MDOP and EMET for Windows 10

It’s been a while since I’ve posted anything here, partly because I’ve been busy at home and partly because work is full-on at the moment: I’m juggling a handful of internal systems projects as well as dropping in on customer engagements. You won’t hear me complaining, though, as it’s all great work.

In the time between my last post and now, Windows 10 is in full swing and we are already looking at Threshold 2 (the November 2015 Update) for Windows 10 shipping. This will see the Skype Messaging experience rolled out to the public, along with Cortana text messaging and missed-call notifications on the desktop, both of which have been available to people running the Windows 10 Insider Preview builds for a few weeks now.

With people looking more closely at Windows 10, there’s good news for those who rely on the slew of Microsoft tools in the enterprise, as many of them have either already been updated to support Windows 10 or are working their way towards support. MDOP 2015 was released back in August 2015 and included updated service packs for Application Virtualization (App-V) 5.0 SP3, User Experience Virtualization (UE-V) 2.1 SP1 and Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 to add support for Windows 10. For App-V and MBAM these are simply service packs that add support, whilst UE-V not only gains support for Windows 10 but also gets native support for Office 2013 via the ADMX files, which means you no longer need to manually import the Office 2013 .xml templates into your Template Store.

Sadly, UE-V 2.1 SP1 shipped before the release of Office 2016, which means there is no native support for it. This seems to be a common theme for UE-V: the product ships ready for a new Windows version but misses the matching Office version. If you want to use UE-V for Office 2016, you can head over to the TechNet Gallery and download the official Microsoft .xml templates for it from https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8.

Aside from MDOP, Microsoft EMET is being updated to version 5.5, which includes support for Windows 10 and claims much improved Group Policy based management of the clients. I haven’t tried this for myself yet as the product is still in beta, but I will be giving it a try soon and I will be sure to post anything I find that can help improve the management of it.

As a throw-in note, if you are using System Center Endpoint Protection for anti-virus then you might want to have a read of this post by System Center Dudes at http://www.systemcenterdudes.com/sccm-2012-windows-10-endpoint-protection/, which explains the behaviour of Endpoint Protection in Windows 10.

App-V 4.6 SP3 Beta Available via Microsoft Connect


For those of you out there who are using App-V but have been put off a Windows 8.1 upgrade because the upgrade installer forces you to uninstall App-V due to incompatibility issues, fear not.

https://connect.microsoft.com/MDOPTAP

Visit the URL above, fill out the survey about how your organisation uses MDOP and enjoy the download. I installed it today on my desktop which I’ve just updated to Windows 8.1 Enterprise and the Beta worked a treat. For anyone who might wonder why I upgraded to Windows 8.1 Enterprise even though it means I would lose all my applications because the Enterprise installer doesn’t offer the Retain my Apps and Files option unlike the Pro installer, it’s because of App-V. Aside from the Office suite and a few other tiny little applets I use, all of my daily use applications come via App-V.

All we need now is for the KMS Host update for Windows 8.1 to be released – Hopefully within the next 30 days otherwise my desktop is going to need to be given the rearm treatment.

App-V Hidden Drive Letter ADM File

In our environment, our users love their drive letters, and they do so to the Nth degree. As part of a change control process, a colleague and I have scheduled the deployment of the App-V Client across our business estate to allow us to begin providing users with user-centric, real-time streamed applications to meet their business needs.

Today we discovered the true nature of our Nth-degree network drive letters: after some review, it became apparent that not a single letter (beyond the usual C, D and E for local disks) was free for company-wide use, which caused us pain on the inside. We came to the conclusion that people in our business very rarely use floppy disk drives anymore, and even fewer (zero, to my best guess) use a second floppy disk drive, which means that the B: drive would be available across the estate.

Using the Microsoft App-V ADM file for Group Policy (available for download from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=25070), I re-configured our GPO to force the clients to use the B: drive instead of the App-V default Q: drive. I tested the configuration change on my own machine (ICT dogfooding for everyone) and also streamed a couple of applications to verify the drive letter change didn’t cause any issues, and then an idea came to me. If the App-V virtual file system is inaccessible to the user because of the ACLs that App-V applies to it, and the user has no reason to be meddling in the App-V virtual file system drive anyway, why display it to them at all?

I took a look at the Windows Explorer policy “Hide these specified drives in My Computer” in the User Configuration portion of Group Policy; however, for reasons beyond me, Microsoft only gives you a very limited set of options in this policy (Hide A; Hide A and B; Hide A, B and C; or Hide All Drives). This policy was probably useful in the legacy days when you only wanted to restrict use of local floppy disk drives, but it’s not very useful in the 21st century.

The way around this, is to build your own custom ADM file to change the options for disabling the drive letters.

I have this evening created a custom ADM file for such a purpose, and in my example, the file is crafted to allow you to hide the B drive, or no drives, however you can add as many options to this file as you like.

How you configure the file to restrict particular drives is based on a binary value using a reverse alphabet table. Details for calculating this can be found in the Microsoft Support article Using Group Policy to Hide Specific Drives (http://support.microsoft.com/kb/231289). If you aren’t comfortable trying to do this in your head, you can simply copy and paste the table out of the article into Notepad and do your working in there.

Simply add the ADM file to an existing GPO and link it to an OU which contains users in AD, and you’re all set.

If you want to restrict a different single letter, you can simply edit my file by modifying the label and the binary value of the BOnly item. The file is shared and free for you to download from my Windows Live SkyDrive account. I’m also happy to take comments or answer emails with questions about how to modify the file.
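As an added example (my own illustration, not the ADM file from the post), the PowerShell below works out the Explorer NoDrives value that such an ADM file writes, so you can check a value before putting it in the ITEMLIST, and applies it for the current user for testing. It uses the KB 231289 scheme: each drive letter owns one bit, A: being the lowest, so the “reverse alphabet” in the article is just the binary value written with Z on the left and A on the right. Hiding B: alone gives 2 (the BOnly item), A: and B: give 3, and all 26 letters give 67108863 (0x3FFFFFF). The function names are my own; the registry key and value name are the documented ones.

```powershell
# Added example (not from the original post): compute and apply the Explorer
# "NoDrives" bitmask that a custom ADM file sets. Requires Windows PowerShell 3.0+.
# Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:  (KB 231289 prints this as a reversed alphabet).

function Get-NoDrivesMask {
    param([Parameter(Mandatory = $true)][string[]]$DriveLetters)
    [uint32]$mask = 0
    foreach ($letter in $DriveLetters) {
        # Map the letter to its bit position: A -> 0, B -> 1, ... Z -> 25
        $index = [int][char]$letter.ToUpper()[0] - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: '$letter'" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function Show-NoDrivesMask {
    param([Parameter(Mandatory = $true)][uint32]$Mask)
    [pscustomobject]@{
        Decimal         = $Mask
        Hex             = '0x{0:X}' -f $Mask
        # Same value as the KB article's table: leftmost digit is Z:, rightmost is A:
        ReverseAlphabet = [Convert]::ToString([int64]$Mask, 2).PadLeft(26, '0')
    }
}

# What the GPO does on the client: a REG_DWORD under the user's Explorer policy key
function Set-NoDrivesPolicy {
    param([Parameter(Mandatory = $true)][uint32]$Mask)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoDrives' -PropertyType DWord -Value $Mask -Force | Out-Null
}

# Worked values: B: only (the BOnly item), A: and B:, and every letter A-Z
Show-NoDrivesMask (Get-NoDrivesMask 'B')
Show-NoDrivesMask (Get-NoDrivesMask 'A', 'B')
Show-NoDrivesMask (Get-NoDrivesMask ([string[]][char[]](65..90)))

# Uncomment to hide the App-V virtual drive on B: for the current user; Explorer
# picks the change up on its next start or after a logoff/logon.
# Set-NoDrivesPolicy -Mask (Get-NoDrivesMask 'B')
```

One caveat worth keeping in mind when relying on this: NoDrives only hides the drive from Explorer views; anyone who types B:\ into the address bar can still browse it, so the ACLs App-V applies to the virtual file system remain the actual access control. The separate NoViewOnDrive policy value (same key, same bitmask) is the one that blocks browsing if you ever need that.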

App-V Client Management via GPO

Deploying the App-V Client to end-user machines can be a headache. Microsoft provides ADM files for managing the configuration of the App-V Client via Group Policy in AD DS; however, if you are trying to deploy the client yourself, you will soon discover that the Microsoft ADM files don’t allow you to configure an App-V Publishing Server. The only options you have with the ADM files are to override the sequenced application package and icon source roots.

Using this method, your install string for a silent installation will look something like this:

setup.exe /s /v"/qn SWIPUBSVRDISPLAY=\"App-V Server\" SWIPUBSVRTYPE=\"RTSP /secure\" SWIPUBSVRHOST=\"SERVERNAME\" SWIPUBSVRPORT=\"322\" SWIPUBSVRREFRESH=\"on\" SWIFSDRIVE=\"Q\""

As anyone can see this isn’t exactly elegant, and if you are using SCCM to deploy the App-V Client as I am, you will soon discover SCCM has a character limit for the installer path which means you may have to turn to building a batch file to execute the installation and then call the file in the SCCM Program.

The other problem is that you are then hard-coded to the server name and port specified at install time. Yes, you could use a DNS CNAME to direct your clients to the App-V servers, and sure, you can use a GPO to edit the registry keys on the end-user machines after the fact, but none of this is as elegant as properly managing the deployment.

Introducing Login Consultants, a Netherlands-based virtualization specialist company. They provide a third-party ADM file for you to import into AD DS that extends the management options for App-V beyond the Microsoft ADM file, and best of all, you can register and download the ADM file for free from http://www.loginconsultants.com/index.php?option=com_docman&task=cat_view&gid=20&Itemid=149.

Using the Microsoft ADM file and the Login Consultants ADM file in conjunction, your install string turns into this:

setup.exe /s /v"/qn"

Much cleaner and easier to set up in Configuration Manager, and it gives you the ability to manage all of your App-V server configuration, including server name, ports, protocol, the SFT_SOFTGRIDSERVER environment variable and all the other settings you need, via Group Policy.
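As an added example (my own script, not something from the post or from Microsoft), here is the wrapper I would hand to the Configuration Manager program instead of a batch file: it builds the /v payload from a hashtable so the nested quoting is generated rather than hand-typed, runs setup.exe, and checks the MSI exit code. With an empty hashtable it produces exactly the short string above, which is the form you use once the Login Consultants ADM file carries the server settings. SERVERNAME and the setup.exe path are placeholders; the property names are the ones from the long install string in the post.

```powershell
# Added example (not from the original post): build and run the App-V 4.x client
# silent install string. Placeholders: SERVERNAME, C:\Temp\AppVClient\setup.exe.

function New-AppVInstallArguments {
    param([hashtable]$Properties = @{})
    $pairs = foreach ($name in ($Properties.Keys | Sort-Object)) {
        # Everything inside /v"..." is handed to msiexec as one argument, so a double
        # quote around a property value has to be escaped as \" for InstallShield.
        '{0}=\"{1}\"' -f $name, $Properties[$name]
    }
    $inner = @('/qn') + $pairs           # /qn = fully silent MSI UI level
    return '/s /v"' + ($inner -join ' ') + '"'
}

function Install-AppVClient {
    param(
        [Parameter(Mandatory = $true)][string]$SetupPath,
        [hashtable]$Properties = @{}
    )
    $argumentList = New-AppVInstallArguments -Properties $Properties
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $argumentList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)' }
        default { throw "setup.exe exited with code $($proc.ExitCode)" }
    }
}

# Long form: publishing server hard-coded at install time
$serverProperties = @{
    SWIPUBSVRDISPLAY = 'App-V Server'
    SWIPUBSVRTYPE    = 'RTSP /secure'
    SWIPUBSVRHOST    = 'SERVERNAME'      # placeholder
    SWIPUBSVRPORT    = '322'
    SWIPUBSVRREFRESH = 'on'
    SWIFSDRIVE       = 'Q'
}
New-AppVInstallArguments -Properties $serverProperties

# Short form: server settings come from Group Policy, so no properties at all
New-AppVInstallArguments

# Install-AppVClient -SetupPath 'C:\Temp\AppVClient\setup.exe' -Properties $serverProperties
```

In Configuration Manager the program command line then becomes a fixed powershell.exe -ExecutionPolicy Bypass -File call to this script, which sidesteps the command-line length limit the post mentions, and any change to server settings is a GPO edit rather than a repackaging job.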

For centralising and streamlining management this is a huge boon, as it means you have a one-size-fits-all deployment of the App-V Client and can manage everything else from either AD DS or the App-V Management Server.

Certificate Store Permissions and Windows Live Block App-V RTSPS Protocol

Last week, when converting our existing ICT internal dogfood trial of App-V into a highly available, production-capable App-V solution, we decided to use the RTSPS (Real Time Streaming Protocol Secure) protocol for streaming our applications.

Using my own and a colleague’s laptops to test the RTSPS protocol, we ran into an issue whereby the client received the following error:

The specified Application Virtualization Server has shut down the connection. Try again in a few minutes. If the problem persists, report the following error code to your System Administrator.

Error Code: xxxxxx-xxxxxx0A-10000009

We initially discovered from an App-V blog article (http://blogs.technet.com/b/appv/archive/2010/03/09/troubleshooting-common-rtsps-issues-with-app-v.aspx) that this issue occurs when the server lacks permissions for the NETWORK SERVICE account to access the certificate store machine keys.

Following the advice in the article for Windows Server 2008 R2 systems, this was quickly resolved by using a Certificates Microsoft Management Console to grant Read permission on the private key of the certificate used for RTSPS in App-V to the NETWORK SERVICE account.

Thinking the issue was resolved, we proceeded to initiate a Refresh on the App-V client and tried to stream an application that we had previously sequenced, however we now received a new error:

The Application Virtualization Client could not update publishing information from the server App-V Server. The server will not allow a connection without valid NTLM credentials. Report the following error code to your System Administrator.

Error code: 4615186-1690900A-00002002

This left us puzzled. We were unable to find a solution initially, so we turned to Bing for some assistance, unearthing an interesting but niche blog post.

According to the source of our findings (http://blogs.ethz.ch/jlaville/2011/08/25/app-v-error-00002002/), machines with components from the Windows Live Essentials suite of applications cannot use the RTSPS protocol because of an entry that the suite adds to the LSA Security Packages registry value.

[Screenshot: Registry Editor showing the LSA Security Packages value with the livessp entry removed]

After removing the livessp entry from the Security Packages multi-string value in the registry and restarting the system, we were able to refresh from the server and stream the applications successfully.
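For both halves of this troubleshooting story, the private-key permission from the first error and the LSA security package from the second, here is an added PowerShell example (mine, not from the post or from either linked blog) that checks and, if needed, fixes each condition without clicking through MMC or Regedit. It assumes Windows PowerShell on the App-V server, a certificate whose private key is a CAPI/CSP machine key (the usual case for a server-authentication certificate issued by an enterprise CA; CNG keys live elsewhere and are rejected with a message), and a placeholder thumbprint. The function names are my own; the file path and registry key are the documented locations.

```powershell
# Added example (not from the original post): checks for the two RTSPS blockers.
# Placeholder: 'PLACEHOLDER_THUMBPRINT'. Run in an elevated Windows PowerShell session.

# 1. NETWORK SERVICE needs Read on the file that holds the certificate's private key.
#    CSP machine keys are stored as files under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
function Get-CertificatePrivateKeyPath {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
        throw 'No CSP private key available (CNG keys are stored under Crypto\Keys instead)'
    }
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
}

function Test-PrivateKeyReadAccess {
    param([Parameter(Mandatory = $true)][string]$Thumbprint,
          [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl (Get-CertificatePrivateKeyPath $Thumbprint)
    $allowed = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$allowed
}

function Grant-PrivateKeyReadAccess {
    param([Parameter(Mandatory = $true)][string]$Thumbprint,
          [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    $path = Get-CertificatePrivateKeyPath $Thumbprint
    $acl  = Get-Acl $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 2. The LSA "Security Packages" REG_MULTI_SZ lists DLLs LSA loads at boot.
#    Windows Live Essentials adds livessp here, which is what broke RTSPS for us.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaSecurityPackages {
    @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages' | Where-Object { $_ })
}

function Remove-LsaSecurityPackage {
    param([string]$Name = 'livessp')
    $current   = Get-LsaSecurityPackages
    $remaining = @($current | Where-Object { $_ -ne $Name })
    if ($remaining.Count -eq $current.Count) { return "$Name is not registered; nothing changed" }
    # Keep the value a string array; an empty list is stored as a single empty string
    if ($remaining.Count -eq 0) { $remaining = @('') }
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value $remaining -Type MultiString
    return "Removed $Name; LSA reads this list at boot, so restart the server"
}

# Usage (uncomment with a real thumbprint):
# if (-not (Test-PrivateKeyReadAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT')) {
#     Grant-PrivateKeyReadAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT'
# }
# Get-LsaSecurityPackages
# Remove-LsaSecurityPackage -Name 'livessp'
```

Two notes from a security angle. Granting Read rather than Full Control on the key file is deliberate: the App-V service only needs to use the key, not replace it. And the Security Packages value is worth reviewing on its own merits, because any DLL listed there is loaded into lsass.exe at boot; once you know which entries belong on your servers, an unexpected addition is something to investigate rather than just remove.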