Archive for October, 2013

App-V 5 and Citrix Integration: New Whitepaper

October 30, 2013 4 comments

Ever since the summer (TechEd) I have been promising customers we would have a white paper coming on this. Well, we have just published a new App-V 5.0 and Citrix integration overview white paper.

Whitepaper Title:  App-V 5.0 and Citrix Integration overview

 

Abstract: This whitepaper is designed to provide administrators with guidance for combining Microsoft’s App-V 5.0 and Citrix solutions. It discusses the benefits of an App-V 5.0 and Citrix combined solution, and includes recommendations for Citrix images, App-V cache management, App-V management with Citrix, and other factors that impact user experience and administrative effort. Whether you are using XenApp or XenDesktop, this paper will be a must read!

 

It is available to download here

(Direct Link – http://download.microsoft.com/download/C/4/1/C416F9FD-1B51-4E1D-9DBE-87C12AB329A2/App-V5_and_Citrix_Integration_Overview.docx)

Refreshing my Windows Store Applications

October 26, 2013 Leave a comment

If you are like me, you may be doing a lot of reimaging for Windows 8.1 now that it has become generally available. If you are also like me, you have installed Windows 8 on multiple devices and sign in with the same Microsoft Account. In case you did not already know, here is how you can easily re-find all of your Windows Store applications without having to go through and search for all of them again. You can reload all of your Windows Store “Modern UI” applications simply by logging onto the same Microsoft account. All of the applications you have already installed on your other devices that use the same Microsoft Account are tagged to your account to simplify reloading. So to quickly refresh all of your Windows Store-based (modern) applications:

 

1. Open the Microsoft Store Application from the Start Screen.

2. Bring up the Application Menu by simply just right-clicking.

3. Select Your Applications and Install!

It’s as simple as that! 

AppV: On Devirtualization

October 25, 2013 4 comments

So, I am hanging out on the TechNet Forums one Saturday night and I got inspired by a thread (http://social.technet.microsoft.com/Forums/en-US/9b136314-77be-4568-8bc6-6e2ed865f43e/this-document-could-not-be-opened-it-does-not-appear-to-be-a-crystal-report-document) to write this particular blog post. Yes, before I go any further, I will acknowledge the pathetic revelation of what I like to do on a Saturday night – because there is nothing more wild and crazy than hanging out on the forums. Anyway, I wanted to stress the importance of how you can use the sequencer as a troubleshooting mechanism to determine whether an issue with a problematic application is tied to the sequencing process or is an issue with virtualization (in general or with a particular virtualization subsystem). So, it makes total sense that here I am late on a Friday doing something I love to do – wax poetic about App-V on my blog!

So, if you encounter errors in your application and you suspect that an important asset was not captured during sequencing or you cannot eliminate whether or not a clean sequencing machine was used – you can always DEVIRTUALIZE! Devirtualization is a great step in troubleshooting as it helps you determine if an APPV package has all of the necessary file and registry assets. Here is what you need:

You will need a clean sequencing machine with . . .

  • . . . the same version of the sequencer used to sequence the application.
  • . . . any dependencies or middleware that the application needs to run (otherwise not included in the package.)
  • . . . a troubleshooting toolkit (i.e. Process Monitor)

Once this is in place, copy the package to the sequencer machine and then launch the sequencer application. From the Tools menu, select “Expand Package to Local System.”

Select the APPV package. It will then expand the package to a local installation footprint. If the application was sequenced properly, then all of the file, registry configuration, environment variables, and extension points will “install” to the local operating system. Once the expansion has completed, you can then proceed to launch and test the application. If the application functions correctly, you know the problems you have encountered with the application are not a result of sequencing issues. You can then redirect your troubleshooting towards issues including but not limited to:

  • Virtualization subsystems (Virtual COM, Virtual Objects, Virtual Services, VFS, etc.)
  • Incompatibilities with virtualization as a whole (drivers, COM+, etc.)
  • Information that could have been captured incorrectly in the FSMetadata.xml file (Short Names, Directory Opacity)
  • Registry Opacity
  • Static Dependencies

If the application fails to launch or function as expected after de-virtualization, then you can proceed to troubleshoot using your troubleshooting toolkit. Usually Process Monitor is quick to isolate these issues (missing files or registry entries.) However, you should always inspect the native equivalent of the extension points as well.


App-V 5: On that issue with Firefox where you cannot save preferences

October 24, 2013 6 comments

If you have had a chance to sequence Firefox within App-V 5, you probably have encountered an issue where none of your preferences seem to be retained after exiting Firefox. Anything from loaded plug-ins, to tab preferences, to even the home page seem to always revert back to the default. This scenario is pretty easy to reproduce with a clean sequencer template and the default App-V sequencer exclusions. I used Firefox 18.0.2 installer to demonstrate this issue.

What is happening?

A user launches Firefox and proceeds to set all of their customizations (Home Page, Tab settings, etc.) within the options menu (using the Firefox menu in the top left corner).

 

After making these changes, exit out of Firefox (ensure the actual process terminates) and re-launch the application. All of those changes within the options menu are gone and you have been reverted back to the “first-launch” Firefox experience. A repeat process and it happens again. And again.

Troubleshooting what is actually happening

So for me, capturing two separate process monitor traces usually helps me sort this out. I started a Process Monitor trace to capture launching Firefox and saving a simple preference. Then I stopped the capture, saved it, and re-launched process monitor in order to capture the exit and re-launch for Firefox. I do this a lot and I will work from the middle. My initial guess was that the issue with saving the preferences actually happened on exit. Before I looked at the process monitor trace, I needed to know how these preferences are actually being stored (in the registry, within a file, etc.)

I found that the preferences are being saved in a file called prefs.js. Interesting. So I pulled up the first process monitor PML I captured and filtered for a path that contained prefs.js.

 

I found numerous CreateFile, QueryBasicInformation, and CloseFile operations on prefs.js as I was walking the trace through the normal VFS hook/walk functions (Integration symbolic link, “gold” package store, user-mode VFS, etc.) The CreateFile operations seemed to be normal when the desired access was READ, READ EA, SYNCHRONIZE and are successful. However, as I moved on down at the time I started changing settings and clicking OK, I saw that a CreateFile to the same Prefs.js file was failing with ACCESS DENIED. This time the desired access also included a GENERIC WRITE. Odd, these should normally be supported too.

 

Looking at the second trace where I captured closing and reopening Firefox, I found numerous instances of the failed writes to the prefs.js file. This prefs.js file was located beneath the user’s roaming %APPDATA% folder.

 

 

 

So again, what exactly is happening and why?

This requires a little bit of background. As you may have discovered, virtual assets in App-V (files, folders, registry keys, etc.) are not made invisible. They are not isolated in the sense they are in human readable formats – yet they are still state separated. When processes are hooked by App-V, they still see things virtually as they would in previous versions of App-V. It’s just the job of App-V behind the scenes to redirect everything to the appropriate location.

When you look at the file layouts of an AppV Package from within native explorer, you will see a read-only package beneath the %PROGRAMDATA%\AppV folder. If you look inside C:\Program Files, you will not see the Mozilla Firefox subdirectory. However, if you configure Explorer to launch inside an App-V bubble, you can view the VFS directly as the application sees it. All you have to do is first configure explorer to launch inside a separate process. In any explorer folder window pull up “Folder and Search Options,” select the View tab, and check the box to “Launch Folder Windows in a Separate Process.”

 

Then using the /APPVVE or /APPVPID extension launch a command prompt inside the virtual environment you would like to view. Then you can spawn an explorer process inside the App-V bubble.

 

In the figure below, the same folder is viewed with the top window coming from a native explorer process and the bottom from an explorer process running inside the virtual environment of Firefox.

 

Now using the same bottom window running in the virtual environment, I navigate over to that particular directory where the prefs.js file is.

 

 

 I open and try to modify it. It prompts me to save it into a different location. The issue reproduces in this manner as well.

 

While running this process, we are viewing the true virtual package view in which we are combining and merging the view of two different namespaces. The base package or “GOLD Package” and the “User Store” (within the User Profile in %LOCALAPPDATA%.)

While this demonstration was long, I did it to demonstrate a component implemented in the complex App-V 5 VFS known as the VFS COW (Copy-on-Write) filter. The COW manages per-user data and package-wide data that are stored per-user (in the case of applications that are targeted to the user). Writes are redirected from the base package location to a COW location inside the user’s profile. This makes it possible for users to have different views of the same package, and all changes are isolated between users. It also prevents users from tampering with App-V packages from outside the virtual environment, yet it will STILL allow Anti-Virus applications to scan and REMOVE viruses from a virtual application in the rare case in which one arrives via an App-V package. The mappings are maintained inside the registry, as shown here for Firefox (based on its GUID).

 

Another feature of the COW is the set of COW Exclusions. Copy-on-Write functionality will not occur for certain file types. In the case of Firefox, the problem is not that it writes to a COW location, but the type of file it is trying to write. Files with extensions of EXE, CMD, MSI, COM, BAT, JS, VBS, DLL, and others cannot be modified, because modifying them would create a new instance of these files within the user’s profile, and these extensions are normally associated with executable code or scripts.

How to resolve?

You have a few options here. You can simply exclude the folder containing the file from sequencing or you could take advantage of user state management solutions that work with App-V (UE-V, RES, AppSense, FlexProfiles, etc.)
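As an added example (not from the original post or from App-V itself), the Python sketch below lists the per-user files in a package that carry a COW-excluded extension, which points at the folders to consider excluding during sequencing. It assumes the .appv file can be read as a ZIP archive with percent-encoded entry names and that per-user data sits under Root/VFS/AppData and Root/VFS/LocalAppData; the sample package is constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath
from urllib.parse import unquote

# Extensions the post names as COW-excluded. The post adds "and others",
# so this set is incomplete by construction.
COW_EXCLUDED = {".exe", ".cmd", ".msi", ".com", ".bat", ".js", ".vbs", ".dll"}

# Assumption: per-user profile data is packaged under these VFS folders.
USER_VFS_ROOTS = ("root/vfs/appdata/", "root/vfs/localappdata/")


def cow_blocked_entries(appv_bytes):
    """Map each per-user folder in the package to the files in it that the
    application will not be able to rewrite because of a COW exclusion."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(appv_bytes)) as pkg:
        for raw in pkg.namelist():
            name = unquote(raw)  # assumption: entry names are percent-encoded
            if name.endswith("/") or not name.lower().startswith(USER_VFS_ROOTS):
                continue
            path = PurePosixPath(name)
            if path.suffix.lower() in COW_EXCLUDED:
                hits.setdefault(str(path.parent), []).append(path.name)
    return {folder: sorted(files) for folder, files in sorted(hits.items())}


def build_sample_package():
    """Constructed stand-in for a sequenced Firefox package (not real data)."""
    entries = [
        "Root/Mozilla%20Firefox/firefox.exe",  # program files: not per-user
        "Root/VFS/AppData/Mozilla/Firefox/profiles.ini",
        "Root/VFS/AppData/Mozilla/Firefox/Profiles/constructed.default/prefs.js",
        "Root/VFS/AppData/Mozilla/Firefox/Profiles/constructed.default/places.sqlite",
        "Root/VFS/LocalAppData/Example%20Vendor/Updater/update.bat",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for entry in entries:
            pkg.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for folder, files in cow_blocked_entries(build_sample_package()).items():
        print(folder, "->", ", ".join(files))
```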

Is this a Bug?

In the context of App-V, no. Is this a victim of the design of App-V 5? Before you rush to judgment, let me offer you this scenario and that might shed light on who you should be directing your potential outrage against. This particular issue boils down to one simple thing – Firefox saving preferences to a JS file. It is never a good idea for enterprises to have applications that are executable (or executable scripts) to reside in the context of the user’s profile. This is why most enterprises resent Google Chrome and other applications that install executable code into user profile locations. Historically, the AppData folders were also targets of AdWare and Spyware.


The feed of Windows Azure Pack Gallery Resources and SCVMM Service Templates which are compatible with the RTM releases is now LIVE

October 21, 2013 Leave a comment

Windows Azure pack information can be found here: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack/default.aspx#fbid=w0JHn-YWZV6

The Windows Azure Pack is a collection of Windows Azure technologies available to Microsoft customers at no additional cost. Once installed in your datacenter, the Windows Azure Pack integrates with System Center and Windows Server to help provide a self-service portal for managing services such as websites, Virtual Machines, and Service Bus; a portal for administrators to manage resource clouds; scalable web hosting; and more.

The feed of Windows Azure Pack Gallery Resources and SCVMM Service Templates which are compatible with the RTM releases is now LIVE at:
 
http://www.microsoft.com/web/webpi/partners/servicemodels.xml
 
This release includes more than 40 deployable templates to get you started including:

  • SharePoint 2013
  • SharePoint Foundation 2010
  • Microsoft SQL Server 2013
  • IIS
  • Domain Controller
  • Windows Server 2012 R2 HA Network Gateway
  • Windows Server 2012 R2
  • Windows Server 2012
  • BlogEngine.NET
  • Database Servers
    • MySQL Server (Windows and Linux)
    • Oracle Self Service Kit
  • Linux applications including
    • CentOS6 LAMP
    • Drupal
    • Joomla
    • WordPress CentOS6
  • Samples to enhance authoring
    • Custom Script
    • Custom Script with Environment Variables
    • Linux Generic
    • Service Template Example Kit
  • and more

For information on how to use this feed and import items in the Windows Azure Pack you can use the following resources:

I’m going to make this blunt . . .

October 21, 2013 2 comments

Are you an App-V Guru? Are you good with traveling? Do you work well with customers? Are you agile when it comes to developing client solutions? Do you remain adept on ever-changing industry standards?

 

MCS (Microsoft Consulting Services) is hiring! Contact me for more information! 🙂


Holy Massive Cloud Software/Resource Release Batman!!

October 19, 2013 2 comments

So, Microsoft had a bunch of new releases this week! Windows 8.1, Windows Server 2012 R2, a Bing Facelift. With all that has been going on in the past couple of weeks, it is easy to miss something. For those of us who live in the world of virtualization and cloud, some additional (very handy) software and resources have been made available to make our lives much easier in the field.

For starters, we released some well-needed guidance for our VDI folks out there:

Desktop Hosting Reference Architecture Guide

http://www.microsoft.com/en-us/download/details.aspx?id=39285

DaaS (Desktops as a Service) continues to grow – especially in worlds where one-to-many virtual desktops are desired for the reduction of overall density and real estate consumption. In addition, something our internal field engineers have been perfecting over the past few years has also been made public – a performance and optimization guide for the Windows 7 operating system in a virtual desktop (VDI) environment.

Performance Optimization Guidelines for Windows 7 Desktop Virtualization

http://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance%20Tuning%20Guidelines%20for%20Windows%207%20Desktop%20Virtualization%20v1.9.docx

A Big Release for the BYOD (Bring-your-own-Device) Space, Stronger Security Options for Azure, and Free Stuff!

http://www.microsoft.com/en-us/news/press/2013/oct13/10-07hybridcloudpr.aspx?wt.mc_id=PR_Blog

When you read the above link, you will also learn Microsoft now has Remote Desktop apps for iOS, Mac OS X and Android! Talk about burying the lead! Yes, with the release of Windows Server 2012 R2, we are introducing new Microsoft Remote Desktop end-user applications for iOS, Mac OS X and Android. Just like our modern apps for Windows and Windows RT, these provide easy access to virtual machine based desktops, session based desktops and RemoteApp programs, as well as the ability to remote to a PC. With Windows Server 2012 R2 Remote Desktop Services we continue to improve the management and deployment, solutions economics, and end-user experience for virtual desktop and server based computing experiences. In particular, new storage capabilities like tiered storage spaces and online VHD de-dupe dramatically reshape the economics of delivering a remote desktop services solution. And now these new apps extend a rich Windows experience to a new range of devices.

Except of course WP8 for right now 😦

Azure Updates!

The Windows Azure Multi-Factor Authentication Server (the on-premise version of PhoneFactor) is supported for use with RD Gateway and will function with RDWeb/RDG in an Azure VM; see http://technet.microsoft.com/en-us/library/dn394287.aspx for the most current documentation.
Also, Windows Azure Multi-Factor Authentication for Windows Azure Active Directory (http://technet.microsoft.com/en-us/library/jj713614.aspx – the hosted version of PhoneFactor) does not natively integrate with RD Gateway.

Free E-Books from Microsoft!

Finally, a wealth of free books have been released from MS Press revolving around public, private, and hybrid cloud scenarios.

http://blogs.msdn.com/b/microsoft_press/archive/2013/10/03/free-ebook-2-in-this-series-microsoft-system-center-configuration-manager-field-experience.aspx .

http://blogs.msdn.com/b/microsoft_press/archive/2012/05/04/free-ebooks-great-content-from-microsoft-press-that-won-t-cost-you-a-penny.aspx

http://blogs.msdn.com/b/microsoft_press/archive/2013/10/01/free-ebook-introducing-windows-azure-for-it-professionals.aspx

http://blogs.msdn.com/b/microsoft_press/archive/2013/09/18/free-ebook-system-center-designing-orchestrator-runbooks.aspx


App-V: On Application Compatibility and Shims with Regards to Applications Virtualized with App-V 4.x and 5.x

October 9, 2013 10 comments

While the origins of Softgrid may have revolved around addressing some application compatibility issues, the primary tenets of using Softgrid then (and App-V now) still are to provide on-demand application delivery, “installation-footprint-free” assets, as well as application-to-application isolation. This does not include being a solution for application compatibility. The old notion of “If you can’t fix it with shims, you can just use App-V and sequence it on XP! – Then run it on Windows 7 or 8” is not true. If this solved one of your application issues when migrating to Windows 7 or 8 – it was only a case of luck. App-V has not, does not, and will not fix App-to-OS bugs.

So where does App-V fit into the Application Compatibility Process?

Application Virtualization is a packaging technology that contains both state separation and isolation. But it alone does not remediate compatibility issues. Laying out the industry-accepted AppCompat process, virtualization/sequencing is considered a form of packaging.

 

The sequencing of applications for a target operating system should occur only after that application has been verified for operating system compatibility directly or through remediation. Yes, that remediation may include a shim containing compatibility fixes.

But I heard you can’t shim App-V applications!

You heard wrong. If you must shim that internal custom LOB application for which you can no longer locate the source code, you can certainly apply the same shim to an application running natively or virtualized so long as you have deployed the shim locally. This is so the Application Experience service can work with the fixes properly. I personally believe in shims as a last resort, especially with App-V. Remember, some global compatibility flags (__COMPAT_LAYER) can also be applied to App-V applications as environment variables. Zarbie mentioned this a while back in one of his blogs (http://blogs.technet.com/b/virtualworld/archive/2010/04/13/the-requested-operation-requires-elevation-2c-000002e4.aspx). You should always look for the simplest of solutions first.

But for that application that may require several fixes, there have been many questions and requests regarding guidance on how shims developed to address compatibility issues (also known as AppCompat Shims) can be implemented with App-V.

Using the Stock Viewer application that comes with the ACT, I will demonstrate both how most compatibility issues affect App-V packages and how we apply compatibility shims to App-V packages. The well-known Stock Viewer Demo App (from the ACT) is a great teaching tool for demonstrating issues that rear their ugly head in a virtual App-V application exactly the same way they would in a native application. So if we wanted to implement the ElevateCreateProcess, ForceAdminAccess, LocalMappedObject, and VirtualizeHKCRLite fixes into an application virtualized with App-V, we would go about it the same way we would using a normal local installation of the Stock Viewer application along with the rest of the ACT. I create my shim as follows:

1. Start the Compatibility Administrator application (COMPATADMIN.)

2. Click yes to the UAC prompt.

3. In the left pane click Custom Databases and then select “New Database(1) [Untitled_1].”

4. On the toolbar, click Fix.

5. In the Create new Application Fix wizard, on the Program information page, in name, type StockViewer, in Location, type c:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Demo Application\StockViewer\StockViewer.exe, and then click Next.

6. On the Compatibility Modes page, select None for Operating Systems Modes, and then click Next.

7. On the Compatibility Modes page, click Next.

8. On the Compatibility Fixes page, check ElevateCreateProcess, ForceAdminAccess, LocalMappedObject, VirtualizeHKCRLite, and then click Next.

9. On the Matching Information page, click Finish.

10. On the toolbar, click Save.

11. In the Database Name dialog box, type StockViewerFixes, and then click OK.

12. On the Save Database browse window, in filename, type C:\SDBShare\StockViewerFixes, and then click Save.

So now we have a shim StockViewerFixes.sdb that can later be applied with a simple command:

sdbinst.exe -q

The –q installs it in quiet mode.

 

Shims and App-V 4.6

When Stock Viewer is virtualized and executed as a standard user, you will find that the user encounters the same initial launch error virtualized as it would when it is installed natively.

Permission Denied

You must be an administrator to run this application.

 

So if we wanted to apply this shim to the computers local database, we could do so by quietly deploying the shim (using sdbinst as an administrator.) Then you would want to add in a Service Inclusion for the Application Experience service (AeLookupSvc) in the App-V Client Configuration so the Application Experience service can work inside the App-V virtual environment and ensure all shims are applied properly. I discussed Service Inclusions last year in the following blog: http://blogs.technet.com/b/gladiatormsft/archive/2012/08/01/app-v-4-6-using-service-and-process-inclusions.aspx

Service Inclusions can be useful not only for Anti-Virus applications, but other key services as well. For example, this is how we allow for AppLocker to work with virtualized applications. For the Application Experience service, you would need to create the service inclusion for the service – AeLookupSvc by simply creating a string value (REG_SZ) under the following key:

X86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

X64

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions

Value: AeLookupSvc1

Data: AeLookupSvc

The main challenge will be if you want to deploy the shim “on-the-fly” when you deploy the application. My good friend and idol Chris Jackson mentioned this a while back in his Technet Magazine article:

http://technet.microsoft.com/en-us/magazine/ff458340.aspx

He mentions the use of a pre-launch script in the OSD file to apply a shim using sdbinst. This works well except that it requires administrator access and the command will be running in the security context of the user. Also note that he also addressed the problem with using a centralized shim database due to problems with elevation and the AppV Bubble. The use of creating a Service Inclusion for the AE Lookup service addresses this issue now.

 

Shims and App-V 5

With App-V 5, the process is more straightforward. You can use individual shims or a centrally managed shim database without needing a service inclusion, due to the new App-V file system and hook model. You even have better options for applying the shim to each virtualized application individually by taking advantage of the more advanced App-V script model. Since the desired workflow is to be able to apply the shim without unnecessarily elevating the security context of the user or application itself, you can apply the shim using the AddPackage event within the deploymentconfig.XML file. This will run under the context of the SYSTEM account.

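    <MachineScripts>
      <!-- Runs as SYSTEM when the package is added: install the shim database quietly -->
      <AddPackage>
        <Path>sdbinst</Path>
        <Arguments>-q stockviewerfixes.sdb</Arguments>
        <Wait RollbackOnError="true" Timeout="15"/>
      </AddPackage>
    </MachineScripts>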

 

Likewise, you can reverse this when the package is removed by assigning a script on the RemovePackage event.

    <MachineScripts>
      <!-- Runs when the package is removed: uninstall the shim database -->
      <RemovePackage>
        <Path>sdbinst</Path>
        <Arguments>-u stockviewerfixes.sdb</Arguments>
        <Wait RollbackOnError="true" Timeout="15"/>
      </RemovePackage>
    </MachineScripts>

Bear in mind, these events will only occur when deploying using PowerShell. If you want to deploy this shim using the publishing server, you will want to target the machine and not the user and assign the shim installation to the PublishPackage event.
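An added check (not from the original post or from App-V's own tooling) that reads a deployment configuration and reports any shim database installed by an AddPackage script without a matching `sdbinst -u` on RemovePackage, or without RollbackOnError. The function names and the wrapper element and namespace in the samples are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET
from ntpath import basename  # Windows path rules on any host OS


def _local(tag):
    """Drop an XML namespace prefix so element names compare directly."""
    return tag.rsplit("}", 1)[-1]


def _sdbinst_calls(root, event):
    """Return (sdb_name, is_uninstall, rollback_on_error) for every sdbinst
    script attached to one MachineScripts event."""
    calls = []
    for scripts in (e for e in root.iter() if _local(e.tag) == "MachineScripts"):
        for ev in (e for e in scripts if _local(e.tag) == event):
            parts = {_local(c.tag): c for c in ev}
            exe = parts["Path"].text if "Path" in parts else ""
            if basename((exe or "").strip()).lower() not in ("sdbinst", "sdbinst.exe"):
                continue
            args = parts["Arguments"].text if "Arguments" in parts else ""
            # posix=False keeps backslashes in Windows paths intact
            tokens = [t.strip('"') for t in shlex.split(args or "", posix=False)]
            uninstall = any(t.lower() == "-u" for t in tokens)
            wait = parts.get("Wait")
            rollback = wait is not None and wait.get("RollbackOnError", "").lower() == "true"
            calls += [(basename(t).lower(), uninstall, rollback)
                      for t in tokens if t.lower().endswith(".sdb")]
    return calls


def lint_shim_scripts(xml_text):
    """Flag shim databases that are installed with a package but not removed
    with it, and install scripts that do not roll back on error."""
    root = ET.fromstring(xml_text)
    installs = [c for c in _sdbinst_calls(root, "AddPackage") if not c[1]]
    removed = {c[0] for c in _sdbinst_calls(root, "RemovePackage") if c[1]}
    findings = []
    for sdb, _, rollback in installs:
        if sdb not in removed:
            findings.append(f"{sdb}: installed on AddPackage, never uninstalled on RemovePackage")
        if not rollback:
            findings.append(f"{sdb}: AddPackage script does not set RollbackOnError")
    return findings


# Constructed samples; the wrapper element and namespace are placeholders.
_WRAP = ('<DeploymentConfiguration xmlns="urn:example:constructed">'
         '<MachineScripts>{}</MachineScripts></DeploymentConfiguration>')
_ADD = ('<AddPackage><Path>sdbinst</Path>'
        '<Arguments>-q stockviewerfixes.sdb</Arguments>'
        '<Wait RollbackOnError="true" Timeout="15"/></AddPackage>')
_REMOVE = ('<RemovePackage><Path>sdbinst.exe</Path>'
           '<Arguments>-u "C:\\SDBShare\\StockViewerFixes.sdb"</Arguments>'
           '<Wait RollbackOnError="true" Timeout="15"/></RemovePackage>')
INSTALL_ONLY = _WRAP.format(_ADD)
PAIRED = _WRAP.format(_ADD + _REMOVE)

if __name__ == "__main__":
    for name, sample in (("install only", INSTALL_ONLY), ("paired", PAIRED)):
        print(name, "->", lint_shim_scripts(sample) or "ok")
```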

With Windows XP hitting end of life, there is a rapid increase in the movement to Windows 7, Windows 8, and Windows 8.1. While modernization of your legacy applications still should be your ultimate goal, remediating your application into a working solution that is both compatible and portable is, in many cases, the next best thing from a transitional perspective.

 

Special note for Those Updating 4.6 to SP2 or SP3 using the MSI instead of the EXE

October 3, 2013 1 comment

If you have updated App-V 4.6 SP1 to SP2 or SP3 using only the MSI, please be aware that you will need to also ensure that the Visual C++ 2005 and 2008 updates (containing the critical Redistributable Package MFC Security Update) are also installed.

If you deploy using an ESD such as Configuration Manager, you may have noticed some quirky behavior post-deployment – especially with FTA (file-type-association) behavior. Before you do anything else, make sure these run-times are updated.

The specific updates can be downloaded here:

KB2538242 from http://www.microsoft.com/en-us/download/details.aspx?id=26347
KB2538243 from http://www.microsoft.com/en-us/download/details.aspx?id=26368

If you are upgrading by using the EXE, this should happen automatically.
