Stage 1 — Prove It Runs
The goal of Stage 1 is a single, unambiguous fact: this application runs correctly inside a WebStream session. To establish that, deliver it as a full Virtual Desktop on the fulltrust policy — the most permissive built-in template — so nothing in the session envelope can interfere. Only after the app works end to end do you move on to isolating it.
A Virtual Desktop presents a normal Windows shell, so the app behaves exactly as it would on a physical machine — taskbar, Explorer, dialogs, and child processes all available. fulltrust removes file-system, network, clipboard, and child-process restrictions. Together they eliminate the platform as a source of failure, isolating any problem to the application itself.
Steps
- Install the application on the session host image so its executable path is valid in the session. See Publishing Your App.
- Publish the application in the admin console with its correct executable path and any arguments it normally needs. See Publish an Application.
- Create a Virtual Desktop workspace and assign the fulltrust policy set. See Virtual Desktop.
- Assign the workspace to a test group and sign in as a test user. Follow the Guided Walkthrough if you need the exact clicks.
- Launch the app from inside the desktop and exercise it fully.
Compatibility checklist
Confirm each of these works before leaving Stage 1. If any fails here — on fulltrust — it is an application or host-image problem, not a policy problem, and must be fixed before tightening anything.
| Check | What to confirm |
|---|---|
| Launch | The executable starts and reaches its main window without errors. |
| Licensing / activation | Any licence check, activation, or online sign-in the app performs completes. |
| Child processes | Helper processes, updaters, or spawned tools the app relies on start correctly. |
| File dialogs | Open and Save dialogs appear and can browse the paths the app expects. |
| Printing | If the app prints, output is produced (print-to-PDF or a physical printer). |
| Network / activation endpoints | Any backend, database, or licensing endpoint the app calls is reachable. |
| Core workflow | The primary end-to-end task a real user would perform succeeds. |
It is tempting to start on lowtrust or an App Collection to save time. Resist it. If you tighten policy or switch to single-app projection before the app is proven, you cannot tell whether a later failure is the app, the policy, or the delivery mode. Establish the baseline first.
Record your baseline
Note the exact executable path, arguments, and any host-image dependencies that made the app work. You will carry these forward unchanged into Stage 2 so the only thing that varies is the policy. When ready, continue to Stage 2 — Tighten the Policy.
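One way to capture that baseline from inside the session while the app is running. This is an added example, not part of the WebStream documentation: it uses only standard Windows PowerShell cmdlets, and the script parameters and output file location are assumptions.

```powershell
# Added example: run inside the Virtual Desktop session while the app is open.
# -OutFile default is an assumed location; nothing here is WebStream-specific.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [string] $OutFile = (Join-Path $env:USERPROFILE 'stage1-baseline.json')
)

$exe = Get-Item -LiteralPath $ExePath -ErrorAction Stop

# Snapshot all processes once, then find the app's running instances by image path.
$all   = @(Get-CimInstance -ClassName Win32_Process)
$roots = @($all | Where-Object { $_.ExecutablePath -eq $exe.FullName })
if ($roots.Count -eq 0) {
    throw "No running process for $($exe.FullName). Launch the app, then re-run."
}

# Breadth-first walk of the process tree to pick up helpers and updaters.
$seen  = [System.Collections.Generic.HashSet[uint32]]::new()
$tree  = [System.Collections.Generic.List[object]]::new()
$queue = [System.Collections.Generic.Queue[object]]::new()
foreach ($r in $roots) { $queue.Enqueue($r) }
while ($queue.Count -gt 0) {
    $p = $queue.Dequeue()
    if (-not $seen.Add([uint32]$p.ProcessId)) { continue }   # already visited
    $tree.Add($p)
    foreach ($c in $all) {
        if ($c.ParentProcessId -eq $p.ProcessId) { $queue.Enqueue($c) }
    }
}

# Remote endpoints the tree currently holds open (licensing, database, backend).
$endpoints = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $seen.Contains([uint32]$_.OwningProcess) } |
    Select-Object RemoteAddress, RemotePort -Unique)

# Write the baseline record to carry forward into Stage 2.
[ordered]@{
    Executable      = $exe.FullName
    FileVersion     = $exe.VersionInfo.FileVersion
    Sha256          = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
    CommandLines    = @($roots | ForEach-Object { $_.CommandLine })
    ProcessTree     = @($tree | Select-Object Name, ExecutablePath, CommandLine)
    RemoteEndpoints = $endpoints
} | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $OutFile -Encoding UTF8
```

Run it after exercising the core workflow. It is a point-in-time snapshot, so helpers that have already exited and connections that have already closed will not appear in the record.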