Archive for August, 2012

App-V 4.6: Important Consideration for Streaming from DP when Migrating from Configuration Manager 2007 to 2012


If you are currently using Configuration Manager 2007 to distribute your App-V applications through virtual application advertisements *and* you stream from the distribution points *and* you are about to migrate from Configuration Manager 2007 to Configuration Manager 2012 – you will need to be aware of a very important registry setting introduced last year: LaunchIfNotFound.

The value is found in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\Http or
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\Network\Http

Technically, this value controls the behavior of HTTP streaming when a connection to the HTTP server can be established but the package file no longer exists on the server. If the value does not exist or is not set to 1, the App-V client will not let you launch the application even if it is fully loaded into the cache. To prevent this from happening you need to create this value manually and set it to 1 (it is a DWORD value). This behavior is no different from RTSP. File streaming will, however, launch the application – EVEN – if the value of RequireAuthorizationIfCached is set to 1.

Configuration Manager Migration

Now that Config Manager 2012 has released and with SP1 on the horizon, many customers have begun or are in the middle of the migration process. This is where it is important to be aware of this configuration item. Let’s say you are migrating from Config Manager 2007 to 2012 and you configured your virtual application advertisements to stream from the distribution point. As part of the migration, an administrator will likely move the App-V packages over to the Config Manager 2012 site (and/or a different distribution point), then convert/upgrade some of the Config Manager DPs hosting the virtual application packages and assign them to the Config Manager 2012 site as DPs.
Something interesting then happens. The content on the distribution point is converted to the new Config Manager 2012 content format, and the old Config Manager content structure and folders are changed. During this time, existing Config Manager client systems could still be running the Config Manager 2007 client (upgrading all clients may take a while in customer environments) and fail to launch applications – EVEN if fully cached. In another scenario, even if the user is on the new client, they may be launching an existing application that was already on their system and fully cached. Either way, the user could be stuck with the following message when trying to launch an application:

The Application Virtualization Client could not launch <APPLICATION NAME>

The requested package does not exist on the server. Report the following error code to your System Administrator.

Error code: xxxxxx-xxxxxxxx-40000194

Why is this Happening?

Why are the launches failing even though the applications have been fully cached? This occurs because, when using HTTP streaming, the App-V client performs an additional authentication check to confirm that the content folder is accessible. This is done even if the RequireAuthorizationIfCached setting is set to 0 on the client.

Similar issues can also occur when migrating from a traditional App-V management server infrastructure solution over to Config Manager 2012. Administrators would need to maintain dual content stores for HTTP streaming until all applications have been delivered via Config Manager 2012.
So, if you foresee yourself in these scenarios, it is advised to set the LaunchIfNotFound value to 1. This will require that you have at least HF3 for App-V 4.6 SP1 installed:

 http://support.microsoft.com/kb/2571168

Also note that LaunchIfNotFound can be set at the package level as well as in the Network subkey for the entire client. If the value is found in both the package and network registry keys, the per-package LaunchIfNotFound value overrides the client-wide LaunchIfNotFound value.
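The following PowerShell is an added example (not code from the original post) that creates or corrects the client-wide LaunchIfNotFound value and then looks for per-package values that would override it. It assumes HF3 for App-V 4.6 SP1 (KB2571168) is already installed and that per-package settings live under Client\Packages\<GUID>; the latter location is an assumption, not something the post states.

```powershell
# Added example, not from the original post: keep fully cached, HTTP-streamed
# App-V 4.6 packages launchable while DP content moves during a ConfigMgr
# 2007 -> 2012 migration, by setting LaunchIfNotFound = 1 (REG_DWORD).
# Assumptions: HF3 for 4.6 SP1 (KB2571168) is installed; per-package settings
# are stored under Client\Packages\<GUID> (assumed location).

function Get-AppVClientKey {
    # The 32-bit client on x64 Windows writes under Wow6432Node; use whichever exists.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client') {
        if (Test-Path $path) { return $path }
    }
    throw 'App-V 4.5/4.6 client registry key not found; is the client installed?'
}

function Set-LaunchIfNotFound {
    # Creates or corrects the client-wide DWORD under Network\Http.
    param([string]$ClientKey = (Get-AppVClientKey))
    $http = Join-Path $ClientKey 'Network\Http'
    $current = (Get-ItemProperty -Path $http -ErrorAction SilentlyContinue).LaunchIfNotFound
    if ($null -eq $current) {
        # A missing value behaves like 0: the client refuses the launch even when fully cached.
        New-ItemProperty -Path $http -Name LaunchIfNotFound -PropertyType DWord -Value 1 | Out-Null
        return "Created LaunchIfNotFound = 1 under $http"
    }
    if ($current -ne 1) {
        Set-ItemProperty -Path $http -Name LaunchIfNotFound -Value 1
        return "Changed LaunchIfNotFound from $current to 1 under $http"
    }
    "LaunchIfNotFound already 1 under $http"
}

function Get-PerPackageLaunchOverride {
    # A per-package LaunchIfNotFound overrides the client-wide value, so a 0 here
    # silently defeats the setting above. Packages\<GUID> is an assumed location.
    param([string]$ClientKey = (Get-AppVClientKey))
    $packages = Join-Path $ClientKey 'Packages'
    if (-not (Test-Path $packages)) { return }
    Get-ChildItem -Path $packages | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).LaunchIfNotFound
        if ($null -ne $v) {
            [pscustomobject]@{
                Package          = $_.PSChildName
                LaunchIfNotFound = $v
                Overrides        = ($v -ne 1)   # $true = this package will still refuse cached launches
            }
        }
    }
}

Set-LaunchIfNotFound
Get-PerPackageLaunchOverride | Where-Object Overrides | Format-Table -AutoSize
```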

App-V 4.6: Configuration when Using Proxy Servers with HTTP Streaming


How App-V uses proxy settings varies depending on configuration values. The values related to proxy configuration are found under the Http subkey of the App-V networking configuration in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\Http or
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\Network\Http

Simply put, the options can be summed up in this table:

Option                       ForceProxyAutoDetect   SkipProxyDetection
Use IE Proxy Settings        0                      0
Auto-Detect Proxy Settings   1                      0
Use No Proxy                 Does not matter        1

Specific registry entries related to HTTP proxy configuration and their descriptions are below:

ForceProxyAutoDetect

Data Type: REG_DWORD
Default Value: 0
Possible Values: 0-1

When this value is set to 1, it forces auto proxy detection instead of using IE proxy settings. Requires a restart of the App-V client service.         

ConcurrentRequests

Data Type:  REG_DWORD
Default Value:  4
Possible Values:   1 – infinite

If the value is greater than 1, the HTTP streaming request is divided into that many concurrent sub-requests for parallel streaming. The value must be greater than zero. The recommended setting is 4 (the default). Requires a restart of the App-V client service.

SkipProxyDetection

Data Type:  REG_DWORD
Default Value:  0
Possible Values:   0 or 1

If the value is set to 1, App-V will not use the IE proxy configuration, and this overrides the ForceProxyAutoDetect flag. Requires a restart of the App-V client service.

FailedProxyAutoDetectRetryTimeout

Data Type:  REG_DWORD
Default Value:  60
Possible Values:   varies

Do not retry auto-proxy detection if it failed in the last x seconds for the current user, where x is the value of this flag. Requires a restart of the App-V client service.

ProxyCacheLife

Data Type:  REG_DWORD
Default Value:  60
Possible Values:  varies

The number of seconds the HTTP proxy information is cached in memory by App-V for a user. Requires a restart of the App-V client service.
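As an added example (not from the original post), this PowerShell function reads the Http subkey, applies the documented defaults for any value that is absent, and reports which proxy mode from the table above is actually in effect, along with the streaming values described in this section.

```powershell
# Added example, not from the original post: decode the effective App-V 4.6
# HTTP proxy mode and streaming settings from the client's Network\Http key.

function Get-AppVHttpProxyConfig {
    $candidates = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\Http',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\Network\Http'
    $key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'App-V 4.5/4.6 client Network\Http key not found' }
    $props = Get-ItemProperty -Path $key

    # Documented defaults apply when a value is absent from the key.
    $defaults = [ordered]@{
        ForceProxyAutoDetect              = 0
        SkipProxyDetection                = 0
        ConcurrentRequests                = 4
        FailedProxyAutoDetectRetryTimeout = 60
        ProxyCacheLife                    = 60
    }
    $effective = [ordered]@{}
    foreach ($name in $defaults.Keys) {
        $raw = $props.$name
        $effective[$name] = if ($null -eq $raw) { $defaults[$name] } else { [int]$raw }
    }

    # Decision order from the table: SkipProxyDetection = 1 wins regardless of
    # ForceProxyAutoDetect; otherwise ForceProxyAutoDetect = 1 selects auto-detect.
    $mode = if ($effective.SkipProxyDetection -eq 1)       { 'Use No Proxy' }
            elseif ($effective.ForceProxyAutoDetect -eq 1) { 'Auto-Detect Proxy Settings' }
            else                                           { 'Use IE Proxy Settings' }

    $notes = @()
    if ($effective.SkipProxyDetection -eq 1 -and $effective.ForceProxyAutoDetect -eq 1) {
        $notes += 'ForceProxyAutoDetect is ignored while SkipProxyDetection = 1'
    }
    if ($effective.ConcurrentRequests -lt 1) {
        $notes += 'ConcurrentRequests must be greater than zero (recommended: 4)'
    }

    [pscustomobject]@{
        Key                               = $key
        ProxyMode                         = $mode
        ForceProxyAutoDetect              = $effective.ForceProxyAutoDetect
        SkipProxyDetection                = $effective.SkipProxyDetection
        ConcurrentRequests                = $effective.ConcurrentRequests
        FailedProxyAutoDetectRetryTimeout = $effective.FailedProxyAutoDetectRetryTimeout
        ProxyCacheLife                    = $effective.ProxyCacheLife
        Notes                             = ($notes -join '; ')
    }
}

Get-AppVHttpProxyConfig | Format-List
```

Any change to these values still requires the App-V client service restart noted above before it takes effect.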

You can get more specific information by enabling the SFTLIST.log file, which helps with file/HTTP streaming troubleshooting.

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration

(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\Configuration if x64)

Value Name: TRAN (DWORD)

Value data: 0 to 6

0: NEVER (does not open/create the log file)
1: ALWAYS (info that should always be emitted)
2: FATAL (serious system-wide errors)
3: ERROR (serious errors related to one user or app)
4: WARN (print a warning and keep going)
5: INFO (informational output)
6: VERBOSE (heavy-duty output for users)
7: DEBUG (even more output)

Logging for individual sub-modules can be handled by creating a DWORD value instead for each of the following sub-modules:

TRAN_HTTP – HTTP streaming traffic
TRAN_FILE – File streaming
TRAN_ASYN – Requesting asynchronous package info such as FB2
TRAN_OOSR – Data header information
TRAN_CONF – Configuration information
TRAN_PLCY – Policy information
TRAN_PACK – Package information
TRAN_MAIN – Main transport stream

The name of the log is sftlist.log and it is located under the App-V install path (e.g. C:\Program Files\Microsoft Application Virtualization Client\sftlist.log).

This might help shed light on what specifically in the HTTP proxy communication is failing.


Windows ADK is now Available!

August 19, 2012

The Windows® Assessment and Deployment Kit (Windows ADK) is now available for download. This complete set of Windows 8 performance, migration, and deployment tools is live at the Download Center. You can download it using the following link:

http://www.microsoft.com/en-us/download/details.aspx?id=30652

This is a huge bundle of many well-known tools, so basically:

The Next Version of the Application Compatibility Toolkit is now Live!

The Next Version of the User State Migration Tool is now Live!

The Next Version of WinPE is now Live!

etc.

Well, you get the idea. The Windows ADK includes the following tools:

• Application Compatibility Toolkit (ACT)

• Deployment Tools (DISM, Windows SIM, etc.)

• User State Migration Tool (USMT)

• Volume Activation Management Tool (VAMT)

• Windows Performance Toolkit (WPT, PAL, XPERF)

• Windows Assessment Toolkit

• Windows Assessment Services

• Windows Preinstallation Environment (Windows PE) 


Software Update to block RSA keylengths <1024 has been Released to the Download Center

August 14, 2012

Today (August 14th) an update was released that, once applied, will block RSA certificates with keys less than 1024 bits. The software update was released to the Download Center.

The security advisory is located at http://technet.microsoft.com/security/advisory/2661254.
The KB article is available at http://support.microsoft.com/kb/2661254.
 
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.

Please refer to the KB article for direct links to download the update for your supported version of Windows.

The Virtual Machine Servicing Tool 2012 is now available!

August 13, 2012

The latest version of the VMST has been released! The Virtual Machine Servicing Tool (VMST) 2012 coincides with System Center 2012 –Virtual Machine Manager (VMM), System Center 2012 Configuration Manager and Windows Server Update Services (WSUS) 3.0 SP2.

VMST 2012 is designed to help you reduce IT costs by providing a means to service your virtual machines, templates, and virtual hard disks offline with the latest operating system and application patches—without introducing vulnerabilities into your IT infrastructure. This has been a very popular solution accelerator from Microsoft and can be downloaded at the following URL:

http://www.microsoft.com/en-us/download/details.aspx?id=30470

You use different features in the Virtual Machine Servicing Tool to update offline virtual machines in a VMM library, a stopped virtual machine on a host, virtual machine templates, and to make updates directly to virtual hard disks (VHDs).


MED-V V1 Disaster Recovery


Disaster recovery in MED-V v1 is a very straight-forward and seamless process. Offline access is available for those clients who have already cached their MED-V client authentications. One of the first steps in ensuring a good disaster recovery plan for this version of MED-V is to establish continuity through offline access. This will assume all images that the users need will have been downloaded. Information on MED-V v1 credentials and offline access can be found here:

http://blogs.technet.com/b/medv/archive/2010/09/22/med-v-v1-connection-settings-and-credential-management.aspx

For the MED-V server, since the configuration is all XML-based, the process for backing up crucial data is very easy and does not even require a system state backup. In my MED-V v1 environments, I simply back up the XML configuration, the reporting database, and the server-side images. This process is outlined in the following article:

http://technet.microsoft.com/en-us/library/ff433607.aspx

The article is pretty straightforward on the key locations for images and configuration:

\Med-V\Med-V Server Images

\Program Files\Microsoft Enterprise Desktop\Servers\ConfigurationServer

It also goes through the restoration process, which is just as straightforward. The article does not mention the reporting database. While it is true that reporting is optional in MED-V v1 and is not required for the server to be operational, most organizations still using MED-V v1 are making use of the reporting database. If the database is locally available on the MED-V server (i.e. through SQL Server Express), please ensure that you are backing up the database (defaults to “medv”) manually using SQL Management Studio Express or through whatever means your database administrators back up databases.

– Steve Thomas

Categories: MED-V, Virtualization, VPC

Important Notice About a Forthcoming Update

August 9, 2012

If you are currently working with App-V, SCVMM, Hyper-V, SCCM, or any management environment leveraging certificates, you need to be aware of a very important update being released next week.

Next week a security fix will be widely distributed which will prevent the use of certificates with weak (less than 1024 bit) RSA keys. Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits. You could run into issues, as it may cause outages for services that leverage IIS or any other application or service (client side or server side) that relies on those weak certificates. We have more information on this update and how it works at the PKI blog. Please refer to the following links:

http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

These articles will give you methods of getting in front of this issue with remediation options. If you are managing updates through SCCM or WSUS, please ensure that you have verified the key strengths of all of your certificates prior to deployment of this update.
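As an added example (not from the original post or the PKI blog), the following PowerShell enumerates the local machine certificate stores and lists every certificate whose RSA public key is shorter than 1024 bits, which is the set the update will refuse. It needs only the built-in Cert: provider and should be run elevated so that all machine stores are readable.

```powershell
# Added example, not from the original post: inventory certificates in the
# local machine stores whose RSA public key is below the 1024-bit threshold
# enforced by KB 2661254, so they can be reissued before the update is deployed.

function Get-WeakRsaCertificate {
    param(
        [string]$StoreRoot   = 'Cert:\LocalMachine',
        [int]   $MinimumBits = 1024
    )
    Get-ChildItem -Path $StoreRoot -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object {
            # OID 1.2.840.113549.1.1.1 is rsaEncryption; only RSA keys are affected,
            # so DSA/ECC certificates are skipped before KeySize is read.
            $_.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1' -and
            $_.PublicKey.Key.KeySize -lt $MinimumBits
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = ($_.PSParentPath -replace '^.*::', '')
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                KeyBits       = $_.PublicKey.Key.KeySize
                NotAfter      = $_.NotAfter
                # A private key on the machine suggests the cert is presented by a
                # local service (IIS, RTSPS, SSP, MED-V), i.e. an outage candidate.
                HasPrivateKey = $_.HasPrivateKey
                Thumbprint    = $_.Thumbprint
            }
        }
}

$weak = @(Get-WeakRsaCertificate)
if ($weak.Count -eq 0) {
    'No RSA certificates under 1024 bits found in the local machine stores.'
} else {
    $weak | Sort-Object HasPrivateKey -Descending | Format-Table -AutoSize
}
```

Run the same function with `-StoreRoot 'Cert:\CurrentUser'` for client-side certificates held by the logged-on user.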

UPDATE: 8-11-2012

I have received a lot of questions asking me to be a little more specific with regards to how specific products may or may not be affected. How this may affect your environment will depend on the specifics of product usage. The articles from the PKI blog referenced above are very helpful in giving you methods of determining if you are using certificates with key lengths <1024 bits and how to go about remediating the issue. Specific examples regarding product usage revolve mostly around IIS-based services. In addition, other types of scenarios in our world of virtualization and manageability include:

  • Using a certificate for RTSPS generated from a web server template with a key length less than 1024 bits.
  • Using certificates for SSP in SCVMM 2008/R2 generated from a web server template with a key length less than 1024 bits.
  • Using client- or server-side SSL for policy and image distribution in MED-V V1 using certificates with keys less than 1024 bits.

Most of the guidance in recent years has recommended requesting certificates with a key length of at least 1024 bits, for example in the guidance for SCCM Native Mode (Config Manager).

The public key infrastructure (PKI) certificates that are required for setting up secure communications in manageability and virtualization products must be created, installed, and managed independently from the products themselves. This means that there are often different IT administrative groups handling this in most organizations. This leads to many variances in deployment for the required certificates and you will need to consult your particular PKI deployment team to assist in assessing how this will affect you.

UPDATE: 8-14-2012

The security advisory is located at http://technet.microsoft.com/security/advisory/2661254.
The KB article is available at http://support.microsoft.com/kb/2661254.
 
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.

Using Virtual PC with Windows 7: Be sure to use Integration Features when the Narrator Accessibility Feature is Enabled


There is an important item to be aware of if you are using Windows Virtual PC (VPC7) and you are also using the Windows Narrator Accessibility feature. The Narrator is an excellent aid for the visually impaired as it reads screen text and echoes verbally various actions. In addition, it will echo verbally what you are typing to ensure accuracy.

If you are running Windows 7 using Virtual PC for legacy applications and are incorporating the narration feature, you will need to be aware of an important security item. Normally, when there is a secure field (such as a password prompt), instead of echoing the keystroke the Narrator will say “hidden.” In the case of Windows Virtual PC, this will also be in effect when you type in the password for the guest operating system – IF – and this is a big IF – integration features are enabled. If you are using MED-V to provision these virtual PCs you will automatically be engaging integration features.
If you are not using MED-V or VPC integration features, you may run into a situation where the Windows 7 narrator will read the contents of the password upon entry into the guest. The Windows Narrator monitors the keyboard to read keystrokes. It also communicates with Windows to check if the field is a secure field or not. In case it is a password field, narrator will not read the keystrokes.  Normally, when the password is typed in the password dialog, the response from the narrator will always be “Hidden.” With integration features disabled, this translates to the Windows Narrator in the host as a simple sending of keys to a pane control.
The purpose of Virtual PC for Windows 7 was to provide a seamless integration experience through RemoteApp whether it be through simple Windows XP Mode – or through the MED-V enterprise provisioning solution. If you have users who will still need the Narrator Accessibility feature for their legacy applications, please ensure that integration features are enabled even if they are using VPC in full screen mode.


App-V 4.6: Using Service and Process Inclusions


App-V has a feature that can often answer many questions. Is there a way to allow anti-virus applications access to scan files in the virtual drive? How does AppLocker work with the virtual drive?  Is there a way in general to allow certain processes and services to interact with the virtual drive?

The answer is yes. Through the use of features known as “process inclusions” and “service inclusions” administrators can give specified services access to the virtual drive. Service inclusions exist for Windows Defender and the Anti-malware service if installed. AppLocker is also listed and this is how AppLocker is able to apply to App-V applications and scripts. Configuring service inclusions is a pretty easy process.

Simply create a string value (REG_SZ) under the following key:

X86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

X64

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

The name can be anything but the value must represent the short name of the service (usually matching its registration name.) For example, the following built-in services may need access in some circumstances.

  • Application Experience (AeLookupSvc)
  • AppLocker (AppIDSvc)
  • Group Policy Client (gpsvc)

Since the access is given based on name, it is actually granted to the service’s Process ID (PID). This means any processes and services spawned by this service will have access as well. Also be advised that there is no security check on the service account used to run the service, as the feature was designed for services running under the local system context. Unless there are specific permissions on items in the virtual drive denying access, all services granted inclusions will be able to access and interact with everything in the virtual drive.

In the case of anti-virus software, we actively discourage direct scanning of the read/write package volumes (PKG files) as it drastically affects performance and could lead to potential corruption. This is a cause for concern for many security administrators as malware could use the folders virtualized under these PKG files (especially the user volume) if left unprotected. This is another situation where service and process inclusions could come in very handy. For example, let’s say you were running Symantec Endpoint Protection and you want to be able to protect internal files within the virtual environment while excluding the *.PKG and *.FSD files externally.

In the case of most anti-virus applications, you would need to create both service and process inclusions. For example, SEP uses a service called “Symantec Endpoint Protection.” To include this service, you would use its registered service name “SepMasterService.”

1.)   Add a value called SepmasterService1 (REG_SZ) under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ServiceInclusions if x64)

2.)   Give it a value of SepMasterService.

3.)   Add a value called ccSvcHst1 under HKLM\Software\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions (HKLM\Software\Wow6432Node\Microsoft\Softgrid\4.5\Client\AppFS\ProcessInclusions if x64)

4.)   Give it a value of ccSvcHst.exe

5.)   Restart the App-V Client Service for this to take effect.

After the App-V client is restarted, my anti-virus software will have access to the virtual drive. Your mileage may vary depending on the version and type of anti-virus with regards to which services and processes to include. One item to note when these services access the virtual drive: directories below package roots will not be available until those packages are launched.

Limitations on Process Inclusions

There are some stricter limitations on process inclusions. Since we are not dealing with the service control manager, only processes running in the local SYSTEM context can be used. The process must be already running at the time the App-V Client service is started. If there is more than one instance of a process running at the time of the inclusion check, all instances of the process are granted access to the virtual drive.
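The following PowerShell is an added example (not from the original post) that scripts the five-step SEP procedure above and checks the process-inclusion limitation just described: it resolves the service short name from its display name rather than guessing, and verifies that the process to be included is already running as SYSTEM before the App-V client service is restarted. It assumes the App-V 4.6 client service is named sftlist; the product, service and image names are the ones given in the post.

```powershell
# Added example, not from the original post: register App-V 4.6 service and
# process inclusions for Symantec Endpoint Protection and check the limitations
# on process inclusions before restarting the client. Assumes the App-V client
# service name is 'sftlist'.

function Get-AppVClientKey {
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client') {
        if (Test-Path $path) { return $path }
    }
    throw 'App-V 4.5/4.6 client registry key not found'
}

function Add-AppVInclusion {
    # Creates a REG_SZ under AppFS\ServiceInclusions or AppFS\ProcessInclusions.
    # The value name is arbitrary; the data must be the service short name or image name.
    param(
        [Parameter(Mandatory)][ValidateSet('Service', 'Process')][string]$Type,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Target
    )
    $key = Join-Path (Get-AppVClientKey) "AppFS\${Type}Inclusions"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -PropertyType String -Value $Target -Force | Out-Null
    "$Type inclusion: $Name = $Target"
}

function Test-ProcessRunsAsSystem {
    # Process inclusions only apply to processes already running as LocalSystem
    # when sftlist starts; every running instance is checked because all of them
    # would be granted access.
    param([Parameter(Mandatory)][string]$ImageName)
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ImageName'")
    if ($procs.Count -eq 0) { return $false }
    foreach ($p in $procs) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.Domain -ne 'NT AUTHORITY' -or $owner.User -ne 'SYSTEM') { return $false }
    }
    return $true
}

# Steps 1-2: resolve the registered short name (SepMasterService) from the display name.
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection' -ErrorAction Stop | Select-Object -First 1
Add-AppVInclusion -Type Service -Name SepmasterService1 -Target $svc.Name

# Steps 3-4: the process inclusion, preceded by the SYSTEM-context check.
if (-not (Test-ProcessRunsAsSystem 'ccSvcHst.exe')) {
    Write-Warning 'ccSvcHst.exe is not running as SYSTEM (or not running); the process inclusion will not take effect.'
}
Add-AppVInclusion -Type Process -Name ccSvcHst1 -Target 'ccSvcHst.exe'

# Step 5: the inclusion check runs when the App-V client service starts.
Restart-Service -Name sftlist
```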