Tag Archives: server 2012R2

Check Adobe Flash version Internet Explorer (Active-X) on Server 2012/2016 and Windows 8.1/10

Published / by Rens Hollanders

Hi there,

Just a very short post, because sometimes your search queries on Google don’t match the result you are looking for. I was looking for a way to detect which version of Adobe Flash is natively installed on a client’s Windows Server (which happens to be Server 2012R2) and what its current patch level would be.

If you click this link (it points to Adobe’s website) and click on the button: “Check Now”, it will give you a result of which version of Adobe Flash is installed for Internet Explorer.

checknow

After hitting “Check now” you will see the following result:

result

If you want to know which other versions of Adobe Flash Player are installed, for example for Google’s Chrome (PPAPI) and Mozilla’s Firefox (NPAPI), type appwiz.cpl in your Start screen, which will bring you directly to the installed programs menu of the Control Panel.

Cheers! Rens

 

Citrix – XenApp/Desktop integrate Internet Explorer 11 Enterprise Mode – Issue and workaround

Published / by Rens Hollanders

Working in real life production environments beats concept and test environments each and every time when it comes to debugging and optimizing the environment for your care-free 😉 end-users.

No matter how much you have tested up front, if you think you’ve got it covered for 99,9 % there’s always that 0,01 % that comes knocking at your door. This time it’s Internet Explorer 11 Enterprise Mode, in combination with Citrix XenApp 7.5 / 7.6, that causes a malfunction of the so-called EMIE feature.

First some more details about Internet Explorer Enterprise Mode or EMIE:

A lot has been written about EMIE and one of the founding fathers, I believe, is Microsoft Architect Chris Jackson, who was so kind to at least hear me out after I contacted him on Twitter FTW!

EMIE operates as an alternative to Internet Explorer’s Compatibility View. It’s a feature that needs to be enabled through Group Policy Objects to reveal itself to the user. The benefit of using EMIE over Compatibility View is that EMIE allows us to specify individual websites to run EMIE even when the parent website should not run EMIE. This is in contrast to Compatibility View, which only allows you to run entire domains in compatibility view, without excluding or including sub-domains or sub-sites.

If EMIE had been enabled on your machine, you would have found it here:

figure 1.1: Internet Explorer Tools


Since it’s not there we need to make it visible: start GPEDIT.MSC and go to: “Computer Configuration \ Administrative Templates \ Windows Components \ Internet Explorer” and enable “Let users turn on and use Enterprise Mode from the Tools menu”. Next, perform a GPUPDATE /FORCE to force the policy to become active.

figure 1.2: Group Policy Objects – Configure EMIE


This lets you put websites in Enterprise Mode for the length of your current browser session. When you close your session, Enterprise Mode is no longer active for that website when it is revisited.

Since we configured the Group Policy Object, we can now see EMIE in Internet Explorer 11:

figure 1.3: Internet Explorer Tools – EMIE visible


Microsoft has come up with a solution to provide a list of websites that forces Internet Explorer 11 to always render those particular websites in Enterprise Mode. For this, the following Group Policy Object is configured: “Computer Configuration \ Administrative Templates \ Windows Components \ Use the Enterprise Mode IE website list”. This allows you to generate a website list XML file, which specifies which websites should run Enterprise Mode and which shouldn’t.

It looks like this, and is best managed and generated with the Enterprise Mode Site List Manager:

figure 1.4: EMIE Site List Manager


figure 1.5: EMIE Site List Manager – Add new website


If for example the website: www.google.com was to run in Enterprise Mode, it would look like this:

figure 1.6: Google running EMIE


EMIE can be easily identified by looking at the address bar: in front of it you should see a blue square with a white office building logo. This indicates that EMIE is enabled for this particular website.

The problem:

In this particular case we have set up EMIE to use the Sitelist.xml hosted on a file server. It’s also possible to host the file on either a web server or a local file path.

If we look at EMIE and its behavior in the registry, we can conclude that the following information is necessary to configure EMIE for users.

In HKLM we encounter the following key and registry values: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode” -Name “Enable” -value “blank” -type “REG_SZ”

And -Name “SiteList” -value “path to xml file” -type “REG_SZ”

figure 1.7: Regedit – HKLM


And in HKCU we encounter the following key and registry value: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode” -string “Currentversion” -value “1” -type “REG_SZ”

The CurrentVersion value checks whether the Sitelist.xml has been updated between the previous and current session. If this is the case, EMIE will retrieve the new Sitelist.xml from the designated target location. This procedure also causes EMIE to malfunction in cases where the list has not been updated but the list itself is not retrieved. The solution to this is to either delete the CurrentVersion value from the user’s registry each time, or to increase the version number within the Sitelist.xml. I chose another option: use mandatory profiles! Since mandatory profiles are already in place within our environment, each time the user logs out everything that is not preserved with RES Workspace Manager Zero Profile technology will be deleted. For more information about this particular ‘error’, please visit this social.technet thread.

What we encountered in our environment was that when logging in to a Citrix connected session Enterprise Mode was not configured, as opposed to when we logged in from a Remote Desktop session. This came forward while troubleshooting the issue. At first we looked with ProcMon to find out whether any other process was interfering with our Group Policy Object and RES Workspace Manager, which we use to configure HKCU Group Policy Objects and registry settings, but we couldn’t find a direct lead to the problem.

The behavior prior to resolving the issue was that, when using a Citrix connected session, the “EnterpriseMode” key was not and could not be created in the user’s registry for the length of the session. Strangely enough we could create registry values under .\Internet Explorer\Main, but not keys. Regedit threw an error stating:

figure 1.8: Regedit – Error


Unfortunately the screenshot is in Dutch, but it states: Cannot create key: an error has occurred when trying to write to the registry.
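The registry state described above can be collected in one pass from inside the affected session. This is an added example, not part of the original post: it assumes the SiteList value is a local or UNC path and that the site list's root element carries the `version` attribute; `Test-EmieState` and the probe key name are hypothetical.

```powershell
# Added example, not from the original post. Assumes SiteList is a local or
# UNC path; Test-EmieState and the probe key name are hypothetical.
function Test-EmieState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
    $userMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $userKey   = Join-Path $userMain 'EnterpriseMode'

    # Machine policy: the "Enable" value and the path to the site list.
    $policy   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $siteList = if ($policy) { $policy.SiteList }

    # Version number stored on the root element of the site list XML.
    $listVersion = $null
    if ($siteList -and (Test-Path -LiteralPath $siteList)) {
        $xml = [xml](Get-Content -LiteralPath $siteList -Raw)
        $listVersion = $xml.DocumentElement.GetAttribute('version')
    }

    # Version this user profile last recorded (absent on a fresh profile).
    $user        = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    $userVersion = if ($user) { $user.CurrentVersion }

    # Probe whether this session can create a subkey under ...\Main at all,
    # using a throwaway key that is removed again straight away.
    $probe = Join-Path $userMain ('EmieProbe-' + [guid]::NewGuid())
    $canCreateKey = $true
    try {
        New-Item -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction Stop
    } catch {
        $canCreateKey = $false
    }

    [pscustomobject]@{
        PolicyEnabled   = [bool]($policy -and $policy.PSObject.Properties['Enable'])
        SiteListPath    = $siteList
        SiteListVersion = $listVersion
        UserVersion     = $userVersion
        UserKeyExists   = Test-Path -Path $userKey
        VersionsMatch   = ($listVersion -and ("$listVersion" -eq "$userVersion"))
        CanCreateSubkey = $canCreateKey
    }
}

Test-EmieState | Format-List
```

Running it once in a Citrix session and once in a Remote Desktop session gives a side-by-side record of the difference; `CanCreateSubkey = False` corresponds to the Regedit error shown above.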

The workaround:

While troubleshooting, I submitted a ticket with Microsoft Support, but they were unable to find anything concerning Server 2012 R2, Internet Explorer or EMIE in particular, which pointed me to Citrix. I received a tip from a Citrix partner to create a registry placeholder through a Group Policy Object, which is what I did:

figure 1.9: Group Policy Objects – User Configuration registry placeholder

figure 1.10: Group Policy Objects – User Configuration registry placeholder

figure 1.11: Group Policy Objects – User Configuration registry placeholder

This finally ‘resolved’ my issue, and made it possible to use EMIE within a Citrix XenApp 7.5 / 7.6 environment. However, it’s still unclear what hijacks the “.\Internet Explorer\MAIN” key. Thanks to the placeholder it’s now possible to create keys underneath MAIN, which was necessary for EMIE to function properly.

Although this workaround works for now, I’m convinced the error lies within Citrix, and they should at least examine the root cause of this incident, since Server 2012 R2 and Citrix XenApp are becoming common ground in Server Based Computing land and I think it’s highly unlikely that no one else will encounter the same issue.

In the meantime, this should do the trick and I hope this can be useful for anyone encountering the same issue.

Don’t agree? Or got a better idea? As always, comments and contributions in the comment section are greatly appreciated.

Cheers! -Rens

 

RES Workspace Manager – Inject Java Security level for users

Published / by Rens Hollanders

Today I encountered a challenge which I think needed to be shared with you all.

Currently I’m working with other colleagues on building a brand new Citrix XenApp 7.5 environment based on Server 2012 R2 x64 in combination with RES Workspace Manager 2014 SR1, together with mandatory profiles and RES Zero Profiling technology.

A user who works with several Java applications encountered the following problem:

figure 1.1: Java Application Blocked by Security Settings


Since this error is generated by Java, I immediately went to the control panel to investigate the available options for configuring Java.

You can find the Java control panel applet, when you change the “Category” view in your control panel to “Large” or “Small” icons.

figure 1.2: Control Panel – Java (32-bit)


Click the “Java (32-bit)” shortcut in your control panel, and the following screen will appear:

figure 1.3: Java Control Panel


Now for example, if we want to change the security level of Java, which prevents the current Java application from running, change the security level from “High”

figure 1.4: Java Control Panel – Security High


To “medium”

figure 1.5: Java Control Panel – Security Medium


And click “OK”.

This would do the trick, but how can this setting be passed on to users logging on to a Citrix environment with mandatory profiles?

Since we are using RES Workspace Manager, I did the following:

First of all I needed to capture the setting with some kind of tool. You’ve got two options here:

  1. Regshot, which is an open-source and free tool to capture and compare system state registry and file system changes between two snapshots and show what has changed.
  2. ProcMon, which is a great tool for checking real-time processes, registry behavior and much more.

I chose ProcMon (make sure it runs in admin mode!)

figure 1.6: ProcMon


Now, when ProcMon is started, make sure you stop capturing (leave ProcMon running for some time and you’ll know why 😉 ) and make sure the list of captured events is made empty by clearing the screen:

 figure 1.7: ProcMon – Capture and Clear Screen


Now that’s out of the way, since we want to capture some Java activity, go to Filter in the menu, and add the following filter: “Path” contains “Java”

 figure 1.8: ProcMon – Add filter


Click “Add” and then “Apply”.

Now you have made a filter only showing events which concern the word “Java”.

Now repeat the configuration of the Java security level on the Java control panel menu. And you will see the following appearing in ProcMon:

 figure 1.9: ProcMon – Results


As you can see here, Java writes the changes to the following path: “C:\Users\Administrator\Appdata\LocalLow\Sun\Java\Deployment\deployment.properties”

Examining this location reveals the following:

 figure 1.10: Windows Explorer – File location


If you open this file with notepad, you will find several properties which indicate how Java is configured on your machine.

 figure 1.11: Deployment.Properties – Content


So there you have it: the Java configuration file.

The same goes when adding certain trusted websites to the Java applet:

figure 1.12: Java Control Panel – Edit Site List


If you click “Edit Site list” the following screen appears:

figure 1.13: Exception Site List


By clicking “Add”, another screen appears:

figure 1.13: Exception Site List – Adding the website


For example, by adding Google.com to the list of trusted sites to run Java applets, you’ll receive a security warning if you click “OK”.

figure 1.13: Exception Site List – Just click OK…


And by clicking “Continue”, the website will be added to the list of trusted sites to run Java-applets. Again a setting which will be written to a config file, this time on the following location:

“C:\Users\Administrator\Appdata\LocalLow\Sun\Java\Deployment\Security\exception.sites”

 figure 1.14: Windows Explorer – File location


If you open this file with notepad, you will find the website we’ve just added:

 figure 1.15: Exception.Sites – Content


Now, how can this be incorporated for every user signing into a Citrix environment with mandatory profiles you ask?

In the RES Workspace Manager console, go to “Administration > Custom Resources”, and add the deployment.properties and / or the exception.sites file as a custom resource:

 figure 1.16: RES Workspace Manager Console – Custom Resources


Go to “Composition > Execute Command” and click “New Command”

In the properties pane, make sure the script is executed “At logon after other actions”. As command, specify the following: “%script%”. This makes sure you can use the “Script” pane, which can hold far more complex and, even more important, multi-line scripts.

 figure 1.16: RES Workspace Manager – Execute Command


As you can see, I’ve pasted the following script in the “Script” pane:

 figure 1.17: Execute Command – Script


The exact content of the script is:

script 1.1: Copy Java security permission file to designated location

 figure 1.18: RES Workspace Manager – Execute Command


Now each time a user logs into the Citrix environment the Java configuration file “deployment.properties” will be copied from the database used by RES into the specified location, setting the correct Java security level, trusted websites and other related settings for each user, during each session.
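Because these two files now decide the Java security posture of every session, it is worth being able to list what they actually contain per user. The audit below is an added example, not the script from the original post: it assumes the standard `deployment.security.level` key and the file locations shown above, must run elevated to read other profiles, and `Get-JavaDeploymentAudit` is a hypothetical name.

```powershell
# Added example, not from the original post. Reads every profile's Java
# deployment files and reports a lowered security level and exception sites.
function Get-JavaDeploymentAudit {
    param([string]$ProfilesRoot = 'C:\Users')

    foreach ($userDir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory) {
        $deploy    = Join-Path $userDir.FullName 'AppData\LocalLow\Sun\Java\Deployment'
        $propsFile = Join-Path $deploy 'deployment.properties'
        $sitesFile = Join-Path $deploy 'security\exception.sites'
        if (-not (Test-Path -LiteralPath $propsFile)) { continue }

        # deployment.properties holds key=value pairs; # and ! start comments.
        $props = @{}
        foreach ($line in Get-Content -LiteralPath $propsFile) {
            if ($line -match '^\s*([^#!=\s][^=]*?)\s*=\s*(.*)$') {
                $props[$Matches[1]] = $Matches[2].Trim()
            }
        }
        # The key is only written when the level differs from the default.
        $level = $props['deployment.security.level']

        # exception.sites is plain text, one URL per line.
        $sites = @()
        if (Test-Path -LiteralPath $sitesFile) {
            $sites = @(Get-Content -LiteralPath $sitesFile |
                       Where-Object { $_.Trim() })
        }

        [pscustomobject]@{
            User           = $userDir.Name
            SecurityLevel  = if ($level) { $level } else { '(default)' }
            LevelLowered   = ($level -eq 'MEDIUM')
            ExceptionSites = $sites
            NonHttpsSites  = @($sites | Where-Object { $_ -notmatch '^https://' })
        }
    }
}

# Show only profiles where the level was lowered or a non-HTTPS site is trusted.
Get-JavaDeploymentAudit |
    Where-Object { $_.LevelLowered -or $_.NonHttpsSites.Count -gt 0 } |
    Format-List
```

The same parsing can be pointed at the copy of the files stored as a custom resource before it is distributed, so a lowered level or an unexpected exception site is caught before it reaches every session.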

As you can see, an entirely different warning appears, which is perfectly normal. It hopefully makes users aware of the potential risk of opening the Java applet. But 90% of the users will happily make use of their trigger-finger twitch!

 figure 1.19: Java Security Warning


Got anything to add, got a trick up your sleeve which can simplify this action, or am I just doing it all wrong? 🙂 Please leave your comments in the comment section!

Cheers Rens!

 

WinPE 5.0 will not boot on Hyper-V properly if start-up memory is less than 1024 Mb

Published / by Rens Hollanders

Since Windows 8.1 is here, and I’m a deployment enthusiast who likes to work with new things, I needed to upgrade my own system to Windows 8.1.

After this was complete I immediately installed the Hyper-V client role on my machine and created a Windows Server 2012R2 with MDT 2013 and Windows Assessment and Deployment Kit 8.1 for Windows 8.1 and Windows Server 2012R2.

During the installation of the Windows Server 2012R2 in Hyper-V I received the following error: “Error code: 0xE0000100”

figure 1.1: Windows Server 2012R2 installation error


Later on it appeared to me that addressing less than 1024 Megabytes of memory caused this error.

After my server and MDT 2013 were successfully installed, I wanted to do some deployment testing using one of my VMs, which I have configured as follows:

figure 1.2: Hyper-V Machine Configuration – Memory


Since I’m only using Hyper-V for my own lab/test environment and my client machine has 16 Gb of RAM memory, I always check the “Use Dynamic Memory for this virtual machine” checkbox, thinking that if my virtual machine needs more memory than 512 Mb, it will claim it by itself!

By increasing the memory configuration in Hyper-V for this particular virtual machine from 512 Mb to 1024 Mb the installation error of Windows Server 2012R2 was resolved, which got me thinking…

If Windows Server 2012R2, Windows 8.1 (which has been released at the same time with these two operating systems) and WinPE 5.0 all have the same kernel, increasing the memory from 512 Mb to 1024 Mb on a virtual machine which I’m going to use for MDT deployments should solve my problem that WinPE 5.0 stalls during boot and shows no MDT wizard screens within WinPE, and my assumption was correct.

So, if you encounter this on your own lab environment, or using WinPE 5.0 on Hyper-V, then make sure the virtual machine you are using has at least 1024 Mb of startup memory available!

Almost weekend! Cheers! 😀