors.
Licensing / activationAny licence check, activation, or online sign-in the app performs completes.
Child processesHelper processes, updaters, or spawned tools the app relies on start correctly.
File dialogsOpen and Save dialogs appear and can browse the paths the app expects.
PrintingIf the app prints, output is produced (print-to-PDF or a physical printer).
Network / activation endpointsAny backend, database, or licensing endpoint the app calls is reachable.
Core workflowThe primary end-to-end task a real user would perform succeeds.
Do not skip this stage

It is tempting to start on lowtrust or an App Collection to save time. Resist it. If you tighten policy or switch to single-app projection before the app is proven, you cannot tell whether a later failure is the app, the policy, or the delivery mode. Establish the baseline first.

Record your baseline

Note the exact executable path, arguments, and any host-image dependencies that made the app work. You will carry these forward unchanged into Stage 2 so the only thing that varies is the policy. When ready, continue to Stage 2 — Tighten the Policy.