MDT – Versioning made easy (powershell = king)

The great thing I like about doing projects with customers is that each and every customer has its own challenges. And I think it is safe to say that challenges bring out the best in all of us IT Pros.

In this particular post, I want to talk about the Microsoft Deployment Toolkit's versioning mechanism: ..MDT has no versioning mechanism :(

Wouldn’t it be nice to just have an option to duplicate a task sequence, like MDT’s big brother, Microsoft System Center Configuration Manager?

Well that day has come my friends :)

Currently I’m working on reverse engineering a Citrix XenApp 6.5 environment which needs to be rebuilt from the ground up with MDT. And after it has been built, it needs to be managed, improved and extended further when necessary.

Now it is perfectly possible to duplicate task sequences manually: just create a new task sequence with the wizard within MDT, copy the ts.xml and optionally the unattend.xml from your control\<tsid> folder to the new control\<newtsid> folder, and voilà, your task sequence is duplicated. But wouldn’t it be nice to do this automatically?

Since MDT is free, while tools such as RES Automation Manager and System Center Config. Mgr. cost money (..and Config. Mgr. in particular costs lots of it), and depending on the tools that are present in any particular organization, I wanted to create a solution for having some kind of versioning system in MDT.

Since I’m getting more and more familiar with PowerShell, I can kick in an open door by saying what we all know: PowerShell is truly King. Although I do not possess all the knowledge, luckily I have multiple colleagues who are willing to help me at any given time. This time I would like to thank Pascal Zeptner for spending his free time with me :D

Now before we talk about the script, it is imperative that your Task Sequence ID follows this naming convention:

  • OSB001
  • OSD002

I maintain this convention at all of my MDT implementations. The abbreviation OSB stands for “Operating System Build“, while OSD stands for “Operating System Deployment“. The essential difference between the two is that the first one is used for creating reference images, while the second is used for deploying the created reference image to target machines.

And to have a complete MDT environment with an orderly created folder structure in less than 20 seconds, please visit this blog: MDT2013 – Powershell ‘BESERK’ mode, configure everything with Powershell!!!

Behold the script:

First of all, the script checks for elevation; if you do not run this script elevated, it will not execute:

Secondly, the script needs certain variables to work with, in this case the following static variables:

After these variables are filled in, the script imports the MDT PowerShell module from the default location where MDT is normally installed. If you have installed MDT elsewhere, you will be notified that the MDT module was not found and the script will terminate.

Next, a new PowerShell drive is created, so we can browse the MDT virtual folder structure:

After this, the real stuff begins. In the following lines of code, the properties of the task sequences are queried and presented with the “Out-GridView” cmdlet, which gives a nice selection dialog to pick the task sequence we want to duplicate.

From this selected task sequence, we query its ID and increase the number in the ID by 1 to create the new Task Sequence ID.

The same goes for the Task Sequence Version, which is also queried and increased by 1 on the minor version. As soon as the version of the task sequence hits .9, the major version is increased instead, from 1.0 to 2.0.

Lastly the name of the task sequence is queried. Assuming we use a naming convention for our task sequences that ends in “v1.0″, the last three characters are removed and replaced with the $NewTSVersion variable. This causes our newly created task sequence to receive a name with the increased version number too!

Now that all the information we need to duplicate our task sequence is known, we can actually create the new task sequence and copy the contents of our reference task sequence to it:

As you can see, there are some checks built in that verify that the task sequence to be created does not already exist at the physical folder level.
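The steps above, worked through as an added example that is not the script from this post. It assumes a deployment share at D:\DeploymentShare, the default MDT install path, the Client.xml template with the operating system path in $OsPath, the OSB001/OSD002 ID convention and names ending in “vX.Y”; only the ID, version and name handling and the existence check before copying are the point here.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's script). Paths and template below are assumptions.
$DeploymentShare = 'D:\DeploymentShare'                       # assumption
$OsPath          = 'DS001:\Operating Systems\Windows 7 x64'   # assumption: OS the template needs
$MdtModule       = 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'

function Get-NextTaskSequenceId {
    # OSB001 -> OSB002; the alphabetic prefix and the zero-padded width are preserved.
    param([Parameter(Mandatory)][string]$Id)
    if ($Id -notmatch '^(?<prefix>[A-Za-z]+)(?<num>\d+)$') {
        throw "Task Sequence ID '$Id' does not follow the OSB001/OSD002 convention"
    }
    $next = ([int]$Matches.num + 1).ToString().PadLeft($Matches.num.Length, '0')
    return $Matches.prefix + $next
}

function Get-NextTaskSequenceVersion {
    # 1.3 -> 1.4, and 1.9 rolls over to 2.0 (the ".9 bumps the major version" rule).
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -notmatch '^(?<major>\d+)\.(?<minor>\d)$') {
        throw "Version '$Version' is not in the form major.minor (e.g. 1.0)"
    }
    $major = [int]$Matches.major; $minor = [int]$Matches.minor
    if ($minor -eq 9) { $major++; $minor = 0 } else { $minor++ }
    return "$major.$minor"
}

function Get-NextTaskSequenceName {
    # "Windows 7 x64 Build v1.3" -> "Windows 7 x64 Build v1.4": only the trailing X.Y is replaced.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$NewVersion)
    if ($Name -notmatch 'v\d+\.\d$') { throw "Name '$Name' does not end in 'vX.Y'" }
    return ($Name -replace '\d+\.\d$', $NewVersion)
}

if (-not (Test-Path $MdtModule)) { throw "MDT PowerShell module not found at $MdtModule" }
Import-Module $MdtModule
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $DeploymentShare | Out-Null
}

# Task sequences (folders carry no ID) offered in Out-GridView; cancelling returns $null.
$source = Get-ChildItem 'DS001:\Task Sequences' -Recurse |
    Where-Object { $_.ID } |
    Select-Object ID, Name, Version |
    Out-GridView -Title 'Select the task sequence to duplicate' -OutputMode Single
if (-not $source) { return }

$newId      = Get-NextTaskSequenceId      -Id $source.ID
$newVersion = Get-NextTaskSequenceVersion -Version $source.Version
$newName    = Get-NextTaskSequenceName    -Name $source.Name -NewVersion $newVersion
$srcControl = Join-Path $DeploymentShare "Control\$($source.ID)"
$dstControl = Join-Path $DeploymentShare "Control\$newId"

# Refuse to overwrite: an existing Control\<newtsid> folder means that ID is already taken.
if (Test-Path $dstControl) { throw "Control\$newId already exists; not overwriting" }
if (-not (Test-Path (Join-Path $srcControl 'ts.xml'))) { throw "ts.xml of $($source.ID) not found" }

# Register the new task sequence so the Deployment Workbench shows it (F5 to refresh).
Import-MDTTaskSequence -Path 'DS001:\Task Sequences' -Name $newName -ID $newId -Version $newVersion `
    -Template 'Client.xml' -OperatingSystemPath $OsPath -Comments "Duplicated from $($source.ID)" `
    -FullName 'IT' -OrgName 'IT' -HomePage 'about:blank' | Out-Null

# Replace the template-generated ts.xml (and unattend.xml, if present) with the reference copies.
Copy-Item (Join-Path $srcControl 'ts.xml') $dstControl -Force
if (Test-Path (Join-Path $srcControl 'unattend.xml')) {
    Copy-Item (Join-Path $srcControl 'unattend.xml') $dstControl -Force
}
Write-Host "Duplicated $($source.ID) ($($source.Version)) to $newId ($newVersion): $newName"
```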

Now to underline all this, screenshots:

figure 1.1: Select designated task sequence for duplication

figure 1.2: Task Sequence duplicated

figure 1.3: Press F5 to refresh and see the new task sequence

figure 1.4: Perform duplication at v .9

figure 1.5: Version 2.0 created

figure 1.6: Press F5 to refresh and see the new task sequences

figure 1.7: *.xml files are copied from destination task sequence to new task sequence

..and that my padawan automaters, is how the cookie crumbles.

Comments, questions, improvements? Please let me know in the comment section. As always, it’s much appreciated.

The script and images used in this blog can be downloaded here:

Cheers! -Rens

Citrix – XenApp/Desktop integrate Internet Explorer 11 Enterprise Mode – Issue and workaround

Working in real-life production environments beats concept and test environments each and every time when it comes to debugging and optimizing the environment for your care-free ;) end users.

No matter how much you have tested up front, if you think you’ve got it covered for 99,9 % there’s always that 0,01 % that comes knocking at your door. This time it’s Internet Explorer 11 Enterprise Mode in combination with Citrix XenApp 7.5 / 7.6 that causes a malfunction of the so-called EMIE feature.

First some more details about Internet Explorer Enterprise Mode or EMIE:

A lot has been written about EMIE, and one of its founding fathers I believe is Microsoft Architect Chris Jackson, who was so kind as to at least hear me out after I contacted him on Twitter. FTW!

EMIE operates as an alternative to Internet Explorer’s Compatibility View. It’s a feature that needs to be enabled through Group Policy Objects to reveal itself to the user. The benefit of EMIE over Compatibility View is that EMIE allows us to specify individual websites to run in Enterprise Mode even when the parent website should not, as opposed to Compatibility View, which only allows you to run entire domains in compatibility view, without excluding or including sub-domains or sub-sites.

If EMIE had been enabled on your machine, you would have found it here:

figure 1.1: Internet Explorer Tools

Since it’s not there, we need to make it visible: start GPEDIT.MSC and go to “Computer Configuration \ Administrative Templates \ Windows Components \ Internet Explorer” and enable “Let users turn on and use Enterprise Mode from the Tools menu“. Next, perform a GPUPDATE /FORCE to force the policy to become active.

figure 1.2: Group Policy Objects – Configure EMIE

This lets you put websites in Enterprise Mode for the length of your current browser session. When you close your session, Enterprise Mode for that particular website isn’t active anymore when the website is revisited.

Since we configured the Group Policy Object, we can now see EMIE in Internet Explorer 11:

figure 1.3: Internet Explorer Tools – EMIE visible

Microsoft has come up with a solution to provide a list of websites that forces Internet Explorer 11 to always render those particular websites in Enterprise Mode. For this, the following Group Policy Object is configured: “Computer Configuration \ Administrative Templates \ Windows Components \ Use the Enterprise Mode IE website list “. This allows you to generate a website list XML file, which specifies which websites should run in Enterprise Mode and which shouldn’t.

It looks like this, and is best managed and generated with the Enterprise Mode Site List Manager:

figure 1.4: EMIE Site List Manager

figure 1.5: EMIE Site List Manager – Add new website

If, for example, the website www.google.com were to run in Enterprise Mode, it would look like this:

figure 1.6: Google running EMIE

EMIE can be easily identified by looking at the address bar: in front of it you should see a blue square with a white office building logo. This indicates that EMIE is enabled for this particular website.

The problem:

In this particular case we have set up EMIE to use the Sitelist.xml hosted on a file server. It’s also possible to host the file on either a web server or a local file path.

If we look at EMIE and its behavior in the registry, we can conclude that the following information is necessary to configure EMIE for users.

In HKLM we encounter the following key and registry values: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode” with -Name “Enable” -Value “blank” -Type “REG_SZ”

and -Name “SiteList” -Value “path to xml file” -Type “REG_SZ”

figure 1.7: Regedit – HKLM

And in HKCU we encounter the following key and registry value: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode” with -Name “CurrentVersion” -Value “1” -Type “REG_SZ”

The CurrentVersion value tracks whether the Sitelist.xml has been updated between the previous and the current session. If so, EMIE retrieves the new Sitelist.xml from the designated location. This procedure also causes EMIE to malfunction in cases where the list has not been updated but the list itself is not retrieved. The solution is either to delete the CurrentVersion value from the user’s registry each time, or to increase the version number within the Sitelist.xml. I chose another option: use mandatory profiles! Since mandatory profiles are already in place within our environment, each time the user logs out everything that is not preserved with RES Workspace Manager Zero Profile technology is deleted. For more information about this particular ‘error’, please visit this social.technet thread.
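A check script for the registry values just described, added here as an example rather than anything from the post. It reads the HKLM policy values, the version attribute of the site list and the HKCU CurrentVersion, and reports whether they line up; it assumes the v1 site list schema (`<rules version="N">`) and the key and value names given above.

```powershell
# Added example, not from the post. Verifies the EMIE policy, site list version and user state.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
$UserKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main\EnterpriseMode'

function Get-EmieSiteListVersion {
    # Reads the version attribute of <rules> from a site list at a UNC, local or http(s) path.
    param([Parameter(Mandatory)][string]$SiteListPath)
    if ($SiteListPath -match '^https?://') {
        [xml]$xml = (Invoke-WebRequest -Uri $SiteListPath -UseBasicParsing).Content
    } else {
        [xml]$xml = Get-Content -Path $SiteListPath -Raw
    }
    return [int]$xml.rules.version
}

function New-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-EmieConfiguration {
    # Returns one finding per check; Status is OK, WARN or FAIL.
    $findings = New-Object System.Collections.Generic.List[object]

    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $policy) { $findings.Add((New-Finding 'HKLM policy' 'FAIL' "$PolicyKey is missing")); return $findings }

    # "Enable" only needs to exist (its data is blank in the post) for the Tools menu entry to appear.
    $enableStatus = if ($policy.PSObject.Properties['Enable']) { 'OK' } else { 'WARN' }
    $findings.Add((New-Finding 'Enable' $enableStatus 'Enterprise Mode entry in the Tools menu'))

    $siteList = $policy.SiteList
    if (-not $siteList) { $findings.Add((New-Finding 'SiteList' 'WARN' 'no site list configured')); return $findings }
    try {
        $listVersion = Get-EmieSiteListVersion -SiteListPath $siteList
        $findings.Add((New-Finding 'SiteList' 'OK' "$siteList (version $listVersion)"))
    } catch {
        $findings.Add((New-Finding 'SiteList' 'FAIL' "cannot read $siteList : $($_.Exception.Message)"))
        return $findings
    }

    # HKCU CurrentVersion lags behind the XML version until IE has fetched the list once.
    $user = Get-ItemProperty -Path $UserKey -ErrorAction SilentlyContinue
    if ($user -and $user.PSObject.Properties['CurrentVersion']) {
        $userVersion = [int]$user.CurrentVersion
        if ($userVersion -eq $listVersion) {
            $findings.Add((New-Finding 'CurrentVersion' 'OK' "user copy is version $userVersion"))
        } else {
            $findings.Add((New-Finding 'CurrentVersion' 'WARN' "user has $userVersion, list is $listVersion; IE refetches on next start"))
        }
    } elseif ($user) {
        $findings.Add((New-Finding 'CurrentVersion' 'WARN' 'key present, but the list was never fetched in this profile'))
    } else {
        # The Citrix symptom from the post: values under ...\Main could be written, but no key created.
        try {
            New-Item -Path $UserKey -Force -ErrorAction Stop | Out-Null
            $findings.Add((New-Finding 'HKCU key creation' 'OK' "$UserKey created"))
        } catch {
            $findings.Add((New-Finding 'HKCU key creation' 'FAIL' "cannot create $UserKey : $($_.Exception.Message)"))
        }
    }
    return $findings
}

Test-EmieConfiguration | Format-Table -AutoSize
```

Run it once in an RDP session and once in a Citrix-connected session of the same user to compare the "HKCU key creation" finding.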

What we encountered in our environment was that when logging in to a Citrix-connected session, Enterprise Mode was not configured, as opposed to when we logged in from a Remote Desktop session. This came forward while troubleshooting the issue. At first we looked with ProcMon to find out whether any other process was interfering with our Group Policy Object and RES Workspace Manager, which we use to configure HKCU Group Policy Objects and registry settings, but we couldn’t find a direct lead to the problem.

The behavior prior to resolving the issue was that, when using a Citrix-connected session, the “EnterpriseMode” key was not and could not be created in the user’s registry for the length of the session. Strangely enough we could create registry values under .\Internet Explorer\Main, but not keys. Regedit threw an error stating:

figure 1.8: Regedit – Error

Unfortunately the screenshot is in Dutch, but it states: Cannot create key: an error occurred while trying to write to the registry

The workaround:

While troubleshooting, I submitted a ticket with Microsoft Support, but they were unable to find anything concerning Server 2012 R2, Internet Explorer or EMIE in particular, which pointed me to Citrix. I received a tip from a Citrix partner to create a registry placeholder through a Group Policy Object, which is what I did:

figure 1.9: Group Policy Objects – User Configuration registry placeholder

figure 1.10: Group Policy Objects – User Configuration registry placeholder

figure 1.11: Group Policy Objects – User Configuration registry placeholder

This finally ‘resolved’ my issue and made it possible to use EMIE within a Citrix XenApp 7.5 / 7.6 environment. However, it’s still unclear what hijacks the “.\Internet Explorer\MAIN” key; thanks to the placeholder it’s now possible to create keys underneath MAIN, which was necessary for EMIE to function properly.

Although this workaround works for now, I’m convinced the error lies with Citrix, and they should at least examine the root cause of this incident, since Server 2012 R2 and Citrix XenApp are becoming common ground in Server Based Computing land and I think it’s highly unlikely that no one else will encounter the same issue.

In the meantime, this should do the trick, and I hope it can be useful for anyone encountering the same issue.

Don’t agree? Or got a better idea? As always, comments and contributions in the comment section are greatly appreciated.

Cheers! -Rens

RES Workspace Manager – Save IE and Windows Credentials

Just a quick post to inform everyone who is interested where to find and preserve the Internet Explorer and Windows credentials used to log in to SharePoint websites, web portals and other websites.

Normally you would find these settings within Windows, at the following place: “Control Panel \ All Control Panel Items \ Credential Manager”

figure 1.1: Credential Manager

The folder locations where these files can be found on your own computer, and their place in the registry, are:

  1. C:\Users\<username>\AppData\Local\Microsoft\Credentials
  2. C:\Users\<username>\AppData\Roaming\Microsoft\Credentials
  3. C:\Users\<username>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  4. HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

If we take a look into the “Credentials” folders, you will not see anything unless you uncheck “Hide protected operating system files (Recommended)” in the folder options:

figure 1.2: Folder options

Once this has been done, have a look into your .\Credentials folders to find files like these:

figure 1.3: Credentials

Now, if we want to preserve this information with RES Workspace Manager (since you might have configured mandatory profiles with RES Zero Profile technology), just add the following four paths to your “User Setting template” for Internet Explorer 11. (Alternatively you may want to create a dedicated User Setting for these credentials.)

  1. Folder tree: %LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  2. Folder tree: %LOCALAPPDATA%\Microsoft\Credentials
  3. Folder tree: %APPDATA%\Microsoft\Credentials
  4. Registry tree: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Remarkably, the first path needs to be added into RES Workspace Manager including the GUID folder: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28

To learn more about the credentials Vault present in Windows, please visit this excellent blog written by “Derek Melber”: Saving Credentials on Windows Computers

figure 1.6: RES Workspace Manager – Edit User Setting

Click OK, and you are good to go! Now passwords entered on websites will be preserved in between user sessions.

Again any comments or contributions are valued!

Cheers! :)

MDT and RES Automation Manager – Let’s come together (in Sweet Harmony)

More and more I encounter companies who already own a distribution mechanism, or who have already implemented the Microsoft Deployment Toolkit and are looking for a distribution or deployment mechanism.

Since MDT is free to use, and RES Automation Manager costs a fraction of the cost of System Center Configuration Manager or, nowadays, the entire System Center Suite, it makes a lot of sense to a lot of people that integrating or combining MDT with RES Automation Manager is a strong combination to service workstations, servers or other hardware that needs to be provided with an operating system and software.

Although I’m pro MDT, I’m not necessarily against RES Automation Manager. I only want to point out that the need for a management tool depends on requirements that are drafted by the people who determine the company policy on this topic.

Now it may be that your organization already has RES Automation Manager in place. All the modules, projects and run books have been figured out, so taking them out of RES Automation Manager to put them in MDT might be a bit crazy, especially when those modules are also used in other situations.

Today I’m going to show you how you can incorporate RES Automation Manager in MDT!

First of all we need to have the RES Automation Manager Agent, which needs to be imported in MDT as an application.

Depending on which kind of agent you have created from RES Automation Manager, the standard MSI or the MSI preconfigured to run a certain project, you’ll need to specify the following installation parameters:

Standard RES AM Agent installation, invoking a project:

RES AM Agent installation, preconfigured:

Now, for instance, if you want to deploy a computer with MDT and manage it afterwards, the last step in your task sequence should be the installation of RES Automation Manager, and the FinishAction in your customsettings.ini should be set to either:

Leaving the FinishAction property blank will simply do nothing: the machine will be finished, MDT will clean up its act, and RES Automation Manager will kick in; depending on whether you have created a project that should always be invoked on this particular deployment, RES Automation Manager will begin executing that project.

The second option, FinishAction=LOGOFF, will log off the machine, making it unavailable for people to access the computer while it is being configured by RES Automation Manager.

Today I encountered a different scenario which puts things in a whole other perspective. For this particular client, who is building an Enterprise VDI image, the machine is deployed with MDT, and when MDT is finished, RES Automation Manager finalizes the installation with middleware components and other configuration before it is converted to a VMware snapshot, which is the basis of this VDI solution.

Now I received a question today to use this same RES Automation Manager project, with some minor configuration changes, when creating a reference image with MDT on physical hardware, to deploy to one and the same hardware model.

Just to be clear, this goes against the concept of MDT. Building a reference image on physical hardware is basically a no-go: due to driver store pollution, driver conflicts etc., this is something you want to avoid at all costs. Also, using another tool to do what MDT is capable of, especially when creating a reference image, might be a bit contradictory. However, I do not question the client’s request.

To achieve this, we again need the RES Automation Manager Agent incorporated as an application within MDT.

figure 1.1: Install RES Automation Manager Agent 2014

Then in our task sequence we need to make use of the “LTISuspend.wsf” script, which temporarily pauses the MDT task sequence at the moment the script is called. As you can see here, this happens right after the installation of RES Automation Manager.

If you don’t pause your task sequence, or if RES Automation Manager isn’t the last action in your MDT task sequence, MDT will just continue executing other tasks once the RES Automation Manager Agent is installed! Conversely, RES Automation Manager will terminate the MDT task sequence process and you’ll be left with an incomplete deployment!

figure 1.2: LTISuspend.wsf

After MDT has been configured, we need to create a module in RES Automation Manager, called: “Operation: Resume Suspended Task Sequence”

figure 1.3: RES Automation Manager – Module

This module holds an “Execute Command” task.

figure 1.4: RES Automation Manager – Execute Command

The “Execute Command” action, contains the following command line:

figure 1.5: RES Automation Manager – Execute Command – Settings

Now make sure that this particular module is set to run last. After it, no other task from RES Automation Manager may be executed:

figure 1.6: RES Automation Manager – Project

Now, when RES Automation Manager is finished executing the project, the last thing RES Automation Manager does is execute the resume function of the “LTISuspend.wsf” script.

After this, MDT continues the task sequence and captures the machine into a WIM file. If you don’t want the RES Automation Manager Agent in your reference image, you’ll need to provide an uninstallation command in MDT before the machine is captured. Uninstalling software is executed by using:

In addition, you might want to delete the following registry key, since it holds the GUID RES AM uses to authenticate against the database.

This can be done by executing the following command:

And so I can now finally say: MDT and RES Automation Manager can live in (sweet) harmony. And to underline this….MUSIC!

Cheers! :)

RES Workspace Manager – Inject Java Security level for users

Today I encountered a challenge which I think needed to be shared with you all.

Currently I’m working with other colleagues on building a brand new Citrix XenApp 7.5 environment based on Server 2012 R2 x64 in combination with RES Workspace Manager 2014 SR1, together with mandatory profiles and RES Zero Profiling technology.

A user who works with several java applications encountered the following problem:

figure 1.1: Java Application Blocked by Security Settings

Since this error is generated by Java, I immediately went to the control panel to investigate the available options for configuring Java.

You can find the Java control panel applet when you change the “Category” view in your control panel to “Large” or “Small” icons.

figure 1.2: Control Panel – Java (32-bit)

Click the “Java (32-bit)” shortcut in your control panel, and the following screen will appear:

figure 1.3: Java Control Panel

Now, for example, if we want to change the security level of Java, which prevents the current Java application from running, change the security level from “High”

figure 1.4: Java Control Panel – Security High

To “medium”

figure 1.5: Java Control Panel – Security Medium

And click “OK”.

This would do the trick, but how can this setting be passed on to users logging on to a Citrix environment with mandatory profiles?

Since we are using RES Workspace Manager, I did the following:

First of all I needed to capture the setting with some kind of tool. You’ve got two options here:

  1. Regshot, which is an open-source and free tool to capture and compare registry and file system changes between two snapshots and show what has changed
  2. ProcMon, which is a great tool for checking real-time processes, registry behavior and much more.

I chose ProcMon (make sure it runs in admin mode!)

figure 1.6: ProcMon

Now, when ProcMon is started, make sure you stop capturing (leave ProcMon running for some time and you’ll know why ;) ) and clear the list of captured events by clearing the screen:

figure 1.7: ProcMon – Capture and Clear Screen

Now that’s out of the way. Since we want to capture some Java activity, go to Filter in the menu and add the following filter: “Path” contains “Java”

figure 1.8: ProcMon – Add filter

Click “Add” and then “Apply”.

Now you have made a filter that only shows events which concern the word “Java”.

Now repeat the configuration of the Java security level in the Java control panel, and you will see the following appear in ProcMon:

figure 1.9: ProcMon – Results

As you can see here, Java writes the changes to the following path: “C:\Users\Administrator\Appdata\LocalLow\Sun\Java\Deployment\deployment.properties”

Examining this location reveals the following:

figure 1.10: Windows Explorer – File location

If you open this file with notepad, you will find several properties which indicate how Java is configured on your machine.

figure 1.11: Deployment.Properties – Content

So there you have it: the Java configuration file.

The same goes for adding trusted websites in the Java applet:

figure 1.12: Java Control Panel – Edit Site List

If you click “Edit Site list” the following screen appears:

figure 1.13: Exception Site List

By clicking “Add”, another screen appears:

figure 1.13: Exception Site List – Adding the website

For example, by adding Google.com to the list of trusted sites to run Java applets, you’ll receive a security warning when you click “OK”

figure 1.13: Exception Site List – Just click OK…

And by clicking “Continue”, the website is added to the list of trusted sites allowed to run Java applets. Again a setting which is written to a config file, this time at the following location:

“C:\Users\Administrator\Appdata\LocalLow\Sun\Java\Deployment\Security\exception.sites”

figure 1.14: Windows Explorer – File location

If you open this file with notepad, you will find the website we’ve just added:

figure 1.15: Exception.Sites – Content

Now, how can this be incorporated for every user signing into a Citrix environment with mandatory profiles you ask?

In the RES Workspace Manager console, go to “Administration > Custom Resources”, and add the deployment.properties and / or the exception.sites file as a custom resource:

figure 1.16: RES Workspace Manager Console – Custom Resources

Go to “Composition > Execute Command” and click “New Command”.

In the properties pane, make sure the script is executed “At logon after other actions”, and as command specify “%script%”; this makes sure you can use the “Script” pane, which can hold far more complex and, even more important, multi-line scripts.

figure 1.16: RES Workspace Manager – Execute Command

As you can see, I’ve pasted the following script in the “Script” pane:

figure 1.17: Execute Command – Script

The exact content of the script is:

script 1.1: Copy Java security permission file to designated location

figure 1.18: RES Workspace Manager – Execute Command

Now each time a user logs into the Citrix environment, the Java configuration file “deployment.properties” will be copied from the database used by RES into the specified location, setting the correct Java security level, trusted websites and other related settings for each user, during each session.
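A logon script that does the copy described above and also writes the exception.sites file, added here as an example and not the script shown in the post’s screenshot. It assumes the captured deployment.properties was uploaded as a custom resource, that the RES variable %rescustomresources% resolves to the folder holding it, and a constructed list of allow-listed sites.

```powershell
# Added example, not the post's script. Meant to run from the RES "Execute Command" at logon.
param(
    [string]$SourceDir = $env:rescustomresources,   # assumption: folder with the custom resources
    [string[]]$ExceptionSites = @('https://intranet.example.local', 'https://www.google.com')  # constructed
)
$deployDir   = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment'
$securityDir = Join-Path $deployDir 'Security'

function Get-JavaSecurityLevel {
    # Returns deployment.security.level from a deployment.properties file (Java's default HIGH if unset).
    param([Parameter(Mandatory)][string]$PropertiesFile)
    $line = Get-Content $PropertiesFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*deployment\.security\.level\s*=' } | Select-Object -Last 1
    if ($line -match '=\s*(\S+)') { return $Matches[1] } else { return 'HIGH' }
}

function Set-JavaUserDeployment {
    param([string]$From, [string[]]$Sites)
    # Mandatory profile: the folders do not exist yet at logon, so create them first.
    New-Item -ItemType Directory -Path $securityDir -Force | Out-Null

    # 1) deployment.properties (e.g. deployment.security.level=MEDIUM) copied from the custom resources.
    $src = if ($From) { Join-Path $From 'deployment.properties' }
    if ($src -and (Test-Path $src)) {
        Copy-Item $src (Join-Path $deployDir 'deployment.properties') -Force
    } else {
        Write-Warning "deployment.properties not found in '$From'; Java keeps its default level"
    }

    # 2) exception.sites: one origin per line. Allow-listing sites is narrower than lowering the global level.
    $sites = $Sites | Where-Object { $_ -match '^https?://' } | Sort-Object -Unique
    Set-Content -Path (Join-Path $securityDir 'exception.sites') -Value $sites -Encoding ASCII

    return Get-JavaSecurityLevel -PropertiesFile (Join-Path $deployDir 'deployment.properties')
}

$level = Set-JavaUserDeployment -From $SourceDir -Sites $ExceptionSites
Write-Host "Java user security level is now $level; $($ExceptionSites.Count) exception sites written"
```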

As you can see, an entirely different warning appears, which is perfectly normal. It hopefully makes users aware of the potential risk of opening the Java applet. But 90% of the users will happily make use of their trigger-finger twitch!

figure 1.19: Java Security Warning

Got anything to add, got a trick up your sleeve which can simplify this action, or am I just doing it all wrong? :) Please leave your comments in the comment section!

Cheers! -Rens