Archive | Windows RSS feed for this section

Script to install CrowdStrike Sensor and VMware App Volumes snapvol.cfg exclusions for CrowdStrike Sensor

20 Aug

If you are planning to deploy CrowdStrike Sensor (CS Sensor) within your virtual desktop (Windows 10) or server operating(Remote Desktop – Windows Server 2016), then continue reading. In this post, we will take a look into the following topics:

  • Scripted silent install of CrowdStrike Sensor
  • Process exclusions for VMware App Volumes – Writable Volumes (snapvol.cfg)

Script to install CrowdStrike Sensor

Pre-requisites:

  • Based on your requirements, a complete range of silent switches can be found here – How to Install CrowdStrike Falcon Sensor | Dell US
  • Create a folder called C:\Temp\Sensor and place all the CS Sensor EXE within this folder.
  • Make sure to read the installer log files after the install is completed.
  • We use the proxy details as the virtual machines don’t have direct internet access.
  • Look for the exit code = 0 = success
#############################################################################################
# Install Crowd Strike Sensor to the Golden Image on Windows 10 and Windows Server 2016/2019
# Look for Exit Code 0 = Success
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari - https://twitter.com/askaresh
#############################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Sensor Names
$CSSensorName = "WindowsSen*"

#The sensor installer Location
$TempInstallPath = "C:\Temp\Sensor"

#Log Files location
$CSSensorlogFile = "C:\Temp\Sensor\CSSensor.log"

###################################################################
#                    EXE Arguments Arrary for CS Sensor           #
###################################################################
# Modify any Installer switches related to the sensor here.
# Dell Article covering all silent switches 
# https://www.dell.com/support/kbdoc/en-us/000126124/how-to-install-crowdstrike-falcon-sensor
# Proxy switches if your endpoints dont have direct Internet Access
# Log Files w.r.t to installation is generated in C:\Temp\*

# Crowd Strike Sensor Arguments
$CSArguments = @(
    "/install"
    "/quiet"
    "/norestart"
    "CID=YOUDIDGUIDWILLGOHERE-EG"
    "ProvToken=YOURTOKENNUMBER"
    "GROUPING_TAGS=TAG1,TAG_VDI"
    "ProvWaitTime=3600000"
    "APP_PROXYNAME=proxy.whateverproxy.com"
    "APP_PROXYPORT=80"
    "VDI=1"
	"/log"
    $CSSensorlogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install Crowd Strike Sensor
Write-Host "Installing the Crowd Strike Sensor" -ForegroundColor Green
$CSSensorPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $CSSensorName}).Fullname
$CSSensorInstall = (Start-Process -Filepath $CSSensorPath -Wait -ArgumentList "$CSArguments" -PassThru)
$CSSensorInstall.ExitCode

Start-Sleep 20

Git Hub scripts/CSSensor-Install at master · askaresh/scripts (github.com)

Process exclusions for VMware App Volumes

It is advisable you add the CrowdStrike process exclusions within the VMware App Volumes – Writable Volumes templates on snapvol.cfg. Here is the detailed guidance on how to modify the snapvold.cfg – Using the VMware App Volumes snapvol.cfg File to Customize Writable Volumes | VMware End-User Computing Blog. These two processes are visible within the Task Manager.

#Crowdstrike Exclusions
exclude_process_name=CSFalconService.exe
exclude_process_name=CSFalconContainer.exe

A big thanks to Jishan for the numerous testing cycles! I hope you will find this script and exclusions useful to install the CrowsStrike Sensor. A small request if you further enhance the script or exclusions, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , ,

VMware App Volumes – AD Domain – LDAPS Configuration/Certificate Renewal

19 Aug

The Enterprise Root CA certificate was coming close to expiry, and we had to replace the certificate on VMware App Volumes Manager. In this blog post, we will take a look into the following topics:

  • How to identify the Microsoft Enterprise Root CA
  • How to generate the Root Certificate *.cer
  • Convert the certificate *.cer to *.pem format for App Volumes Manager
  • Replace the certificate within the App Volumes Manager
  • Configuring the App Volumes Manager for LDAPS

How to identify the Microsoft Enterprise Root CA

On any domain-joined box where you have the Active Directory administrative tools installed, open the adsiedit.msc and change the Naming Context to Configuration partition.

Adsiedit Connection

Navigate to the below path Under Certification Authorities, and you’ll find your Enterprise Root Certificate Authority server.

CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=askaresh,DC=dir
Active Directory – Configuration Partition

How to generate the Root Certificate *.cer

Log into the Root Certification Authority server with Administrator Account. Go to Start > Run > and type Cmd, and press on Enter button. Enter the following command:

certutil -ca.cert C:\Temp\rootca_cert.cer

Convert the certificate *.cer to *.pem format for App Volumes Manager

I typically use OpenSSL to convert all my certificates. Copy the rootca_cert.cer certificate into Folder – C:\OpenSSL-Win32\bin and run the following command to convert the certificate to PEM.

openssl x509 -in root_cer.cer -out adCA.pem

Note – We want the exported name to be adCA.pem as App Volumes Manager needs that name during setup.

Replace the certificate within the App Volumes Manager

Depending upon the number of AV Managers, you will have to repeat the steps:

  • Copy the adCA.pem on each App Volumes Manager server, to the /config directory where the App Volumes Manager is installed. The default installation location for App Volumes Manager is C:\Program Files (x86)\Cloud Volumes\Manager.
  • Restart the App Volumes Manager servers.

Configuring the App Volumes Manager for LDAPS

You only need to perform these steps on one App Volumes Manager per POD as the configurations are central on a SQL Database.

  • Login to the App Volumes Manager and go to Configuration – AD Domains – Select the Domain – Edit or New depending upon your requirements
  • Enter the Domain Name, Service Account Username, Service Account Password and Select Secure LDAPS. The port number is 636.
  • Click on Update
App Volumes Manager – AD Domains

I hope you will find these steps helpful to replace or configure the VMware App Volumes Manager with LDAPS.

Thanks,
Aresh Sarkari

Reference Links

Export Root Certification Authority Certificate – Windows Server | Microsoft Docs

Find the name of Enterprise Root CA server – Windows Server | Microsoft Docs

Configure CA Certificates in App Volumes Manager (vmware.com)

Tags: , , , , ,

Script to install VMware EUC Agents – App Volumes Agent, DEM Agent and Horizon Agent

30 Jun

If you are planning for the VMware EUC Stack migration or upgrade and want to install the VMware EUC agent, then continue reading. The guidance on uninstalling the existing agents can be found on this blog post – Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools | AskAresh

In this script, we shall perform the agents install and reboot the golden image towards the end. There is no need to install the individual agents one by one, instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
    • Note few MSI switches are deprecated if you still use them, you will have an error code 1603
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)

Note – All the above testing is carried out on Windows 10 1909 with PowerShell 5.1. Reboot is required to complete the installation operations.

VMware EUC Agents Install

Pre-requisites:

#################################################################################################
# Install EUC Agents in the proper order - Horizon Agent , DEM Agent and App Volumes Agent
# Reboot the OS towards the end after install all Agents. Look for Exit Code 0 or 3010
# If you notice exit code 1603 there is a installation issue. Refer to my MSI switches blogpost
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
################################################################################################

###################################################################
#                    Declare Variables                            #
###################################################################

#Agent Names
$HorizonAgentName = "VMware-Horizon-Agent-x86_64*"
$DEMAgentName = "VMware Dynamic Environment Manager*"
$AppVolumesAgentName = "App Volumes Agent*"
$AppVolMGR = "avm001.domain.com" # Manager LB VIP

# All the installer Location
#Create a folder C:\Temp\Agents and place all the MSI\EXE in there
$TempInstallPath = "C:\Temp\Agents" 

#Log Files location
# Go through all the logs post installation
$HZlogFile = "C:\Temp\Agents\HZAgent.log"
$DEMlogFile = "C:\Temp\Agents\DEMAgent.log"
$ApplogFile = "C:\Temp\Agents\AppVolAgent.log"

###################################################################
#                    MSI Arguments Arrary for EUC Agents          #
###################################################################
# Modify any MSI switched related to the agent here.
# Follow this blog post for swithces - https://askaresh.com/2021/06/28/comparision-vmware-horizon-agent-7-x-8-x-silent-install-switches-and-properties/

# VMware Horizon Agent MSI Switches
$HZMSIArguments = @(
	"/qn"
	"VDM_VC_MANAGED_AGENT=1"
    "SUPPRESS_RUNONCE_CHECK=1"
	"VDM_IP_Protocol_Usage=IPv4"
	"ADDLOCAL=Core,ClientDriveRedirection,NGVC,USB,RTAV,PerfTracker,PrintRedir,HelpDesk,TSMMR,VmwVaudio,V4V"
	"REBOOT=REallySuppress"
	"/L*v"
	$HZlogFile
)

# VMware Dynamic Enivornment Agent MSI Switches
$DEMMSIArguments = @(
    "/qn"
    "ADDLOCAL=FlexEngine"
    "REBOOT=REallysuppress"
    "/L*v"
    $DEMlogFile
)

# VMware App Volumes Agent MSI Switches
$AppVolMSIArguments = @(
    "/qn"
    "MANAGER_ADDR=$AppVolMGR"
    "MANAGER_PORT=443"
    "REBOOT=REallysuppress"
    "EnforceSSLCertificateValidation=0"
    "/L*v"
    $ApplogFile
)

###################################################################
#                    Main                                        #
###################################################################

# Install VMware Horizon Agent
Write-Host "Installing the VMware Horizon Agent" -ForegroundColor Green
$HZAgentPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $HorizonAgentName}).Fullname

# The switches "/s /v " is the Install Shield switches and rest of the aruguments are passed with MSI
$HZAgentInstall = (Start-Process -Filepath $HZAgentPath -Wait -ArgumentList "/s /v ""$HZMSIArguments" -PassThru)
$HZAgentInstall.ExitCode

Start-Sleep 20

# Install DEM Agent
Write-Host "Installing the VMware DEM Agent" -ForegroundColor Green
$DEMPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $DEMAgentName}).Fullname
$DEMAgentInstall = (Start-Process -Filepath $DEMPath -ArgumentList $DEMMSIArguments -Wait -PassThru)
$DEMAgentInstall.ExitCode

Start-Sleep 20

# Install App Volumes Agent
Write-Host "Installing the VMware App Volumes Agent" -ForegroundColor Green
$AppVolPath = (Get-ChildItem -Path $TempInstallPath | Where-Object {$_.name -like $AppVolumesAgentName}).Fullname
$AppVolAgentInstall = (Start-Process -Filepath $AppVolPath -ArgumentList $AppVolMSIArguments -Wait -PassThru)
$AppVolAgentInstall.ExitCode

Start-Sleep 20

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents install" -ForegroundColor Green
Restart-Computer -Force

Git Hubscripts/vmwareeucagent-install at master · askaresh/scripts (github.com)

A big thanks to Chris H for providing the original blueprint of the script and Wouter for showing me the magical “space” on the switch /v within the Horizon Agent installer. Final thanks to Jishan for the numerous testing cycles and additions to a different version of this script which tackles VMware Tools reboot and continues installing post a reboot.

I hope you will find this script useful to install the VMware EUC agents and never look back to install them individually. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Reference Article – VMware Agent Install order – Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (vmware.com)

Tags: , , , , , , , ,

Script uninstall VMware EUC Agents – App Volumes Agent, Horizon Client, DEM Agent, Horizon Agent and VMware Tools

29 Jun

If you are planning for the VMware EUC Stack migration or upgrade and are in the middle of uninstalling the existing agents, look no further and here is the script that will allow you to uninstall all the agents and reboot the golden image towards the end. There is no need to remove individual agents one by one from the “Program and Features”; instead, sit back, relax and have a coffee!

VMware EUC Agents:

  • VMware App Volumes Agent (Works on 2.x and 4.x/YYMM)
  • VMware Horizon Client (Optional)
  • VMware Dynamic Environment Manager Agent (Works on 9.x and YYMM)
  • VMware Horizon Agent (Works on 7.x and 8.x/YYMM)
  • VMware Tools (Works on 11.x)

Note – All the above testing is carried out on Windows 10 1909/Windows Server 2016 with PowerShell 5.1. The PowerShell module Uninstall-Package suppresses individual reboot and we perform the final reboot towards the end using the Restart-Computer module. (Reboot is required to complete the uninstallation operations.)

VMware EUC Agents
#################################################################################
# Un-Install EUC Agents in the proper order for Golden Image
# App Volumes Agent, Horizon Client(Optional), DEM, Horizon and VMware Tools
# Suppressed auto Reboot the OS towards the end after un-installing all Agents.
# Comment or Un-comment the Agent that does not apply to your environment
# Author - Aresh Sarkari (Twitter - @askaresh)
#################################################################################

#Un-installing VMware App Volumes Agent
Write-Host "Un-installing the App Volumes Agent" -ForegroundColor Green
Get-Package -Name 'App Volumes **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Client
#Write-Host "Un-installing the VMware Horizon Client" -ForegroundColor Green
#Get-Package -Name 'VMware Horizon Cli**' | Uninstall-Package

#sleep -Seconds 60

#Un-installing VMware Dynamic Environment Agent
Write-Host "Un-installing the Dynamic Environment Agent" -ForegroundColor Green
Get-Package -Name 'VMware Dynamic **' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Horizon Agent
Write-Host "Un-installing the VMware Horizon Agent" -ForegroundColor Green
Get-Package -Name 'VMware Horizon Ag**' | Uninstall-Package

sleep -Seconds 60

#Un-installing VMware Tools Agent
Write-Host "Un-installing the VMware Tools Agent" -ForegroundColor Green
Get-Package -Name 'VMware Tools' | Uninstall-Package

sleep -Seconds 60

# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents Un-install" -ForegroundColor Green
Restart-Computer -Force

GitHub scripts/vmwareeucagent-uninstall at master · askaresh/scripts (github.com)

Thanks to Hilko and Joel for reviewing the script and providing valuable feedback.

I hope you will find this script useful to uninstall the VMware EUC agents and never look back to remove individual programs under “Programs and Features”. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Comparison VMware Horizon Agent 7.x/8.x (Silent Install) Switches and Properties

28 Jun

We are in the middle of automating the VMware Horizon Agent 8.x installer for the golden images. To undertake such a task, it’s essential to understand all the MSI Switches that come along with the installer. If you had already automated the Horizon Agent 7.x install it’s also important to check which MSI switches have been removed in Horizon Agent 8.x/YYMM. The below details will show you the switches and highlight the removed/deltas MSI Switches and Properties.

I use a tool called lessmsi GitHub – activescott/lessmsi: A tool to view and extract the contents of an Windows Installer (.msi) file. which essentially extracts the MSI contents and provides a detailed table view of the feature components and properties.

Horizon Agent 8.x\YYMM version (Features available within the agent)

Feature (s38)Feature_Parent (S38)Title (L64)Description (L255)Directory_ (S72)
URLRedirectionCoreURL Content RedirectionRedirects URL content from a server session to a client device and vice versa. 
PSGCore   
VmVideoCore   
VmwVdisplayCore   
VmwViddCore   
SmartCardSingleUserTSCore   
RDSH3D 3D RDSHThis feature enables hardware 3D acceleration in RDSH sessions. 
NGVC VMware Horizon Instant Clone AgentHorizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later. 
ScannerRedirection Scanner RedirectionEnables the Scanner Redirection feature. 
SerialPortRedirection Serial Port RedirectionEnables the Serial Port Redirection feature. 
SmartCard Smartcard RedirectionEnables the Smartcard Redirection feature. 
TSMMR TSMMRTerminal Services Multimedia Redirection. 
PrintRedir VMware Integrated PrintingVMware Integrated Printing Redirection. 
USB USB RedirectionUSB Redirection. Refer to the VMware Horizon Security document for guidance on using USB redirection securely. 
V4V Horizon Monitoring Service AgentHorizon Monitoring Service Agent. 
VmwVaudio VMware AudioVMware virtual Audio driver 
SdoSensor SDO Sensor RedirectionEnables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop. 
HybridLogon Hybrid LogonEnables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials. 
HelpDesk Help Desk Plugin for Horizon AgentHelp Desk Plugin for Horizon Agent. 
RDP Enable RDP (hidden)  
BlastUDPCore   
Core Core[ProductName] core functionalityINSTALLDIR
VMWMediaProviderProxy VMware Virtualization Pack for Skype for BusinessThis feature will enable optimization for Skype for Business in remote desktop 
ClientDriveRedirection Client Drive RedirectionAllow Horizon Clients to share local drives with remote desktops and applications. If not installed, copy/paste and drag and drop files and folders features will be disabled. 
RTAV Real-Time Audio-VideoReal-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use. 
GEOREDIR Geolocation RedirectionEnables redirection of client’s geolocation to the remote desktop 
PerfTracker Horizon Performance TrackerEnables Horizon Performance Tracker 
Horizon Agent 8.x/YYMM Release MSI Features

Horizon Agent 7.x version (Features available within the agent)

Feature (s38)Feature_Parent (S38)Title (L64)Description (L255)Directory_ (S72)
URLRedirectionCoreURL Content RedirectionRedirects URL content from a server session to a client device and vice versa. 
PSGCore  
VmVideoCore  
VmwVdisplayCore  
VmwViddCore  
SmartCardSingleUserTSCore  
FlashURLRedirection Flash URL RedirectionEnables Flash URL Redirection for internal company controlled web pages. 
RDSH3D 3D RDSHThis feature enables hardware 3D acceleration in RDSH sessions. 
SVIAgent VMware Horizon View Composer AgentVMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated Farms 
NGVC VMware Horizon Instant Clone AgentHorizon Instant Clone Agent should only be installed on a virtual machine running on VMware vSphere 6.0/2015 U1 or later. It cannot be co-installed with Horizon View Composer Agent. 
ScannerRedirection Scanner RedirectionEnables the Scanner Redirection feature. 
SerialPortRedirection Serial Port RedirectionEnables the Serial Port Redirection feature. 
SmartCard Smartcard RedirectionEnables the Smartcard Redirection feature. 
TSMMR TSMMRTerminal Services Multimedia Redirection. Does not support IPv6 configuration. 
ThinPrint Virtual PrintingVirtual Printer Support 
PrintRedir VMware Integrated PrintingVMware Integrated Printing Redirection. 
USB USB RedirectionUSB Redirection. Refer to the VMware Horizon 7 Security document for guidance on using USB redirection securely. 
V4V vRealize Operations Desktop AgentvRealize Operations Desktop Agent. Does not support IPv6 configuration. 
VPA VMware Horizon 7 Persona ManagementVMware Horizon 7 Persona Management 
VmwVaudio VMware AudioVMware virtual Audio driver 
DeviceBridgeBAS Device Bridge BAS PluginEnables finger scanners supported by BAS system 
SdoSensor SDO Sensor RedirectionEnables Simple Device Orientation(SDO) Sensor Redirection feature, reports device orientation changes to remote desktop. 
CIT VMware Client IP TransparencyThis feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration. 
HybridLogon Hybrid LogonEnables Hybrid logon which allows an unauthenticated user access to network resources without the need to enter credentials. 
HelpDesk Help Desk Plugin for Horizon AgentHelp Desk Plugin for Horizon Agent. 
RDP Enable RDP (hidden)  
BlastUDPCore  
Core Core[ProductName] core functionalityINSTALLDIR
VMWMediaProviderProxy VMware Virtualization Pack for Skype for BusinessThis feature will enable optimization for Skype for Business in remote desktop 
ClientDriveRedirection Client Drive RedirectionAllow Horizon View Clients to share local drives with their remote desktops and applications. Does not support IPv6 configuration. 
RTAV Real-Time Audio-VideoReal-Time Audio-Video enables users to redirect locally connected audio and video peripherals back to the remote desktop for use. 
FLASHMMR Flash RedirectionFlash Redirection 
GEOREDIR Geolocation RedirectionEnables redirection of client’s geolocation to the remote desktop 
PerfTracker Horizon Performance TrackerEnables Horizon Performance Tracker 
Horizon Agent 7.x Release MSI Features

If you want to download the spreadsheet version of the table above/below you can find it below. Note there is a bonus within the spreadsheet: MSI Property comparision between Horizon Agent 7.x and Horizon Agent 8.x and two MSI Properties have been removed VDM_FLASH_URL_REDIRECTION and INSTALL_VDIDISPLAY_DRIVER (Part of the Core in 8.x).

compare-horizon8.x-7.x-agent-features-msi-switches-propertiesDownload

Deprecated/Delta Features between 7.x and 8.x/YYMM release

From the table above, we know all the switches of the Horizon Agent 7.x and 8.x versions. Once we compare the above two tables, we are left with the following delta, and I have commented on whether each feature exists or is removed. Please make sure to remove them from your existing scripts or silent installers if you had added them during your Horizon 7.x installs.

Feature (s38)Title (L64)Description (L255)Additional Comments
FlashURLRedirectionFlash URL RedirectionEnables Flash URL Redirection for internal company controlled web pages.Flash come to EOL in 2020. Feature has been deprecated
SVIAgentVMware Horizon View Composer AgentVMware Horizon View Composer Agent RDSH installs: This machine can be used as the parent image for provisioning Automated FarmsVMware Compose was replaced by Instant Clones
ThinPrintVirtual PrintingVirtual Printer SupportThinPrint is replaced by VMware Integrated Printing
VPAVMware Horizon 7 Persona ManagementVMware Horizon 7 Persona ManagementPersona is replaced by App Volumes or DEM or FSLogic
DeviceBridgeBASDevice Bridge BAS PluginEnables finger scanners supported by BAS systemFeature has been deprecated
CITVMware Client IP TransparencyThis feature allows remote connections to Internet Explorer to use the Client’s IP address instead of this machine’s. Does not support IPv6 configuration.Feature has been deprecated
FLASHMMRFlash RedirectionFlash RedirectionFlash come to EOL in 2020. Feature has been deprecated
Delta or Deprecated feature list after comparing the above two tables

I hope you will find this post useful to perform silent installs on Horizon Agent. My request is if you find any additional delta or enhancements, please make sure to share it back with me.

Thanks,
Aresh Sarkari

Reference – Check out the VMware documentation on Silent Installation Properties for Horizon Agent (vmware.com)

Tags: , , , , ,

VMware Horizon Events Database – Annual Clean-up (purge old data)

14 May

VMware Horizon doesn’t restrict the growth of the historical tables in the Horizon Events database. VMware has a detailed knowledge base article with describes in details Purging old data from the View Events Database (2150309). However, there is a catch if you are trying to delete many records at one time, you will get transaction log full error. The below procedure will help you overcome the challenge. In our scenario, we purge the records once every year.

use HZNLOG
select count(*) from [dbo].[POD1_event_data_historical] where EventID in (select EventID from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000')
select count(*) from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000'

In the above example HZNLOG is the name of the database. POD1 is the prefix of the Horizon Events Database (Check in Horizon Admin console) and 2021-01-31 is the YYYY-MM-DD format (Show me all records before 31st Jan 2021)

No. of older records in Events DB

If we used the delete tables mentioned within the knowledge base article, we get the following error “The transaction log for database ‘HZNLOG’ is full due to ‘LOG_BACKUP”. Of course, the number of records in our case we are trying to delete is relatively high(Millions).

Error during deletion “Log is full”

You can shorten the above query for approx. 30 or 15 days, but still in our scenario, one would have to run the delete query more than 15 times to perform the annual clean-up. After searching around, I came across a blog post – Deleting millions of records from a table without blowing the transaction log (A big thank you Merill for sharing his knowledge) I tweaked it for my usecase of Horizon Events DB clean-up and, in a single query within 20 mins I could perform a yearly clean-up without any fuss of transaction log getting full. Essentially this performs the clean-up in a batch size of 10,000 row counts.

DECLARE @continue INT
DECLARE @rowcount INT
 
SET @continue = 1
WHILE @continue = 1
BEGIN
    PRINT GETDATE()
    SET ROWCOUNT 10000
    BEGIN TRANSACTION
	delete from [dbo].[POD1_event_data_historical] where EventID in (select EventID from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000')
	delete from [dbo].[POD1_event_historical] where Time < '2021-01-31 00:00:00.000'
    SET @rowcount = @@rowcount 
    COMMIT
    PRINT GETDATE()
    IF @rowcount = 0
    BEGIN
        SET @continue = 0
    END
END

The ouput will look something like below:

Enteire deletion in batches of 10K rows

After running the above deletion query, now re-run the select query to see if records exist before 31st Jan 2021, and now we have 0 records.

Zero records found

I hope you will find this SQL query helpful to perform Horizon Events Database clean-up in a jiffy. My request if you further enhance the query or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Tags: , ,

VMware App Volumes – Volumes were not mounted due to an issue with your Writable Volume

18 Mar

Random floating desktop pools within our environment would exhibit issues where in the end-user would login to their desktop and they will be presented with a black screen with the message – Volumes were not mounted due to an issue with your Writable Volume. Please try logging in again, or contact your administrator.

Error

When this issue would surface, neither the AppStacks nor Writable Volumes would mount to the end-user desktop and if the end-user clicked on OK the session would log-off.

Environment Details

VMware Horizon 7.11
VMware App Volumes 2.18.5
VMware Dynamic Environment Manager 9.10
Windows 10 1909 Enterprise

Process of elimination

  • The App Volumes (AV) agent is able to communicate to the AV Manager on port 443 without any issues.
  • There were no SSL errors or load balancing issues communicating with the Agent/Manager.
  • We thought a particular Writable Volumes (WV) would be causing the issue. Deleted and re-created the WV still the issue would persist.
  • The issue would happen randomly for few users again and again.

Resolution

My team managed to open a VMware GSS case handled by Sanjay SP (A very helpful support engineer), he mentioned there were quite a few cases opened on a similar pattern. Following were the assessments from our logs:

  • During the first startup of Instant Clones, App Volumes Agent queries below registry key to know the customization status and updates manager with the same
    • [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\ViewComposer\ga\AgentIntegration]
      • “CustomizationState”=dword:1
  • It has a timeout of 300 seconds, and if this task times out AppVolumes manager will fail to create a unique identity for the VM in its database
  • In the App Volumes Agent logs, we see the respective timeout
    • [2021-03-09 07:11:34.009 UTC] [svservice:P1564:T1976] HandleNGVC: Waiting for NGVC to complete (count 299)
    • [2021-03-09 07:11:34.009 UTC] [svservice:P1564:T1976] Timed out waiting on NGVC after 300 seconds, disabling
  • The customization itself is working fine and we do see the registry entries getting updated with appropriate values. However, its not completed within 300 seconds. 

Fix

  • The delay in cloneprep customization was not found with IPv6 disabled on the primary nic adapter. The recommendation was to disable IPv6 since we don’t use it within the NIC adapter properties.
Disable IPv6 in the network adapters

I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Internet Explorer crashing on Windows Server 2016 – Remote Desktop Session Host

18 Feb

We encountered a strange issue on the Windows Server 2016 Remote Desktop Session Host (RDSH) used for VMware Horizon Application Publishing. The Internet Explorer would launch and get into “Not Responding” state, and eventually, the process would close out without any errors.

IE Opening and Crashing

Process of elimination

  • We thought either Windows cumulative updates introduced the issue as it was working fine earlier.
  • There were no errors in the Windows Event Viewer (Application, System or Internet Explorer)
  • We used the Deployment Image Servicing and Management (DISM) command line tool to disable/enabled Internet Explorer without any luck.
    • dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
    • dism /online /Enable-Feature /FeatureName:Internet-Explorer-Optional-amd64
  • Procmon is showing IE tries to launch the process multiple times, but the sub-process keep failing, and IE finally gives up at the end
IE Process launching multiple times
  • We were running out of troubleshooting ideas

Resolution

My team ended up opening a Microsoft Support case, and they could see that “Name Not Found for the ieproxy.dll” which is due to ieproxy.dll registration issues. Support confirmed they had seen similar instances in the past.

Please open command prompt with Admin rights and re-register the dll from System32 and Syswow64 folders.

%SystemRoot%\System32\regsvr32 ieproxy.dll

%SystemRoot%\Syswow64\regsvr32 ieproxy.dll

 I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Horizon VDI – Calculator – Photos – Edge Not launching for end-users – Windows 10

8 Feb

In Windows 10 1909 VMware OST optimized image the end-users report they cannot open the following three built-in UWP windows application.

  • Microsoft Calculator
  • Microsoft Photos
  • Microsoft Edge browser

When the end-users try to open any of the three applications, nothing would happen – No error messages or pop-ups. The application doesn’t launch.

Environment Details

VMware Horizon 7.11
VMware App Volumes 2.18.5
VMware Dynamic Environment Manager 9.10

Process of elimination

  • The AppX package for (Calc, Photos and Edge) did exist in the base operating system
  • We can launch all the three applications within the optimized golden image template.
  • We were running the VMWare OSOT tool with the default VMware Windows 10 template. No additional customization or options selected.
  • One thing was evident the base template was working fine. The suspicion was around AppStack – App Volumes (We disabled the AppStacks/Writable Delivery – Same issue observed) or Dynamic Environment Manager causing the application from launching
  • We were running out of troubleshooting ideas

Resolution

Upon searching, I came across this community page – https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Windows-10-UWP-Applications-and-Taskbar/m-p/523086 and it outlined a solution of re-registering the UWP AppX package for the built-in application. We tried the fix in the DEV environment and it worked. Further it was replicated to the production setup.

Step 1: A Powershell script to register the AppX packages

Get-AppxPackage -allusers *windowscalculator* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppxPackage -allusers *windows.photos* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}
Get-AppXPackage -AllUsers *edge* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Step 2 : Create a Dynamic Environment Manager – Logon Tasks

We selected to put the Powershell script within the UEM Share as the end-users have the read- access.

DEM - Logon Task
DEM-LogonTasks

 Quick Update based on 4th Aug 2021 (Thanks to Curtis for bring this up in the comments section)

The above DEM 9.10 logon task no longer works in situation where end-users dont have local administrative priviledges users not being able to run the script at logon.

In the latest version of Dynamic Enivornment Manager 20XX onwards, you can now hook logon tasks into Elevated Tasks by using Privilege Elevation rules.

In DEM:

1. User Environment > Privilege Elevation > Create new privilege elevation rule

2. In the “Type” drop down menu, select “Elevated Task”

3. Click “Add”

4. In the Executable field:
“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

5. In the Arguments field type the path to your script logon script

6. In User Environment > Logon Tasks, select the logon task that runs and registers the UWP apps.

7. Check “Elevated Task” and in the drop down select the Elevated Task you just created in the list.

After this, the script should be able to run at logon regardless of whether or not the user has local administrator rights!

I hope you will find this information useful if you encounter the issue. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Tags: , , , ,

Black screen when re-connect to VMware Horizon virtual desktop

27 May

We had an issue after we upgraded our EUC Stack, especially VMware App Volumes 2.14 to 2.18.1. Quite a few end-users started reporting black screen when they were trying to re-connect to their desktops post the original session launch. This would mean re-connect post breaks, endpoint screen locks, next working day re-connections, etc.

EUC Environment Details:
VMware Horizon 7.11
VMware App Volumes 2.18.1
VMware Dynamic Environment Manager 9.10
VMware Horizon Client 5.x
VMware Workspace One 3.3

Process of elimination

  • If we re-created the writable volumes of the problematic end-users the black screen issue would go away. This provided us with a clue that the problem lied with VMware App Volumes – Writable Volumes
  • No errors/failures observed within the VMware DEM/Horizon logs
  • Upgrade the Horizon Client to the latest 5.x version to remove any Client related issues
  • We already had the necessary anti-virus exclusion based on VMware Antivirus Considerations in a VMware Horizon 7 Environment

Resolution
After trying out all the usual steps and avoid re-creating writable volumes for problematic end-users, we managed to open a VMware GSS case handled by Karan Ahuja(Very helpful support engineer), which ended been worked by the engineering team(Art Rothstein – Champ in AV Eng Team). Note quite alot of logs, memory dumps, and Procmon were exchanged from the problematic VM using various remote gathering techniques. Finally, the fix was determined as a writable volume snapvol.cfg exclusion. (In our case, the problem is caused by smss.exe using a copy of winlogon.exe that is on the writable volume). After putting this exclusion into all problematic end-users, they stopped seeing Black screen issues upon re-connect.

exclude_path=%SystemRoot%\System32\winlogon.exe
Path exclusion in writable volumes snapvol.cfg

In this blog, I am not outlining the steps on how to add the snapvol.cfg exclusion as my ex-colleague Daniel Bakshi outlines on a VMware blog post on how to do it step by step. I hope you will find this information useful if you encounter intermittent black screen issues.

Thanks,
Aresh Sarkari

Tags: , , , ,

← Older Entries
Newer Entries →