Archive | Horizon RSS feed for this section

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

10 Nov

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

  • What is Orphaned Writable Volumes?
  • Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.

Pre-requisites

  • You need the App Volumes Manager URL
  • You need the username and password of the App Volumes Manager
  • You need to enter y/Y to proceed further with the deletion
  • The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)
###########################################################################
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”
}

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

}

#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content

}

GitHub scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)

Observations

  • When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.
  • Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Script/API – Horizon Reach – Get consolidated Horizon Farms/Desktops pools – Name Health, Image and Snapshot information

27 Oct

Horizon Reach is a potent tool, and Andrew Morgan has put in a lot of blood, sweat and tears to develope it. What suprises me is why isnt this fling included into the Horizon product? We haven’t gathered here to talk about the product management and roadmap aspects 😉

Horizon Reach fling aggregates all the various Horizon POD information into its database. Typically, running Horizon API calls or Horizon Powershell modules might have to run them against individual pods to fetch information about that POD. The beauty with Horizon Reach is it aggregates all the information, we can write scripts/API calls to request information from there instead of writing Horizon POD specific scripts.

Let’s take a look at the following information from the Horizon Reach fling:

  • What API’s are available with Horizon Reach?
  • What all options are available to interact with Horizon Reach API?
  • Script – Get a consolidated list of Horizon Farm details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)
    • Note the above can also be fetched using the old Horizon Powershell modules but trust me it’s pretty tricky to run a foreach loop for every object on the SOAP method.
  • Script – Get a consolidated list of Horizon Desktop Pools details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)

What API’s are avilable with Horizon Reach?

After you have installed the Horizon Reach fling, go to the following URL to check out all the avilable API’s. Its the UI Swagger interface to simplify and understand each calls.

URL https://horzonreach.domain:9443/swagger/index.html

What all options are avilable to interact with Horizon Reach API?

You can interact with the API with your preffered method such as Powershell or Postman or something else.

Postman https://horzonreach.domain:9443/swagger/v1/swagger.json (You will be able to import all the Horizon Reach API as a collection within Postman)

Powershell – You can use the built-in modules of Invoke-RestMethod or Invoke-WebRequest method to interact with Horizon Reach API.

Scripts to get consolidated Horizon Farms/Desktops information

Pre-requsites:

  • You need the Horizon Reach Server URL
  • You need the password of the Horizon Reach Server
  • The script provides you with the details of all Horizon PODs in your setup.
  • The script was tested on PowerShell V5.x
#Horizon Reach Server Name or IP Address
$HZReachServer = "https://horizonreach.domain:9443"

#Ignore the self signed cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the Horizon Reach Server##
$HZReachLogonAPIcall = "$HZReachServer`/api/Logon"

#The body payload that comprises of the login API request
$body = @{
    username = "administrator"
    password = "enteryourpassword"
} | ConvertTo-Json

$HZReachlogin = Invoke-RestMethod -Method Post -uri $HZReachLogonAPIcall -Body $body -ContentType "application/json"

#Header along with the JWT token is now saved for future API calls
#You need to call this header in all subsequent calls as it has the token
$Headers = @{ Authorization = "Bearer $($HZReachlogin.jwt)" }

#API Call to fetch the consolidated (as many pods you have) Horizon Farm information##
$HZReachFarms = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/Farms" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, health, isProvisioningEnabled

Write-Output $HZReachFarms

#API Call to fetch the consolidated (as many pods you have) Horizon desktop pool information##
$HZReachPools = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/pools" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, healthDetail, isProvisioningEnabled

Write-Output $HZReachPools

GitHub scripts/HorizonReach-Farms-Pools-Info at master · askaresh/scripts (github.com)

Observations:

  • Farm Output:
  • Desktop Pool Output:
  • The following information (Display Name, Snapshot, Base Image, Health, Provisioning Mode) is pulled using the above scripts. I was much interested to see the snapshot versions of each Farms/Pools along with Health and provisioning status. Feel free to extract whatever details you are looking for there are plenty of other properties.

I hope you will find this script useful to fetch helpful information from Horizon Reach. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and decisions made along the way. It will be interesting to share with others who might be in a similar situation or process of developing their upgrade/migration strategies. In this post, we shall take a look into these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrated to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What versions numbers did we upgrade/migrated to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes 2.18.10.10 (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is the latest versions are Horizon 8.x and App Volumes 4.x why are you picking older versions for the upgrade? The short answer is the limitations and trade-off, and the following matrix tries to uncover in more detail.

Note – Not all customers might fall under the limitation category, or the limiting feature/functionality could be different in your case. By no means this should be your defacto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield/no-limitations applied, it’s a no-brainer to opt for the latest product releases.

ProductUpgrade DecisionVerison of Choice
VMware Horizon++ We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to Horizon 8.x version. (Instant Clones, Printing, UAG etc.). Infact everything worked well in the development environment
++ The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older version of vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix
++ The no reporting on the Horizon Adapter 1.2 + limited metrics on RDSH limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports\metrics and guidance is made available, we shall jump onto the latest version (n-1)
Horizon 7.13.1
VMware App Volumes++ Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Need official guidance or tool/script/guidance to upgrade all the wrtiable of the 2.18.x environment to 4.x. I am sure alot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version
++ VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks 2.18.x to 4.x need something similar for Writable Volumes
App Volumes 2.18.10.10
VMware Dynamic Environment Manager++ This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)DEM 2103
VMware Unified Access Gateway++ The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)UAG 2103.1
Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.

Wishlist

I am looking forward to vROPS Horizon Adapter XX to include the built-in Horizon Reports/Additional Metrics for RDSH in the new version or provide detailed guidance on creating meaningful reports in future releases. Additionally, the App Volumes team releases tools and advice on migrating 4000’s+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the branch of Horizon 8.x and App Volumes 4.x releases version numbers.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

DescriptionLinks
VMware Product Interoperability MatrixProduct Interoperability Matrix (vmware.com)
Product DocumentationVMware Horizon Documentation
VMware App Volumes Documentation
VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Techzone Migrating Legacy Horizon Components to Modern Alternatives

View Composer –> Instant Clones
Security Server –> UAG
Persona –> DEM
Persistent Disk – FSLogix
Modernizing VDI for a New Horizon | VMware
App Volumes Upgrade considerationsVMware App Volumes 4 Installation and Upgrade Considerations | VMware
Fling Migrate App Volumes AppStack from 2.18.x to 4.xApp Volumes Migration Utility | VMware Flings
Supported Windows 10 versions based on Horizon AgentSupported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
VMware EUC Stack Agent OrderAgent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
Supported Windows 10 versions based on App Volumes AgentVMware App Volumes and Microsoft Windows 10 Support
VMware Product Lifecycle – End of LifeProduct Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migrate strategy for VMware EUC Stack. I would love to hear your strategy and similar situations limiting your ability to migrate to the latest and greatest versions.

Thanks,
Aresh Sarkari

VMware App Volumes – AD Domain – LDAPS Configuration/Certificate Renewal

19 Aug

The Enterprise Root CA certificate was coming close to expiry, and we had to replace the certificate on VMware App Volumes Manager. In this blog post, we will take a look into the following topics:

  • How to identify the Microsoft Enterprise Root CA
  • How to generate the Root Certificate *.cer
  • Convert the certificate *.cer to *.pem format for App Volumes Manager
  • Replace the certificate within the App Volumes Manager
  • Configuring the App Volumes Manager for LDAPS

How to identify the Microsoft Enterprise Root CA

On any domain-joined box where you have the Active Directory administrative tools installed, open the adsiedit.msc and change the Naming Context to Configuration partition.

Adsiedit Connection

Navigate to the below path Under Certification Authorities, and you’ll find your Enterprise Root Certificate Authority server.

CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=askaresh,DC=dir
Active Directory – Configuration Partition

How to generate the Root Certificate *.cer

Log into the Root Certification Authority server with Administrator Account. Go to Start > Run > and type Cmd, and press on Enter button. Enter the following command:

certutil -ca.cert C:\Temp\rootca_cert.cer

Convert the certificate *.cer to *.pem format for App Volumes Manager

I typically use OpenSSL to convert all my certificates. Copy the rootca_cert.cer certificate into Folder – C:\OpenSSL-Win32\bin and run the following command to convert the certificate to PEM.

openssl x509 -in root_cer.cer -out adCA.pem

Note – We want the exported name to be adCA.pem as App Volumes Manager needs that name during setup.

Replace the certificate within the App Volumes Manager

Depending upon the number of AV Managers, you will have to repeat the steps:

  • Copy the adCA.pem on each App Volumes Manager server, to the /config directory where the App Volumes Manager is installed. The default installation location for App Volumes Manager is C:\Program Files (x86)\Cloud Volumes\Manager.
  • Restart the App Volumes Manager servers.

Configuring the App Volumes Manager for LDAPS

You only need to perform these steps on one App Volumes Manager per POD as the configurations are central on a SQL Database.

  • Login to the App Volumes Manager and go to Configuration – AD Domains – Select the Domain – Edit or New depending upon your requirements
  • Enter the Domain Name, Service Account Username, Service Account Password and Select Secure LDAPS. The port number is 636.
  • Click on Update
App Volumes Manager – AD Domains

I hope you will find these steps helpful to replace or configure the VMware App Volumes Manager with LDAPS.

Thanks,
Aresh Sarkari

Reference Links

Export Root Certification Authority Certificate – Windows Server | Microsoft Docs

Find the name of Enterprise Root CA server – Windows Server | Microsoft Docs

Configure CA Certificates in App Volumes Manager (vmware.com)

Script to replace VMware Unified Access Gateway certificates (ADMIN and Internet)

9 Jul

Our certificates are coming close to expiry, and we use VMware Unified Access Gateway for Internal and External traffic tunneling. This brings us to perform the replacement of the expiring certificates on 12 UAG Appliances. Performing this activity from the GUI is straight forward. However, we need to perform this activity on 12 appliances.

Thanks to Mark Benson for the motivation, and I went ahead and created a script to perform this activity at further ease, sit back, relax and have a coffee!

Pre-requisites:

  • You need the CAchain pem and RSA private key certificate output in one line. Please make sure you run the following command to grab the output in a single line
    • Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-name.pem
    • Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-namersapriv.pem
    • I saved the certificate files on a Linux machine and then ran the above command. Pasted the output in Notepad++, which is in one line.
    • Doco reference
    • The CAChain pem certificate should include (MainCA content, Subordinate Certificate content and Root Certificate content without any spaces between them.)
  • There are seperate API calls for the certificate replacement for the ADMIN and Internet facing. You can comment or un-comment the block as per your requirement
    • /rest/v1/config/certs/ssl/ADMIN
    • /rest/v1/config/certs/ssl/END_USER
  • The IP address or Hostname of the UAG Appliance along with the admin password.
##############################################################################################################################################
# Replace the ADMIN and Internet Facing certificate on the UAG Appliance
# Uncomment if you dont plan to do both the interfaces (Internet/ADMIN)
# Get the certificate in one line following this documentation 
# https://docs.vmware.com/en/Unified-Access-Gateway/3.10/com.vmware.uag-310-deploy-config.doc/GUID-870AF51F-AB37-4D6C-B9F5-4BFEB18F11E9.html
# Author - Aresh Sarkari (Twitter - @askaresh)
##############################################################################################################################################

#UAGServer Name or IP
$UAGServer = "10.1.1.1"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the UAG Appliance##
$Uri = "https://$UAGServer`:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"

$Username = "admin"
$Password = "enteryouradminpassword"

$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-WebRequest -SessionVariable DaLogin -Uri $Uri -Headers $Headers

#The PEM Certificate + Private Key in RSA Format
#The certificate has to be in online using linux command - awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem 
$certificatersaContent = "-----BEGIN RSA PRIVATE KEY-----\nMIIEo... followed by a large block of text...\n-----END RSA PRIVATE KEY-----\n"
$certificateContent = "-----BEGIN CERTIFICATE-----\nMIIEo... followed by a large block of text...\n-----END CERTIFICATE-----\n"

#Body to replace the certificate
$body = @{
  privateKeyPem = $certificatersaContent
  certChainPem = $certificateContent
} 

#Converting the Json and line breaks in strings 
#https://communary.net/2018/03/30/quick-tip-convertto-json-and-line-breaks-in-strings/
$Jsonbody = ($body | ConvertTo-Json).Replace('\\n','\n')

#API to replace the Admin Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputadmin = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/ADMIN" -Body $Jsonbody -ContentType "application/json" -Verbose

#API to replace the Internet facing Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputenduser = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/END_USER" -Body $Jsonbody -ContentType "application/json" -Verbose

GitHub scripts/vmwareuagcertreplace at master · askaresh/scripts (github.com)

Observations:

  • The array within the $body has further line breaks, which needs to adjust. I had to spend a considerable amount of time. Thanks to this blog post which came in hand. Powershell function ConvertTo-Json
  • The Powershell function Invoke-Webrequest and the -URI I had to add the Backtick ` in order to escape the colon
  • The key of the above script is the CAChain certificate and RSA Private Key certificate to be available online.

I hope you will find this script useful to replace or change the certificate on the VMware Unified Access Gateway appliances. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Script to install VMware EUC Agents – App Volumes Agent, DEM Agent and Horizon Agent

30 Jun

If you are planning for the VMware EUC Stack migration or upgrade and want to install the VMware EUC agent, then continue reading. The guidance on uninstalling the existing agents can be found on this blog post – Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools | AskAresh

In this script, we shall perform the agents install and reboot the golden image towards the end. There is no need to install the individual agents one by one, instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
    • Note few MSI switches are deprecated if you still use them, you will have an error code 1603
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)

Note – All the above testing is carried out on Windows 10 1909 with PowerShell 5.1. Reboot is required to complete the installation operations.

VMware EUC Agents Install

Pre-requisites:

#################################################################################################
# Install EUC Agents in the proper order - Horizon Agent , DEM Agent and App Volumes Agent
# Reboot the OS towards the end after install all Agents. Look for Exit Code 0 or 3010
# If you notice exit code 1603 there is a installation issue. Refer to my MSI switches blogpost
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
################################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Agent Names
$HorizonAgentName = "VMware-Horizon-Agent-x86_64*"
$DEMAgentName = "VMware Dynamic Environment Manager*"
$AppVolumesAgentName = "App Volumes Agent*"
$AppVolMGR = "avm001.domain.com" # Manager LB VIP

# All the installer Location
#Create a folder C:\Temp\Agents and place all the MSI\EXE in there
$TempInstallPath = "C:\Temp\Agents" 

#Log Files location
# Go through all the logs post installation
$HZlogFile = "C:\Temp\Agents\HZAgent.log"
$DEMlogFile = "C:\Temp\Agents\DEMAgent.log"
$ApplogFile = "C:\Temp\Agents\AppVolAgent.log"

###################################################################
#                    MSI Arguments Arrary for EUC Agents          #
###################################################################
# Modify any MSI switched related to the agent here.
# Follow this blog post for swithces - https://askaresh.com/2021/06/28/comparision-vmware-horizon-agent-7-x-8-x-silent-install-switches-and-properties/

# VMware Horizon Agent MSI Switches
$HZMSIArguments = @(
	"/qn"
	"VDM_VC_MANAGED_AGENT=1"
    "SUPPRESS_RUNONCE_CHECK=1"
	"VDM_IP_Protocol_Usage=IPv4"
	"ADDLOCAL=Core,ClientDriveRedirection,NGVC,USB,RTAV,PerfTracker,PrintRedir,HelpDesk,TSMMR,VmwVaudio,V4V"
	"REBOOT=REallySuppress"
	"/L*v"
	$HZlogFile
)

# VMware Dynamic Enivornment Agent MSI Switches
$DEMMSIArguments = @(
    "/qn"
    "ADDLOCAL=FlexEngine"
    "REBOOT=REallysuppress"
    "/L*v"
    $DEMlogFile
)

# VMware App Volumes Agent MSI Switches
$AppVolMSIArguments = @(
    "/qn"
    "MANAGER_ADDR=$AppVolMGR"
    "MANAGER_PORT=443"
    "REBOOT=REallysuppress"
    "EnforceSSLCertificateValidation=0"
    "/L*v"
    $ApplogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install VMware Horizon Agent
Write-Host "Installing the VMware Horizon Agent" -ForegroundColor Green
$HZAgentPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $HorizonAgentName}).Fullname

# The switches "/s /v " is the Install Shield switches and rest of the aruguments are passed with MSI
$HZAgentInstall = (Start-Process -Filepath $HZAgentPath -Wait -ArgumentList "/s /v ""$HZMSIArguments" -PassThru)
$HZAgentInstall.ExitCode

Start-Sleep 20

# Install DEM Agent
Write-Host "Installing the VMware DEM Agent" -ForegroundColor Green
$DEMPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $DEMAgentName}).Fullname
$DEMAgentInstall = (Start-Process -Filepath $DEMPath -ArgumentList $DEMMSIArguments -Wait -PassThru)
$DEMAgentInstall.ExitCode

Start-Sleep 20

# Install App Volumes Agent
Write-Host "Installing the VMware App Volumes Agent" -ForegroundColor Green
$AppVolPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $AppVolumesAgentName}).Fullname
$AppVolAgentInstall = (Start-Process -Filepath $AppVolPath -ArgumentList $AppVolMSIArguments -Wait -PassThru)
$AppVolAgentInstall.ExitCode

Start-Sleep 20

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents install" -ForegroundColor Green
Restart-Computer -Force

Git Hubscripts/vmwareeucagent-install at master · askaresh/scripts (github.com)

A big thanks to Chris H for providing the original blueprint of the script and Wouter for showing me the magical “space” on the switch /v within the Horizon Agent installer. Final thanks to Jishan for the numerous testing cycles and additions to a different version of this script which tackles VMware Tools reboot and continues installing post a reboot.

I hope you will find this script useful to install the VMware EUC agents and never look back to install them individually. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Reference Article – VMware Agent Install order – Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (vmware.com)

Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools

29 Jun

If you are planning for the VMware EUC Stack migration or upgrade and are in the middle of uninstalling the existing agents, look no further and here is the script that will allow you to uninstall all the agents and reboot the golden image towards the end. There is no need to remove individual agents one by one from the “Program and Features”; instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)
  • VMware Horizon Client (Optional)
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
  • VMware Tools (Works on 11.x)

Note – All the above testing is carried out on Windows 10 1909/Windows Server 2016 with PowerShell 5.1. The PowerShell module Uninstall-Package suppresses individual reboot and we perform the final reboot towards the end using the Restart-Computer module. (Reboot is required to complete the uninstallation operations.)

VMware EUC Agents
#################################################################################
# Un-Install EUC Agents in the proper order for Golden Image
# App Volumes Agent, Horizon Client(Optional), DEM, Horizon and VMware Tools
# Suppressed auto Reboot the OS towards the end after un-installing all Agents.
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
#################################################################################

#Un-installing VMware App Volumes Agent
Write-Host "Un-installing the App Volumes Agent" -ForegroundColor Green
Get-Package -Name 'App Volumes **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Client
#Write-Host "Un-installing the VMware Horizon Client" -ForegroundColor Green
#Get-Package -Name 'VMware Horizon Cli**' | Uninstall-Package

#sleep -Seconds 60

#Un-installing VMware Dynamic Environment Agent
Write-Host "Un-installing the Dynamic Environment Agent" -ForegroundColor Green
Get-Package -Name 'VMware Dynamic **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Agent
Write-Host "Un-installing the VMware Horizon Agent" -ForegroundColor Green
Get-Package -Name 'VMware Horizon Ag**' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Tools Agent
Write-Host "Un-installing the VMware Tools Agent" -ForegroundColor Green
Get-Package -Name 'VMware Tools' | Uninstall-Package

sleep -Seconds 60

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents Un-install" -ForegroundColor Green
Restart-Computer -Force

GitHub scripts/vmwareeucagent-uninstall at master · askaresh/scripts (github.com)

Thanks to Hilko and Joel for reviewing the script and providing valuable feedback.

I hope you will find this script useful to uninstall the VMware EUC agents and never look back to remove individual programs under “Programs and Features”. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Comparison VMware Horizon Agent 7.x/8.x (Silent Install) Switches and Properties

28 Jun

We are in the middle of automating the VMware Horizon Agent 8.x installer for the golden images. To undertake such a task, it’s essential to understand all the MSI Switches that come along with the installer. If you had already automated the Horizon Agent 7.x install it’s also important to check which MSI switches have been removed in Horizon Agent 8.x/YYMM. The below details will show you the switches and highlight the removed/deltas MSI Switches and Properties.

I use a tool called lessmsi GitHub – activescott/lessmsi: A tool to view and extract the contents of an Windows Installer (.msi) file. which essentially extracts the MSI contents and provides a detailed table view of the feature components and properties.

Horizon Agent 8.x\YYMM version (Features available within the agent)

Feature (s38)Feature_Parent (S38)Title (L64)Description (L255)Directory_ (S72)
URLRedirectionCoreURL Content RedirectionRedirects URL content from a server session to a client device and vice versa. 
PSGCore   
VmVideoCore   
VmwVdisplayCore   
VmwViddCore   
SmartCardSingleUserTSCore   
RDSH3D 3D RDSHThis feature enables hardware 3D acceleration in RDSH sessions. 
NGVC VMware Horizon Instant Clone AgentHorizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later. 
ScannerRedirection Scanner RedirectionEnables the Scanner Redirection feature. 
SerialPortRedirection Serial Port RedirectionEnables the Serial Port Redirection feature. 
SmartCard Smartcard RedirectionEnables the Smartcard Redirection feature. 
TSMMR TSMMRTerminal Services Multimedia Redirection. 
PrintRedir VMware Integrated PrintingVMware Integrated Printing Redirection. 
USB USB RedirectionUSB Redirection. Refer to the VMware Horizon Security document for guidance on using USB redirection securely. 
V4V Horizon Monitoring Service AgentHorizon Monitoring Service Agent. 
VmwVaudio VMware AudioVMware virtual Audio driver 
SdoSensor SDO Sensor RedirectionEnables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop. 
HybridLogon Hybrid LogonEnables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials. 
HelpDesk Help Desk Plugin for Horizon AgentHelp Desk Plugin for Horizon Agent. 
RDP Enable RDP (hidden)  
BlastUDPCore   
Core Core[ProductName] core functionalityINSTALLDIR
VMWMediaProviderProxy VMware Virtualization Pack for Skype for BusinessThis feature will enable optimization for Skype for Business in remote desktop 
ClientDriveRedirection Client Drive RedirectionAllow Horizon Clients to share local drives with remote desktops and applications. If not installed, copy/paste and drag and drop files and folders features will be disabled. 
RTAV Real-Time Audio-VideoReal-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use. 
GEOREDIR Geolocation RedirectionEnables redirection of client’s geolocation to the remote desktop 
PerfTracker Horizon Performance TrackerEnables Horizon Performance Tracker 
Horizon Agent 8.x/YYMM Release MSI Features

Horizon Agent 7.x version (Features available within the agent)

Feature (s38)Feature_Parent (S38)Title (L64)Description (L255)Directory_ (S72)
URLRedirectionCoreURL Content RedirectionRedirects URL content from a server session to a client device and vice versa. 
PSGCore  
VmVideoCore  
VmwVdisplayCore  
VmwViddCore  
SmartCardSingleUserTSCore  
FlashURLRedirection Flash URL RedirectionEnables Flash URL Redirection for internal company controlled web pages. 
RDSH3D 3D RDSHThis feature enables hardware 3D acceleration in RDSH sessions. 
SVIAgent VMware Horizon View Composer AgentVMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated Farms 
NGVC VMware Horizon Instant Clone AgentHorizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later. It cannot be co-installed with Horizon View Composer Agent. 
ScannerRedirection Scanner RedirectionEnables the Scanner Redirection feature. 
SerialPortRedirection Serial Port RedirectionEnables the Serial Port Redirection feature. 
SmartCard Smartcard RedirectionEnables the Smartcard Redirection feature. 
TSMMR TSMMRTerminal Services Multimedia Redirection. Does not support IPv6 configuration. 
ThinPrint Virtual PrintingVirtual Printer Support 
PrintRedir VMware Integrated PrintingVMware Integrated Printing Redirection. 
USB USB RedirectionUSB Redirection. Refer to the VMware Horizon 7 Security document for guidance on using USB redirection securely. 
V4V vRealize Operations Desktop AgentvRealize Operations Desktop Agent. Does not support IPv6 configuration. 
VPA VMware Horizon 7 Persona ManagementVMware Horizon 7 Persona Management 
VmwVaudio VMware AudioVMware virtual Audio driver 
DeviceBridgeBAS Device Bridge BAS PluginEnables finger scanners supported by BAS system 
SdoSensor SDO Sensor RedirectionEnables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop. 
CIT VMware Client IP TransparencyThis feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration. 
HybridLogon Hybrid LogonEnables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials. 
HelpDesk Help Desk Plugin for Horizon AgentHelp Desk Plugin for Horizon Agent. 
RDP Enable RDP (hidden)  
BlastUDPCore  
Core Core[ProductName] core functionalityINSTALLDIR
VMWMediaProviderProxy VMware Virtualization Pack for Skype for BusinessThis feature will enable optimization for Skype for Business in remote desktop 
ClientDriveRedirection Client Drive RedirectionAllow Horizon View Clients to share local drives with their remote desktops and applications. Does not support IPv6 configuration. 
RTAV Real-Time Audio-VideoReal-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use. 
FLASHMMR Flash RedirectionFlash Redirection 
GEOREDIR Geolocation RedirectionEnables redirection of client’s geolocation to the remote desktop 
PerfTracker Horizon Performance TrackerEnables Horizon Performance Tracker 
Horizon Agent 7.x Release MSI Features

If you want to download the spreadsheet version of the table above/below you can find it below. Note there is a bonus within the spreadsheet: MSI Property comparision between Horizon Agent 7.x and Horizon Agent 8.x and two MSI Properties have been removed VDM_FLASH_URL_REDIRECTION and INSTALL_VDIDISPLAY_DRIVER (Part of the Core in 8.x).

Deprecated/Delta Features between 7.x and 8.x/YYMM release

From the table above, we know all the switches of the Horizon Agent 7.x and 8.x versions. Once we compare the above two tables, we are left with the following delta, and I have commented on whether each feature exists or is removed. Please make sure to remove them from your existing scripts or silent installers if you had added them during your Horizon 7.x installs.

Feature (s38)Title (L64)Description (L255)Additional Comments
FlashURLRedirectionFlash URL RedirectionEnables Flash URL Redirection for internal company controlled web pages.Flash come to EOL in 2020. Feature has been deprecated
SVIAgentVMware Horizon View Composer AgentVMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated FarmsVMware Compose was replaced by Instant Clones
ThinPrintVirtual PrintingVirtual Printer SupportThinPrint is replaced by VMware Integrated Printing
VPAVMware Horizon 7 Persona ManagementVMware Horizon 7 Persona ManagementPersona is replaced by App Volumes or DEM or FSLogic
DeviceBridgeBASDevice Bridge BAS PluginEnables finger scanners supported by BAS systemFeature has been deprecated
CITVMware Client IP TransparencyThis feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration.Feature has been deprecated
FLASHMMRFlash RedirectionFlash RedirectionFlash come to EOL in 2020. Feature has been deprecated
Delta or Deprecated feature list after comparing the above two tables

I hope you will find this post useful to perform silent installs on Horizon Agent. My request is if you find any additional delta or enhancements, please make sure to share it back with me.

Thanks,
Aresh Sarkari

Reference – Check out the VMware documentation on Silent Installation Properties for Horizon Agent (vmware.com)

VMware Horizon Events Database – Annual Clean-up (purge old data)

14 May

VMware Horizon doesn’t restrict the growth of the historical tables in the Horizon Events database. VMware has a detailed knowledge base article with describes in details Purging old data from the View Events Database (2150309). However, there is a catch if you are trying to delete many records at one time, you will get transaction log full error. The below procedure will help you overcome the challenge. In our scenario, we purge the records once every year.

use HZNLOG
select count(*) from [dbo].[POD1_event_data_historical] where EventID in (select EventID from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000')
select count(*) from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000'

In the above example HZNLOG is the name of the database. POD1 is the prefix of the Horizon Events Database (Check in Horizon Admin console) and 2021-01-31 is the YYYY-MM-DD format (Show me all records before 31st Jan 2021)

No. of older records in Events DB

If we used the delete tables mentioned within the knowledge base article, we get the following error “The transaction log for database ‘HZNLOG’ is full due to ‘LOG_BACKUP”. Of course, the number of records in our case we are trying to delete is relatively high(Millions).

Error during deletion “Log is full”

You can shorten the above query for approx. 30 or 15 days, but still in our scenario, one would have to run the delete query more than 15 times to perform the annual clean-up. After searching around, I came across a blog post – Deleting millions of records from a table without blowing the transaction log (A big thank you Merill for sharing his knowledge) I tweaked it for my usecase of Horizon Events DB clean-up and, in a single query within 20 mins I could perform a yearly clean-up without any fuss of transaction log getting full. Essentially this performs the clean-up in a batch size of 10,000 row counts.

DECLARE @continue INT
DECLARE @rowcount INT
 
SET @continue = 1
WHILE @continue = 1
BEGIN
    PRINT GETDATE()
    SET ROWCOUNT 10000
    BEGIN TRANSACTION
	delete from [dbo].[POD1_event_data_historical] where EventID in (select EventID from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000')
	delete from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000'
    SET @rowcount = @@rowcount 
    COMMIT
    PRINT GETDATE()
    IF @rowcount = 0
    BEGIN
        SET @continue = 0
    END
END

The ouput will look something like below:

Enteire deletion in batches of 10K rows

After running the above deletion query, now re-run the select query to see if records exist before 31st Jan 2021, and now we have 0 records.

Zero records found

I hope you will find this SQL query helpful to perform Horizon Events Database clean-up in a jiffy. My request if you further enhance the query or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Upgrade VMware Identity Manager 3.3 to VMware Workspace ONE Access 20.01

28 Apr

I had the opportunity to work on an upgrade from VMware Identity Manager 3.3 (VIDM) to the new name VMware Workspace ONE Access 20.01 (WoA), and I would like to share the entire experience with you. There is guidance available on the VMware documentation and a few blogs. The idea here is not to provide you with a step by step guide instead, provide guidance on best practice, insights on active/passive site, change timings, an end-2-end mind map of activities/steps involved etc., on carrying out a successful upgrade.

Environment Overview
Let take a look at the environment details to provide an high-level overview:
Active Site

  • 3 VMware Identity Manager 3.3 Linux Appliances
  • 2 VMware Identity Manager 3.3 Connecter Linux Appliances (Used for Authentication & VMware Horizon Sync)
  • SQL Database on Microsoft SQL 2016 Always-on
  • The 3 Manager Appliances are behind an NSX Load balancer

Passive Site

  • 3 VMware Identity Manager 3.3 Linux Appliances (Read-only mode)
  • 2 VMware Identity Manager 3.3 Connecter Linux Appliances (Used for Authentication & VMware Horizon Sync)
  • SQL Database on Microsoft SQL 2016 Always-on (Replica DB’s)
  • The 3 Manager Appliances are behind an NSX Load balancer

The offline upgrade method was selected as the choice due to convenience and ease of setup/configuration without exposing the appliance on the internet using proxy. During both, version upgrades the offline package was kept in the /tmp directory, which deletes the files post the reboot.

Downtime Window (Choice)

We had an option of performing the entire upgrade of the above components in a single day change, or we could split the upgrade into two days as we had to go from version 3.3 –> 19.03 –> 20.01.

VIDM TO WoA Upgrade Approach

Initially, we tried the single downtime change window of 16 hours and had hiccups which I plan to write a separate blog post. We split the change into two days. Day 1 – Upgrade from VIDM 3.3 to 19.03 and Day 2 – Upgrade from VIDM 19.03 to WoA 20.01 on two consecutive days giving us the ability for partial rollback instead of starting from scratch again.

High-Level Upgrade Architecture Overview

Disable the IDM – Manager node one at a time under the NSX load balancer and carry out the upgrade of the manager nodes one by one. After all, the manager nodes are upgraded to the desired version then move to the connector nodes one by one. In our scenario this had to repeated during the 19.03 to 20.01 Access node upgrade.

High-Level VIDM to WoA Upgrade Architecture

Observations from the upgrade

  • Check the VMware Product Interoperability Matrix and Product release notes at least two times before working upon the upgrade.
  • Before you begin the upgrade – Suspend the Data Movement on your SQL Always-on the Database.
  • There is no downtime observed when you perform an upgrade on one manager at a time. Make sure you disable the node from the load balancer (No traffic flows to the node).
  • No downtime is observed when connector upgrade are carried out one by one. There were four connectors for redundancy (3 Connectors performing the Authentication Function and 1 Connector – Sync and Authentication). However, the connector chosen for the AD Sync was the last one for the upgrade and in our plan we had mentioned downtime.
  • The System Dashboard – Health of the cluster (Active/Passive) may flip between green and red because the elastic search services take time to stabilize due to the reboots.
  • If you have hotfixes provided by VMware engineering due to previous issues, please check with support whether the fixes have been incorporated into the newer version or/else make sure to ask for the hot patch for the recent version. #ProTIP – Install those hotfixes before the final reboot of the upgrade to avoid an additional service restart dedicated to the hotfix.

End to end mind map of the entire Upgrade

I have included a pdf version of the mind map to read the details with zoom on.

Upgrade VIDM to WoA mind map.
Offline Upgrade VIDM to WoA – Mind Map

I hope you will find this helpful information to plan and succeed in a VMware Workspace ONE Access upgrade. A big thanks to Jishan T S, my teammate, for his continuous contributions to making this a big success and trying all the steps in the development setup multiple times.

Thanks,
Aresh Sarkari