PowerShell | AskAresh

Archive | PowerShell RSS feed for this section

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

What is Orphaned Writable Volumes?
Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.

Pre-requisites

You need the App Volumes Manager URL
You need the username and password of the App Volumes Manager
You need to enter y/Y to proceed further with the deletion
The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)

###########################################################################
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”
}

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

}

#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content

}

GitHub – scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)

Observations

When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.

Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: API, App Volumes, EUC, Horizon, Orphaned, PowerShell, Rest API, VDI, VMware, VMware App Volumes, Writable Volumes

Comments Leave a Comment
Categories App Volumes, Horizon, PowerShell, Scripts-API

Script/API – Horizon Reach – Get consolidated Horizon Farms/Desktops pools – Name Health, Image and Snapshot information

27 Oct

Horizon Reach is a potent tool, and Andrew Morgan has put in a lot of blood, sweat and tears to develope it. What suprises me is why isnt this fling included into the Horizon product? We haven’t gathered here to talk about the product management and roadmap aspects 😉

Horizon Reach fling aggregates all the various Horizon POD information into its database. Typically, running Horizon API calls or Horizon Powershell modules might have to run them against individual pods to fetch information about that POD. The beauty with Horizon Reach is it aggregates all the information, we can write scripts/API calls to request information from there instead of writing Horizon POD specific scripts.

Let’s take a look at the following information from the Horizon Reach fling:

What API’s are available with Horizon Reach?
What all options are available to interact with Horizon Reach API?
Script – Get a consolidated list of Horizon Farm details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)
- Note the above can also be fetched using the old Horizon Powershell modules but trust me it’s pretty tricky to run a foreach loop for every object on the SOAP method.
Script – Get a consolidated list of Horizon Desktop Pools details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)

What API’s are avilable with Horizon Reach?

After you have installed the Horizon Reach fling, go to the following URL to check out all the avilable API’s. Its the UI Swagger interface to simplify and understand each calls.

URL – https://horzonreach.domain:9443/swagger/index.html

What all options are avilable to interact with Horizon Reach API?

You can interact with the API with your preffered method such as Powershell or Postman or something else.

Postman – https://horzonreach.domain:9443/swagger/v1/swagger.json (You will be able to import all the Horizon Reach API as a collection within Postman)

Powershell – You can use the built-in modules of Invoke-RestMethod or Invoke-WebRequest method to interact with Horizon Reach API.

Scripts to get consolidated Horizon Farms/Desktops information

Pre-requsites:

You need the Horizon Reach Server URL
You need the password of the Horizon Reach Server
The script provides you with the details of all Horizon PODs in your setup.
The script was tested on PowerShell V5.x

#Horizon Reach Server Name or IP Address
$HZReachServer = "https://horizonreach.domain:9443"

#Ignore the self signed cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the Horizon Reach Server##
$HZReachLogonAPIcall = "$HZReachServer`/api/Logon"

#The body payload that comprises of the login API request
$body = @{
    username = "administrator"
    password = "enteryourpassword"
} | ConvertTo-Json

$HZReachlogin = Invoke-RestMethod -Method Post -uri $HZReachLogonAPIcall -Body $body -ContentType "application/json"

#Header along with the JWT token is now saved for future API calls
#You need to call this header in all subsequent calls as it has the token
$Headers = @{ Authorization = "Bearer $($HZReachlogin.jwt)" }

#API Call to fetch the consolidated (as many pods you have) Horizon Farm information##
$HZReachFarms = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/Farms" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, health, isProvisioningEnabled

Write-Output $HZReachFarms

#API Call to fetch the consolidated (as many pods you have) Horizon desktop pool information##
$HZReachPools = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/pools" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, healthDetail, isProvisioningEnabled

Write-Output $HZReachPools

GitHub – scripts/HorizonReach-Farms-Pools-Info at master · askaresh/scripts (github.com)

Observations:

Farm Output:

Desktop Pool Output:

The following information (Display Name, Snapshot, Base Image, Health, Provisioning Mode) is pulled using the above scripts. I was much interested to see the snapshot versions of each Farms/Pools along with Health and provisioning status. Feel free to extract whatever details you are looking for there are plenty of other properties.

I hope you will find this script useful to fetch helpful information from Horizon Reach. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: API, Desktop Pools, Desktop Virtualization, Horizon, Horizon Reach, PowerShell, Published Application, VDI, VMware, VMware Horizon, vSphere

Comments 1 Comment
Categories Horizon, PowerShell, Scripts-API

Script to install CrowdStrike Sensor and VMware App Volumes snapvol.cfg exclusions for CrowdStrike Sensor

20 Aug

If you are planning to deploy CrowdStrike Sensor (CS Sensor) within your virtual desktop (Windows 10) or server operating(Remote Desktop – Windows Server 2016), then continue reading. In this post, we will take a look into the following topics:

Scripted silent install of CrowdStrike Sensor
Process exclusions for VMware App Volumes – Writable Volumes (snapvol.cfg)

Script to install CrowdStrike Sensor

Pre-requisites:

Based on your requirements, a complete range of silent switches can be found here – How to Install CrowdStrike Falcon Sensor | Dell US
Create a folder called C:\Temp\Sensor and place all the CS Sensor EXE within this folder.
Make sure to read the installer log files after the install is completed.
We use the proxy details as the virtual machines don’t have direct internet access.
Look for the exit code = 0 = success

#############################################################################################
# Install Crowd Strike Sensor to the Golden Image on Windows 10 and Windows Server 2016/2019
# Look for Exit Code 0 = Success
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari - https://twitter.com/askaresh
#############################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Sensor Names
$CSSensorName = "WindowsSen*"

#The sensor installer Location
$TempInstallPath = "C:\Temp\Sensor"

#Log Files location
$CSSensorlogFile = "C:\Temp\Sensor\CSSensor.log"

###################################################################
#                    EXE Arguments Arrary for CS Sensor           #
###################################################################
# Modify any Installer switches related to the sensor here.
# Dell Article covering all silent switches 
# https://www.dell.com/support/kbdoc/en-us/000126124/how-to-install-crowdstrike-falcon-sensor
# Proxy switches if your endpoints dont have direct Internet Access
# Log Files w.r.t to installation is generated in C:\Temp\*

# Crowd Strike Sensor Arguments
$CSArguments = @(
    "/install"
    "/quiet"
    "/norestart"
    "CID=YOUDIDGUIDWILLGOHERE-EG"
    "ProvToken=YOURTOKENNUMBER"
    "GROUPING_TAGS=TAG1,TAG_VDI"
    "ProvWaitTime=3600000"
    "APP_PROXYNAME=proxy.whateverproxy.com"
    "APP_PROXYPORT=80"
    "VDI=1"
	"/log"
    $CSSensorlogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install Crowd Strike Sensor
Write-Host "Installing the Crowd Strike Sensor" -ForegroundColor Green
$CSSensorPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $CSSensorName}).Fullname
$CSSensorInstall = (Start-Process -Filepath $CSSensorPath -Wait -ArgumentList "$CSArguments" -PassThru)
$CSSensorInstall.ExitCode

Start-Sleep 20

Git Hub – scripts/CSSensor-Install at master · askaresh/scripts (github.com)

Process exclusions for VMware App Volumes

It is advisable you add the CrowdStrike process exclusions within the VMware App Volumes – Writable Volumes templates on snapvol.cfg. Here is the detailed guidance on how to modify the snapvold.cfg – Using the VMware App Volumes snapvol.cfg File to Customize Writable Volumes | VMware End-User Computing Blog. These two processes are visible within the Task Manager.

#Crowdstrike Exclusions
exclude_process_name=CSFalconService.exe
exclude_process_name=CSFalconContainer.exe

A big thanks to Jishan for the numerous testing cycles! I hope you will find this script and exclusions useful to install the CrowsStrike Sensor. A small request if you further enhance the script or exclusions, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: CrowdStrike, Desktop Virtualization, PowerShell, VMware, VMware App Volumes

Comments Leave a Comment
Categories App Volumes, PowerShell, Scripts-API, Windows

Script to replace VMware Unified Access Gateway certificates (ADMIN and Internet)

9 Jul

Our certificates are coming close to expiry, and we use VMware Unified Access Gateway for Internal and External traffic tunneling. This brings us to perform the replacement of the expiring certificates on 12 UAG Appliances. Performing this activity from the GUI is straight forward. However, we need to perform this activity on 12 appliances.

Thanks to Mark Benson for the motivation, and I went ahead and created a script to perform this activity at further ease, sit back, relax and have a coffee!

Pre-requisites:

You need the CAchain pem and RSA private key certificate output in one line. Please make sure you run the following command to grab the output in a single line
- Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-name.pem
- Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-namersapriv.pem
- I saved the certificate files on a Linux machine and then ran the above command. Pasted the output in Notepad++, which is in one line.
- Doco reference
- The CAChain pem certificate should include (MainCA content, Subordinate Certificate content and Root Certificate content without any spaces between them.)
There are seperate API calls for the certificate replacement for the ADMIN and Internet facing. You can comment or un-comment the block as per your requirement
- /rest/v1/config/certs/ssl/ADMIN
- /rest/v1/config/certs/ssl/END_USER
The IP address or Hostname of the UAG Appliance along with the admin password.

##############################################################################################################################################
# Replace the ADMIN and Internet Facing certificate on the UAG Appliance
# Uncomment if you dont plan to do both the interfaces (Internet/ADMIN)
# Get the certificate in one line following this documentation 
# https://docs.vmware.com/en/Unified-Access-Gateway/3.10/com.vmware.uag-310-deploy-config.doc/GUID-870AF51F-AB37-4D6C-B9F5-4BFEB18F11E9.html
# Author - Aresh Sarkari (Twitter - @askaresh)
##############################################################################################################################################

#UAGServer Name or IP
$UAGServer = "10.1.1.1"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the UAG Appliance##
$Uri = "https://$UAGServer`:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"

$Username = "admin"
$Password = "enteryouradminpassword"

$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-WebRequest -SessionVariable DaLogin -Uri $Uri -Headers $Headers

#The PEM Certificate + Private Key in RSA Format
#The certificate has to be in online using linux command - awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem 
$certificatersaContent = "-----BEGIN RSA PRIVATE KEY-----\nMIIEo... followed by a large block of text...\n-----END RSA PRIVATE KEY-----\n"
$certificateContent = "-----BEGIN CERTIFICATE-----\nMIIEo... followed by a large block of text...\n-----END CERTIFICATE-----\n"

#Body to replace the certificate
$body = @{
  privateKeyPem = $certificatersaContent
  certChainPem = $certificateContent
} 

#Converting the Json and line breaks in strings 
#https://communary.net/2018/03/30/quick-tip-convertto-json-and-line-breaks-in-strings/
$Jsonbody = ($body | ConvertTo-Json).Replace('\\n','\n')

#API to replace the Admin Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputadmin = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/ADMIN" -Body $Jsonbody -ContentType "application/json" -Verbose

#API to replace the Internet facing Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputenduser = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/END_USER" -Body $Jsonbody -ContentType "application/json" -Verbose

GitHub – scripts/vmwareuagcertreplace at master · askaresh/scripts (github.com)

Observations:

The array within the $body has further line breaks, which needs to adjust. I had to spend a considerable amount of time. Thanks to this blog post which came in hand. Powershell function ConvertTo-Json
The Powershell function Invoke-Webrequest and the -URI I had to add the Backtick ` in order to escape the colon
The key of the above script is the CAChain certificate and RSA Private Key certificate to be available online.

I hope you will find this script useful to replace or change the certificate on the VMware Unified Access Gateway appliances. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: Horizon, PowerShell, Unified Access Gateway, VMware, VMware Horizon

Comments Leave a Comment
Categories Horizon, Postman, PowerShell, Scripts-API, Unified Access Gateway

Script to install VMware EUC Agents – App Volumes Agent, DEM Agent and Horizon Agent

30 Jun

If you are planning for the VMware EUC Stack migration or upgrade and want to install the VMware EUC agent, then continue reading. The guidance on uninstalling the existing agents can be found on this blog post – Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools | AskAresh

In this script, we shall perform the agents install and reboot the golden image towards the end. There is no need to install the individual agents one by one, instead, sit back, relax and have a coffee!

VMware EUC Agents:

VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
- Note few MSI switches are deprecated if you still use them, you will have an error code 1603
VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)

Note – All the above testing is carried out on Windows 10 1909 with PowerShell 5.1. Reboot is required to complete the installation operations.

Pre-requisites:

Based on your environment, the installation of MSI switches may differ. You may follow this post to identify appropriate details – Comparison VMware Horizon Agent 7.x/8.x (Silent Install) Switches and Properties | AskAresh
Create a folder called C:\Temp\Agents and place all the MSI/EXE within this folder.
Make sure to read the installer log files after install is completed and reboot is done

#################################################################################################
# Install EUC Agents in the proper order - Horizon Agent , DEM Agent and App Volumes Agent
# Reboot the OS towards the end after install all Agents. Look for Exit Code 0 or 3010
# If you notice exit code 1603 there is a installation issue. Refer to my MSI switches blogpost
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
################################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Agent Names
$HorizonAgentName = "VMware-Horizon-Agent-x86_64*"
$DEMAgentName = "VMware Dynamic Environment Manager*"
$AppVolumesAgentName = "App Volumes Agent*"
$AppVolMGR = "avm001.domain.com" # Manager LB VIP

# All the installer Location
#Create a folder C:\Temp\Agents and place all the MSI\EXE in there
$TempInstallPath = "C:\Temp\Agents" 

#Log Files location
# Go through all the logs post installation
$HZlogFile = "C:\Temp\Agents\HZAgent.log"
$DEMlogFile = "C:\Temp\Agents\DEMAgent.log"
$ApplogFile = "C:\Temp\Agents\AppVolAgent.log"

###################################################################
#                    MSI Arguments Arrary for EUC Agents          #
###################################################################
# Modify any MSI switched related to the agent here.
# Follow this blog post for swithces - https://askaresh.com/2021/06/28/comparision-vmware-horizon-agent-7-x-8-x-silent-install-switches-and-properties/

# VMware Horizon Agent MSI Switches
$HZMSIArguments = @(
	"/qn"
	"VDM_VC_MANAGED_AGENT=1"
    "SUPPRESS_RUNONCE_CHECK=1"
	"VDM_IP_Protocol_Usage=IPv4"
	"ADDLOCAL=Core,ClientDriveRedirection,NGVC,USB,RTAV,PerfTracker,PrintRedir,HelpDesk,TSMMR,VmwVaudio,V4V"
	"REBOOT=REallySuppress"
	"/L*v"
	$HZlogFile
)

# VMware Dynamic Enivornment Agent MSI Switches
$DEMMSIArguments = @(
    "/qn"
    "ADDLOCAL=FlexEngine"
    "REBOOT=REallysuppress"
    "/L*v"
    $DEMlogFile
)

# VMware App Volumes Agent MSI Switches
$AppVolMSIArguments = @(
    "/qn"
    "MANAGER_ADDR=$AppVolMGR"
    "MANAGER_PORT=443"
    "REBOOT=REallysuppress"
    "EnforceSSLCertificateValidation=0"
    "/L*v"
    $ApplogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install VMware Horizon Agent
Write-Host "Installing the VMware Horizon Agent" -ForegroundColor Green
$HZAgentPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $HorizonAgentName}).Fullname

# The switches "/s /v " is the Install Shield switches and rest of the aruguments are passed with MSI
$HZAgentInstall = (Start-Process -Filepath $HZAgentPath -Wait -ArgumentList "/s /v ""$HZMSIArguments" -PassThru)
$HZAgentInstall.ExitCode

Start-Sleep 20

# Install DEM Agent
Write-Host "Installing the VMware DEM Agent" -ForegroundColor Green
$DEMPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $DEMAgentName}).Fullname
$DEMAgentInstall = (Start-Process -Filepath $DEMPath -ArgumentList $DEMMSIArguments -Wait -PassThru)
$DEMAgentInstall.ExitCode

Start-Sleep 20

# Install App Volumes Agent
Write-Host "Installing the VMware App Volumes Agent" -ForegroundColor Green
$AppVolPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $AppVolumesAgentName}).Fullname
$AppVolAgentInstall = (Start-Process -Filepath $AppVolPath -ArgumentList $AppVolMSIArguments -Wait -PassThru)
$AppVolAgentInstall.ExitCode

Start-Sleep 20

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents install" -ForegroundColor Green
Restart-Computer -Force

Git Hub – scripts/vmwareeucagent-install at master · askaresh/scripts (github.com)

A big thanks to Chris H for providing the original blueprint of the script and Wouter for showing me the magical “space” on the switch /v within the Horizon Agent installer. Final thanks to Jishan for the numerous testing cycles and additions to a different version of this script which tackles VMware Tools reboot and continues installing post a reboot.

I hope you will find this script useful to install the VMware EUC agents and never look back to install them individually. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Reference Article – VMware Agent Install order – Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (vmware.com)

Tags: App Volumes, Desktop Virtualization, Dynamic Environment Manager, Horizon, PowerShell, VDI, VMware, VMware App Volumes, VMware Horizon

Comments Leave a Comment
Categories App Volumes, Dynamic Environment Manager, Horizon, PowerShell, Scripts-API, Windows

Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools

29 Jun

If you are planning for the VMware EUC Stack migration or upgrade and are in the middle of uninstalling the existing agents, look no further and here is the script that will allow you to uninstall all the agents and reboot the golden image towards the end. There is no need to remove individual agents one by one from the “Program and Features”; instead, sit back, relax and have a coffee!

VMware EUC Agents:

VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)
VMware Horizon Client (Optional)
VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
VMware Tools (Works on 11.x)

Note – All the above testing is carried out on Windows 10 1909/Windows Server 2016 with PowerShell 5.1. The PowerShell module Uninstall-Package suppresses individual reboot and we perform the final reboot towards the end using the Restart-Computer module. (Reboot is required to complete the uninstallation operations.)

#################################################################################
# Un-Install EUC Agents in the proper order for Golden Image
# App Volumes Agent, Horizon Client(Optional), DEM, Horizon and VMware Tools
# Suppressed auto Reboot the OS towards the end after un-installing all Agents.
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
#################################################################################

#Un-installing VMware App Volumes Agent
Write-Host "Un-installing the App Volumes Agent" -ForegroundColor Green
Get-Package -Name 'App Volumes **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Client
#Write-Host "Un-installing the VMware Horizon Client" -ForegroundColor Green
#Get-Package -Name 'VMware Horizon Cli**' | Uninstall-Package

#sleep -Seconds 60

#Un-installing VMware Dynamic Environment Agent
Write-Host "Un-installing the Dynamic Environment Agent" -ForegroundColor Green
Get-Package -Name 'VMware Dynamic **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Agent
Write-Host "Un-installing the VMware Horizon Agent" -ForegroundColor Green
Get-Package -Name 'VMware Horizon Ag**' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Tools Agent
Write-Host "Un-installing the VMware Tools Agent" -ForegroundColor Green
Get-Package -Name 'VMware Tools' | Uninstall-Package

sleep -Seconds 60

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents Un-install" -ForegroundColor Green
Restart-Computer -Force

GitHub – scripts/vmwareeucagent-uninstall at master · askaresh/scripts (github.com)

Thanks to Hilko and Joel for reviewing the script and providing valuable feedback.

I hope you will find this script useful to uninstall the VMware EUC agents and never look back to remove individual programs under “Programs and Features”. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: App Volumes, Desktop Virtualization, Dynamic Environment Manager, Horizon, VDI, VMware, VMware App Volumes, VMware Horizon, VMware Tools

Comments 3 Comments
Categories App Volumes, Dynamic Environment Manager, Horizon, PowerShell, Scripts-API, Windows

Comparison VMware Horizon Agent 7.x/8.x (Silent Install) Switches and Properties

28 Jun

We are in the middle of automating the VMware Horizon Agent 8.x installer for the golden images. To undertake such a task, it’s essential to understand all the MSI Switches that come along with the installer. If you had already automated the Horizon Agent 7.x install it’s also important to check which MSI switches have been removed in Horizon Agent 8.x/YYMM. The below details will show you the switches and highlight the removed/deltas MSI Switches and Properties.

I use a tool called lessmsi – GitHub – activescott/lessmsi: A tool to view and extract the contents of an Windows Installer (.msi) file. which essentially extracts the MSI contents and provides a detailed table view of the feature components and properties.

Horizon Agent 8.x\YYMM version (Features available within the agent)

Feature (s38)	Feature_Parent (S38)	Title (L64)	Description (L255)	Directory_ (S72)
URLRedirection	Core	URL Content Redirection	Redirects URL content from a server session to a client device and vice versa.
PSG	Core
VmVideo	Core
VmwVdisplay	Core
VmwVidd	Core
SmartCardSingleUserTS	Core
RDSH3D		3D RDSH	This feature enables hardware 3D acceleration in RDSH sessions.
NGVC		VMware Horizon Instant Clone Agent	Horizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later.
ScannerRedirection		Scanner Redirection	Enables the Scanner Redirection feature.
SerialPortRedirection		Serial Port Redirection	Enables the Serial Port Redirection feature.
SmartCard		Smartcard Redirection	Enables the Smartcard Redirection feature.
TSMMR		TSMMR	Terminal Services Multimedia Redirection.
PrintRedir		VMware Integrated Printing	VMware Integrated Printing Redirection.
USB		USB Redirection	USB Redirection. Refer to the VMware Horizon Security document for guidance on using USB redirection securely.
V4V		Horizon Monitoring Service Agent	Horizon Monitoring Service Agent.
VmwVaudio		VMware Audio	VMware virtual Audio driver
SdoSensor		SDO Sensor Redirection	Enables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop.
HybridLogon		Hybrid Logon	Enables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials.
HelpDesk		Help Desk Plugin for Horizon Agent	Help Desk Plugin for Horizon Agent.
RDP		Enable RDP (hidden)
BlastUDP	Core
Core		Core	[ProductName] core functionality	INSTALLDIR
VMWMediaProviderProxy		VMware Virtualization Pack for Skype for Business	This feature will enable optimization for Skype for Business in remote desktop
ClientDriveRedirection		Client Drive Redirection	Allow Horizon Clients to share local drives with remote desktops and applications. If not installed, copy/paste and drag and drop files and folders features will be disabled.
RTAV		Real-Time Audio-Video	Real-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use.
GEOREDIR		Geolocation Redirection	Enables redirection of client’s geolocation to the remote desktop
PerfTracker		Horizon Performance Tracker	Enables Horizon Performance Tracker

Horizon Agent 8.x/YYMM Release MSI Features

Horizon Agent 7.x version (Features available within the agent)

Feature (s38)	Feature_Parent (S38)	Title (L64)	Description (L255)	Directory_ (S72)
URLRedirection	Core	URL Content Redirection	Redirects URL content from a server session to a client device and vice versa.
PSG	Core
VmVideo	Core
VmwVdisplay	Core
VmwVidd	Core
SmartCardSingleUserTS	Core
FlashURLRedirection		Flash URL Redirection	Enables Flash URL Redirection for internal company controlled web pages.
RDSH3D		3D RDSH	This feature enables hardware 3D acceleration in RDSH sessions.
SVIAgent		VMware Horizon View Composer Agent	VMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated Farms
NGVC		VMware Horizon Instant Clone Agent	Horizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later. It cannot be co-installed with Horizon View Composer Agent.
ScannerRedirection		Scanner Redirection	Enables the Scanner Redirection feature.
SerialPortRedirection		Serial Port Redirection	Enables the Serial Port Redirection feature.
SmartCard		Smartcard Redirection	Enables the Smartcard Redirection feature.
TSMMR		TSMMR	Terminal Services Multimedia Redirection. Does not support IPv6 configuration.
ThinPrint		Virtual Printing	Virtual Printer Support
PrintRedir		VMware Integrated Printing	VMware Integrated Printing Redirection.
USB		USB Redirection	USB Redirection. Refer to the VMware Horizon 7 Security document for guidance on using USB redirection securely.
V4V		vRealize Operations Desktop Agent	vRealize Operations Desktop Agent. Does not support IPv6 configuration.
VPA		VMware Horizon 7 Persona Management	VMware Horizon 7 Persona Management
VmwVaudio		VMware Audio	VMware virtual Audio driver
DeviceBridgeBAS		Device Bridge BAS Plugin	Enables finger scanners supported by BAS system
SdoSensor		SDO Sensor Redirection	Enables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop.
CIT		VMware Client IP Transparency	This feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration.
HybridLogon		Hybrid Logon	Enables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials.
HelpDesk		Help Desk Plugin for Horizon Agent	Help Desk Plugin for Horizon Agent.
RDP		Enable RDP (hidden)
BlastUDP	Core
Core		Core	[ProductName] core functionality	INSTALLDIR
VMWMediaProviderProxy		VMware Virtualization Pack for Skype for Business	This feature will enable optimization for Skype for Business in remote desktop
ClientDriveRedirection		Client Drive Redirection	Allow Horizon View Clients to share local drives with their remote desktops and applications. Does not support IPv6 configuration.
RTAV		Real-Time Audio-Video	Real-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use.
FLASHMMR		Flash Redirection	Flash Redirection
GEOREDIR		Geolocation Redirection	Enables redirection of client’s geolocation to the remote desktop
PerfTracker		Horizon Performance Tracker	Enables Horizon Performance Tracker

Horizon Agent 7.x Release MSI Features

If you want to download the spreadsheet version of the table above/below you can find it below. Note there is a bonus within the spreadsheet: MSI Property comparision between Horizon Agent 7.x and Horizon Agent 8.x and two MSI Properties have been removed VDM_FLASH_URL_REDIRECTION and INSTALL_VDIDISPLAY_DRIVER (Part of the Core in 8.x).

compare-horizon8.x-7.x-agent-features-msi-switches-properties Download

Deprecated/Delta Features between 7.x and 8.x/YYMM release

From the table above, we know all the switches of the Horizon Agent 7.x and 8.x versions. Once we compare the above two tables, we are left with the following delta, and I have commented on whether each feature exists or is removed. Please make sure to remove them from your existing scripts or silent installers if you had added them during your Horizon 7.x installs.

Feature (s38)	Title (L64)	Description (L255)	Additional Comments
FlashURLRedirection	Flash URL Redirection	Enables Flash URL Redirection for internal company controlled web pages.	Flash come to EOL in 2020. Feature has been deprecated
SVIAgent	VMware Horizon View Composer Agent	VMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated Farms	VMware Compose was replaced by Instant Clones
ThinPrint	Virtual Printing	Virtual Printer Support	ThinPrint is replaced by VMware Integrated Printing
VPA	VMware Horizon 7 Persona Management	VMware Horizon 7 Persona Management	Persona is replaced by App Volumes or DEM or FSLogic
DeviceBridgeBAS	Device Bridge BAS Plugin	Enables finger scanners supported by BAS system	Feature has been deprecated
CIT	VMware Client IP Transparency	This feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration.	Feature has been deprecated
FLASHMMR	Flash Redirection	Flash Redirection	Flash come to EOL in 2020. Feature has been deprecated

Delta or Deprecated feature list after comparing the above two tables

I hope you will find this post useful to perform silent installs on Horizon Agent. My request is if you find any additional delta or enhancements, please make sure to share it back with me.

Thanks,
Aresh Sarkari

Reference – Check out the VMware documentation on Silent Installation Properties for Horizon Agent (vmware.com)

Tags: Desktop Virtualization, Horizon, MSI, VDI, VMware, VMware Horizon

Comments 1 Comment
Categories Horizon, PowerShell, Windows

Internet Explorer crashing on Windows Server 2016 – Remote Desktop Session Host

18 Feb

We encountered a strange issue on the Windows Server 2016 Remote Desktop Session Host (RDSH) used for VMware Horizon Application Publishing. The Internet Explorer would launch and get into “Not Responding” state, and eventually, the process would close out without any errors.

Process of elimination

We thought either Windows cumulative updates introduced the issue as it was working fine earlier.
There were no errors in the Windows Event Viewer (Application, System or Internet Explorer)
We used the Deployment Image Servicing and Management (DISM) command line tool to disable/enabled Internet Explorer without any luck.
- dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
- dism /online /Enable-Feature /FeatureName:Internet-Explorer-Optional-amd64
Procmon is showing IE tries to launch the process multiple times, but the sub-process keep failing, and IE finally gives up at the end

We were running out of troubleshooting ideas

Resolution

My team ended up opening a Microsoft Support case, and they could see that “Name Not Found for the ieproxy.dll” which is due to ieproxy.dll registration issues. Support confirmed they had seen similar instances in the past.

Please open command prompt with Admin rights and re-register the dll from System32 and Syswow64 folders.

%SystemRoot%\System32\regsvr32 ieproxy.dll

%SystemRoot%\Syswow64\regsvr32 ieproxy.dll

I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Comments Leave a Comment
Categories Horizon, PowerShell, Windows

Horizon VDI – Calculator – Photos – Edge Not launching for end-users – Windows 10

8 Feb

In Windows 10 1909 VMware OST optimized image the end-users report they cannot open the following three built-in UWP windows application.

Microsoft Calculator
Microsoft Photos
Microsoft Edge browser

When the end-users try to open any of the three applications, nothing would happen – No error messages or pop-ups. The application doesn’t launch.

Environment Details

VMware Horizon 7.11
VMware App Volumes 2.18.5
VMware Dynamic Environment Manager 9.10

Process of elimination

The AppX package for (Calc, Photos and Edge) did exist in the base operating system
We can launch all the three applications within the optimized golden image template.
We were running the VMWare OSOT tool with the default VMware Windows 10 template. No additional customization or options selected.
One thing was evident the base template was working fine. The suspicion was around AppStack – App Volumes (We disabled the AppStacks/Writable Delivery – Same issue observed) or Dynamic Environment Manager causing the application from launching
We were running out of troubleshooting ideas

Resolution

Upon searching, I came across this community page – https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Windows-10-UWP-Applications-and-Taskbar/m-p/523086 and it outlined a solution of re-registering the UWP AppX package for the built-in application. We tried the fix in the DEV environment and it worked. Further it was replicated to the production setup.

Step 1: A Powershell script to register the AppX packages

Get-AppxPackage -allusers *windowscalculator* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppxPackage -allusers *windows.photos* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppXPackage -AllUsers *edge* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Step 2 : Create a Dynamic Environment Manager – Logon Tasks

We selected to put the Powershell script within the UEM Share as the end-users have the read- access.

Quick Update based on 4th Aug 2021 (Thanks to Curtis for bring this up in the comments section)

The above DEM 9.10 logon task no longer works in situation where end-users dont have local administrative priviledges users not being able to run the script at logon.

In the latest version of Dynamic Enivornment Manager 20XX onwards, you can now hook logon tasks into Elevated Tasks by using Privilege Elevation rules.

In DEM:

1. User Environment > Privilege Elevation > Create new privilege elevation rule

2. In the “Type” drop down menu, select “Elevated Task”

3. Click “Add”

4. In the Executable field:
“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

5. In the Arguments field type the path to your script logon script

6. In User Environment > Logon Tasks, select the logon task that runs and registers the UWP apps.

7. Check “Elevated Task” and in the drop down select the Elevated Task you just created in the list.

After this, the script should be able to run at logon regardless of whether or not the user has local administrator rights!

I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Tags: Dynamic Environment Manager, Horizon, PowerShell, VMware, Windows 10

Comments 5 Comments
Categories App Volumes, Dynamic Environment Manager, Horizon, PowerShell, Windows

Script create read-only account for monitoring VMware Unified Access Gateway

23 Sep

We have been using VMware Unified Access Gateway (UAG) for quite a few years. To monitor the appliance using vROPS or other monitoring tools or API calls scripts you need a read-only monitoring account created in the console under “Account Settings”.

Account Settings - UAG — Read-only account for monitoring

In our deployment we have 14 UAG appliances (Internal/External) – Yes we tunnel internal connections too. Post the upgrade we had to re-create the read-only account for the API call monitoring on all 14 appliances. The following script I wrote to create the read-only account per UAG server. Just change the IP and point to another UAG to create accounts.

####################################################################
# Create ready-only account in the VMware Unified Access Gateway Appliance
# for monitoring purposes using vROPS or API etc.
# Author - Aresh Sarkari (@askaresh)
# Version - V5.0
####################################################################


# Ignore UAG cert errors (self signed or 

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


##API Call to make the intial connection to the UAG Appliance##

$Uri = "https://10.0.0.1:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"
$Username = "admin"
$Password = "adminpassword"

$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-RestMethod -SessionVariable DaLogin -Uri $Uri -Headers $Headers


###API Call to create the user account with read-only access under VMware Unified Access Gateway##

$body = @{
  name = "UAG_vRops"
  password= "typeyourpassword"
  enabled=$true
  roles = @("ROLE_MONITORING")
  noOfDaysRemainingForPwdExpiry=0
} | ConvertTo-Json

$output = Invoke-RestMethod -WebSession $DaLogin -Method Put -Uri "https://10.0.0.1:9443/rest/v1/config/adminusers" -Body $body -ContentType "application/json"

Write-Output $output

GitHub – https://github.com/askaresh/scripts/blob/master/uagreadonlyacct

I hope you will find this script useful to create the UAG read only accounts and would not have to create them manually on multiple appliances. My request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Comments Leave a Comment
Categories Horizon, PowerShell, Scripts-API, Unified Access Gateway

← Older Entries

	Mindmap – Part… on Mindmap – Part 1 –…
	Service – Week… on Mindmap – Part 1 –…
	VMware Horizon Load… on Persistence Profile – F5…
	VMware Horizon 7… on Automating Desktop Pool creati…
	Site Updates –… on Automating Desktop Pool creati…

Search

AskAresh

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

What is Orphaned Writable Volumes?

Script to delete them for App Volumes Manager

Pre-requisites

Observations

Script/API – Horizon Reach – Get consolidated Horizon Farms/Desktops pools – Name Health, Image and Snapshot information

What API’s are avilable with Horizon Reach?

What all options are avilable to interact with Horizon Reach API?

Scripts to get consolidated Horizon Farms/Desktops information

Pre-requsites:

Observations:

Script to install CrowdStrike Sensor and VMware App Volumes snapvol.cfg exclusions for CrowdStrike Sensor

Script to install CrowdStrike Sensor

Process exclusions for VMware App Volumes

Script to replace VMware Unified Access Gateway certificates (ADMIN and Internet)

Script to install VMware EUC Agents – App Volumes Agent, DEM Agent and Horizon Agent

Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools

Comparison VMware Horizon Agent 7.x/8.x (Silent Install) Switches and Properties

Internet Explorer crashing on Windows Server 2016 – Remote Desktop Session Host

Horizon VDI – Calculator – Photos – Edge Not launching for end-users – Windows 10

Script create read-only account for monitoring VMware Unified Access Gateway

Recent Posts

Follow me on Twitter

Categories

Archives

Recent Posts

Recent Comments

Archives

Categories

Meta