Archive

Archive for August, 2012

App-V 4.6: Important Consideration for Streaming from DP when Migrating from Configuration Manager 2007 to 2012


If you are currently using Configuration Manager 2007 to distribute your App-V applications through virtual application advertisements *and* you stream from the distribution points *and* you are about to migrate from Configuration Manager 2007 to Configuration Manager 2012 – you will need to be aware of a very important registry setting introduced last year: LaunchIfNotFound.

The value is found in the following location:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSoftGrid4.5 ClientNetworkHttp or
HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftSoftGrid4.5 ClientNetworkHttp

Technically, what the value does is control the behavior of HTTP streaming when a connection to the HTTP server can be established and the package file no longer exists on the HTTP server. If the value does not exist or if it is not set to 1, the App-V client will not let you launch the application even if it is fully loaded into the cache. To prevent this from happening you would need to manually create this value and set it to 1 (it is a DWORD value.)  This behavior is no different from RTSP. File streaming will, however, launch the application – EVEN – if the value of RequireAuthorizationifCached is set to 1.

Configuration Manager Migration

Now that Config Manager 2012 has released and with SP1 on the horizon, many customers have begun the migration process or are in the process of migrating. So here is where it is important to be aware of this important configuration item. Let’s say you are in the process of migrating from Config Manager 2007 to 2012 and you configured your virtual application advertisements to stream from the distribution point. As part of the migration process, an administrator will likely move the App-V packages over to the Config Manager 2012 site (and/or a different distribution point) and then converts/upgrades some of their Config Manager DP’s hosting the virtual application packages and assigns them to the Config Manager 2012 site as DP’s.
Well, something interesting happens. The content on the distribution point will now be converted to the new Config Manager 2012 content format and the old Config Manager content structure and folders are changed.  During this time, the existing Config Manager Client systems could still be using Config Manager 2007 (as upgrading all clients may take a while in customer environments) and fail to launch – EVEN if fully cached. Another scenario would be even if the user is on the new client, the end user may be launching an existing application that was already on their system and was fully cached. Either way, the user could be stuck getting the following message when trying to launch an application:

The Application Virtualization Client could not launch <APPLICATION NAME>

The requested package does not exist on the server. Report the following error code to your System Administrator.

Error code: xxxxxx-xxxxxxxx-40000194

Why is this Happening?

Why are the launch failures failing even though the applications have been fully cached.  This occurs because when using HTTP streaming, the App-V client will perform an additional authentication check to confirm that the content folder is accessible. This is done even if the RequireAuthorizationIfCached setting was set to 0 on the client.

Similar issues can also occur when migrating from a traditional App-V management server infrastructure solution over to Config Manager 2012. Administrators would need to maintain dual content stores for HTTP streaming until all applications have been delivered via Config Manager 2012.
So, if you foresee yourself in these scenarios, it is advised to set the LaunchIfNotFound value to 1. This will require that you have at least HF3 for App-V 4.6 SP1 installed:

 http://support.microsoft.com/kb/2571168

Also note that LaunchIfNotFound  can be set at the package level and in the network subkey for the entire client. If the key is found in both the package and network registry keys, then the value of per-package LaunchIfNotFound will overwrite the client-wide LaunchIfNotFound value. 

Advertisements

App-V 4.6: Configuration when Using Proxy Servers with HTTP Streaming


How App-V uses proxy settings will vary depending on configuration values. The values related to proxy configuration can be found under the HTTP subkey of the App-V networking configuration in the registry here:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftSoftGrid4.5 ClientNetworkHttp or
    HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftSoftGrid4.5 ClientNetworkHttp

Simply put, you can sum up the options into this simple table below:

Value ForceProxyAutoDetect  SkipProxyDetection
Use IE Proxy Settings 0 0
Auto-Detect Proxy Settings 1 0
Use No Proxy Does not matter 1

Specific registry entries related to HTTP proxy configuration and their descriptions are below:

ForceProxyAutoDetect

Data Type: REG_DWORD
Default Value: 0
Possible Values: 0-1

When this value is set to 1, it forces auto proxy detection instead of using IE proxy settings. Requires a restart of the App-V client service.         

ConcurrentRequests

Data Type:  REG_DWORD
Default Value:  4
Possible Values:   1 – infinite

If the value is greater than 1, divides the Http streaming request into concurrent sub-requests for parallel streaming. Value must be greater than zero. Recommended setting is 4 (default).  Requires a restart of the App-V client service. 

SkipProxyDetection

Data Type:  REG_DWORD
Default Value:  0
Possible Values:   0 or 1

If the value is set to 1, App-V will not use IE proxy configuration. If 1, it overrides ForceProxyAutoDetect flag. Requires a restart of the App-V client service.   

FailedProxyAutoDetectRetryTimeout

Data Type:  REG_DWORD
Default Value:  60
Possible Values:   varies

Don’t try auto-proxy-detection if it failed in last ‘x’ seconds for the current user. Where ‘x’ is the value of this flag. Requires a restart of the App-V client service.      

ProxyCacheLife

Data Type:  REG_DWORD
Default Value:  60
Possible Values:  varies

The number of seconds the http proxy info is cached by App-V in memory for a user       Requires a restart of the App-V client service.       

 

You can get more specific information by enabling the SFTLIST.log file which helps with File/HTTP Streaming troubleshooting
 
Path : HKEY_LOCAL_MACHINESOFTWAREMicrosoftSoftGrid4.5ClientConfiguration
 
(KEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftSoftGrid4.5ClientConfiguration if x64)
 
Value Name: TRAN  DWORD
 
Value data: 0 to 6
 
0 : NEVER (Does not open/create log file)
1: ALWAYS,  (Info that should always be emitted)
2: FATAL, (Serious system-wide errors )
3: ERROR,  (Serious errors related to one user or app)
4: WARN,   ( Print a Warning & keep on going)
5: INFO,   (Informational stuff)
6: VERBOSE,  ( Heavy-duty output for users)
7: DEBUG   ( Even more output )
 
 Logging for individual sub-modules can be handled by creating a dword value instead for each of the following Sub-Modules:
 
TRAN_HTTP – HTTP streaming traffic
TRAN_FILE – File streaming
TRAN_ASYN – requesting asynchronoze pacakge info such as FB2
TRAN_OOSR – Data header information
TRAN_CONF – configuration information
TRAN_PLCY – Policy information
TRAN_PACK – Package information
TRAN_MAIN – Main transport stream
 
 
The name of the log is SFTlist.log and its located under the install path of APPV (Ex: c:Program FilesMicrosoft Application Virtualization Clientsftlist.log)
 
This might help shed light on what specifically in the HTTP proxy communication is failing.

Categories: Uncategorized Tags: , , , ,

Windows ADK is now Available!

August 19, 2012 1 comment

The Windows® Assessment and Deployment Kit (Windows ADK) is now Available for Download. This complete set of Windows 8 performance, migration, and deployment tools is live at the Download Center. You can download use the following link:

http://www.microsoft.com/en-us/download/details.aspx?id=30652

This is a huge bundle of may well-known tools so basically:

The Next Version of the Application Compatibility Toolkit is now Live!

The Next Version of the User State Migration Tool is now Live!

The Next Version of WinPE is now Live!

etc.

Well, you get the idea. The Windows ADK includes the following tools:

• Application Compatibility Toolkit (ACT)

• Deployment Tools (DISM, Windows SIM, etc.)

• User State Migration Tool (USMT)

• Volume Activation Management Tool (VAMT)

• Windows Performance Toolkit (WPT, PAL, XPERF)

• Windows Assessment Toolkit

• Windows Assessment Services

• Windows Preinstallation Environment (Windows PE) 

Categories: Uncategorized Tags: , , , , , ,

Software Update to block RSA keylengths <1024 has been Released to the Download Center

August 14, 2012 2 comments

Today (August 14th) an update was released that, once applied, will block RSA certificates with keys less than 1024 bits. The software update was released to the Download Center.

The security advisory is located at http://technet.microsoft.com/security/advisory/2661254.
The KB article is available at http://support.microsoft.com/kb/2661254.
 
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.

Please refer to the KB article for direct links to download the update for your supported version of Windows.

The Virtual Machine Servicing Tool 2012 is now available!

August 13, 2012 10 comments

The latest version of the VMST has been released! The Virtual Machine Servicing Tool (VMST) 2012 coincides with System Center 2012 –Virtual Machine Manager (VMM), System Center 2012 Configuration Manager and Windows Server Update Services (WSUS) 3.0 SP2.

VMST 2012 is designed to help you reduce IT costs by providing a means to service your virtual machines, templates, and virtual hard disks offline with the latest operating system and application patches—without introducing vulnerabilities into your IT infrastructure.This has been a very popular solution accelerator from Microsoft and can be downloaded at the following URL:

http://www.microsoft.com/en-us/download/details.aspx?id=30470

You use different features in the Virtual Machine Servicing Tool to update offline virtual machines in a VMM library, a stopped virtual machine on a host, virtual machine templates, and to make updates directly to virtual hard disks (VHDs).

 

Categories: Uncategorized Tags: , , , , , ,

MED-V V1 Disaster Recovery


Disaster recovery in MED-V v1 is a very straight-forward and seamless process. Offline access is available for those clients who have already cached their MED-V client authentications. One of the first steps in ensuring a good disaster recovery plan for this version of MED-V is to establish continuity through offline access. This will assume all images that the users need will have been downloaded. Information on MED-V v1 credentials and offline access can be found here:

http://blogs.technet.com/b/medv/archive/2010/09/22/med-v-v1-connection-settings-and-credential-management.aspx

For the MED-V server, since the configuration is all XML-based, the process for backing up crucial data is very easy and does not even require a system state backup. In my MED-V v1 environments, I simply backup the XML configuration, the reporting database, and the server-side images. This process is outlined in the following article:

http://technet.microsoft.com/en-us/library/ff433607.aspx

The article is pretty straightforward on the key locations for images and configuration:

\Med-V\Med-V Server Images

\Program Files\Microsoft Enterprise Desktop\Servers\ConfigurationServer

It also goes through the restoration process which is just as straight forward. The article does not mention the reporting database. While true, reporting is an option in MED-V V1 and is not required for the server to be operational, most organizations still using MED-V v1 are making use of the reporting database. If the database is locally available on the MED-V server (i.e. though SQL Server Express) please ensure that you are backing up the database (defaults to “medv”) manually using SQL Management Studio Express or through whatever means your database administrators backup databases.

– Steve Thomas

Categories: MED-V, Virtualization, VPC Tags: , , ,

Important Notice About a Forthcoming Update

August 9, 2012 3 comments

If you are currently working with App-V, SCVMM, Hyper-V, SCCM, or any management environment leveraging certificates, it is important to be made aware of a very important update being released next week.

Next week a security fix will be widely distributed which will prevent use of certificates which use weak (less than 1024 bit) RSA keys. Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits. You could potentially run into issues as it may cause outages for those who have services that leverage IIS or any other application or service (client side or server side) if those services rely on those weak certificates. We have more information on this update and how it works at the PKI blog. Please refer to the following links:

http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

These articles will give you methods of getting in front of this issue with remediation options. If you are managing updates through SCCM or WSUS, please ensure that you have verified the key strengths of all of your certificates prior to deployment of this update.

UPDATE: 8-11-2012

I have received a lot of questions asking me to be a little more specific with regards to how specific products may or may not be affected. How this may affect your environment will depend on specifics of product usage. The articles from the PKI blog referenced above are very helpful in giving you methods of determining if you are using certificates with key lengths <1024 bits and how to go about remediating the issue. Specific examples regarding product usage revolves around mostly the leveraging of IIS-based services. In addition, other types of scenarios in our world of virtualization and manageability include:

  • Using a certificate for RTSPS generated froma  web server template with a key length length less than 1024 bits.
  • Using certificates for SSP in SCVMM 2008/R2 generated from a web server template with a key length less than 10-24 bits.
  • Using Client or Server-side SSL for policy and image distribution in MED-V V1 using certificates with keys less than 1024 bits.

Most of the guidance in recent years always recommended to request certififcates with at least a keylength of 1024, especially, for example, in the guidance for SCCM Native Mode (Config Manager)

The public key infrastructure (PKI) certificates that are required for setting up secure communications in manageability and virtualization products must be created, installed, and managed independently from the products themselves. This means that there are often different IT administrative groups handling this in most organizations. This leads to many variances in deployment for the required certificates and you will need to consult your particular PKI deployment team to assist in assessing how this will affect you.

UPDATE: 8-14-2012

The security advisory is located at http://technet.microsoft.com/security/advisory/2661254.
The KB article is available at http://support.microsoft.com/kb/2661254.
 
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.