Tag Archives: VDI

Upgrade from VMware Horizon 7.13.1 to 8.6 (2206) fails with VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed

22 Dec

Many customers are already in the process of upgrading from VMware Horizon 7.x to 8.x or will soon upgrade as the End Of Life dates are upcoming in April 2023. I want to share a rare experience wherein the Horizon upgrade from 7.13.1 to 8.6 version failed. In the rare occasion where in upgrade fails in the below mentioned manner, the workaround steps will come in handy.

We have only received the workaround from VMware support, and I intend to update the post once I get a complete RCA. At least the workaround can help someone not have to revert the entire environment instead, follow the workaround and avoid a lot of rework.

Issue

During the upgrade of the first connection server in the POD1, we encountered the following error five mins into the upgrade. Note before starting the upgrade, the entire health dashboard for the POD was green and included backup and snapshots.

Environment Overview

Let take a look at the environment details to provide an high-level overview:
Active Site (POD1)

  • 5 VMware Horizon Connection Servers 7.13.1
  • SQL Database on Microsoft SQL 2016 Always-on – EventsDB
  • The 5 Brokers are behind an NSX Load balancer

Active Site (POD2)

  • 5 VMware Horizon Connection Servers 7.13.1
  • SQL Database on Microsoft SQL 2016 Always-on – EventsDB
  • The 5 Brokers are behind an NSX Load balancer

Observations

The logs from the installer had the following message it’s complaining about insufficient privileges, which the installer is run with admin privileges already.

MSI (s) (A0:E0) [06:12:07:977]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
Action 6:12:07: InstallServices. Installing new services
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ProgressTotal(Total=9,Type=1,ByteEquivalent=1300000)
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ServiceInstall(Name=PCOIPSG,DisplayName=VMware Horizon View PCoIP Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\bin\SecurityGateway.exe",ServiceType=16,StartType=3,ErrorControl=1,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View PCoIP gateway services.,,)
InstallServices: Service:
MSI (s) (A0:E0) [06:12:08:228]: Executing op: ServiceInstall(Name=VMBlastSG,DisplayName=VMware Horizon View Blast Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\appblastgateway\nssm.exe",ServiceType=16,StartType=3,ErrorControl=0,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View Blast gateway services.,,)
InstallServices: Service:
Info 1923.Service VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed. Verify that you have sufficient privileges to install system services.
Action ended 6:12:08: InstallFinalize. Return value 3.

Also noticed during the upgrade, it should uninstall the services from version 7.13.1, and new services would be created for version 8.6. In this case, they were listed as disabled.

Workaround

Later during the ongoing RCA investigation, a workaround provided was working well. The reason for socializing the workaround is that we spent a tremendous amount of time and effort in a revert operation, which was very time consuming and cumbersome. Only if we had known about this workaround during the failed upgrade would we have saved tremendous effort.

#ProTip – If you have two POD, make sure before you start the upgrade. Take a snapshot of all the PODS together at the same time. This could help you in scenarios where the POD1 upgrade fails, and you can revert the entire environment (POD1 & POD2) from snapshots.

Prerequisite / Rollback Plan 

  1. Power off all the Connection Servers part of Cloud POD Federation 
  2. Take a powered-off snapshot
  3. In case of an incident during the change activity which requires recovering Horizon Environment, Snapshots will be used as a fallback plan as the last option if break/fix, troubleshooting steps performed is not resolving the issue. 
  4. In troubleshooting scenarios of a failed upgrade 

Workaround Steps 

  1. The following steps need to be performed on each Connection Server at a time 
  2. Uninstall HTML and Horizon Connection Server 7.13.1 component keeping ADLDS and ADLDSG Instances intact. Check services.msc, and Horizon Services will appear in the Disabled state 
  3. Perform a reboot of the Connection Server, and Horizon Services will be cleared from services.msc
  4. Install Horizon 8.6 as Standard, which will pick the residing ADLDS and ADLDSG instance
  5. After successful install, it can be verified using ldp utility as instructed in KB https://kb.vmware.com/s/article/2064157 and look for the fields whenChanged , and whenCreated . This step can be performed prior upgrade for comparing the state of ADLDS

The VMware GSS case handled by Jezill Asharaf (A very helpful support engineer) and a few of the backend engineering team has been instrumental. I hope you will find this information useful if you encounter the issue and it should help you save time. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Install VMware Horizon Client using Winget

14 Dec

The enterprise has been rolling out the application packages using various available methods (GPOs, SCCM, WS1 UEM etc.) in the industry. Today we are going to take a step further and see how to deploy the VMware Horizon Client using the new Micrososft Windows Package Manager (Winget)

Available Commands for various verison of Horizon Client

Following are the commands however, it’s recommended only to install the latest or the matching version based on your VMware Horizon environment.

VMware Horizon 8.xVMware Horizon Client 8.x
VMware Horizon 7.xVMware Horizon Client 5.x
# Latest GA version VMware Horizon Client version 8.7.0.31805
winget install -e --id VMware.HorizonClient
# VMware Horizon Client version 8.6.0.29364
winget install -e --id VMware.HorizonClient -v 8.6.0.29364
# VMware Horizon Client version 8.5.0.26981
winget install -e --id VMware.HorizonClient -v 8.5.0.26981
# VMware Horizon Client version 8.4.1.26410
winget install -e --id VMware.HorizonClient -v 8.4.1.26410
# VMware Horizon Client version 8.3.0.21227
winget install -e --id VMware.HorizonClient -v 8.3.0.21227
# VMware Horizon Client version 8.2.0.18176
winget install -e --id VMware.HorizonClient -v 8.2.0.18176
# VMware Horizon Client version 8.1.0.15949
winget install -e --id VMware.HorizonClient -v 8.1.0.15949
# VMware Horizon Client version 8.0.0.13243
winget install -e --id VMware.HorizonClient -v 8.0.0.13243
# VMware Horizon Client version 5.5.4.26353
winget install -e --id VMware.HorizonClient -v 5.5.4.26353
# VMware Horizon Client version 5.5.3.24986
winget install -e --id VMware.HorizonClient -v 5.5.3.24986
# VMware Horizon Client version 5.5.2.19788
winget install -e --id VMware.HorizonClient -v 5.5.2.19788
# VMware Horizon Client version 5.5.1.17068
winget install -e --id VMware.HorizonClient -v 5.5.1.17068
# VMware Horizon Client version 5.5.0.14558
winget install -e --id VMware.HorizonClient -v 5.5.0.14558

Installing, Listing, Upgrading and Un-installing the latest version HZ Client

Open the PowerShell with administrative privileges

Installing

winget install -e --id VMware.HorizonClient

Listing the installed package

List the package and its details of the previous installation step

winget list --name 'VMware Horizon Client'

Upgrading from version 5.5.4 to 8.7.0

winget upgrade --id VMware.HorizonClient

Un-installing

Following is the command to uninstall the Horizon Client.

winget uninstall --id VMware.HorizonClient

Note after running the above command, the Windows endpoint rebooted immediately. I am not whether the product team has included the /norestart switches to the packages. If you come across the same leave a comment down below.

I hope you will find this helpful post about the winget and VMware Horizon Client details. Give it a spin in your lab and production environment, if you find anything interesting. I hope you can share it back with me?

Thanks,
Aresh Sarkari

Azure Virtual Desktop – PowerShell – Create a Host Pool, Application Group and Workspace for RemoteApp aka Published Applications

13 Dec

In the previous blog post we learnt how to create the PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image | AskAresh and today we are going to take a step further and deploy the following features within Azure Virtual Desktop using PowerShell:

  • Create Host Pool with Type – RemoteApp
  • Create the Application Group (AG)
  • Create an Workspaces
  • Assign the Azure Active Directory Group to the (AG)

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

RemoteApp

RemoteApp – This is a way to provide end-users with the business applications alone without giving them an entire desktop. They can access their applications anywhere on any device.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Azure Subscription for the creation of AVD – Host Pools
  • Assumption
    • You have an existing Resource Group (RG)
  • Azure PowerShell Modules – Az.DesktopVirtualization

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this Host Pool (Australia East)
  • Name of the Host Pool (RA-HP01)
  • Host Pool Type (Pooled) as it will be shared with multiple end-users
  • Load balancing method for the Host Pool (DepthFirst)
  • Maximum users per session host VM (10)
  • The type of Application Group (RailApplications). As we are only giving out end-users Apps
  • Application Group Name ($HPName-RAG)
  • Workspace grouping name ($HPName-WRK01)
  • Azure AD group that will be assigned to the application group (XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX)
# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • Create the host pool with all the mentioned variables, tags and whether the validation enivornment yes/no.
  • Create the application group and tie it to the host pool
  • Finally, we create the workspace and tie it to the application group and hostpool
  • Last step, we assign the AAD group object ID to the Application Group for all entitlement purposes.
# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – avdwin365mem/createhp-ag-wk-RA at main · askaresh/avdwin365mem (github.com)

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "dcc4b896-2f2d-49d9-9854-33768d8b65ba"

# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Next Steps on the Host Pool

Now that the host pool, application group and workspaces are ready following are the next steps involved:

  • Generate a registration token
  • Add the session host virtual machine to the host pool
  • Create Applications within the Application Group. You can create multiple Applications in single AG or 1 AG per Application.

I hope you will find this helpful information for deploying a host pools, application group and workspaces within Azure Virtual Desktop. If you want to see a Powershell version of the applications & session host activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Making Microsoft Quick Assist work with VMware App Volumes – Writable Volumes

6 Sep

Microsoft Quick Assist is a tool widely used by service desk teams to take remote control of a computer and help end-users with a screen share. We noticed with the recent changes Microsoft made to Quick Assist, it stopped working when VMware App Volumes – Writable Volumes were present.

Error launching Quick Assist

We tried many steps of installing the Quick Assist offline using various Powershell commands, and nothing worked out. We also got to a point Quick Assist will launch without the Writable Volumes present or local admins with Writable Volumes. In the end, VMware Support GSS, with help from backend engineering, provided a working solution.

Solution (Workaround)

Step 1 – Download the offline version of the Quick Assist App from the Microsoft store and place all the files into C:\Temp\QuickAssist. Following are the steps to download the offline version of MS store apps.

Offline Files MS Quick Assist

Step 2 – Delete the old version of the Quick Assist App (Not part of the MS Store). Start Menu > Settings > Apps > Optional features > Microsoft Quick Assist > Uninstall. 

Uninstall Optional Features – Microsoft Quick Assist

Step 3 – Install the Offline version of the Microsoft Quick Assist package using PowerShell

PowerShell Add-AppxProvisionedPackage -PackagePath C:\Install\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense
PowerShell Install Appx Package

Step 4 – Install WebView2 component which is a pre-requisite for Quick Assist. Note this step is quite important and not something that has been emphazied alot.

  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
  C:\Install\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
Install Microsoft Edge WebView

Step 5 – Launch the Quick Assist App once. Make sure, without launching the app, don’t move to the next step. Please wait at least 10 mins on this step or/else reboot the template VM and launch the app

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
Launching Quick Assist

Step 6 – Create an OS scheduled task to run at every logon. This will launch the Quick Assist and register at every logon.

schtasks /create /RU "SYSTEM" /TN RegisterQuickAssist /SC ONLOGON /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-AppxProvisionedPackage -PackagePath C:\Temp\QuickAssist\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense"
Schedule Task – Register of Microsoft Quick Assist at User Login

Step 7 – Take a snapshot of the golden image and the remaning steps will be performed in App Volumes files.

Step 8 – We need to prepare the template bundle of Writable Volumes (UIA+Profile) to contain a file startup_postsvc.bat with the following contents. Note Alter the file path if you decide to use something else.

  @echo off
  setlocal enabledelayedexpansion
  set WV_Path=none
  for /F "tokens=3" %%A in ('reg query HKLM\System\ControlSet001\Services\svservice\Parameters /v WritableVolume 2^>nul') do (
    set WV_Path=C:%%A
    fltmc attach bindflt !WV_PATH!
  )
  reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView" /v DisplayName >nul 2>&1
  if %ERRORLEVEL% NEQ 0 (
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
    start /wait C:\Temp\QuickAssist\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
  )

Here is the procedure to update the writable volume’s file – Update Writable Volumes (vmware.com). Zip all the files and push the changes using AV Manager > Writables > Update Writable Volumes

Additional Files for writable volumes startup

Step 9 – Validation login to the virtual desktop (Make sure the updated file – startup_postsvc.bat are pushed onto the WV). After a few seconds, the Microsoft Edge WebView2 Runtime component and Quick Assist should appear in Programs and Features.

PowerShell Get-AppxPackage *assist*

Step 10 – Launch Quick Assist via Start Menu or Explorer and Voila!

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app

If you encounter a similar issue, you can follow the above solution. I hope you will find this information useful if you encounter the same issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 3+ months.

Thanks,
Aresh Sarkari

Mindmap – Part 2 – Horizon Cloud on Microsoft Azure (HCoA) – Configuration of Images – Desktops – Farms – Assignments

13 Apr

This post is in continuation of my part 1 – Mindmap – Part 1 – Horizon Cloud on Microsoft Azure (HCoA) – Quick start guide where we look at pre-requisites and the initial deployment of the HCoA solution. In this post, I want to share my learnings about the configuration of Images, Virtual Desktops, Farms and Assignments. We shall take a look into the following topics:

  • Mind map for Horizon Cloud on Microsoft Azure – Part 2 – Configuration of Images – Desktops – Farms – Assignments
    • Creating a Virtual Desktop or RDSH Image
      • Import VM
      • Create Image (Converting VM to Image)
    • Farms (Published Applications)
      • Create Desktop Farm
    • Add Applications to the Farms
      • New Applications – Auto-Scan from Farm
    • Create an Application Assignment
    • Create an Assignment for Multi-session or Hosted Shared Desktop
    • Create a Virtual Desktop Assignment (Persistent – Full Clone)
    • Create a Virtual Desktop Assignment (Non-Persistent – Floating)
    • AppStacks

In the second part of this series, the mindmap acts as an visual representation of all the configurations to be performed post the initial deployment of the Horizon Cloud Pod. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment details, and requirements for performing the next steps in your HCoA journey.

HCoA – Part 2

Disclaimer – This guide is a deployment/configuration guide, and the production settings, configuration, and use-cases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

Screenshots from my deployment

Horizon Cloud POD Managers + Unified Access Gateways

Note everything is deployed keeping in mind High availability.

  • 2 x Horizon Cloud Pod Managers
  • 2 x External Unified Access Gateways (Public IP)
  • 2 x Internal Unified Access Gateways (Internal on-premise network)
Azure – Virtual Machines

Azure Load Balancers

  • 1 x Horizon Cloud Pod Managers
  • 1 x Public UAG Appliances
  • 1 x Internal UAG Appliance
Azure – Load Balancers

Azure Virtual Network

I have created the vNet as part of pre-requisites in Part 1 series

  • 1 x Subnet for DMZ (Unified Access Gateway)
  • 1 x Subnet for Mgmt (Pod Managers)
  • 1 x Subnet for Workload (Desktop/Farms)
Azure – vNet

Azure Resource Groups

Note these are auto-created during the Pod deployment.

Azure – Resource Groups

I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Unable to use Privilege Elevation – VMware Dynamic Environment Manager

7 Mar

We were exploring the feature Privilege Elevation – VMware Dynamic Environment Manager (DEM) within our development environment, and for some odd reason, a specific feature and configuration wouldn’t work in our setup.

Disclaimer

The windows registry mentioned within this blog post is used within enterprise-grade secure environments. The hardening measure is part of CIS Benchmarks on Windows 10. If your machines aren’t hardened, the feature typically works out of the box. For example, in my home lab, I had no issues with the Privilege Elevation feature working.

Issue

Whenever we enable the feature and apply any settings, it will not work. It didn’t matter which configuration you picked. The error within the logs remains constant.

The error within the FlexEngine-ElevatedTasks.log

2022-02-21 13:02:30.122 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-22 11:22:02.960 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-28 18:23:19.736 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)

Cause

Provided by VMware – The additional configuration on LSA Protection causing issues with the VMware DEM agent (2103 Version). The windows registry key – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

RunAsPPL=1

Resolution

My team managed to open a VMware GSS case handled by GuruKripal (A very helpful support engineer), we had to provide numerous amount of logs, procmons and group policy export of the enivornment. After giving them the export of our CIS Benchmarked group policies, they could reproduce the issue. In the end, the VMware engineering team provided us with a newer build of DEM Agent (10.2.4.1023 x64.msi).

If you encounter a similar issue, you can raise a VMware support case to obtain the fix or/else, I was assured all future releases of DEM Agent would include the fix. I hope you will find this information useful if you encounter the issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 6+ months.

Thanks,
Aresh Sarkari

Mindmap – Part 2 – Managing Azure Virtual Desktop (AVD)

21 Jan

This blog post is in continuation of my part 1 – Mindmap – Part 1 – Azure Virtual Desktop (AVD) – Quick start guide to virtual desktop/applications | AskAresh where we look at deploying the AVD solution. In this post, I want to share my learnings with you all around the management and #Day2 aspects of AVD. We shall take a look into the following topics:

  • Mind map – Managing Azure Virtual Desktop
    • Scale Out – Add extra Host (VM) to the Host Pools
    • Lifecycle – Update your Master Image – Shared Image Gallery aka Azure compute galleries
    • Drain the old Session Host VM
    • Automatically Power ON the Session host Virtual Machines
    • Monitoring Azure Virtual Desktop

Mindmap for Managing Azure Virtual Desktop (AVD)

I have managed to document all the high-level steps involved in managing the AVD on an ongoing basis. The idea here is that the mindmap acts as an excellent visual representation of what to do during ongoing maintenance activities. You can figure out in advance the requirements/steps and pre-requisites.

Disclaimer – This guide is a get you started guide, and the production management may vary. Please make sure you always reference Microsoft documentation. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

I hope you will find this helpful information on your Managing Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

10 Nov

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

  • What is Orphaned Writable Volumes?
  • Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.

Pre-requisites

  • You need the App Volumes Manager URL
  • You need the username and password of the App Volumes Manager
  • You need to enter y/Y to proceed further with the deletion
  • The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)
###########################################################################
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”
}

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

}

#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content

}

GitHub scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)

Observations

  • When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.
  • Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Thanks,
Aresh Sarkari

Mindmap – Part 1 – Azure Virtual Desktop (AVD) – Quick start guide to virtual desktop/applications

1 Nov

I have been learning Azure Virtual Desktop (AVD) from the awesome book DaaS – The Complete Guide: A Step-by-Step Guide on deploying Desktop-as-a-Service solutions from Microsoft, Nutanix, Citrix, VMware, Accops. I want to share my learnings with you all, and in this post, we shall take a look into the following topics:

  • Mind map for Azure Virtual Desktop – Getting started
    • Getting started with Azure Virtual Desktop (AVD)
    • Deployment – Pre-requisites for AVD
    • Master Images – (Windows 10 Multi-Session, Windows 10 1909 Enterprise or Windows Server 2019 DC)
    • Template and Shared Image Gallery
    • Host Pools
    • Application Groups
    • Workspaces
    • Windows Desktop Client
  • Quick Start Links

Mindmap for Azure Virtual Desktop (AVD) – Getting started

Managed to put together a mindmap on the AVD getting started from zero to a working desktop or application. The idea here is the mindmap acts as an excellent visual representation of what to do during pre-requisites, deployment and you can figure out in advance the requirements/steps and pre-requisites.

Azure Virtual Desktop

Disclaimer – This guide is a get you started guide, and the production settings and configuration might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

Change log

  • The Mindmap was last updated on 21st Jan 2022 with lots of changes!

The intention here is to get you quickly started on Azure Virtual Desktop Solution:

DescriptionLinks
Azure Virtual Desktop OverviewWhat is Azure Virtual Desktop? – Azure | Microsoft Docs
Azure Virtual Desktop technical (ARM-based model) deployment walkthrough. (Christiaan Brinkhoff)Azure Virtual Desktop technical (ARM-based model) deployment walkthrough. It covers all you need to know and beyond! | christiaanbrinkhoff.com – Sharing Cloud and Virtualization Knowledge
AVD Zero to Hero (YouTube – I am IT Geek)Series 5: Episode 1 – AVD Zero to Hero Introduction – YouTube (Playlist)
AVD PowerShellAzure Virtual Desktop PowerShell – Azure | Microsoft Docs
AVD PricingAzure Virtual Desktop | Microsoft Azure

I hope you will find this helpful information on your Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, or reference links, and I will be happy to update the post.

Thanks,
Aresh Sarkari