Archive | Dynamic Environment Manager RSS feed for this section

Unable to use Privilege Elevation – VMware Dynamic Environment Manager

7 Mar

We were exploring the feature Privilege Elevation – VMware Dynamic Environment Manager (DEM) within our development environment, and for some odd reason, a specific feature and configuration wouldn’t work in our setup.

Disclaimer

The windows registry mentioned within this blog post is used within enterprise-grade secure environments. The hardening measure is part of CIS Benchmarks on Windows 10. If your machines aren’t hardened, the feature typically works out of the box. For example, in my home lab, I had no issues with the Privilege Elevation feature working.

Issue

Whenever we enable the feature and apply any settings, it will not work. It didn’t matter which configuration you picked. The error within the logs remains constant.

The error within the FlexEngine-ElevatedTasks.log

2022-02-21 13:02:30.122 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-22 11:22:02.960 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-28 18:23:19.736 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)

Cause

Provided by VMware – The additional configuration on LSA Protection causing issues with the VMware DEM agent (2103 Version). The windows registry key – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

RunAsPPL=1

Resolution

My team managed to open a VMware GSS case handled by GuruKripal (A very helpful support engineer), we had to provide numerous amount of logs, procmons and group policy export of the enivornment. After giving them the export of our CIS Benchmarked group policies, they could reproduce the issue. In the end, the VMware engineering team provided us with a newer build of DEM Agent (10.2.4.1023 x64.msi).

If you encounter a similar issue, you can raise a VMware support case to obtain the fix or/else, I was assured all future releases of DEM Agent would include the fix. I hope you will find this information useful if you encounter the issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 6+ months.

Thanks,
Aresh Sarkari

Tags: , , , , ,

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and decisions made along the way. It will be interesting to share with others who might be in a similar situation or process of developing their upgrade/migration strategies. In this post, we shall take a look into these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrated to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What versions numbers did we upgrade/migrated to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes 2.18.10.10 (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is the latest versions are Horizon 8.x and App Volumes 4.x why are you picking older versions for the upgrade? The short answer is the limitations and trade-off, and the following matrix tries to uncover in more detail.

Note – Not all customers might fall under the limitation category, or the limiting feature/functionality could be different in your case. By no means this should be your defacto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield/no-limitations applied, it’s a no-brainer to opt for the latest product releases.

ProductUpgrade DecisionVerison of Choice
VMware Horizon++ We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to Horizon 8.x version. (Instant Clones, Printing, UAG etc.). Infact everything worked well in the development environment
++ The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older version of vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix
++ The no reporting on the Horizon Adapter 1.2 + limited metrics on RDSH limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports\metrics and guidance is made available, we shall jump onto the latest version (n-1)		Horizon 7.13.1
VMware App Volumes++ Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Need official guidance or tool/script/guidance to upgrade all the wrtiable of the 2.18.x environment to 4.x. I am sure alot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version
++ VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks 2.18.x to 4.x need something similar for Writable Volumes		App Volumes 2.18.10.10
VMware Dynamic Environment Manager++ This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)DEM 2103
VMware Unified Access Gateway++ The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)UAG 2103.1
Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.

Wishlist

I am looking forward to vROPS Horizon Adapter XX to include the built-in Horizon Reports/Additional Metrics for RDSH in the new version or provide detailed guidance on creating meaningful reports in future releases. Additionally, the App Volumes team releases tools and advice on migrating 4000’s+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the branch of Horizon 8.x and App Volumes 4.x releases version numbers.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

DescriptionLinks
VMware Product Interoperability MatrixProduct Interoperability Matrix (vmware.com)
Product DocumentationVMware Horizon Documentation
VMware App Volumes Documentation
VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Techzone Migrating Legacy Horizon Components to Modern Alternatives

View Composer –> Instant Clones
Security Server –> UAG
Persona –> DEM
Persistent Disk – FSLogix		Modernizing VDI for a New Horizon | VMware
App Volumes Upgrade considerationsVMware App Volumes 4 Installation and Upgrade Considerations | VMware
Fling Migrate App Volumes AppStack from 2.18.x to 4.xApp Volumes Migration Utility | VMware Flings
Supported Windows 10 versions based on Horizon AgentSupported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
VMware EUC Stack Agent OrderAgent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
Supported Windows 10 versions based on App Volumes AgentVMware App Volumes and Microsoft Windows 10 Support
VMware Product Lifecycle – End of LifeProduct Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migrate strategy for VMware EUC Stack. I would love to hear your strategy and similar situations limiting your ability to migrate to the latest and greatest versions.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , ,

Script to install VMware EUC Agents – App Volumes Agent, DEM Agent and Horizon Agent

30 Jun

If you are planning for the VMware EUC Stack migration or upgrade and want to install the VMware EUC agent, then continue reading. The guidance on uninstalling the existing agents can be found on this blog post – Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools | AskAresh

In this script, we shall perform the agents install and reboot the golden image towards the end. There is no need to install the individual agents one by one, instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
    • Note few MSI switches are deprecated if you still use them, you will have an error code 1603
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)

Note – All the above testing is carried out on Windows 10 1909 with PowerShell 5.1. Reboot is required to complete the installation operations.

VMware EUC Agents Install

Pre-requisites:

#################################################################################################
# Install EUC Agents in the proper order - Horizon Agent , DEM Agent and App Volumes Agent
# Reboot the OS towards the end after install all Agents. Look for Exit Code 0 or 3010
# If you notice exit code 1603 there is a installation issue. Refer to my MSI switches blogpost
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
################################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Agent Names
$HorizonAgentName = "VMware-Horizon-Agent-x86_64*"
$DEMAgentName = "VMware Dynamic Environment Manager*"
$AppVolumesAgentName = "App Volumes Agent*"
$AppVolMGR = "avm001.domain.com" # Manager LB VIP

# All the installer Location
#Create a folder C:\Temp\Agents and place all the MSI\EXE in there
$TempInstallPath = "C:\Temp\Agents" 

#Log Files location
# Go through all the logs post installation
$HZlogFile = "C:\Temp\Agents\HZAgent.log"
$DEMlogFile = "C:\Temp\Agents\DEMAgent.log"
$ApplogFile = "C:\Temp\Agents\AppVolAgent.log"

###################################################################
#                    MSI Arguments Arrary for EUC Agents          #
###################################################################
# Modify any MSI switched related to the agent here.
# Follow this blog post for swithces - https://askaresh.com/2021/06/28/comparision-vmware-horizon-agent-7-x-8-x-silent-install-switches-and-properties/

# VMware Horizon Agent MSI Switches
$HZMSIArguments = @(
	"/qn"
	"VDM_VC_MANAGED_AGENT=1"
    "SUPPRESS_RUNONCE_CHECK=1"
	"VDM_IP_Protocol_Usage=IPv4"
	"ADDLOCAL=Core,ClientDriveRedirection,NGVC,USB,RTAV,PerfTracker,PrintRedir,HelpDesk,TSMMR,VmwVaudio,V4V"
	"REBOOT=REallySuppress"
	"/L*v"
	$HZlogFile
)

# VMware Dynamic Enivornment Agent MSI Switches
$DEMMSIArguments = @(
    "/qn"
    "ADDLOCAL=FlexEngine"
    "REBOOT=REallysuppress"
    "/L*v"
    $DEMlogFile
)

# VMware App Volumes Agent MSI Switches
$AppVolMSIArguments = @(
    "/qn"
    "MANAGER_ADDR=$AppVolMGR"
    "MANAGER_PORT=443"
    "REBOOT=REallysuppress"
    "EnforceSSLCertificateValidation=0"
    "/L*v"
    $ApplogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install VMware Horizon Agent
Write-Host "Installing the VMware Horizon Agent" -ForegroundColor Green
$HZAgentPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $HorizonAgentName}).Fullname

# The switches "/s /v " is the Install Shield switches and rest of the aruguments are passed with MSI
$HZAgentInstall = (Start-Process -Filepath $HZAgentPath -Wait -ArgumentList "/s /v ""$HZMSIArguments" -PassThru)
$HZAgentInstall.ExitCode

Start-Sleep 20

# Install DEM Agent
Write-Host "Installing the VMware DEM Agent" -ForegroundColor Green
$DEMPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $DEMAgentName}).Fullname
$DEMAgentInstall = (Start-Process -Filepath $DEMPath -ArgumentList $DEMMSIArguments -Wait -PassThru)
$DEMAgentInstall.ExitCode

Start-Sleep 20

# Install App Volumes Agent
Write-Host "Installing the VMware App Volumes Agent" -ForegroundColor Green
$AppVolPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $AppVolumesAgentName}).Fullname
$AppVolAgentInstall = (Start-Process -Filepath $AppVolPath -ArgumentList $AppVolMSIArguments -Wait -PassThru)
$AppVolAgentInstall.ExitCode

Start-Sleep 20

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents install" -ForegroundColor Green
Restart-Computer -Force

Git Hubscripts/vmwareeucagent-install at master · askaresh/scripts (github.com)

A big thanks to Chris H for providing the original blueprint of the script and Wouter for showing me the magical “space” on the switch /v within the Horizon Agent installer. Final thanks to Jishan for the numerous testing cycles and additions to a different version of this script which tackles VMware Tools reboot and continues installing post a reboot.

I hope you will find this script useful to install the VMware EUC agents and never look back to install them individually. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Reference Article – VMware Agent Install order – Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (vmware.com)

Tags: , , , , , , , ,

Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools

29 Jun

If you are planning for the VMware EUC Stack migration or upgrade and are in the middle of uninstalling the existing agents, look no further and here is the script that will allow you to uninstall all the agents and reboot the golden image towards the end. There is no need to remove individual agents one by one from the “Program and Features”; instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)
  • VMware Horizon Client (Optional)
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
  • VMware Tools (Works on 11.x)

Note – All the above testing is carried out on Windows 10 1909/Windows Server 2016 with PowerShell 5.1. The PowerShell module Uninstall-Package suppresses individual reboot and we perform the final reboot towards the end using the Restart-Computer module. (Reboot is required to complete the uninstallation operations.)

VMware EUC Agents
#################################################################################
# Un-Install EUC Agents in the proper order for Golden Image
# App Volumes Agent, Horizon Client(Optional), DEM, Horizon and VMware Tools
# Suppressed auto Reboot the OS towards the end after un-installing all Agents.
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
#################################################################################

#Un-installing VMware App Volumes Agent
Write-Host "Un-installing the App Volumes Agent" -ForegroundColor Green
Get-Package -Name 'App Volumes **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Client
#Write-Host "Un-installing the VMware Horizon Client" -ForegroundColor Green
#Get-Package -Name 'VMware Horizon Cli**' | Uninstall-Package

#sleep -Seconds 60

#Un-installing VMware Dynamic Environment Agent
Write-Host "Un-installing the Dynamic Environment Agent" -ForegroundColor Green
Get-Package -Name 'VMware Dynamic **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Agent
Write-Host "Un-installing the VMware Horizon Agent" -ForegroundColor Green
Get-Package -Name 'VMware Horizon Ag**' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Tools Agent
Write-Host "Un-installing the VMware Tools Agent" -ForegroundColor Green
Get-Package -Name 'VMware Tools' | Uninstall-Package

sleep -Seconds 60

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents Un-install" -ForegroundColor Green
Restart-Computer -Force

GitHub scripts/vmwareeucagent-uninstall at master · askaresh/scripts (github.com)

Thanks to Hilko and Joel for reviewing the script and providing valuable feedback.

I hope you will find this script useful to uninstall the VMware EUC agents and never look back to remove individual programs under “Programs and Features”. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Horizon VDI – Calculator – Photos – Edge Not launching for end-users – Windows 10

8 Feb

In Windows 10 1909 VMware OST optimized image the end-users report they cannot open the following three built-in UWP windows application.

  • Microsoft Calculator
  • Microsoft Photos
  • Microsoft Edge browser

When the end-users try to open any of the three applications, nothing would happen – No error messages or pop-ups. The application doesn’t launch.

Environment Details

VMware Horizon 7.11
VMware App Volumes 2.18.5
VMware Dynamic Environment Manager 9.10

Process of elimination

  • The AppX package for (Calc, Photos and Edge) did exist in the base operating system
  • We can launch all the three applications within the optimized golden image template.
  • We were running the VMWare OSOT tool with the default VMware Windows 10 template. No additional customization or options selected.
  • One thing was evident the base template was working fine. The suspicion was around AppStack – App Volumes (We disabled the AppStacks/Writable Delivery – Same issue observed) or Dynamic Environment Manager causing the application from launching
  • We were running out of troubleshooting ideas

Resolution

Upon searching, I came across this community page – https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Windows-10-UWP-Applications-and-Taskbar/m-p/523086 and it outlined a solution of re-registering the UWP AppX package for the built-in application. We tried the fix in the DEV environment and it worked. Further it was replicated to the production setup.

Step 1: A Powershell script to register the AppX packages

Get-AppxPackage -allusers *windowscalculator* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppxPackage -allusers *windows.photos* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppXPackage -AllUsers *edge* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Step 2 : Create a Dynamic Environment Manager – Logon Tasks

We selected to put the Powershell script within the UEM Share as the end-users have the read- access.

DEM - Logon Task
DEM-LogonTasks

 Quick Update based on 4th Aug 2021 (Thanks to Curtis for bring this up in the comments section)

The above DEM 9.10 logon task no longer works in situation where end-users dont have local administrative priviledges users not being able to run the script at logon.

In the latest version of Dynamic Enivornment Manager 20XX onwards, you can now hook logon tasks into Elevated Tasks by using Privilege Elevation rules.

In DEM:

1. User Environment > Privilege Elevation > Create new privilege elevation rule

2. In the “Type” drop down menu, select “Elevated Task”

3. Click “Add”

4. In the Executable field:
“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

5. In the Arguments field type the path to your script logon script

6. In User Environment > Logon Tasks, select the logon task that runs and registers the UWP apps.

7. Check “Elevated Task” and in the drop down select the Elevated Task you just created in the list.

After this, the script should be able to run at logon regardless of whether or not the user has local administrator rights!

I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Tags: , , , ,

Enabling Verbose Mode for ADMX Logging (NoAD Mode) – VMware UEM 9.1

14 Feb

If you using VMware UEM for applying ADMX-based Setting and want detailed verbose logs on ADMX then then you will have to add an additional advanced settings in the NoAD.xml file.

Background: We were applying an ADMX setting (Desktop Background Wallpaper) and it wasn’t applying on the virtual desktop. The informational logging was not sufficient in deriving the root cause of the issue. Why the AMDX setting was getting skipped? After enabling the verbose logging it started logging additional information that was helpful in arriving to a conclusion.

Solution (NoAD.xml)
Located under \\FileShare\General\FlexRepository\NoAD subfolder.

Setting

XML Attribute

Comments

Enable verbose logging for ADMX-based settings, application blocking, and Horizon policiesAdmxLogging=”1″

Set to 1 to configure

Screenshot of the NoAD.xml file:

ADMX Logging

After enabling the setting you will see an additional file called FlexEngine-ADMX.log in the logs folder which will capture all the verbose logging.

Reference KB Article:
Configuring advanced UEM settings in NoAD mode – 2148324

Thanks,
Aresh

Missing default Windows ADMX Templates after importing VMware UEM ADMX files

5 Jul

In VMware User Environment Manager 9.0 (UEM) after you have copied over the VMware UEM Manager GPO’s (.ADMX and .ADML) to the central store for group policy administrative policy templates on a domain controller you cannot view the default Windows ADMX templates such System, Network, Control Panel etc.

Issue
After copying the UEM GPO templates to  \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions. You cannot see “System” under the Computer Configuration – Policies – Administrative Templates.

What is a Central Store on Domain Controller?
It’s a location to centrally store the .ADMX and .ADML files in a domain environment. The path is as follows:

.ADMX – \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
.ADML – \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US

MS Reference KB – https://support.microsoft.com/en-in/kb/3087759

Where is the default group policy administrative templates stored?
When central store is not enable the .ADMX and .ADML is stored at the default location on a domain controller. The path is as follows:

.ADMX – C:\Windows\PolicyDefinitions
.ADML – C:\Windows\PolicyDefinitions\en-US

Solution
If you cannot see the Windows default templates post enabling the central store you will have to copy all the ADMX and ADML manually from the Windows default location to Central Store on a domain controller

Copy all the .ADMX/.ADML files from Default to Central Store:

Particulars

Source

Destination

.ADMXC:\Windows\PolicyDefinitions \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
.ADMLC:\Windows\PolicyDefinitions\en-US\\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US

I hope the above steps will help you to get your default Windows ADMX templates back and help you complete the remaining VMware UEM 9.0 server configuration.

Thanks,
Aresh

Solving Microsoft Outlook (.OST) issues by combing VMware UEM and App Volumes

28 Jun

The long outstanding challenge of Microsoft Outlook *.ost files within Windows 7/8/10 floating desktops. Using VMware User Environment Management (UEM) and App Volumes together can overcome this challenge. Microsoft never supported or recommended keeping .ost files on File Shares and with O365 into equation the .ost file could be enormous sizes and would be unable to provide optimal end-user experience like you would be running from your PC devices.

App Volumes

  • Writable Volumes with the User Installed Applications template will be used to store the Outlook .ost and profile configuration details (.xml)
  • The .ost is stored within the writable volumes. Hence there is no performance impact like storing it on remote file shares
  • Depending upon the mailbox sizes you can create larger custom Writable Volumes – UIA template (The default template in AV is 10 GB). Like in O365 scenarios its normal to have 25GB mailbox size. Customer can create larger WV depending upon the requirements

UEM

  • Use the ADMX based setting for the Microsoft Office 2013/2016 cache settings. Policy – Default location for OST files
  • The most import step here is to point the .ost location to “C:\Snapvolumestemp\writable\Outlook”. Note this path is not virtualized, there is no over ahead of the filter driver

Using this technique, we can now quickly re-direct the .ost files to writable volumes and continue offering floating desktops to our end-users

There is also a VMware UEM video which demonstrates this steps in more details here – https://www.youtube.com/watch?v=bzy4X5xbURY (Thanks to Pim Vandeis from the UEM team)

Thanks,
Aresh