Install OneDrive (and soon Teams) on Local Machine

One of the most requested features for OneDrive and Teams has been the ability to install the programs on the local machine instead of in each user's profile. Microsoft has finally released a OneDrive client that supports this. As of version 19.043.0304.0003, OneDrive can be installed per machine by running the installer with the switch shown below.
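A scripted per-machine install with the checks an administrator wants afterwards, as an added example that is not from the original post. It uses the /allusers switch Microsoft documents for the per-machine installer; the assumptions are that OneDriveSetup.exe (19.043.0304.0003 or later) sits next to the script and that it runs elevated. The last check is the security point of a per-machine install: the binary ends up in a directory standard users cannot write to, unlike a copy in every user's profile.

```powershell
# Added example (not from the original post): per-machine OneDrive install plus verification.
# Assumptions: OneDriveSetup.exe is in the script folder; the session is elevated.
$Installer  = Join-Path -Path $PSScriptRoot -ChildPath 'OneDriveSetup.exe'
$MinVersion = [version]'19.043.0304.0003'   # parses to 19.43.304.3, leading zeros are dropped

# /allusers is the per-machine switch; without it the installer writes to %LOCALAPPDATA% per user.
$p = Start-Process -FilePath $Installer -ArgumentList '/allusers' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "OneDriveSetup.exe returned exit code $($p.ExitCode)" }

# Per-machine installs land under Program Files (x86 or 64-bit depending on the build).
$exe = @("$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe",
         "${env:ProgramFiles(x86)}\Microsoft OneDrive\OneDrive.exe") |
       Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $exe) { throw 'No per-machine OneDrive.exe found under Program Files' }

$installed = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
if ($installed -lt $MinVersion) { throw "Installed $installed is older than $MinVersion" }

# The binary now lives outside the user profile. Flag any ACE that would let ordinary users
# modify it (which would hand them a way to plant code that every user on the host runs).
$dir = Split-Path -Path $exe -Parent
$userWrite = (Get-Acl -LiteralPath $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match '\\Users$|Authenticated Users|Everyone' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}

[pscustomobject]@{
    Path          = $exe
    Version       = $installed
    MeetsMinimum  = ($installed -ge $MinVersion)
    UsersCanWrite = [bool]$userWrite
}
```

Run it once per session host (or through your deployment tool) and keep the output; a UsersCanWrite of True means someone has loosened the Program Files ACL and the per-machine install has lost its main advantage.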


This makes a huge difference in a multi-user (Virtual Apps and Desktops) environment. Previously, if you wanted to use OneDrive you had to install the OneDrive client into every user's profile, which is very time consuming, especially when something goes wrong with the installation or with the program files stored in each user's profile.


It seems that Microsoft has finally given in to community demand. Christiaan Brinkhoff on Twitter also states that a per-machine Teams installer is in progress.


This will be a very welcome change for those of us who are passionate about multi-user environments.



LACP fallback between Arista and Nutanix

If you have LACP configured between your Arista switches (or any other switches) and a Nutanix cluster, you will run into an issue when using Nutanix Life Cycle Management (LCM).

LCM updates for BIOS, BMC and SATA DOM are currently not supported for Nutanix Clusters that use protocols such as LACP.

If you try to do a full update with LACP active, your first node will not come back online and will be stuck in maintenance mode.

The node gets stuck because some of the updates boot the node into the Phoenix ISO, and Phoenix does not support LACP at this time. While Phoenix is running, the node sends no LACP PDUs, so the switch keeps the port-channel down and the node is unreachable.

A workaround is to enable LACP fallback on your switches. Below is an Arista example; it takes only a few lines to configure.

You will need to configure LACP fallback on every port-channel that is connected to one of your nodes.
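The switch-side configuration, as an added example that is not the configuration from the original post (which did not survive extraction). Interface and port-channel numbers are placeholders. Which fallback mode to use is an assumption to verify against Nutanix's documentation for your AOS and LCM version: static brings all member ports up as a static port-channel, individual brings up a single member port as a normal port. A Phoenix boot that drives one NIC without bonding is better served by individual, because with static the switch may hash return traffic onto the NIC the node is not using. The timeout is how many seconds the switch waits for LACP PDUs before falling back (90 is the EOS default).

```text
interface Port-Channel11
   description Nutanix node 1
   port-channel lacp fallback individual
   port-channel lacp fallback timeout 90
!
interface Ethernet11
   description Nutanix node 1 eth0
   channel-group 11 mode active
!
interface Ethernet12
   description Nutanix node 1 eth1
   channel-group 11 mode active
```

Before starting the LCM run, confirm the fallback state with `show port-channel 11` and `show lacp interface Ethernet11`; after the node is back, the same commands should show the port-channel negotiated by LACP again rather than in fallback.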

When the upgrade is complete and the node has booted, it starts sending LACP PDUs again and LACP is automatically re-activated on the port-channel.

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.



Microsoft Teams Rooms for modern meetings

How easy is it at your company to start a Teams or Skype meeting in your conference room without technical difficulties? Maybe you have a very large (and expensive) video conference system in your boardroom but wish you could also equip the smaller huddle rooms with such systems? Then you should look into Microsoft Teams Rooms, the new name for Skype Room Systems.

You can't argue with the trend towards a more modern and mobile workplace. In a few years, more and more employees will probably not be stationed at a particular office or desk. This requires better tools and services, and a big part of that is digital meetings. During the last 3 years we have seen massive growth, installing more video conference rooms than in the previous 30 years, and a shift from proprietary (and expensive) solutions to standardized and more affordable systems, so even the smallest huddle room can get one.

In its simplest form, you book the room in Outlook as you have done for years and choose whether it should be a Teams or a Skype meeting:

When you enter the conference room, the control unit on the table lights up and shows you the upcoming meetings:

All you have to do is click Join on your meeting, and within a few seconds the meeting has started and all participants are joined, whether they use the Teams/Skype client, the web client, the app on their phone or have dialed in to the number in the invitation. You see the participants on the control unit and on the big screen at the front of the room, and of course their video if they share it. From the control unit you can mute/unmute and instantly add participants to the meeting from the directory or call them.

Want to share your screen? Simple, just plug in the HDMI cable to your laptop and it will output to the bigscreen but also share it in the meeting with remote participants. Of course, remote participants can also share their screen in the meeting.

It's the simplicity: one click to join and the meeting is started. You no longer need to be a technician to get a meeting going, choosing the right input on the big screen or the right speaker and microphone.

Microsoft Teams Rooms come from different partners (Logitech, HP, Lenovo, Crestron, Polycom, Yealink), which have certified systems in different sizes, from the smallest 4-person huddle room to the largest boardroom. A few examples:

Xenit has used Skype Room Systems for a long time and is extremely happy with how it works.

So what about the tech and for IT?

Compared to other proprietary systems, Microsoft Teams Rooms runs on Windows 10 with a Windows app. This means you can use your current tools to deploy and manage it as you would any other Windows client, except that you need to make sure not all policies apply to the system. On-premises AD join, Azure AD join and Workgroup are all supported. The app itself, which only installs on certified devices (so you can't do this DIY), is automatically updated through the Microsoft Store. For us at Xenit there has been almost no support needed for this system since it was first set up, except for some occasional hardware issues where someone was "smart" enough to disconnect the HDMI cabling to connect it directly to their laptop.

Of course, Microsoft has done some work to cloud enable these devices if you want.

For example you can use Azure OMS (Operations Management Suite) to monitor these devices since they log a lot of information to the event log. For example you can get information regarding:

  • Active / Inactive Devices
  • Devices which experienced hardware / applications issues (disconnected cables anyone?)
  • Application versions installed
  • Devices where the application had to be restarted

All this can be alerted upon so you hopefully can solve problems before someone calls it in as a problem.

In a few months, the Microsoft Teams Rooms will light up in the Teams Admin Center for additional functionality. For example, if you enroll many of these devices, the admin center will enable you to more quickly enroll them with a profile with settings you want. It will also make it easier for inventory management, updates, monitoring and reporting.

Here’s a short demo:

Let us know if you want to discuss or even get a personal demo at our office.



Text-based session watermarks

Citrix recently introduced a new feature that helps track data theft by giving administrators the ability to enable watermarks in user sessions. It is supported on both Server OS and Desktop OS VDAs and requires Virtual Delivery Agent 7.17 or later.

Citrix also lets you customize the session watermark. The following parameters can be included or configured:

  • Client IP Address
  • Connection Time
  • Logon user name
  • VDA host name
  • VDA IP Address
  • Style (Single or multiple)
  • Custom text
  • Transparency

    Session watermark with custom text, connection time and a transparency of 10

And I bet you're now wondering, just as I did, whether there are any exceptions. There are, and they cover a few important scenarios:

  • When using Session Recording, the recorded session does not show the watermark.
  • When using Windows Remote Assistance, the watermark is not shown to the remote user.
  • When the Print Screen key is pressed, the screen captured on the VDA side does not include the watermark. The same applies to third-party applications that are triggered by the Print Screen key, for example Greenshot.

In other words, the watermark is a deterrent against photographing or filming the screen on the client side; it does not prevent capture from inside the session, so it should not be relied on as the only control.

More information regarding session watermarking and its limitations can be found on the link below:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/session-watermark.html

If you have any questions regarding session watermarks, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Citrix replaces Smart Scale with Autoscale

A while ago Citrix announced the deprecation of Smart Scale, but its replacement was kept in the dark until now.

Smart Scale will reach end of life on May 31, 2019, and Autoscale will be its replacement on the cloud platform. Autoscale is considered a new feature, but it delivers all the functionality currently available in Smart Scale, such as:

  • Load based scaling
  • Schedule based scaling
  • Cost saving statistics

Note: Autoscale will only be available to customers with the Citrix Virtual Apps and Desktops service. This means that customers with on-premises platforms are advised to use the power management feature in Studio (which earlier could also be used together with Smart Scale).

Autoscale can be enabled and configured per Delivery Group in Studio and will replace the current Power management tab.

One of the new functionalities delivered with Autoscale is its integration with Director, where savings and machine usage are presented.

For a quick walk through of Autoscale, see this link.

If you have any questions regarding Autoscale, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Easily analyse your memory dumps

Recently I stumbled over a great application for debugging your system while trying to examine a memory dump. The application is named WinDbg Preview, is distributed by Microsoft themselves, and serves several purposes for debugging Windows operating systems.

WinDbg Preview is a modernized version of WinDbg and extremely easy to use! With WinDbg Preview you can, for example:

  • Debug executables
  • Debug dump and trace files
  • Debug app packages
  • Debug scripts

WinDbg Preview

In my use case I wanted to quickly analyse a memory dump file that had been generated. A minute and about five clicks later I had an analysis that gave me all the information I needed. I was also shown which commands to use as I went, without having to think about it.

Attaching memory dump file

Analysis result
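The same one-click analysis, scripted over a folder of dumps, as an added example that is not from the original post. It drives cdb.exe (the console debugger that ships with the Debugging Tools for Windows / Windows SDK) to run the `!analyze -v` command that WinDbg Preview runs behind its button, and pulls out the fields a first triage pass needs. The cdb.exe path, the dump folder and the symbol cache are assumptions; so is reachability of the Microsoft symbol server, without which the analysis is mostly "unknown".

```powershell
# Added example (not from the original post): batch "!analyze -v" over a dump folder with cdb.exe.
# Assumptions: the paths below, and network access to the Microsoft public symbol server.
$Cdb      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'   # assumption
$DumpDir  = 'C:\Dumps'                                                       # assumption
$SymCache = 'C:\Symbols'                                                     # assumption

# Explicit symbol path: local cache first, Microsoft symbol server second. Setting it here
# rather than relying on a pre-existing _NT_SYMBOL_PATH keeps the result reproducible.
$env:_NT_SYMBOL_PATH = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"

function Get-DumpTriage {
    param([Parameter(Mandatory)][string]$DumpPath)

    # -z opens the crash dump; -c runs the command string, and the trailing "q" quits so the
    # call returns instead of leaving an interactive debugger behind.
    $text = & $Cdb -z $DumpPath -c '!analyze -v; q' 2>&1 | Out-String

    $fields = [ordered]@{ Dump = Split-Path -Path $DumpPath -Leaf }
    # !analyze -v prints one "KEY:  value" line per field; these are the ones worth a first look.
    foreach ($key in 'BUGCHECK_CODE', 'EXCEPTION_CODE', 'PROCESS_NAME', 'MODULE_NAME',
                     'IMAGE_NAME', 'FAILURE_BUCKET_ID') {
        $fields[$key] = if ($text -match "(?m)^$key\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
    }
    # The debugger prints this line when it could not load symbols for a module; a bucket
    # produced under those conditions is not worth acting on.
    $fields['SymbolsOK'] = -not ($text -match 'Module load completed but symbols could not be loaded')

    [pscustomobject]$fields
}

Get-ChildItem -Path $DumpDir -Filter *.dmp -File |
    ForEach-Object { Get-DumpTriage -DumpPath $_.FullName } |
    Format-Table -AutoSize
```

One caveat that applies to WinDbg Preview just as much as to the script: a memory dump contains whatever was in memory, including credentials and tokens, so treat the dump folder and the debugger output as sensitive and do not upload dumps to third-party services.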

WinDbg Preview is available from the Microsoft Store, and you can read more about it here.

If you have any questions, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Keep your FSLogix VHD-files optimized

Background

When you use either or both of the FSLogix products, Office 365 Container and Profile Container, you will end up with quite large VHD files. You can limit the size somewhat, for example by setting the Outlook cache limit for an Office 365 Container, but the containers will nonetheless require quite a lot of storage space. Since the standard and recommended way of creating these VHD files is as dynamically expanding disks, things get complicated when (and if) you run out of space. Let me explain:

A dynamically expanding disk grows automatically when needed, so each disk only reserves the actual size of its content, which is good. It does not, however, shrink automatically. This means the file keeps the size it had when it contained the most data, which no longer reflects the actual amount of data inside. Over time this becomes an issue, if nothing else as wasted disk space.

Writing your own script that shrinks the disks is complicated, and there is a risk of corrupting a disk. Instead, we will focus on how to keep the stored data compact so that the disks grow as little as possible.

Solution

There is no solution from FSLogix for this yet, so we need to focus on what we can do with the VHD files themselves, which are essentially standard virtual disks. When searching for a good long-term solution to this problem I found a great script by David Ott that optimizes the disks that are available at the time the script runs.

How it works

The script checks which VHD files are available (if the user is logged on, the disk is locked), then mounts each available one, runs an optimization job, closes it, and emails a complete report of the result. The best way to use it is to schedule it to run after office hours (preferably after the session hosts have restarted) to keep the disks at their most efficient size. This minimizes the growth of the disks and in the long run saves you space.
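The workflow just described, written out as an added example for this page rather than taken from David Ott's script: skip containers that are in use, attach the rest read-only, compact them, detach, and report. The share path and SMTP details are placeholders; it assumes the Hyper-V PowerShell module (Mount-VHD/Optimize-VHD) is installed on the machine running it and that it runs elevated, after hours, from a host that is not itself a session host.

```powershell
# Added example (not David Ott's script): compact FSLogix containers that are not in use.
# Assumptions: share path and mail settings below; Hyper-V PowerShell module present; elevated.
$Share = '\\fileserver\FSLogixContainers'   # assumption

$results = foreach ($vhd in Get-ChildItem -Path $Share -Recurse -Include *.vhd, *.vhdx -File) {
    $before = $vhd.Length

    # FSLogix holds a container open exclusively while the user is logged on. Trying to open it
    # with FileShare.None fails in that case, which is the "is the disk available?" check.
    try {
        $h = [System.IO.File]::Open($vhd.FullName, [System.IO.FileMode]::Open,
                                    [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $h.Dispose()
    } catch {
        [pscustomobject]@{ File = $vhd.FullName; Status = 'InUse'
                           BeforeMB = [math]::Round($before / 1MB); AfterMB = [math]::Round($before / 1MB); SavedMB = 0 }
        continue
    }

    $status = 'Optimized'
    try {
        # Optimize-VHD -Mode Full only reclaims space when the disk is attached read-only;
        # -NoDriveLetter keeps the user's profile volume from being exposed on this host.
        Mount-VHD    -Path $vhd.FullName -ReadOnly -NoDriveLetter -ErrorAction Stop
        Optimize-VHD -Path $vhd.FullName -Mode Full -ErrorAction Stop
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    } finally {
        Dismount-VHD -Path $vhd.FullName -ErrorAction SilentlyContinue
    }

    $after = (Get-Item -LiteralPath $vhd.FullName).Length
    [pscustomobject]@{ File = $vhd.FullName; Status = $status
                       BeforeMB = [math]::Round($before / 1MB); AfterMB = [math]::Round($after / 1MB)
                       SavedMB  = [math]::Round(($before - $after) / 1MB) }
}

$results | Format-Table -AutoSize

# Mail the report through an internal relay (assumption). -Body takes a single string.
$saved = ($results | Measure-Object -Property SavedMB -Sum).Sum
$body  = $results | Sort-Object SavedMB -Descending | Format-Table -AutoSize | Out-String
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'fslogix-maint@example.com' -To 'it@example.com' `
                 -Subject "FSLogix container optimization: $saved MB reclaimed" -Body $body
```

The exclusive-open test and the mount are two separate steps, so a user who logs on in between would find their container attached elsewhere; run the job in a window where logons are not expected, and keep the report so that a container that fails repeatedly can be inspected by hand.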

Where to find it

As mentioned above, the script was written by David Ott, and you can find the original post with the script here!

If you want to know more about FSLogix you can email me at jonas.agblad@xenit.se or check out my earlier posts here:

Convert Citrix UPM to FSLogix Profile Containers

Teams in your multi-user environment done right!

Outlook Search index with FSLogix – Swedish

FSLogix Profile Container – Easy and fast Profile management – Swedish

Office 365 with FSLogix in a Multi-user environment – Swedish



TLS 1.0 and 1.1 will be blocked, so update your Citrix Receiver!

Background

Most things around us get constant updates and improvements, and for most people the ones that fix security vulnerabilities are the most critical. TLS 1.0 has been in use since 1999 and TLS 1.1 since 2006, and both have known weaknesses: BEAST targets the CBC cipher suites in TLS 1.0, and POODLE targets SSL 3.0, with variants that affected some TLS 1.0 and 1.1 implementations. The best way to prevent similar attacks is to stop people from using the outdated protocols and force them onto the stronger TLS 1.2.

Last year, some of the largest IT companies in the world (Microsoft, Google, Apple and Mozilla) announced that TLS 1.0 and TLS 1.1 will be removed from their respective web browsers in 2020. Other companies have since followed suit.

As of 15 March 2019, Citrix will no longer support communication over TLS 1.0 and 1.1 to Citrix Cloud services.

Which cases will be affected?

In a TLS handshake the client offers the highest protocol version it supports and the server selects the highest version both sides support. Once the Citrix Cloud side accepts only TLS 1.2, a Receiver that tops out at TLS 1.0 or 1.1 has no version in common with it and the handshake fails. This means that if you are running an old version of Receiver that only supports TLS 1.0/1.1, you will not be able to connect to Citrix Cloud. On-premises StoreFront implementations that still support TLS 1.0/1.1 are unaffected by the change.
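A way to see that negotiation from the client side, as an added example that is not from the original post: the script below opens one connection per TLS version and offers only that version, so there is nothing to fall back to. A server that has dropped TLS 1.0/1.1 rejects the handshake, which is exactly what an old Receiver experiences. The hostname is a placeholder for your StoreFront/Gateway or the Citrix Cloud endpoint you care about.

```powershell
# Added example (not from the original post): probe which TLS versions an endpoint accepts.
# Assumption: $target below is a placeholder; the host running this must be able to reach it.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation is kept on purpose: a chain error is a different
        # finding than "version not supported" and is reported in Detail, not hidden.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Offering a single protocol makes the server's minimum version visible: if it will not
        # speak this version it sends a protocol_version alert and the call throws.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        $result = [pscustomobject]@{
            Host = $HostName; Offered = $Protocol; Negotiated = $ssl.SslProtocol
            Cipher = $ssl.CipherAlgorithm; Result = 'Accepted'; Detail = ''
        }
        $ssl.Dispose()
        $result
    } catch {
        [pscustomobject]@{
            Host = $HostName; Offered = $Protocol; Negotiated = $null
            Cipher = $null; Result = 'Rejected'; Detail = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

$target = 'storefront.example.com'   # assumption: replace with your own endpoint
'Tls', 'Tls11', 'Tls12' | ForEach-Object { Test-TlsVersion -HostName $target -Protocol $_ } |
    Format-Table -AutoSize
```

A "Rejected" row can come from either end: if TLS 1.0/1.1 are disabled in SCHANNEL on the machine running the script, it cannot offer them in the first place. Read the Detail column, and when in doubt run the same probe from a host where the old versions are still enabled.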

How will this affect you?

Listed below is the minimum required version of Citrix Receiver per platform. If you have an earlier version, you will be unable to connect.

Platform   Minimum Receiver version
Windows    4.2.1000
Mac        12.0
Linux      13.2
Android    3.7
iOS        7.0

What can you do to prevent this?

Last May, at Synergy, Citrix announced that Receiver would join the Workspace family. So don't go looking for a newer version of Citrix Receiver; get the latest version of Citrix Workspace app instead, which can be downloaded here. All the Workspace apps have dropped the TLS 1.0 and 1.1 protocols.

The full statement from Citrix can be found at this link.



Changing default ADFS Decrypt/Signing Certificate lifetime from 1 year to X years

ADFS 2.0 and later versions have a feature called AutoCertificateRollover that automatically renews the token-decrypting and token-signing certificates in ADFS; by default these certificates have a lifetime of 1 year. If you have federations (Relying Party Trusts) configured and the Service Provider (SP) does not consume the ADFS federation metadata to keep its configuration current when ADFS changes, the ADFS administrator has to notify each such Service Provider of the new decrypt/signing certificate thumbprints every time the ADFS servers renew the certificates.

To minimize the frequency of above task you can configure the default lifetime of the Decrypt and Signing certificates so you only have to do it every X years instead of every 1 year.

Below is the ADFS 3.0 PowerShell configuration that changes the default lifetime to 5 years.
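An added example standing in for the command the original post showed at this point (it did not survive extraction); it is not the post's own text. Run it in an elevated PowerShell session on an ADFS server (the primary node in a WID farm). The 5-year figure is the one the post describes; the promotion-threshold behaviour it relies on is the ADFS default of 5 days.

```powershell
# Added example (not from the original post): set a 5-year lifetime for the self-generated
# token-signing and token-decrypting certificates and list what the SPs need to be told.
Import-Module ADFS

$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    throw 'AutoCertificateRollover is disabled; CertificateDuration only applies to self-generated certificates.'
}
"Current duration: {0} days, promotion threshold: {1} days" -f $props.CertificateDuration, $props.CertificatePromotionThreshold

# Lifetime, in days, applied to the next self-signed token-signing and token-decrypting certificates.
Set-AdfsProperties -CertificateDuration (5 * 365)

# Generate new secondary certificates now, with the new lifetime. Without -Urgent they stay
# secondary and are promoted after CertificatePromotionThreshold days (5 by default), which is
# the window in which SPs that do not read the federation metadata must get the new thumbprints.
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting

# What to hand to those SPs: the secondary (IsPrimary = False) thumbprints and their expiry.
Get-AdfsCertificate | Where-Object { $_.CertificateType -ne 'Service-Communications' } |
    Select-Object CertificateType, IsPrimary,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize
```

The trade-off is worth stating: a longer lifetime means fewer thumbprint hand-offs, but also that a leaked signing key stays usable for longer. If you ever suspect the key is compromised, `Update-AdfsCertificate -Urgent` generates and promotes a new certificate immediately, at the cost of breaking every SP that has not updated yet.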


See below for how it should look with new secondary certificates created with a lifetime of 5 years. When the date 3/23/2019 is reached, the ADFS server will automatically activate the (currently) secondary certificates and update its metadata accordingly. For any federations that do not use the ADFS metadata, the SPs will have to update the decrypt/signing certificate thumbprints on their side on that particular date (and at that specific hour, to minimize downtime of the federation trust).

If you have any questions or comments on the above, feel free to leave a message here or email me directly at rasmus.kindberg@xenit.se.



Are you able to spot phishing emails?

Phishing is an attack in which the attacker contacts a victim while pretending to be a trustworthy party, in order to obtain information the victim would not have handed over if the attacker had used their real identity.
When an attacker targets specific individuals or groups within an organization, the method is called spear phishing. According to the Symantec ISTR report, volume 23 (2018), the majority of organized security breaches used spear phishing as the infection vector.

One reason these attacks are so effective and so common is that they are built to exploit people's emotions. It also takes less effort to write an email pretending to be from a supplier and trick a victim into clicking a link or opening an attachment than to spend the time finding a way through a firewall or another security control. Malware is usually spread with these emails in the form of malicious links or attachments; when the user clicks the link or opens the attachment, the malicious code executes on the victim's system.

This has been a common problem for years now, and many users know that you shouldn't open files from unknown sources, but are you equally careful when clicking links? If the description looks interesting, you will most likely click the link without actually reading the domain name first, and that is another weakness an attacker can exploit.

Example of link manipulation
Let's say you work for the company xyz and its website is 'xyz.com'. An attacker could register a malicious site with a similar name, for example 'secure-xyz.com', or use the legitimate domain with an open redirect to a malicious site:

  • http://www.secure-xyz.com
  • http://www.xyz.com/amp/http://www.badsite.com

They could also percent-encode the URL to make it harder to read, or shorten it:

  • http://www.xyz.com%2Fexit.asp%3FURL%3Dhttp%3A%2F%2Fwww.badsite.com
  • https://bit.ly/2TZB50k
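The habit the examples above are meant to teach is to ask "which host will the browser actually connect to?" rather than "does the link mention xyz.com?". The script below does that mechanically for the four tricks shown (look-alike domain, open redirect, percent-encoding, shortener), as an added example that is not from the original post. It assumes xyz.com is the organisation's own domain, as in the post; the sample links are constructed.

```powershell
# Added example (not from the original post): classify links by their real target host.
# Assumption: $OwnDomain is the organisation's domain; the sample links are constructed.
function Test-SuspiciousLink {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OwnDomain
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. The part the browser resolves is the authority: everything between "scheme://" and the
    #    first "/", "?" or "#". Percent-encoding there is never legitimate in a hostname.
    $authority = (($Url -replace '^[A-Za-z][A-Za-z0-9+.-]*://', '') -split '[/?#]', 2)[0]
    if ($authority -match '%') { $reasons.Add('Percent-encoding inside the host part') }

    # 2. Parse it; what a browser connects to is $uri.Host, not whatever name appears first.
    $uri = $null
    $parsed = [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)
    $targetHost = if ($parsed) { $uri.Host.ToLowerInvariant() } else { $null }
    if (-not $parsed) { $reasons.Add('Does not parse as a URL') }

    # 3. "Ours" means the host is the domain itself or a subdomain of it. Both secure-xyz.com
    #    and xyz.com.badsite.com contain the string "xyz.com" and both fail this test.
    $label = ($OwnDomain -split '\.')[0]
    if ($targetHost) {
        $isOurs = ($targetHost -eq $OwnDomain) -or $targetHost.EndsWith(".$OwnDomain")
        if (-not $isOurs -and $targetHost -like "*$label*") {
            $reasons.Add("Look-alike host '$targetHost' is not under $OwnDomain")
        }
        if ($targetHost -in @('bit.ly', 'tinyurl.com', 't.co', 'goo.gl')) {
            $reasons.Add('URL shortener hides the real destination')
        }
    }

    # 4. A second absolute URL after the first host is the open-redirect pattern. Decode first
    #    so that http%3A%2F%2F is seen as http://.
    $decoded  = [System.Uri]::UnescapeDataString($Url)
    $embedded = [regex]::Matches($decoded, '(?i)https?://([^/?#&\s]+)') | Select-Object -Skip 1
    foreach ($m in $embedded) { $reasons.Add("Embedded redirect target '$($m.Groups[1].Value)'") }

    [pscustomobject]@{
        Url     = $Url
        Host    = $targetHost
        Verdict = if ($reasons.Count) { 'Suspicious' } else { 'No findings' }
        Reasons = $reasons -join '; '
    }
}

# Constructed sample links: the post's examples plus one legitimate link and one subdomain trick.
$Links = @(
    'http://www.xyz.com/news',
    'http://www.secure-xyz.com',
    'http://www.xyz.com/amp/http://www.badsite.com',
    'http://www.xyz.com%2Fexit.asp%3FURL%3Dhttp%3A%2F%2Fwww.badsite.com',
    'http://www.xyz.com.badsite.com/login',
    'https://bit.ly/2TZB50k'
)
$Links | ForEach-Object { Test-SuspiciousLink -Url $_ -OwnDomain 'xyz.com' } | Format-Table -AutoSize
```

"No findings" is not "safe": the check only catches the patterns it knows about, and a link to an unrelated domain that hosts a credential-harvesting page will pass it. It is a reading aid for the triage described above, not a replacement for the URL scanners or the awareness training the post goes on to recommend.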

In general, pay attention to links that look odd, and if you are not sure where a link leads, do not visit it. It is better to be safe than sorry, and today there are good online tools that scan a URL for malicious content; one of them is

To use it, you just enter a URL and press Enter. Multiple anti-malware engines then scan the URL.

And for this test we can see that no engines detected our URL ‘https://www.xenit.se’ as malicious.

These and similar tools are great, but the best way to reduce the risk of falling victim to this kind of attack is to arrange awareness training for all employees regularly. Below is a link to a quiz that puts your ability to identify phishing emails to the test: you inspect a number of emails, decide whether each is malicious, and afterwards get a good explanation of why or why not.

Link to quiz:
https://phishingquiz.withgoogle.com/

Were you able to identify all the phishing mails? Please leave a comment with your result, or if you want to discuss phishing further.