Citrix brings back Local Text Echo

Have you ever experienced the frustration of working on a bad connection, resulting in a tremendous amount of latency when typing?

Past releases of Citrix Virtual Apps and Desktops (formerly XenApp & XenDesktop) have included many interesting new features, especially regarding HDX innovations and ICA improvements. One of the “new” features that caught my eye in the Citrix Virtual Apps and Desktops 1811 release notes is Local text echo, which I will briefly cover in this post.



Wireless Networking in Windows Server 2019

The other day I installed a NUC with an integrated wireless NIC. I installed Windows Server 2019 on the NUC and installed the wireless networking drivers from Intel’s website. The problem was that after I had installed the network drivers they didn’t work. After a lot of trial and error I discovered that you cannot use wireless NICs without the “Wireless-Networking” role installed. Install the role by running the command below in PowerShell.

I restarted the computer and after that everything started to work as expected.
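The role installation described in this post, as an added example rather than the author's original snippet: it uses the `Wireless-Networking` name from the text with the standard `Get-WindowsFeature` and `Install-WindowsFeature` cmdlets, and the `WlanSvc` service check at the end is an addition.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on the server.
$featureName = 'Wireless-Networking'   # name as given in the post

$feature = Get-WindowsFeature -Name $featureName
if (-not $feature) {
    throw "Feature '$featureName' is not known to this server."
}

if ($feature.Installed) {
    Write-Output "$featureName is already installed."
}
else {
    $result = Install-WindowsFeature -Name $featureName
    if (-not $result.Success) {
        throw "Installation of $featureName failed (exit code: $($result.ExitCode))."
    }
    # RestartNeeded is an enum (No / Yes / Maybe); the post needed a restart.
    if ($result.RestartNeeded -ne 'No') {
        Write-Output "Installed. Restart the server before testing the wireless NIC."
    }
}

# After the restart, the WLAN AutoConfig service should exist and be running.
$wlan = Get-Service -Name 'WlanSvc' -ErrorAction SilentlyContinue
if ($wlan) {
    Write-Output ("WlanSvc status: {0}" -f $wlan.Status)
}
else {
    Write-Output 'WlanSvc not present yet (feature missing or restart pending).'
}
```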

 



New features in Azure Blueprints

Over the past couple of weeks I have seen new features being released for Azure Blueprints. In this short post I will write about the updates in Definition location and Lock assignment.

New to Azure Blueprints?

Azure Blueprints allows you to define a repeatable set of Azure resources that follows your organization’s standards, patterns and requirements. This allows for more rapid deployment of new environments while making it easy to keep your compliance at the desired level.

Artifacts:

Azure Blueprints is a package or container used to achieve an organizational standard and patterns for implementation of Azure Cloud Services. To achieve this, we use Artifacts.

Artifacts available today are:

  • Role Assignments
  • Policy Assignments
  • Resource Groups
  • ARM Templates

The public preview of Blueprints was released during Ignite in September last year, and it’s still in preview.

Read more about the basics of Azure Blueprints here

Definition location

This is where in your hierarchy you place the Blueprint. We think of it as a hierarchy because, after creation, the Blueprint can be assigned at the current level or below in the hierarchy. Until now the only option for definition location has been Management groups. With the newly released support for subscription level you can now start using Blueprints even if you have not adopted Management groups yet.

Note that you need Contributor permissions to be able to save your definition to a subscription.

If you are new to management groups, I recommend you take a look at them, since they are a great way to control and apply your governance across multiple subscriptions.

Read more about Management groups here

Definition location for Blueprints

Lock Assignment

During assignment of a Blueprint we are given the option to lock the assignment.

Up until recently we only had Lock or Don’t lock. If we chose to lock the assignment, all resources were locked and could not be modified or removed, not even by a subscription owner.

Now we have the option to set the assignment to:

  • Don’t Lock – The resources are not protected by blueprints and can be deleted and modified.
  • Read Only – The resources can’t be changed in any way and can’t be deleted.
  • Do Not Delete – This is a new option that gives us the flexibility to lock our resources from deletion but still gives us the option to change the resources.

Lock assignment during assignment of Blueprint

Removing lock states

If you need to modify or remove your lock assignments, you can either:

  • Change the assignment lock to Don’t Lock
  • Delete the blueprint assignment.

Note that there is a cache so changes might take up to 30 minutes before they become active.

You can read more about resource locking here

Summary

With the “Do Not Delete” option I think we will see better use of the Lock assignment, and we will have the flexibility to make changes to our resources without the possibility of deleting them. And with Definition location set to subscription we can start using Blueprints without Management groups, and I can see that this might be useful in environments where Management groups have not been introduced.

Good luck with your blueprinting!

You can reach me at Tobias.Vuorenmaa@xenit.se if you have any questions.



Easy way to disable items in Control Panel and Settings App in Windows 10 and Server 2019

In Windows 10 and Server 2019 there is both a Control Panel and a Settings App. This is somewhat confusing for the user. However, this is probably how it’s going to be until Microsoft has had enough time to migrate all settings from the Control Panel to the Settings App. Microsoft has provided great lists of canonical names for the items in both the Control Panel and the Settings App. Although these are great posts, they may be overwhelming.

In Windows 10 and Server 2019 you may want to lock down the settings the users may access. It is not appropriate that a user can start Windows Update on a Server 2019 that is used as a session host with several users logged in. To lock down the Control Panel and the Settings App, you may use the two policies below.

  1. “Computer Configuration\Administrative Templates\Control Panel” and configure “Settings Page Visibility”
  2. “User Configuration\Administrative Templates\Control Panel” and configure “Show only specified Control Panel items”

To find what to add into these policies you can use the two Microsoft articles provided above or you can use a sweet tool called Win10 Settings Blocker. With this tool you can add what settings you want to hide (or show) and then copy the registry data to the policy.

After you have successfully added the settings you want to hide you can go to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer” and copy the data from the registry value named “SettingsPageVisibility”.

Copy the data and paste it to the setting “Computer Configuration\Administrative Templates\Control Panel\Settings Page Visibility”.

You can do the same thing for the Control Panel. Just make sure to select “Control Panel Options” in the app instead.

After hiding any of the Control Panel options, you can find the locked-down Control Panel items under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl”.
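To verify what a session host actually enforces, the two registry locations named above can be read back and decoded. This is an added example, not part of the original post or of Win10 Settings Blocker; the function names are hypothetical, the sample string is constructed, and the `hide:` / `showonly:` prefix with semicolon-separated page names is the data format the Settings Page Visibility policy uses.

```powershell
# Added example (not from the original post): audit the lockdown values.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-SettingsPageVisibility {
    param([string]$Value)
    # Data looks like "<mode>:<page>;<page>;..." where mode is hide or showonly.
    if ($Value -notmatch '^\s*(?<mode>hide|showonly)\s*:(?<pages>.*)$') {
        throw "Unrecognised SettingsPageVisibility data: '$Value'"
    }
    [pscustomobject]@{
        Mode  = $Matches['mode'].ToLower()
        Pages = @($Matches['pages'] -split ';' |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ })
    }
}

function Get-SettingsLockdown {
    param([string]$Path = $explorerPolicy)

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # RestrictCpl holds one value per Control Panel item.
    $cplItems = @()
    $cplKey = Get-Item -Path (Join-Path $Path 'RestrictCpl') -ErrorAction SilentlyContinue
    if ($cplKey) {
        $cplItems = @($cplKey.GetValueNames() | ForEach-Object { $cplKey.GetValue($_) })
    }

    [pscustomobject]@{
        SettingsApp = if ($props.SettingsPageVisibility) {
                          ConvertFrom-SettingsPageVisibility -Value $props.SettingsPageVisibility
                      } else { $null }
        ControlPanelItems = $cplItems
    }
}

# Constructed sample data, decoded without touching the registry:
$sample = ConvertFrom-SettingsPageVisibility -Value 'hide:windowsupdate;windowsdefender'
Write-Output ("Sample mode: {0}; pages: {1}" -f $sample.Mode, ($sample.Pages -join ', '))

# Live values from the machine this runs on:
$live = Get-SettingsLockdown
if ($live.SettingsApp) {
    Write-Output ("Settings App: {0} -> {1}" -f $live.SettingsApp.Mode, ($live.SettingsApp.Pages -join ', '))
}
else {
    Write-Output 'Settings App: no SettingsPageVisibility value set.'
}
Write-Output ("Control Panel items in RestrictCpl: {0}" -f ($live.ControlPanelItems -join ', '))
```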



Teams keeps crashing in Citrix

A while ago I installed Teams in a client’s Citrix environment. I solved the large profile issue (Microsoft recommends 3 GB of free data for each user) with FSLogix; you can read more about that in my earlier blog post here!

While testing Teams in the client’s test environment it all worked flawlessly. I then proceeded to implement it in the production environment, and it all worked great: Teams installed and worked as expected. Or so I thought…

The Problem

The next day I received multiple complaints about Teams hanging and restarting, only to resume in a hanging state. In summary, it DID NOT WORK. Puzzled as to why, since it still worked as expected in the test environment, I started to investigate. I checked the Event Viewer for any clues; there were none. I then proceeded to check the Teams install log (you can find it here: “C:\Users\USERNAME\AppData\Local\SquirrelTemp\SquirrelSetup.log”); there was nothing to find there either. I scoured the internet for answers but always got the same solution: delete Teams and reinstall it. That did not work in my scenario. We also have 2 customers running this exact setup but without any issues. What I then started to suspect was the platform Citrix was running on, specifically virtual vs physical servers. All the installations on a virtual server worked, but on our physical server it did not.

Eventually I did a deep-dive to see what actually happens when it crashes and I discovered the following:

  1. When checking the Details tab in Task Manager I discovered that when Teams starts to become unresponsive, a Werfault.exe (Windows Error Reporting) process starts and takes a lot of CPU resources but never quite finishes.
  2. After investigating with Procmon I found something suspicious: CtxGraphicHelper.dll. This is a Citrix Hook, used by Citrix to make programs do things they were not programmed to do. Basically, it’s used to make applications work in a Citrix environment. If you want to know more on the subject please read this article explaining how it works!
  3. After recovering this information I found a discussion on Reddit explaining my exact scenario, and a workaround for this specific issue. See below on how to apply the workaround.

Workaround

To get Teams to work in your Citrix environment if you experience this specific issue, you need to exclude all Citrix Hooks from Teams.exe. You do this by editing or adding the following registry value:

32-bit version:
HKLM\SOFTWARE\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

64-bit version:
HKLM\SOFTWARE\WOW6432Node\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

Note: The server needs to be restarted for the changes to take effect!
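One way to apply the registry change above without overwriting exclusions that are already configured, as an added example that is not part of the original post. The helper name is hypothetical, and the script assumes that multiple image names are stored as a single comma-separated string.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Both key paths are the ones listed in the post.
$hookKeys = @(
    'HKLM:\SOFTWARE\Citrix\CtxHook',
    'HKLM:\SOFTWARE\WOW6432Node\Citrix\CtxHook'
)
$valueName = 'ExcludedImageNames'
$image     = 'Teams.exe'

function Add-ExcludedImage {
    param([string]$Current, [string]$Image)
    # Assumption: several image names are held as one comma-separated string.
    $names = @($Current -split ',' |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ })
    if ($names -notcontains $Image) {   # case-insensitive comparison
        $names += $Image
    }
    $names -join ','
}

foreach ($key in $hookKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }

    $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $updated = Add-ExcludedImage -Current $current -Image $image

    if ($updated -eq $current) {
        Write-Output "$key : $image is already excluded."
        continue
    }

    # Log the previous data so the change can be rolled back if the
    # workaround causes other issues.
    Write-Output ("{0} : previous value '{1}', new value '{2}'" -f $key, $current, $updated)
    Set-ItemProperty -Path $key -Name $valueName -Value $updated -Type String
}

Write-Output 'Restart the server for the change to take effect.'
```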

Summary

This workaround is far from ideal; disabling the Citrix hooks is not recommended and can result in other issues with Teams. Please test it properly before making any organization-wide changes. And be aware that Teams has not yet been implemented in the HDX Optimization Pack, meaning it will not offload sound and video to your client. I’m sure Citrix is working hard to implement this as soon as possible.

I have not found the exact reason why this is an issue and why it only seems to affect physical servers and not virtual ones. I suspect it’s the CtxGraphicHelper hook I discovered in Procmon that might be the source of the problem. But it seems this workaround will get Teams to work just fine in your Citrix environment.

Please let me know if you have any questions or have anything to add!



What is ReasonML and why should you care?

ReasonML is an alternate syntax for OCaml, invented at Facebook to be more familiar to programmers coming from JavaScript. OCaml is an over 20-year-old general purpose language that is both expressive and safe. It belongs to the ML family of languages, which means that it has a strong type system that will guide you to write fewer bugs. Other languages in the ML family that you might have heard about are F# and Haskell.

Because ReasonML is just an alternate syntax for OCaml, everything that is possible with one can be done with the other. ReasonML can be compiled to native binaries and bytecode with the standard compiler, and there are two ways to compile to JavaScript: “JavaScript of OCaml (JSOO)” and BuckleScript. The natively compiled binaries are often really fast, especially when compared to the Node-based JavaScript that powers both web servers and desktop apps. esy is a package manager that introduces an npm-like workflow for native development. Right now its main goal is to be the best package manager for OCaml and Reason, but it can in theory be used with any language.

At Xenit we’re using ReasonML together with React, via ReasonReact, to build the frontend of our Identity Provider. It brings us ease of refactoring and a higher degree of security when writing our code. We’re building some other internal tools with ReasonReact and we’re also exploring developing native applications with ReasonML. This includes both UI applications built with revery, a framework that aims to replace Electron as a simple way to create desktop applications, and microservice backends.

This is just an introduction and there will be more interesting posts about the Reason universe in the future.



“Outlook cannot perform your search” on Windows Server 2016 running Remote Desktop Services

INTRODUCTION

Speaking on behalf of all IT technicians, there is no doubt that we have all had our hands in cases related to Outlook. Oftentimes I find them quite straightforward to understand and resolve. However, that was until I encountered a particularly obscure issue with Outlook’s search engine, with an equally obscure resolution.



Why does Teams not install for my users?

In October last year Microsoft released an MSI installation package of Teams, making it easy to deploy Teams to computers in your organization. As you know, Teams (for some unknown reason) installs directly into your profile. I suspect they have designed it this way to make sure everyone can install the application: even if you’re not a local administrator on your computer, you do have sufficient rights to your profile to perform an installation of Microsoft Teams.

Since I work primarily with Citrix, and could see that Microsoft Teams is growing in popularity, I started to investigate if I could make it work in a Citrix environment. But that is another story; you can read my blog post on how I installed Teams in our Citrix environment here!

Teams is supposed to install when a user logs on to the server: it automatically installs the latest available Teams to your profile and then starts it. But in some cases I have seen an issue after installing the Teams wide Installer: the users simply do not get anything installed. One function of this installer is that it checks your profile for traces of Teams. If it detects part of Teams, it will not try to install it again (unless it’s an update, that is), and if the user has uninstalled Teams it will still detect some leftovers and will therefore not install Teams again. With that said, you need to make sure your profile is clean from Teams. Unfortunately this was not the case here. It simply did not install!

To understand why this might happen you need to know how some multi-user environments are designed, from a security perspective!

If you are like us, security oriented, you might have disabled Run and Run Once, which are used by some applications to auto-start or to continue an installation after a restart, and which are unfortunately a very popular place to auto-start viruses and other malware. It is therefore common to disable them.

This is exactly the place where Microsoft Teams specifies the value that starts the Teams installation for a user. If it’s disabled, nothing will ever happen!

There is however a really easy way around this:

You probably already thought about this by now but there is a tiny detail that will make it work exactly as it was supposed to:

  1. Create a Shortcut – Name it Install Teams (or something else if you like)
  2. Target the Teams.exe file with this specific argument: "C:\Program Files (x86)\Teams Installer\Teams.exe" --checkInstall --source=default
  3. Save it, and place it in the Startup folder in the Start Menu.

The arguments at the end of the Target path (--checkInstall --source=default) are the reason Teams knows if you have it installed and keeps it updated.
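The three steps above can be scripted, together with a check of whether the Run and Run Once lists really are disabled by policy. This is an added example, not part of the original post: it assumes the shortcut should go in the all-users Startup folder and that the policies are set machine-wide under HKLM, where their standard registry value names live.

```powershell
# Added example (not from the original post). Run in an elevated session.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$runPolicies = 'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
               'DisableCurrentUserRun',  'DisableCurrentUserRunOnce'

# Report which Run / Run Once lists are switched off by policy, which is
# the condition that stops the Teams installer from starting at logon.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $runPolicies) {
    $state = if ($policy.$name -eq 1) { 'disabled by policy' } else { 'not disabled' }
    Write-Output ("{0}: {1}" -f $name, $state)
}

# Installer path and arguments as given in the post.
$installer = 'C:\Program Files (x86)\Teams Installer\Teams.exe'
$arguments = '--checkInstall --source=default'

if (-not (Test-Path -Path $installer)) {
    throw "Teams installer not found at '$installer'."
}

# Assumption: the all-users Startup folder, so every user on the session
# host gets the shortcut.
$startup = [Environment]::GetFolderPath('CommonStartup')
$lnkPath = Join-Path $startup 'Install Teams.lnk'

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath       = $installer
$shortcut.Arguments        = $arguments
$shortcut.WorkingDirectory = Split-Path -Path $installer
$shortcut.Description      = 'Install or update Microsoft Teams at logon'
$shortcut.Save()

Write-Output "Created shortcut: $lnkPath"
```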

I hope this easy little trick has been helpful, please make a comment if you feel like it or have some questions!



Move Software Updates to Intune with Co-management

To move on with the transition towards Modern Management we can use Co-management in SCCM to decide where settings are coming from. In this specific scenario we will switch from Software Updates via SCCM to Intune-controlled Software Updates for one test client. I will show you the following steps.

  1. How to set up the Co-management connection in SCCM
  2. How to configure the Co-management connection to be able to switch Software updates from SCCM to a pilot Intune group
  3. How to configure a Windows 10 Update Ring in Intune and assign it to a group
  4. How to verify that the client is getting the correct settings

Prerequisites for this scenario:

  • A test client (in my case running 1809)
  • SCCM environment (in my case running 1810)
  • Intune environment
  • Hybrid Azure AD Joined device
  • An Intune group with the test client as a member
  • Company Portal installed on a client

Steps 1 and 2 – These steps are done in the SCCM console

\Administration\Overview\Cloud Services\Co-management

1. Co-management > Configure Co-management

2. Next

3. Sign in

4. Logon with an Intune Administrator (Global administrator in my case)

5. Next

6. Automatic enrollment in Intune > Pilot

7. Next

8. Workloads > Switch Windows Updates policies to Pilot Intune

9. Pilot collection > Choose a collection with your test client

10. Next

11. Done

 

Step 3 – This step is done in Intune

https://devicemanagement.portal.azure.com

1. Software updates

2. Windows 10 Update Rings

3. Create

4. Name: SU-Windows 10-Test

5. Description: Software Update – Test group

6. Settings
Below is an example; please configure it so it fits your environment

7. Assignments

8. Select groups to include > Group with test client

9. Save

 

Step 4 – This step is done on the test client

1. Open Company Portal

2. Settings > Sync

3. Run > control update

4. View configured update policies

5. Look under Policies set on your device – here we want to see that settings are coming from Mobile Device Management as below

6. Be sure to turn off any GPOs that might turn off access to Windows Updates

7. Done

This is how you make the switch over to Intune and as you can see it doesn’t require that much.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

 



PVS-Accelerator

Introduction

PVS-Accelerator is a feature for Citrix Hypervisor (previously named XenServer). The feature utilizes the local storage and RAM on Dom0 on each Citrix Hypervisor and caches read requests from a provisioned target device. It saves network, CPU and Provisioning host disk I/O resources, effectively improving performance. Overall your storage and network should see an improvement if they are under heavy load today. [1]

Network Bandwidth Utilization [2]

PVS-Accelerator improves the end-user experience, accelerates VM boots and boot storms, and simplifies scale-out: you add more hypervisor hosts, and fewer provisioning servers are needed.

Prerequisites

  • The XenServer PVS-Accelerator feature is only available in Citrix Hypervisor 7.1 and Provisioning 7.13 or later
  • PVS-Accelerator is available for customers with XenServer Enterprise Edition or if you have XenDesktop/XenApp licenses
  • If you have Citrix Hypervisor 7.1 or later, Provisioning 7.13 or later and XenApp/XenDesktop, you should be able to use the feature without considering any extra licenses or upgrades [3]

Considerations

There is no need to reboot the XS host to enable PVS-Accelerator, unless you have less than the 4 GB on Dom0 that is required to enable the feature. Also notice that the recommended cache size on the storage repository is 5 GB for every vDisk version actively provisioned.

PVS-Acceleration configuration

  • PVS-Accelerator only caches reads from vDisk, but not writes or reads from a write cache. Support is for vDisks with any non-persistent write cache type, but not “Cache on Server, Persistent” or “Cache on device hard disk persisted” write cache type
  • If you have more than one virtual network interface (VIF), make sure that the first VIF of a VM is used for connecting to the Provisioning Server
  • If you have multiple Provisioning servers that are deployed with HA and the same VHD, but have different file system timestamps, data may be cached multiple times. Due to this limitation, Citrix recommends using VHDX format, rather than VHD for vDisks
  • If you are running a 10 GbE network or just a few streamed VMs you will probably not notice a big difference

Advantages

  • Lower network utilization
  • Faster VM Boot time (Around 60%)
  • Higher Provisioning server density
  • Improved logon time
  • Helps with a saturated network or branch office

Average VM Boot Time
Source: Virtualfeller.com [4]

How to install

Installation is pretty straight-forward. You can download the PVS-Accelerator Supplemental Pack at https://download.citrix.com (requires Citrix account).

  • Path: Downloads / Citrix Hypervisor (XenServer) / XenServer 7.1 LTSR or above (Any Edition) / Optional Components / PVS Accelerator Supplemental Pack
  • Download and install the .iso file from XenCenter

XenCenter – Install Update
XenServer – Select Update

A new tab will appear in XenCenter console. Select your Hypervisor pool and click the PVS tab. Configure the PVS-Accelerator by naming your site and cache configuration. [5]

Configure PVS-Accelerator

The next step is to go back to the Provisioning Console and create your VMs with PVS-Accelerator. You do this by right-clicking on your site and running the Setup Wizard. You cannot do this on your existing provisioned targets. The short explanation is that PVS-Accelerated VMs are tied to Provisioning servers with a UUID on the XenServer.

Note: If you were to re-install the XenServer where PVS-Accelerated VMs were enabled, Provisioning Services will become out of sync and you will need to delete previously configured VMs associated with the cache configuration, including the host, and then reconfigure PVS-Accelerator and set up the cache again. [6]

Provisioning Console – Streamed VM Setup Wizard

Be sure to select “Enable PVS-Accelerator for all Virtual Machines” when configuring the number of VMs and their resources.

Provisioning Console – Enable PVS-Accelerator
Provisioning Console – Streamed VM Wizard

Verify that the PVS-Accelerator status is Caching your VMs from the XenCenter > Pool > PVS tab.

XenCenter – PVS Tab

References

[1] https://docs.citrix.com/en-us/xenserver/current-release/storage/pvs.html

[2] https://www.youtube.com/watch?v=l_vhMf3SFks

[3] https://support.citrix.com/article/CTX220746

[4] https://virtualfeller.com/2017/03/07/provisioning-services-accelerator

[5] https://support.citrix.com/article/CTX220735

[6] https://docs.citrix.com/en-us/provisioning/7-15/install/configure-accelerator.html