App-V 5: On the LocationProvider and the IgnoreLocationProvider Feature

In a previous blog entry, (http://blogs.technet.com/b/gladiatormsft/archive/2014/12/10/app-v-5-on-the-packagesourceroot.aspx) I discussed the PackageSourceRoot override and how it can be used to control source content locations for packages. There is another option for overriding source content locations for App-V packages: the LocationProvider registry value located in HKEY_LOCAL_MACHINESOFTWAREMicrosoftAppVClientStreaming.

This registry value is not designed to be changed or adjusted manually. It is simply a configuration item that denotes the COM interface and its subsequent registration. When this value is empty, that means there is no LocationProvider interface registered. If one is registered {by GUID} than whatever its setting for the package source root per package takes precedent over the PackageSourceRoot registry setting or other per-package settings. This is how the Configuration Manager client hooks into the App-V client. It uses the COM provider called the VAppLaunchManager which essentially takes over package management with an event-driven methodology.

From the context of how is overrides the PackageSourceRoot, think of this as being a replacement for the manual registry setting of the OverrideURL setting done in previous versions of App-V and SCCM integration. If the application has not been streamed or fully loaded, the App-V Streaming Subsystem will reference this interface to retrieve the Override URL for the package (i.e. the SCCM Distribution Point) from which the package will stream from. This will happen under each time there is a:

• First connection to a package.

• Reconnection after a previous session was closed or a user has logged off.

• Change in the network (move to new network, network interface reset, etc.)

The interface will be registered initially once the clients receives the first targeted advertisement of an App-V 5 virtual application from Configuration Manager. This is a much improved experience from the implementation of Configuration Manager 2007 and App-V 4.6 as existing packages will remain on the client

Now this brings up another likely question: Can you create exceptions to clients being controlled by the Configuration Manager client or some other ISV that might leverage the LocationProvider interface? Let’s say you have a subset of computers within a collection that you not only do not want receiving virtual advertisements from Configuration Manager, but you may also desire managing the applications by way of another mean altogether. In previous implementations of Configuration Manager and App-V integration, field resources came up with using custom policy exceptions (see Rob York’s old blog here: http://blogs.technet.com/b/virtualworld/archive/2010/07/07/using-sccm-local-policy-to-selectively-restrict-app-v-integration.aspx) and this worked.

So if you wanted to globally manage all of your resource physical machines, virtual machines, and devices through Configuration Manager (including the delivery of virtual applications) except for possibly a subset of machines in which you may want to manage the applications in a stand-alone fashion (i.e. RDS Servers, etc.) – how do you go about setting that exception in App-V 5? You could probably easily go about the same process – but what if you wanted to use Configuration Manager to publish the applications but still take advantage of the PackageSourceRoot? Why? Well, for reasons such as:

• Having multiple App-V delivery systems but would like to reduce duplicity on content between content servers and distribution servers.

• You want to manage affinity with content locations out-of-band from Configuration Manager

• You want to provide streaming high availability with better failover than the distribution point failovers in Configuration Manager (which are not instantaneous as load-balanced shares.)  

You can have this by setting the value IgnoreLocationProvider to 0x1 (DWORD) in HKEY_LOCAL_MACHINESOFTWAREMicrosoftAppVClientStreaming. This setting will force the client to ignore the path returned by the LocationProvider interface and instead use the Package Source Root. This was first introduced in App-V 5 SP2 but it was somewhat problematic. The feature works well now in Service Pack 3.

Windows XP: April 8th – Almost Here!

For the past couple of years, Microsoft has been advising customers of the planned end of extended support date for Windows XP. We’ve even been using a countdown clock on the Windows XP page (http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx ) In fact, you’ve probably also been made aware of or have seen first-hand the end of notifications that are now popping up on Windows XP machines. You may have also recently read this as well:

http://blogs.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-windows-xp-data-transfer-tool-and-end-of-support-notifications.aspx

The update KB 2934207 (Information Here – http://support.microsoft.com/kb/2934207) also adds in a notification prompt (which some in the press have affectionately referred to it as the “Death Notice.”)

If you are not seeing this update, it is likely because your Windows XP machine is being managed by WSUS, or Configuration Manager, or through the cloud with Windows Intune. Only Windows XP machines (Windows XP Home and Professional editions) who receive updates via WindowsMicrosoft Update will see these notifications.

If for some reason you are receiving these notices and you would like to disable them, you can do so in the registry under the one of the following keys:

HKLMSOFTWAREMicrosoftWindowsCurrentVersion

or

HKCUSoftwareMicrosoftWindowsCurrentVersion

Set the value of DisableEOSNotification (DWORD) to 1 to disable notifications. ) enables it.

Regardless of this change, the fact remains that end of all support except for custom support agreements is still April 8, 2014. If you are still running Windows XP in *ANY* form (physical desktops, VDI, MED-V, etc.) this affects you. Without a CSA, you will receive no further security updates and you run a risk of being vulnerable after that date. Also bear in mind that if you are virtualizing Internet Explorer 6, 7, or 8 with any non-Microsoft application virtualization solution, you will be indirectly affected as well.

Consumers, and Small-to-Midsize customers looking to update, can receive special offers and discounts via out Get2Modern page here: http://www.microsoft.com/en-us/windows/business/retiring-xp.aspx

A Custom Support Agreement (CSA) requires a Premier Services Agreement with Microsoft. If you are current an enterprise customer with a Premier contract, we have been making some changes to the Windows XP Custom Support Standard Program, which provides critical security updates, technical assistance and continued support for the product after April 8^th. Please contact your Technical Account Manager (TAM) for more information.

Please note. This applies to Windows XP and NOT Windows XP Embedded. Windows XP Embedded is a different operating system designed for specialized OEM embedded devices and it has always ran on a different support lifecycle ending in 2016, which has been in place for a while in spite of what you may have read in articles out there on the Internet.

The Case of the Mysterious Open SFT Handle

Here is another interesting one-off issue that was happening on a few machines in one of my customer’s environments. They were using App-V 4.6 with Configuration Manager 2012 managing the packages. The virtual applications were distributed fully cached to the clients (download and execute.) The problem was that the download to the cache would never be able to progress beyond 99% thus the application would never become available to the client.  This was happening on all virtual applications for the affected clients. The Configuration Manager CAS.LOG showed the following:
 
Download completed for content Content_74cfa5bd-d3981-21fc-2316-4c3e8659f7a690.1 under context System      ContentAccess   12/5/2012 11:15:35 AM   4460 (0x116C)
CreateFileW failed for c:windowsccmcache11xxxxxxxx.sft      ContentAccess   12/5/2012 11:15:35 AM   4460 (0x116C)
???? failed; 0x80070020 ContentAccess   12/5/2012 11:15:35 AM   4460 (0x116C)
?????t failed; 0x80070020       ContentAccess   12/5/2012 11:15:35 AM   4460 (0x116C)
????????? failed; 0x80070020    ContentAccess   12/5/2012 11:15:35 AM   4460 (0x116C)

The specific HREF error code 80070020 translates to “The process cannot access the file because it is being used by another process.”

Process Explorer to the Rescue

Using Process Explorer (found here: http://technet.microsoft.com/en-us/sysinternals/bb896653) we found that the “System” process had an open handle to all of the various SFT files in the CCM cache (C:Windowsccmcache11xxxxxxxx.sft.) Using MSConfig and disabling all 3rd-party services and startup items (as well as the Configuration Manager client service (SMS Agent Host) we still found that the system STILL had an open handle to all of these SFT files in the CCM cache. Further investigation of the stack revealed there was a mini-filter driver attaching to the SFT files. The filter was identified in Process Explorer as AppVFltrPort. This corresponded to the SFTVIEW.SYS file. This file was part of the Microsoft Application Virtualization SFT View application (that is available from http://www.microsoft.com/en-us/download/details.aspx?id=8897).  It has a mini-filter driver that attaches to SFT files even when you are not using the program.  The problem shows up as soon as something uses the file system near (one level down) to a SFT file on a client computer. 

Uninstall SFTVIEW from Clients

In the above case, the solution was to simply uninstall SFTVIEW or disengage the AppVFltrPort driver. The SFTVIEW tool was meant to be installed outside of production until you are ready for deployment onto content stores. The purpose of having this application on content stores is to provide read-only access to on-access anti-virus scanners so they can scan the contents of the SFT files. If you are looking to view content information or extract meta-data from SFT files, use the SFT Parser instead when working on clients. You can get that here: http://www.microsoft.com/en-us/download/details.aspx?id=12350. If you want anti-virus scanners to be able to scan the App-V client cache, use Service Inclusions instead. More information on Service Inclusions can be found here: http://blogs.technet.com/b/gladiatormsft/archive/2012/08/01/app-v-4-6-using-service-and-process-inclusions.aspx

A special note for those downloading Windows Server Update Services 3.0 Service Pack 2 (KB2734608)

Official information about this update is available here:

http://support.microsoft.com/kb/2734608

This update to WSUS 3.0 SP2 is very significant in that it adds operating system patching support for Windows 8 and Windows Server 2012 WSUS clients. In addition, it also fixes minor issues with KB2720211 (which is included in this update). For stand-alone WSUS environments this update also includes the updated version of the Windows Update Agent (WUA): 7.6.7600.256 which addresses security vulnerabilities of the Windows Update client component.

When KB2734608 is installed and you are leveraging the WSUS server engine as a Software Update Point in Configuration Manager, you may notice that when the new catalog is downloaded, the changes in that catalog structure may trigger some unexpected changes in the existing patch management database. Some existing patches may show as Invalid and may require to be re-download and re-distributed throughout the Configuration Manager hierarchy. It is highly likely that some enterprise administrators may not desire this.  

A Hotfix to the Rescue!

To prevent these actions from occurring, Microsoft released the hotfix (KB2783466.) This hotfix has to be applied to all Configuration Manager SUP/WSUS systems if  the KB2734608 was applied and preferably before the next Patch Tuesday cycle (December 11^th, 2012). If you have not applied the hotfix KB2734608, then applying this hotfix prevents the unnecessary re-downloading and re-distribution of existing patches. Official information about the hotfix can be found here:

http://support.microsoft.com/kb/2783466

Information Regarding the Updated Windows Update Agent

As described above, the KB2734608 update includes a new version of the Windows Update Agent. On standard WSUS systems, they will push out the new updated Windows Update Agent automatically to clients once the KB2734608 is installed. However, for Configuration Manager 2007 systems, the Windows Update Agent is not leveraged in the same way as standalone WSUS systems; therefore the update does not occur automatically. The security issue addressed by the Windows Update Agent update does not impact Configuration Manager, as Configuration Manager does not download their content through the Windows Update Agent. It only leverages the WU APIs for scanning and installation. The update binaries delivered through the Configuration Manager Software Update component are delivered directly from the distribution point, not through a WUA call to WU/MU or WSUS for content. There is no vulnerability exposure here for Configuration Manager Software Update Management clients, thus no need to update the Windows Update Agent to this version.

However if customers would like to upgrade WUA to the latest revision it is recommended to create software distribution command line only package from Configuration Manager  using the following command to initiate update process:

wuauclt /detectnow

This package will have to be applied to all managed systems.

App-V 4.6: Important Consideration for Streaming from DP when Migrating from Configuration Manager 2007 to 2012

If you are currently using Configuration Manager 2007 to distribute your App-V applications through virtual application advertisements *and* you stream from the distribution points *and* you are about to migrate from Configuration Manager 2007 to Configuration Manager 2012 – you will need to be aware of a very important registry setting introduced last year: LaunchIfNotFound.

The value is found in the following location:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSoftGrid4.5 ClientNetworkHttp or
HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftSoftGrid4.5 ClientNetworkHttp

Technically, what the value does is control the behavior of HTTP streaming when a connection to the HTTP server can be established and the package file no longer exists on the HTTP server. If the value does not exist or if it is not set to 1, the App-V client will not let you launch the application even if it is fully loaded into the cache. To prevent this from happening you would need to manually create this value and set it to 1 (it is a DWORD value.)  This behavior is no different from RTSP. File streaming will, however, launch the application – EVEN – if the value of RequireAuthorizationifCached is set to 1.

Configuration Manager Migration

Now that Config Manager 2012 has released and with SP1 on the horizon, many customers have begun the migration process or are in the process of migrating. So here is where it is important to be aware of this important configuration item. Let’s say you are in the process of migrating from Config Manager 2007 to 2012 and you configured your virtual application advertisements to stream from the distribution point. As part of the migration process, an administrator will likely move the App-V packages over to the Config Manager 2012 site (and/or a different distribution point) and then converts/upgrades some of their Config Manager DP’s hosting the virtual application packages and assigns them to the Config Manager 2012 site as DP’s.
Well, something interesting happens. The content on the distribution point will now be converted to the new Config Manager 2012 content format and the old Config Manager content structure and folders are changed.  During this time, the existing Config Manager Client systems could still be using Config Manager 2007 (as upgrading all clients may take a while in customer environments) and fail to launch – EVEN if fully cached. Another scenario would be even if the user is on the new client, the end user may be launching an existing application that was already on their system and was fully cached. Either way, the user could be stuck getting the following message when trying to launch an application:

The Application Virtualization Client could not launch <APPLICATION NAME>

The requested package does not exist on the server. Report the following error code to your System Administrator.

Error code: xxxxxx-xxxxxxxx-40000194

Why is this Happening?

Why are the launch failures failing even though the applications have been fully cached.  This occurs because when using HTTP streaming, the App-V client will perform an additional authentication check to confirm that the content folder is accessible. This is done even if the RequireAuthorizationIfCached setting was set to 0 on the client.

Similar issues can also occur when migrating from a traditional App-V management server infrastructure solution over to Config Manager 2012. Administrators would need to maintain dual content stores for HTTP streaming until all applications have been delivered via Config Manager 2012.
So, if you foresee yourself in these scenarios, it is advised to set the LaunchIfNotFound value to 1. This will require that you have at least HF3 for App-V 4.6 SP1 installed:

 http://support.microsoft.com/kb/2571168

Also note that LaunchIfNotFound  can be set at the package level and in the network subkey for the entire client. If the key is found in both the package and network registry keys, then the value of per-package LaunchIfNotFound will overwrite the client-wide LaunchIfNotFound value. 

Software Update to block RSA keylengths <1024 has been Released to the Download Center

Today (August 14th) an update was released that, once applied, will block RSA certificates with keys less than 1024 bits. The software update was released to the Download Center.

The security advisory is located at http://technet.microsoft.com/security/advisory/2661254.
The KB article is available at http://support.microsoft.com/kb/2661254.
 
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012.

Please refer to the KB article for direct links to download the update for your supported version of Windows.

The Virtual Machine Servicing Tool 2012 is now available!

The latest version of the VMST has been released! The Virtual Machine Servicing Tool (VMST) 2012 coincides with System Center 2012 –Virtual Machine Manager (VMM), System Center 2012 Configuration Manager and Windows Server Update Services (WSUS) 3.0 SP2.

VMST 2012 is designed to help you reduce IT costs by providing a means to service your virtual machines, templates, and virtual hard disks offline with the latest operating system and application patches—without introducing vulnerabilities into your IT infrastructure.This has been a very popular solution accelerator from Microsoft and can be downloaded at the following URL:

http://www.microsoft.com/en-us/download/details.aspx?id=30470

You use different features in the Virtual Machine Servicing Tool to update offline virtual machines in a VMM library, a stopped virtual machine on a host, virtual machine templates, and to make updates directly to virtual hard disks (VHDs).

 

App-V: Error when you attempt to launch an application: xxxxxx-xxxxxx0a-00000124

Scenario:

Users receive the following error message when attempting to launch an application virtualized by App-V:

The Application Virtualization Client could not launch APPLICATION_NAME”
This action cannot continue because the package must be upgraded. Shutdown all the application that are part of this package and try again.
 
Error code: xxxxxx-xxxxxx0a-00000124

This error can occur under one of the following conditions:

1. An application was left running during an App-V management server upgrade from a pre-4.5 version to 4.5 or later. During an App-V upgrade, the client will continue to operate in disconnected operations mode using cached authorizations. Susbsequent cached launches will resume in online mode post upgrade. It is at this point you may see the above error message.

2. A new version of the application is currently advertised via a ConfigMgr 2007 (SCCM) virtual advertisement that has not been downloaded/streamed yet.

In the case of #1 being the issue, rebooting the computer and/or restarting the App-V client service may clear up the problem.  If that does not work then running the following command should resolve the issue:

      SFTMIME UNLOAD APP:application

Unloading the application in the Client UI will also suffice.

In the case of #2 being the issue, verifying through configuration manager the status of the updated package advertisement is an important step. Bear in mind that if you are currently working on a Terminal Server/RDS Server running the App-V client managed by Config manager, any instances of the application currently launched and in use will need to be shut down first.

Check polling policies, CCM cache, maintenance window settings, etc. as well.

Also note that the error string differs from a similar error with the exact same code:

This application cannot be imported because it is in use.

Close all instances of this application and any others that use the same package, and then try again.

Error code: xxxxxx-xxxxxx0A-00000124

Error when you Attempt to Delete a Package using the XenApp Connector for Configuration Manager 2007 R2

The following issue may occur when you are using the XenApp Connector for Configuration Manager 2007. When you click to delete a package under the System Center Configuration Manager node – Site Database – Computer Management – Software Distribution – XenApp Publications, you get the following error:

ConfigMgr cannot delete the specified object. Please verify that you have delete access to the selected object and refresh the ConfigMgr Administrator console to verify that another administrator has not moved or deleted the object.

This error occurs in spite of the permissions being correct. In addition, the SmsAdminUI.log will show the following error:

  [3][8/31/2011 1:21:04 PM] :Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryExceptionrnFailure deleting management objectrn   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Delete(ReportProgress progressReport)

   at Microsoft.ConfigurationManagement.AdminConsole.ConsoleView.ConsoleFormView.DeleteResultItems(Object sender, ActionDescription actionDescription, Status status, IResultObject selectedResultObject, PropertyDataUpdated dataUpdatedDelegate)rnConfigMgr Error Object:

instance of SMS_ExtendedStatus

{

      CauseInfo = “4”;

      Description = “CSspPkgProgram: Unknown offer error!”;

      ErrorCode = 2152205061;

      File = “c:\qfe\nts_sms_fre\sms\siteserver\sdk_provider\smsprov\ssppkgprogram.cpp”;

      Line = 541;

      Operation = “DeleteInstance”;

      ParameterInfo = “SMS_Program.PackageID=”SBT00153″,ProgramName=”Microsoft Office Professional 2007″”;

      ProviderName = “WinMgmt”;

      StatusCode = 2147749889;

This can happen if the assets related to this XenApp package are deleted but the database record has not been deleted. These packages are stored in the same manner as other packages and advertisements. You can connect to the SQL Configuration Manager database and  run a SQL statement to delete these records. You will need to know the Advertisement and Package ID’s.  You can find this information out for sure by running a SQL Profiler trace while reproducing the issue as shown in the following profiler trace output:

 

Once you know what needs to be removed, you will need to run the SQL scripts to remove the entries. If you only need to worry about the package, we can simply ignore the advertisement steps and use the package steps.

To remove the stale advertisements, run the following SQL statement:

Select * from programoffers where offerid = ‘advertismentID’

Delete from programoffers where offerid = ‘advertismentID’

 – where advertisementID refers to the ID you found in the above trace.

To remove the stale packages, run the following SQL statement:

Select * from smspackages where pkgid = ‘PackageID’

Delete from smspackages where pkgid = ‘PackageID’

 – where PackageID refers to the ID you found in the above trace.

Once these are deleted, additional SQL triggers will remove the other remaining references and entries related to these records in other tables.

SCCM 2007 R2/R3: Error when Streaming App-V Virtual Application from Distribution Point: 4xxxxxx-xxxxxx0a-00003004

On an App-V Client managed by Configuration Manager (SCCM), you may receive the following error when trying to launch a virtual application configured to stream from a distribution point.

The Application Virtualization Client does not support the authentication scheme requested by the server. Report the following error code to your System Administrator.

Error code: 4604EE8-24601B0A-00003004

You may get this error whether or not the application is 100 percent cached or not. In addition you will see one or more of the following errors in the SFTLOG.TXT:

[09/20/2010 11:14:57:287 AMGR WRN] {tid=58C}
Attempting Transport Connection
URL: http://serverfqdn:80/SMS_DP_SMSPKGD$/VirtualAppStreaming/<PKGID>/{GUID}/package.sft
Error: 24603B0A-40000191

[09/20/2010 11:14:57:366 TRAY ERR] {tid=58C:usr=username}
The Application Virtualization Client could not launch ApplicationName

The Application Virtualization Client does not support the authentication scheme requested by the server. Report the following error code to your System Administrator.

Error code: 4604EE8-24601B0A-00003004

The cause of this is the Client is trying to authorize the application upon launching in the same manner as it “checks for updates” in a traditional App-V server-based environment. This is due to the RequiereAuthorizationifCached client value being still set to 1.

To resolve this issue, make the following registry change and restart the App-V Client service:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration
 
RequireAuthorizationifCached = 0