Archive | App Volumes RSS feed for this section

App Volumes for Azure Virtual Desktop and Windows 365 Cloud PC

4 Dec

Recently the Apps on demand was released, essentially this an Azure market place offering from VMware aka Broadcom. You can deploy App Volumes manager virtual machine that runs Windows Server 2022 with App Volumes Manager pre-installed. Additionally, deploy Azure file share and database configuration.

What is an AppStack

An AppStack in VMware App Volumes is a virtual container that contains a set of applications packaged together. It’s used in virtual desktop environments such as (AVD and Windows 365) to dynamically deliver these applications to users. AppStacks are read-only, can be attached to user sessions transparently, and appear as if the applications are natively installed. They offer efficient application management, allowing for easy updates and maintenance without impacting the underlying system. This approach simplifies application lifecycle management and enhances user experience in virtualized desktop scenarios.

Prerequisites

You’ll need the following things ready before you can rollout App Volumes:

  • Azure Subscription: Have an active Microsoft Azure subscription. Azure Documentation
  • Azure Permissions: Ensure permissions to create virtual machines for App Volumes Manager, storage accounts, and file shares on Azure.
  • Access to On-Prem Active Directory: Required for identity and access control.
  • Azure Virtual Desktop Access: For remote connectivity.
  • Azure AD Connect: Install Azure AD Connect on the Active Directory Domain Controller.
  • Active Directory Configurations:
  • App Volumes License File: Download and install the App Volumes license file. App Volumes in Azure follows a Bring Your Own License model. VMware App Volumes Product Download Page
  • Download App Volumes Agent:
  • System Requirements Awareness: Familiarize yourself with the system requirements for using App Volumes. VMware App Volumes 4 Installation Guide
  • SQL Server Database for Production: For a production environment, ensure the availability of an existing SQL server database, as the default SQL Server Express Database is not recommended for production use.

My party came crashing on the requirement of Active Directory (AD) Domain Controller. In my entire Azure, Azure Virtual Desktop, Windows 365 Cloud PC and Microsoft Intune I have made deliberate choice to keep it with mordern management\authentication and follow the Microsoft best practice guidance. Though I am not able to complete the entire configurations due to AD I decided to share whatever configurations I manage to perform to deploy the AV Manager appliance within my Azure subscription for this blog post.

Starting in the Azure Portal

  • Access the Marketplace: Begin by navigating to the Microsoft Azure portal and clicking on ‘Marketplace’.
  • Find VMware App Volumes: Search for the ‘VMware App Volumes’ offer and click on it.
  • Select App Volumes Version: In the VMware App Volumes Azure Application page, choose the desired version from the Plan drop-down box.
  • Click ‘Create’

Deploy the Virtual Machine Appliance

  • Details: Select your Subscription and Resource group. You can also create a new resource group if needed.
  • Instance Details: Choose the Region and enter the name for your virtual machine. Set up the credentials for the local administrator. (#TIP – Ensure you deploy the Appliance where the session host pools are located)
  • Public IP Address: A new public IP address is created by default, but you can opt for an existing one or none at all. (#TIP – This allows accessing the App Volumes Manager over the internet )
  • DNS Prefix: If using a public IP address, consider creating a DNS prefix for easier access. (#TIP – Pick a friendly name I decided to leave it as defaults)
  • By default, a new virtual network and subnet are created. However, in my situation, I want to leverage the existing VNET and Subnet.
  • Database Selection: Choose between a Local SQL Server Express Database (not recommended for production) or a Remote SQL Server database. Enter the necessary database connection details. (#TIP – Explore for production use evaluate using the Azure SQL DB as its a managed SQL instance and you will not have the overhead of managing and maintaining a SQL Server)
  • File Share Configuration: Decide if you want Azure Marketplace to automatically provision storage with file shares or use existing storage. Configure accordingly. (#TIP – Same if you have Azure Dell or NetApp Files storage you can leverage that or using Azure storage account)
  • Tags: Add any desired tags. (#TIP – Ensure you add the tags as it will help you later during Billing and Automation)
  • Review and Launch Deployment: Review your setting Click ‘Create’ to start the deployment process.
  • Navigate to App Volumes Manager Admin UI: This is where you’ll configure Active Directory and other settings.
  • Configure Storage: If you opted out of automatic storage provisioning, manually configure the storage in the App Volumes Manager admin UI.
  • When you navigate to the Storage the newly created SMB shares are listed for templates and AppStacks stroage.

I will come back to this blog post once I learn more about the “No AD” mode as this will enable me to further integrate App Volumes into my Azure Virtual Desktop and Windows 365 Cloud PCs.

Resources deployed within the Azure Resource Group

Following resources are deployed within your Azure Resource Group for App Volumes

Whislist

I would like to see the following enhacements at a later day:

  • VMware aka Broadcom should evlaute a complete SaaS offering taking it to the next level instead of deploying an appliance and required to do alot of configuration. Just give me “as a Service” and the only responsiblity is to create/update and mange the applications with Entra ID Groups.
  • Microsoft Entra ID integration is a must

I hope you will find this helpful information for getting started with App Volumes for Windows 365 Cloud PC and Azure Virtual Desktop. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , ,

VMware App Volumes – Writable Volumes – Third-party Application Exclusions (snapvol.cfg)

17 Aug

Over the years, I’ve discovered a list of exclusions that can help with the smooth functioning of VMware App Volumes – Writable Volumes. Though these exclusions are just suggestions, each environment is unique, so take them at your own risk. Testing them in your environment before implementing them in production is essential.

Path/Process/File Exclusion (Snapvol.cfg)

In this blog, I am not outlining the steps on how to add the snapvol.cfg exclusion as my ex-colleague Daniel Bakshi outlines on a VMware blog post on how to do it step by step. I hope you will find this information useful if you encounter intermittent black screen issues.

Cisco AnyConnect

VPN – Cisco AnyConnect Secure Mobility Client v4.x – Cisco

#Cisco AnyConnect Exclusions
exclude_process_name=vpnui.exe
exclude_process_name=vpnagent.exe
exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent

Crowdstrike Falcon Agent

Falcon Agent – The CrowdStrike Falcon® platform

#Crowdstrike Exclusions
exclude_process_name=CSFalconService.exe
exclude_process_name=CSFalconContainer.exe

Mcafee Antivirus aka Trellix

Antivirus Software – Trellix | Revolutionary Threat Detection and Response

#McAfee Provided Exclusions as per McAfee KB89553
exclude_process_path=\Program Files\McAfee
exclude_process_path=\Program Files\Common Files\McAfee
exclude_process_path=\Program Files (x86)\McAfee
exclude_process_path=\Program Files (x86)\Common Files\McAfee
exclude_process_path=\ProgramData\McAfee
exclude_path=\Windows\Temp\McAfeeLogs
exclude_process_name=MER.exe
exclude_process_name=webMERclient.exe
exclude_process_name=amtrace.exe
exclude_process_name=etltrace.exe
exclude_process_name=procmon.exe
exclude_process_name=procmon64.exe

Zscalar Client Connector

Zero trust client – Zscaler Client Connector

#ZScalar Exclusions
exclude_path=\ProgramData\Zscaler
exclude_path=\Program Files (x86)\Zscaler

BlueYonder Application

Popular supply chain applications – Blue Yonder | World’s Leading Supply Chain Management Solutions

#Exclusions to resolve issues with BlueYonder
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Classes\ProFloor.Application
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Classes\ProSpace.Application
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22FBECF5-10A3-11D2-9194-204C4F4F5020}
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E77716A-9680-4C0D-883E-74D49A2F4456}

VMware DEM

VMware Dynamic Enivornment Manager – Dynamic Environment Manager | Profile Management | VMware | AU

#VMware DEM
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware UEM

I hope you will find this helpful information for applying exclusions within the snapvol.cfg file. Please let me know if I have missed any steps or details, and I will be happy to update the post. I will gladly add more exclusions if you want to share them in the comments section.

Thanks,
Aresh Sarkari

Tags: , , ,

Making Microsoft Quick Assist work with VMware App Volumes – Writable Volumes

6 Sep

Microsoft Quick Assist is a tool widely used by service desk teams to take remote control of a computer and help end-users with a screen share. We noticed with the recent changes Microsoft made to Quick Assist, it stopped working when VMware App Volumes – Writable Volumes were present.

Error launching Quick Assist

We tried many steps of installing the Quick Assist offline using various Powershell commands, and nothing worked out. We also got to a point Quick Assist will launch without the Writable Volumes present or local admins with Writable Volumes. In the end, VMware Support GSS, with help from backend engineering, provided a working solution.

Solution (Workaround)

Step 1 – Download the offline version of the Quick Assist App from the Microsoft store and place all the files into C:\Temp\QuickAssist. Following are the steps to download the offline version of MS store apps.

Offline Files MS Quick Assist

Step 2 – Delete the old version of the Quick Assist App (Not part of the MS Store). Start Menu > Settings > Apps > Optional features > Microsoft Quick Assist > Uninstall. 

Uninstall Optional Features – Microsoft Quick Assist

Step 3 – Install the Offline version of the Microsoft Quick Assist package using PowerShell

PowerShell Add-AppxProvisionedPackage -PackagePath C:\Install\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense
PowerShell Install Appx Package

Step 4 – Install WebView2 component which is a pre-requisite for Quick Assist. Note this step is quite important and not something that has been emphazied alot.

  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
  C:\Install\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
Install Microsoft Edge WebView

Step 5 – Launch the Quick Assist App once. Make sure, without launching the app, don’t move to the next step. Please wait at least 10 mins on this step or/else reboot the template VM and launch the app

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
Launching Quick Assist

Step 6 – Create an OS scheduled task to run at every logon. This will launch the Quick Assist and register at every logon.

schtasks /create /RU "SYSTEM" /TN RegisterQuickAssist /SC ONLOGON /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-AppxProvisionedPackage -PackagePath C:\Temp\QuickAssist\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense"
Schedule Task – Register of Microsoft Quick Assist at User Login

Step 7 – Take a snapshot of the golden image and the remaning steps will be performed in App Volumes files.

Step 8 – We need to prepare the template bundle of Writable Volumes (UIA+Profile) to contain a file startup_postsvc.bat with the following contents. Note Alter the file path if you decide to use something else.

  @echo off
  setlocal enabledelayedexpansion
  set WV_Path=none
  for /F "tokens=3" %%A in ('reg query HKLM\System\ControlSet001\Services\svservice\Parameters /v WritableVolume 2^>nul') do (
    set WV_Path=C:%%A
    fltmc attach bindflt !WV_PATH!
  )
  reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView" /v DisplayName >nul 2>&1
  if %ERRORLEVEL% NEQ 0 (
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
    start /wait C:\Temp\QuickAssist\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
  )

Here is the procedure to update the writable volume’s file – Update Writable Volumes (vmware.com). Zip all the files and push the changes using AV Manager > Writables > Update Writable Volumes

Additional Files for writable volumes startup

Step 9 – Validation login to the virtual desktop (Make sure the updated file – startup_postsvc.bat are pushed onto the WV). After a few seconds, the Microsoft Edge WebView2 Runtime component and Quick Assist should appear in Programs and Features.

PowerShell Get-AppxPackage *assist*

Step 10 – Launch Quick Assist via Start Menu or Explorer and Voila!

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app

If you encounter a similar issue, you can follow the above solution. I hope you will find this information useful if you encounter the same issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 3+ months.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

VMware App Volumes – Tales of the missing Writable Volumes backup

15 Aug

You have a large VMware App Volumes environment and have backed up your writable volumes using the capabilities provided in the App Volumes Manager. (You are doing the right thing!)

AV Manager – WV Backup Config

We decided to perform an audit on the backup of the writable volumes within the App Volumes Manager 2.18.10 and the VSAN Datastore. You can export all the writable volumes to a CSV using the API. My script here will provide you with a complete outlook for conducting your analysis. Now exclude your group entitlements from the list, leaving you with the total number of writable volumes within your environment. Ideally, you are after the same number of writable volumes on the VSAN datastore. (Of course, if everything is going well in the backup world!)

In my case, we observed more than 300+ missing writable volumes between the exported CSV and the VSAN datastore. Let the investigations begin – within the production.log, we could see the backup was happening, but the challenge of a large environment is impossible to track all the backup occurring just by looking at the logs. Feature request to VMW – A dedicated backup log showcases the entire environment’s status. We eventually ended up with a GSS case after few months of back and forth and the logs exchange, we finally got a working solution. This closed the mystery of the missing backup of the writable volumes.

Solution

Go the the SQL database of the App Volumes Manager. Select the DB and New Query.

AV Database – Microsoft SQL

Enter the following query and hit execute. Now this will change the default writable volumes batch size(writables_backup_batch_size) from 5 to 25. Note the value of the batch size was tweaked multiple times, we first went with 10, which drastically reduced the missing backup. However, a few were still missing and not getting backup. The final number for our environment was 25 got all the writable volumes backup.

INSERT INTO dbo.settings ("key", value, created_at, updated_at) 
VALUES ('writables_backup_batch_size', 25, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)

Disclaimer – This tweak was required for a large App Volumes environment. Please consult with VMware Support before making any changes to your setup or Database. If it works for me doesn’t mean it will work for you. The value can differ based on the size of the enivronment.

I hope you will find this helpful information on your VMware App Volumes backup strategy. Please let me know if you have observed any issues like these, and would like to share your story?

Thanks,
Aresh Sarkari

Tags: , , , , ,

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

10 Nov

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

  • What is Orphaned Writable Volumes?
  • Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.

Pre-requisites

  • You need the App Volumes Manager URL
  • You need the username and password of the App Volumes Manager
  • You need to enter y/Y to proceed further with the deletion
  • The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)
###########################################################################
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”
}

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

}

#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content

}

GitHub scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)

Observations

  • When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.
  • Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , ,

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and decisions made along the way. It will be interesting to share with others who might be in a similar situation or process of developing their upgrade/migration strategies. In this post, we shall take a look into these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrated to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What versions numbers did we upgrade/migrated to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes 2.18.10.10 (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is the latest versions are Horizon 8.x and App Volumes 4.x why are you picking older versions for the upgrade? The short answer is the limitations and trade-off, and the following matrix tries to uncover in more detail.

Note – Not all customers might fall under the limitation category, or the limiting feature/functionality could be different in your case. By no means this should be your defacto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield/no-limitations applied, it’s a no-brainer to opt for the latest product releases.

ProductUpgrade DecisionVerison of Choice
VMware Horizon++ We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to Horizon 8.x version. (Instant Clones, Printing, UAG etc.). Infact everything worked well in the development environment
++ The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older version of vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix
++ The no reporting on the Horizon Adapter 1.2 + limited metrics on RDSH limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports\metrics and guidance is made available, we shall jump onto the latest version (n-1)		Horizon 7.13.1
VMware App Volumes++ Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Need official guidance or tool/script/guidance to upgrade all the wrtiable of the 2.18.x environment to 4.x. I am sure alot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version
++ VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks 2.18.x to 4.x need something similar for Writable Volumes		App Volumes 2.18.10.10
VMware Dynamic Environment Manager++ This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)DEM 2103
VMware Unified Access Gateway++ The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)UAG 2103.1
Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.

Wishlist

I am looking forward to vROPS Horizon Adapter XX to include the built-in Horizon Reports/Additional Metrics for RDSH in the new version or provide detailed guidance on creating meaningful reports in future releases. Additionally, the App Volumes team releases tools and advice on migrating 4000’s+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the branch of Horizon 8.x and App Volumes 4.x releases version numbers.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

DescriptionLinks
VMware Product Interoperability MatrixProduct Interoperability Matrix (vmware.com)
Product DocumentationVMware Horizon Documentation
VMware App Volumes Documentation
VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Techzone Migrating Legacy Horizon Components to Modern Alternatives

View Composer –> Instant Clones
Security Server –> UAG
Persona –> DEM
Persistent Disk – FSLogix		Modernizing VDI for a New Horizon | VMware
App Volumes Upgrade considerationsVMware App Volumes 4 Installation and Upgrade Considerations | VMware
Fling Migrate App Volumes AppStack from 2.18.x to 4.xApp Volumes Migration Utility | VMware Flings
Supported Windows 10 versions based on Horizon AgentSupported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
VMware EUC Stack Agent OrderAgent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
Supported Windows 10 versions based on App Volumes AgentVMware App Volumes and Microsoft Windows 10 Support
VMware Product Lifecycle – End of LifeProduct Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migrate strategy for VMware EUC Stack. I would love to hear your strategy and similar situations limiting your ability to migrate to the latest and greatest versions.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , ,

VMware App Volumes upgrade from 2.18.1 to 2.18.10 – Startup Failure – Unable to start App Volumes Manager

13 Sep

While upgrading from VMware App Volumes 2.18.1 to 2.18.10.10 version, the upgrade installer completes successfully. However, when you load the App Volumes Manager portal, you get the following error message – Startup Failure – Unable to start App Volumes Manager – Migrations are pending. To resolve this issue, run bin/rails db:migrate RAILS_ENV=production

Startup Failure

Cause

Upon quickly checking the App Volumes computer account (<Domain>\<MachineName>$ within SQL Server was missing the db_onwer permissions. Obviously, that caused the above error post-migration.

Note – This is a very corner case and not expected to see along on most of the App Volumes Migration/Upgrade scenarios. If you did come across one now you know how to remediate.

Resolution

Step 1 – Adding the missing db_owner permission back to the App Volumes Manager computer security account within SQL Server Management Studio

Step 2 – As the db:migration didn’t complete during the upgrade, we need to re-run the following command on the App Volumes Manager server. Open the CMD and change directory to the following path – C:\Program Files (x86)\CloudVolumes\Manager\ruby\bin and run the following command:

bundle exec rake db:migrate RAILS_ENV=production

You should see the following output:

Command Output

Step 3 – Restart the App Volumes Manager service, and now you will see the login page of the App Volumes Manager.

The mystery remains how did that permission go missing as the additional App Volumes Manager account had retained the db_owner role. But none the less the above steps came in handy with help from VMware support – Suman Rout luckily, has seen a similar issue before.

Lesson Learnt

  • Create a pre-upgrade task item on checking to making sure all the App Volumes Manager computer accounts within the SQL Server have the db_owner permissions.

I hope you will find these steps helpful to resolve missing SQL permissions causing upgrade issues during the App Volumes migration from 2.18.x to 2.18.10.10.

Thanks,
Aresh Sarkari

Tags: , , , , ,

Script to install CrowdStrike Sensor and VMware App Volumes snapvol.cfg exclusions for CrowdStrike Sensor

20 Aug

If you are planning to deploy CrowdStrike Sensor (CS Sensor) within your virtual desktop (Windows 10) or server operating(Remote Desktop – Windows Server 2016), then continue reading. In this post, we will take a look into the following topics:

  • Scripted silent install of CrowdStrike Sensor
  • Process exclusions for VMware App Volumes – Writable Volumes (snapvol.cfg)

Script to install CrowdStrike Sensor

Pre-requisites:

  • Based on your requirements, a complete range of silent switches can be found here – How to Install CrowdStrike Falcon Sensor | Dell US
  • Create a folder called C:\Temp\Sensor and place all the CS Sensor EXE within this folder.
  • Make sure to read the installer log files after the install is completed.
  • We use the proxy details as the virtual machines don’t have direct internet access.
  • Look for the exit code = 0 = success
#############################################################################################
# Install Crowd Strike Sensor to the Golden Image on Windows 10 and Windows Server 2016/2019
# Look for Exit Code 0 = Success
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari - https://twitter.com/askaresh
#############################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Sensor Names
$CSSensorName = "WindowsSen*"

#The sensor installer Location
$TempInstallPath = "C:\Temp\Sensor"

#Log Files location
$CSSensorlogFile = "C:\Temp\Sensor\CSSensor.log"

###################################################################
#                    EXE Arguments Arrary for CS Sensor           #
###################################################################
# Modify any Installer switches related to the sensor here.
# Dell Article covering all silent switches 
# https://www.dell.com/support/kbdoc/en-us/000126124/how-to-install-crowdstrike-falcon-sensor
# Proxy switches if your endpoints dont have direct Internet Access
# Log Files w.r.t to installation is generated in C:\Temp\*

# Crowd Strike Sensor Arguments
$CSArguments = @(
    "/install"
    "/quiet"
    "/norestart"
    "CID=YOUDIDGUIDWILLGOHERE-EG"
    "ProvToken=YOURTOKENNUMBER"
    "GROUPING_TAGS=TAG1,TAG_VDI"
    "ProvWaitTime=3600000"
    "APP_PROXYNAME=proxy.whateverproxy.com"
    "APP_PROXYPORT=80"
    "VDI=1"
	"/log"
    $CSSensorlogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install Crowd Strike Sensor
Write-Host "Installing the Crowd Strike Sensor" -ForegroundColor Green
$CSSensorPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $CSSensorName}).Fullname
$CSSensorInstall = (Start-Process -Filepath $CSSensorPath -Wait -ArgumentList "$CSArguments" -PassThru)
$CSSensorInstall.ExitCode

Start-Sleep 20

Git Hub scripts/CSSensor-Install at master · askaresh/scripts (github.com)

Process exclusions for VMware App Volumes

It is advisable you add the CrowdStrike process exclusions within the VMware App Volumes – Writable Volumes templates on snapvol.cfg. Here is the detailed guidance on how to modify the snapvold.cfg – Using the VMware App Volumes snapvol.cfg File to Customize Writable Volumes | VMware End-User Computing Blog. These two processes are visible within the Task Manager.

#Crowdstrike Exclusions
exclude_process_name=CSFalconService.exe
exclude_process_name=CSFalconContainer.exe

A big thanks to Jishan for the numerous testing cycles! I hope you will find this script and exclusions useful to install the CrowsStrike Sensor. A small request if you further enhance the script or exclusions, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , ,

VMware App Volumes – AD Domain – LDAPS Configuration/Certificate Renewal

19 Aug

The Enterprise Root CA certificate was coming close to expiry, and we had to replace the certificate on VMware App Volumes Manager. In this blog post, we will take a look into the following topics:

  • How to identify the Microsoft Enterprise Root CA
  • How to generate the Root Certificate *.cer
  • Convert the certificate *.cer to *.pem format for App Volumes Manager
  • Replace the certificate within the App Volumes Manager
  • Configuring the App Volumes Manager for LDAPS

How to identify the Microsoft Enterprise Root CA

On any domain-joined box where you have the Active Directory administrative tools installed, open the adsiedit.msc and change the Naming Context to Configuration partition.

Adsiedit Connection

Navigate to the below path Under Certification Authorities, and you’ll find your Enterprise Root Certificate Authority server.

CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=askaresh,DC=dir
Active Directory – Configuration Partition

How to generate the Root Certificate *.cer

Log into the Root Certification Authority server with Administrator Account. Go to Start > Run > and type Cmd, and press on Enter button. Enter the following command:

certutil -ca.cert C:\Temp\rootca_cert.cer

Convert the certificate *.cer to *.pem format for App Volumes Manager

I typically use OpenSSL to convert all my certificates. Copy the rootca_cert.cer certificate into Folder – C:\OpenSSL-Win32\bin and run the following command to convert the certificate to PEM.

openssl x509 -in root_cer.cer -out adCA.pem

Note – We want the exported name to be adCA.pem as App Volumes Manager needs that name during setup.

Replace the certificate within the App Volumes Manager

Depending upon the number of AV Managers, you will have to repeat the steps:

  • Copy the adCA.pem on each App Volumes Manager server, to the /config directory where the App Volumes Manager is installed. The default installation location for App Volumes Manager is C:\Program Files (x86)\Cloud Volumes\Manager.
  • Restart the App Volumes Manager servers.

Configuring the App Volumes Manager for LDAPS

You only need to perform these steps on one App Volumes Manager per POD as the configurations are central on a SQL Database.

  • Login to the App Volumes Manager and go to Configuration – AD Domains – Select the Domain – Edit or New depending upon your requirements
  • Enter the Domain Name, Service Account Username, Service Account Password and Select Secure LDAPS. The port number is 636.
  • Click on Update
App Volumes Manager – AD Domains

I hope you will find these steps helpful to replace or configure the VMware App Volumes Manager with LDAPS.

Thanks,
Aresh Sarkari

Reference Links

Export Root Certification Authority Certificate – Windows Server | Microsoft Docs

Find the name of Enterprise Root CA server – Windows Server | Microsoft Docs

Configure CA Certificates in App Volumes Manager (vmware.com)

Tags: , , , , ,

VMware App Volumes Database – Annual Clean-up (Pruning old data)

22 Jul

The VMware App Volumes database archival tables grow constantly, and it can quickly outgrow the database size. To prevent this growth, it is advisable to perform regular pruning of the database. In our scenario, we prefer to perform this activity annually as we have sufficient space to accommodate the growth. There are mainly three tables that need pruning. (log_records, snapvol_timeseries and system_messages)

VMware has a detailed knowledge base article decribing Pruning the VMware App Volumes SQL database (2132454). However, if you are trying to delete many records at one time, you will get a full transaction log error. The below procedure will help you overcome this challenge.

Query to identify the entries older than 60 days:

SELECT * FROM log_records WHERE created_at < DATEADD(day, -60, GETDATE());
SELECT * FROM snapvol_timeseries WHERE created_at < DATEADD(day, -60, GETDATE());
SELECT * FROM system_messages WHERE created_at < DATEADD(day, -60, GETDATE());

The output of the query will be as follows:

Select SQL Query on AV DB

The challenge is if you ran the Delete query mention in the VMware KB it would work 100%. However, while deleting all the rows, the transaction log will run out of space. If you follow my procedure, the transaction log will still run out of space, but the amount of transaction logs flush you need to perform is minimized to a great extend.

This query will delete the rows in the batches of 10,000, allowing some room to perform the clean-up and no need to flush the transaction logs at every run. (In our scenario for 8 million records, I had to flush the transaction log twice.)

DECLARE @continue INT
DECLARE @rowcount INT
   
SET @continue = 1
WHILE @continue = 1
BEGIN
    PRINT GETDATE()
    SET ROWCOUNT 10000
    BEGIN TRANSACTION
    DELETE FROM log_records WHERE created_at < DATEADD(day, -60, GETDATE());
    DELETE FROM snapvol_timeseries WHERE created_at < DATEADD(day, -60, GETDATE());
    DELETE FROM system_messages WHERE created_at < DATEADD(day, -60, GETDATE());
    SET @rowcount = @@rowcount
    COMMIT
    PRINT GETDATE()
    IF @rowcount = 0
    BEGIN
        SET @continue = 0
    END
END

The output after the clean-up:

Delete SQL Query – AV DB

I hope you will find this SQL query helpful to perform App Volumes Database clean-up in a jiffy. My request if you further enhance the query or make it more creative, I hope you can share it back with me?

You can also follow the procedure to clean-up Horizon Events Database – VMware Horizon Events Database – Annual Clean-up (purge old data) | AskAresh

Thanks,
Aresh Sarkari

Tags: , , , ,

← Older Entries