Archive | PowerShell RSS feed for this section

PowerShell – Create and Assign Windows 365 Cloud PC – User Settings

8 Nov

There are numerous posts that talk about creating the Windows 365 Cloud PC – User Settings. In this blog post, I will demonstrate how to create user settings using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Permissions for MS Graph API

Step 3 –  Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Create User Settings

We are creating a provisioning policy that involves the following: (avdwin365mem/win365CreateUsrSetting at main · askaresh/avdwin365mem (github.com))

  • Display Name of the setting – CPC-UserSettings01
  • Local Admin – No (#Highly recommend not to enable local admin on Cloud PCs)
  • Allow user to initiate restore service – Yes (#This will allow them to restore from Winodws365 App/Browser)
  • Frequency of backup – 6 hours (#Set whatever your requirements call out)
  • Note – Post creation of user settings, you need to add the assignment AAD group
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcUserSetting"
	DisplayName = "CPC-UserSettings02"
	SelfServiceEnabled = $false
	LocalAdminEnabled = $false
	RestorePointSetting = @{
		FrequencyInHours = 6
		UserRestoreEnabled = $true
	}
}

New-MgDeviceManagementVirtualEndpointUserSetting -BodyParameter $params

Powershell Output

Settings will show up in the MEM/Intune Portal

Assign User Settings

Now that we have the User Settings created, it’s time to assign it to an AAD group. We need to follow the following procedure

AAD Group (Copy – Object ID)

I have an existing AAD (Azure Active Directory) group called “Win365-Users” and I plan to use this group for assignment to this User Settings. The important step here is to make a note of the “Object ID” of the AAD group you are planning to assign. Please make sure you copy this ID.

User Settings (Copy ID)

Copy the ID of the previously created User Settings. We need to copy this ID for the assignment. Use the command – Get-MgDeviceManagementVirtualEndpointUserSetting | FT. Note if multiple CPC user settings, select the relevant ID.

Assign the AAD Group to the User Settings

We are assigning the provisioning policy that involves the following: (avdwin365mem/win365AssignUsrSetting at main · askaresh/avdwin365mem (github.com))

  • ID – The existing Cloud PC User Settings ID
  • GroupID – The Azure AD group which has the end-users/license to be assigned to the policy
  • Within the variable, enter the value of User Settings ID $cloudPcUserSettingId
$cloudPcUserSettingId = "ed7271e3-8844-XXXX-XXXX-9bc8bd70da4c"

$params = @{
	Assignments = @(
		@{
			Id = "ed7271e3-8844-XXXX-XXXX-9bc8bd70da4c"
			Target = @{
				"@odata.type" = "microsoft.graph.cloudPcManagementGroupAssignmentTarget"
				GroupId = "01eecc64-c3bb-XXXX-XXXX-bafb18feef12"
			}
		}
	)
}

Set-MgDeviceManagementVirtualEndpointUserSetting -CloudPcUserSettingId $cloudPcUserSettingId -BodyParameter $params

AAD group assigned within MEM Portal

I hope you will find this helpful information for creating/assigning the user settings using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

PowerShell – Unassign/Delete the Windows 365 Cloud PC Provisioning Policy

14 Oct

Please check out my earlier blog post on PowerShell – Create Windows 365 Cloud PC Provisioning Policy and PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy. This is the last part in the series where we will delete the Windows 365 Cloud PC Provisioning Policy via PowerShell.

A safety feature within MEM Portal – Windows 365 Cloud PC – Provisioning Policies that within the UI when you try to delete the policy, it will be grey out. The only way to delete the policy is to remove the Assignment Group (AAD Group assigned to the policy) and then delete the provisioning policy within UI. The motive of this blog series is PowerShell actions, and we will perform the two actions using that method.

Provisioning Policy (Copy ID)

We need the Windows 365 Provisioning Policy – ID to perform the AAD (Azure Active Directory) group un-assignment and delete operation. We need to copy this ID. Simply use the commandlet – Get-MgDeviceManagementVirtualEndpointProvisioningPolicy. Note if multiple CPC policy, select the ID that is relevant for deletion.

Un-assign AAD Group from the Provisioning Policy

The only way to delete the CPC – Provisioning policy is to remove the AAD group assignment, and it involved the following: avdwin365mem/win365DeleteProvPolicy at main · askaresh/avdwin365mem (github.com)

  • ID – The existing Cloud PC Provisioning Policy ID
  • Load the $params variable first before running the Set-MgDeviceManagementVirtualEndpointProvisioningPolicy commandlet
  • Copy/Paste the Prov policy ID within -CloudPcProvisioningPolicyId
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicyAssignment"
	Assignments = @(
		@{
			Id = "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d"
		}
	)
}
Set-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d" -BodyParameter $params

Delete the Provisioning Policy

Now that the AAD Group has been un-assigned it’s time to delete the Cloud PC Provisioning Policy.

Remove-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-4722-9ab7-7d9b5cc0a78d"

I hope you will find this helpful information for the un-assignment & deletion of the CloudPC provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy

12 Oct

If you haven’t looked at my previous blog on PowerShell – Create Windows 365 Cloud PC Provisioning Policy, please check that out first. After creating the Cloud PC provisioning policy, the next step is to assign the Azure AD Group, which has the end-users and Windows 365 license assigned.

AAD Group (Copy – Object ID)

I have an AAD (Azure Active Directory) group called “Win365-Users” and assigned the Windows 365 Cloud PC Enterprise license. The important step here is to make a note of the “Object ID” of the AAD group you are planning to assign. Please make sure you copy this ID.

AAD Group

Provisioning Policy (Copy ID)

In the previous blog, when we created the Cloud PC provisioning policy, Azure will assign an ID. We need to copy this ID for the assignment. Simply use the commandlet – Get-MgDeviceManagementVirtualEndpointProvisioningPolicy. Note if multiple CPC policy, select the ID that is relevant.

PowerShell Output

Assign Provisioning Policy

We are assigning the provisioning policy that involves the following: (avdwin365mem/win365AssignProvPolicy at main · askaresh/avdwin365mem (github.com))

  • ID – The existing Cloud PC Provisioning Policy ID
  • GroupID – The Azure AD group which has the end-users/license to be assigned to the policy
  • Copy/Paste the Prov policy ID within -CloudPcProvisioningPolicyId
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicyAssignment"
	Assignments = @(
		@{
			Id = "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d"
			Target = @{
				"@odata.type" = "microsoft.graph.cloudPcManagementGroupAssignmentTarget"
				GroupId = "01eecc64-c3bb-XXXX-XXXX-bafb18feef12"
			}
		}
	)
}

Set-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d" -BodyParameter $params

Assignment is created

I hope you will find this helpful information for the assignment of the AAD group to a CloudPC provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

PowerShell – Create Windows 365 Cloud PC Provisioning Policy

11 Oct

There are a significant amount of posts that talk about creating the Windows 365 Cloud PC Provisioning Policy. In this blog post, I will demonstrate how to create the provisioning policy using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:\WINDOWS\system32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Permissions for MS Graph API

Step 3 –  Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC the API calls are BETA.

#Beta APIs
PS C:\WINDOWS\system32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:\WINDOWS\system32> Select-MgProfile -Name "v1.0"

Create Provisioning Policy

We are creating a provisioning policy that involves the following: (avdwin365mem/win365CreateProvPolicy at main · askaresh/avdwin365mem (github.com))

  • Azure AD Joined Cloud PC desktops
  • The region for deployment – Australia East
  • Image Name – Windows 11 Ent + Optimization (from the Gallery)
  • Language & Region – English (United States)
  • Note – Post provisioning, you need to add the assignment AAD group to this policy
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicy"
	Description = "Hi Test Powershell Prov Deployment"
	DisplayName = "CloudPC-ProvPshell01"
	DomainJoinConfiguration = @{
		DomainJoinType = "azureADJoin"
        regionName = "australiaeast"
	}
	ImageDisplayName = "Windows 11 Enterprise + OS Optimizations 22H2"
	ImageId = "MicrosoftWindowsDesktop_windows-ent-cpc_win11-22h2-ent-cpc-os"
	ImageType = "gallery"
        enableSingleSignOn = "true"
	WindowsSettings = @{
		Language = "en-US"
	}
}

New-MgDeviceManagementVirtualEndpointProvisioningPolicy -BodyParameter $params

Update the code to include the latest SSO feature in Windows 365 Cloud PC. A big thanks to Andrew Taylor to update my script in Github to include SSO.

Powershell Output

Policy will show up in the MEM Portal

Optional Properties

If you are doing on-premise network integration (Azure Network Connection) , then the following additional property and value is required. In my lab, I am leveraging the Microsoft Managed Network, so this is not required.

OnPremisesConnectionId = "4e47d0f6-6f77-44f0-8893-c0fe1701ffff"

I hope you will find this helpful information for creating a provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Making Microsoft Quick Assist work with VMware App Volumes – Writable Volumes

6 Sep

Microsoft Quick Assist is a tool widely used by service desk teams to take remote control of a computer and help end-users with a screen share. We noticed with the recent changes Microsoft made to Quick Assist, it stopped working when VMware App Volumes – Writable Volumes were present.

Error launching Quick Assist

We tried many steps of installing the Quick Assist offline using various Powershell commands, and nothing worked out. We also got to a point Quick Assist will launch without the Writable Volumes present or local admins with Writable Volumes. In the end, VMware Support GSS, with help from backend engineering, provided a working solution.

Solution (Workaround)

Step 1 – Download the offline version of the Quick Assist App from the Microsoft store and place all the files into C:\Temp\QuickAssist. Following are the steps to download the offline version of MS store apps.

Offline Files MS Quick Assist

Step 2 – Delete the old version of the Quick Assist App (Not part of the MS Store). Start Menu > Settings > Apps > Optional features > Microsoft Quick Assist > Uninstall. 

Uninstall Optional Features – Microsoft Quick Assist

Step 3 – Install the Offline version of the Microsoft Quick Assist package using PowerShell

PowerShell Add-AppxProvisionedPackage -PackagePath C:\Install\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense
PowerShell Install Appx Package

Step 4 – Install WebView2 component which is a pre-requisite for Quick Assist. Note this step is quite important and not something that has been emphazied alot.

  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
  C:\Install\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
Install Microsoft Edge WebView

Step 5 – Launch the Quick Assist App once. Make sure, without launching the app, don’t move to the next step. Please wait at least 10 mins on this step or/else reboot the template VM and launch the app

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
Launching Quick Assist

Step 6 – Create an OS scheduled task to run at every logon. This will launch the Quick Assist and register at every logon.

schtasks /create /RU "SYSTEM" /TN RegisterQuickAssist /SC ONLOGON /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-AppxProvisionedPackage -PackagePath C:\Temp\QuickAssist\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense"
Schedule Task – Register of Microsoft Quick Assist at User Login

Step 7 – Take a snapshot of the golden image and the remaning steps will be performed in App Volumes files.

Step 8 – We need to prepare the template bundle of Writable Volumes (UIA+Profile) to contain a file startup_postsvc.bat with the following contents. Note Alter the file path if you decide to use something else.

  @echo off
  setlocal enabledelayedexpansion
  set WV_Path=none
  for /F "tokens=3" %%A in ('reg query HKLM\System\ControlSet001\Services\svservice\Parameters /v WritableVolume 2^>nul') do (
    set WV_Path=C:%%A
    fltmc attach bindflt !WV_PATH!
  )
  reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView" /v DisplayName >nul 2>&1
  if %ERRORLEVEL% NEQ 0 (
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
    start /wait C:\Temp\QuickAssist\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
  )

Here is the procedure to update the writable volume’s file – Update Writable Volumes (vmware.com). Zip all the files and push the changes using AV Manager > Writables > Update Writable Volumes

Additional Files for writable volumes startup

Step 9 – Validation login to the virtual desktop (Make sure the updated file – startup_postsvc.bat are pushed onto the WV). After a few seconds, the Microsoft Edge WebView2 Runtime component and Quick Assist should appear in Programs and Features.

PowerShell Get-AppxPackage *assist*

Step 10 – Launch Quick Assist via Start Menu or Explorer and Voila!

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app

If you encounter a similar issue, you can follow the above solution. I hope you will find this information useful if you encounter the same issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 3+ months.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

VMware App Volumes – Tales of the missing Writable Volumes backup

15 Aug

You have a large VMware App Volumes environment and have backed up your writable volumes using the capabilities provided in the App Volumes Manager. (You are doing the right thing!)

AV Manager – WV Backup Config

We decided to perform an audit on the backup of the writable volumes within the App Volumes Manager 2.18.10 and the VSAN Datastore. You can export all the writable volumes to a CSV using the API. My script here will provide you with a complete outlook for conducting your analysis. Now exclude your group entitlements from the list, leaving you with the total number of writable volumes within your environment. Ideally, you are after the same number of writable volumes on the VSAN datastore. (Of course, if everything is going well in the backup world!)

In my case, we observed more than 300+ missing writable volumes between the exported CSV and the VSAN datastore. Let the investigations begin – within the production.log, we could see the backup was happening, but the challenge of a large environment is impossible to track all the backup occurring just by looking at the logs. Feature request to VMW – A dedicated backup log showcases the entire environment’s status. We eventually ended up with a GSS case after few months of back and forth and the logs exchange, we finally got a working solution. This closed the mystery of the missing backup of the writable volumes.

Solution

Go the the SQL database of the App Volumes Manager. Select the DB and New Query.

AV Database – Microsoft SQL

Enter the following query and hit execute. Now this will change the default writable volumes batch size(writables_backup_batch_size) from 5 to 25. Note the value of the batch size was tweaked multiple times, we first went with 10, which drastically reduced the missing backup. However, a few were still missing and not getting backup. The final number for our environment was 25 got all the writable volumes backup.

INSERT INTO dbo.settings ("key", value, created_at, updated_at) 
VALUES ('writables_backup_batch_size', 25, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)

Disclaimer – This tweak was required for a large App Volumes environment. Please consult with VMware Support before making any changes to your setup or Database. If it works for me doesn’t mean it will work for you. The value can differ based on the size of the enivronment.

I hope you will find this helpful information on your VMware App Volumes backup strategy. Please let me know if you have observed any issues like these, and would like to share your story?

Thanks,
Aresh Sarkari

Tags: , , , , ,

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

10 Nov

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

  • What is Orphaned Writable Volumes?
  • Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.

Pre-requisites

  • You need the App Volumes Manager URL
  • You need the username and password of the App Volumes Manager
  • You need to enter y/Y to proceed further with the deletion
  • The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)
###########################################################################
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”
}

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

}

#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content

}

GitHub scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)

Observations

  • When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.
  • Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , ,

Script/API – Horizon Reach – Get consolidated Horizon Farms/Desktops pools – Name Health, Image and Snapshot information

27 Oct

Horizon Reach is a potent tool, and Andrew Morgan has put in a lot of blood, sweat and tears to develope it. What suprises me is why isnt this fling included into the Horizon product? We haven’t gathered here to talk about the product management and roadmap aspects 😉

Horizon Reach fling aggregates all the various Horizon POD information into its database. Typically, running Horizon API calls or Horizon Powershell modules might have to run them against individual pods to fetch information about that POD. The beauty with Horizon Reach is it aggregates all the information, we can write scripts/API calls to request information from there instead of writing Horizon POD specific scripts.

Let’s take a look at the following information from the Horizon Reach fling:

  • What API’s are available with Horizon Reach?
  • What all options are available to interact with Horizon Reach API?
  • Script – Get a consolidated list of Horizon Farm details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)
    • Note the above can also be fetched using the old Horizon Powershell modules but trust me it’s pretty tricky to run a foreach loop for every object on the SOAP method.
  • Script – Get a consolidated list of Horizon Desktop Pools details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)

What API’s are avilable with Horizon Reach?

After you have installed the Horizon Reach fling, go to the following URL to check out all the avilable API’s. Its the UI Swagger interface to simplify and understand each calls.

URL https://horzonreach.domain:9443/swagger/index.html

What all options are avilable to interact with Horizon Reach API?

You can interact with the API with your preffered method such as Powershell or Postman or something else.

Postman https://horzonreach.domain:9443/swagger/v1/swagger.json (You will be able to import all the Horizon Reach API as a collection within Postman)

Powershell – You can use the built-in modules of Invoke-RestMethod or Invoke-WebRequest method to interact with Horizon Reach API.

Scripts to get consolidated Horizon Farms/Desktops information

Pre-requsites:

  • You need the Horizon Reach Server URL
  • You need the password of the Horizon Reach Server
  • The script provides you with the details of all Horizon PODs in your setup.
  • The script was tested on PowerShell V5.x
#Horizon Reach Server Name or IP Address
$HZReachServer = "https://horizonreach.domain:9443"

#Ignore the self signed cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the Horizon Reach Server##
$HZReachLogonAPIcall = "$HZReachServer`/api/Logon"

#The body payload that comprises of the login API request
$body = @{
    username = "administrator"
    password = "enteryourpassword"
} | ConvertTo-Json

$HZReachlogin = Invoke-RestMethod -Method Post -uri $HZReachLogonAPIcall -Body $body -ContentType "application/json"

#Header along with the JWT token is now saved for future API calls
#You need to call this header in all subsequent calls as it has the token
$Headers = @{ Authorization = "Bearer $($HZReachlogin.jwt)" }

#API Call to fetch the consolidated (as many pods you have) Horizon Farm information##
$HZReachFarms = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/Farms" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, health, isProvisioningEnabled

Write-Output $HZReachFarms

#API Call to fetch the consolidated (as many pods you have) Horizon desktop pool information##
$HZReachPools = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/pools" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, healthDetail, isProvisioningEnabled

Write-Output $HZReachPools

GitHub scripts/HorizonReach-Farms-Pools-Info at master · askaresh/scripts (github.com)

Observations:

  • Farm Output:
  • Desktop Pool Output:
  • The following information (Display Name, Snapshot, Base Image, Health, Provisioning Mode) is pulled using the above scripts. I was much interested to see the snapshot versions of each Farms/Pools along with Health and provisioning status. Feel free to extract whatever details you are looking for there are plenty of other properties.

I hope you will find this script useful to fetch helpful information from Horizon Reach. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , ,

Script to install CrowdStrike Sensor and VMware App Volumes snapvol.cfg exclusions for CrowdStrike Sensor

20 Aug

If you are planning to deploy CrowdStrike Sensor (CS Sensor) within your virtual desktop (Windows 10) or server operating(Remote Desktop – Windows Server 2016), then continue reading. In this post, we will take a look into the following topics:

  • Scripted silent install of CrowdStrike Sensor
  • Process exclusions for VMware App Volumes – Writable Volumes (snapvol.cfg)

Script to install CrowdStrike Sensor

Pre-requisites:

  • Based on your requirements, a complete range of silent switches can be found here – How to Install CrowdStrike Falcon Sensor | Dell US
  • Create a folder called C:\Temp\Sensor and place all the CS Sensor EXE within this folder.
  • Make sure to read the installer log files after the install is completed.
  • We use the proxy details as the virtual machines don’t have direct internet access.
  • Look for the exit code = 0 = success
#############################################################################################
# Install Crowd Strike Sensor to the Golden Image on Windows 10 and Windows Server 2016/2019
# Look for Exit Code 0 = Success
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari - https://twitter.com/askaresh
#############################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Sensor Names
$CSSensorName = "WindowsSen*"

#The sensor installer Location
$TempInstallPath = "C:\Temp\Sensor"

#Log Files location
$CSSensorlogFile = "C:\Temp\Sensor\CSSensor.log"

###################################################################
#                    EXE Arguments Arrary for CS Sensor           #
###################################################################
# Modify any Installer switches related to the sensor here.
# Dell Article covering all silent switches 
# https://www.dell.com/support/kbdoc/en-us/000126124/how-to-install-crowdstrike-falcon-sensor
# Proxy switches if your endpoints dont have direct Internet Access
# Log Files w.r.t to installation is generated in C:\Temp\*

# Crowd Strike Sensor Arguments
$CSArguments = @(
    "/install"
    "/quiet"
    "/norestart"
    "CID=YOUDIDGUIDWILLGOHERE-EG"
    "ProvToken=YOURTOKENNUMBER"
    "GROUPING_TAGS=TAG1,TAG_VDI"
    "ProvWaitTime=3600000"
    "APP_PROXYNAME=proxy.whateverproxy.com"
    "APP_PROXYPORT=80"
    "VDI=1"
	"/log"
    $CSSensorlogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install Crowd Strike Sensor
Write-Host "Installing the Crowd Strike Sensor" -ForegroundColor Green
$CSSensorPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $CSSensorName}).Fullname
$CSSensorInstall = (Start-Process -Filepath $CSSensorPath -Wait -ArgumentList "$CSArguments" -PassThru)
$CSSensorInstall.ExitCode

Start-Sleep 20

Git Hub scripts/CSSensor-Install at master · askaresh/scripts (github.com)

Process exclusions for VMware App Volumes

It is advisable you add the CrowdStrike process exclusions within the VMware App Volumes – Writable Volumes templates on snapvol.cfg. Here is the detailed guidance on how to modify the snapvold.cfg – Using the VMware App Volumes snapvol.cfg File to Customize Writable Volumes | VMware End-User Computing Blog. These two processes are visible within the Task Manager.

#Crowdstrike Exclusions
exclude_process_name=CSFalconService.exe
exclude_process_name=CSFalconContainer.exe

A big thanks to Jishan for the numerous testing cycles! I hope you will find this script and exclusions useful to install the CrowsStrike Sensor. A small request if you further enhance the script or exclusions, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , ,

Script to replace VMware Unified Access Gateway certificates (ADMIN and Internet)

9 Jul

Our certificates are coming close to expiry, and we use VMware Unified Access Gateway for Internal and External traffic tunneling. This brings us to perform the replacement of the expiring certificates on 12 UAG Appliances. Performing this activity from the GUI is straight forward. However, we need to perform this activity on 12 appliances.

Thanks to Mark Benson for the motivation, and I went ahead and created a script to perform this activity at further ease, sit back, relax and have a coffee!

Pre-requisites:

  • You need the CAchain pem and RSA private key certificate output in one line. Please make sure you run the following command to grab the output in a single line
    • Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-name.pem
    • Linux/Unix command – awk ‘NF {sub(/\r/, “”); printf “%s\n”,$0;}’ cert-namersapriv.pem
    • I saved the certificate files on a Linux machine and then ran the above command. Pasted the output in Notepad++, which is in one line.
    • Doco reference
    • The CAChain pem certificate should include (MainCA content, Subordinate Certificate content and Root Certificate content without any spaces between them.)
  • There are seperate API calls for the certificate replacement for the ADMIN and Internet facing. You can comment or un-comment the block as per your requirement
    • /rest/v1/config/certs/ssl/ADMIN
    • /rest/v1/config/certs/ssl/END_USER
  • The IP address or Hostname of the UAG Appliance along with the admin password.
##############################################################################################################################################
# Replace the ADMIN and Internet Facing certificate on the UAG Appliance
# Uncomment if you dont plan to do both the interfaces (Internet/ADMIN)
# Get the certificate in one line following this documentation 
# https://docs.vmware.com/en/Unified-Access-Gateway/3.10/com.vmware.uag-310-deploy-config.doc/GUID-870AF51F-AB37-4D6C-B9F5-4BFEB18F11E9.html
# Author - Aresh Sarkari (Twitter - @askaresh)
##############################################################################################################################################

#UAGServer Name or IP
$UAGServer = "10.1.1.1"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'


#API Call to make the intial connection to the UAG Appliance##
$Uri = "https://$UAGServer`:9443/rest/v1/config/adminusers/logAdminUserAction/LOGIN"

$Username = "admin"
$Password = "enteryouradminpassword"

$Headers = @{ Authorization = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $Username,$Password))) }

Invoke-WebRequest -SessionVariable DaLogin -Uri $Uri -Headers $Headers

#The PEM Certificate + Private Key in RSA Format
#The certificate has to be in online using linux command - awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem 
$certificatersaContent = "-----BEGIN RSA PRIVATE KEY-----\nMIIEo... followed by a large block of text...\n-----END RSA PRIVATE KEY-----\n"
$certificateContent = "-----BEGIN CERTIFICATE-----\nMIIEo... followed by a large block of text...\n-----END CERTIFICATE-----\n"

#Body to replace the certificate
$body = @{
  privateKeyPem = $certificatersaContent
  certChainPem = $certificateContent
} 

#Converting the Json and line breaks in strings 
#https://communary.net/2018/03/30/quick-tip-convertto-json-and-line-breaks-in-strings/
$Jsonbody = ($body | ConvertTo-Json).Replace('\\n','\n')

#API to replace the Admin Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputadmin = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/ADMIN" -Body $Jsonbody -ContentType "application/json" -Verbose

#API to replace the Internet facing Certificate of the UAG Appliance
#Please note that the Backtick ` is required in order to escape the colon
$outputenduser = Invoke-WebRequest -WebSession $DaLogin -Method Put -Uri "https://$UAGServer`:9443/rest/v1/config/certs/ssl/END_USER" -Body $Jsonbody -ContentType "application/json" -Verbose

GitHub scripts/vmwareuagcertreplace at master · askaresh/scripts (github.com)

Observations:

  • The array within the $body has further line breaks, which needs to adjust. I had to spend a considerable amount of time. Thanks to this blog post which came in hand. Powershell function ConvertTo-Json
  • The Powershell function Invoke-Webrequest and the -URI I had to add the Backtick ` in order to escape the colon
  • The key of the above script is the CAChain certificate and RSA Private Key certificate to be available online.

I hope you will find this script useful to replace or change the certificate on the VMware Unified Access Gateway appliances. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , ,

← Older Entries
Newer Entries →