Monthly archives: August, 2017

Update for Windows is already installed on this computer?

Some updates from Windows Update fail during installation with a prompt saying that the update is already installed. A recurring example is KB3146978, which is listed as a recommended hotfix for RDS 2012 R2 Session Hosts. In several environments I have seen that KB3146978 is not listed under Installed Updates, Systeminfo, PowerShell's Get-Hotfix, wmic get hotfixid or other methods based on Win32_QuickFixEngineering, yet the installation still stops at "Update for Windows is already installed on this Computer".

To get a more inclusive overview of which updates are actually installed, the following can be run:

# Query the complete Windows Update Agent history and export it to a CSV file on the desktop
$Session = New-Object -ComObject "Microsoft.Update.Session"
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$Searcher.QueryHistory(0, $historyCount) | Select-Object Title, Description, Date,
    @{name="Operation"; expression={switch($_.operation){
        1 {"Installation"}; 2 {"Uninstallation"}; 3 {"Other"}
    }}} | Export-Csv -NoType "$Env:userprofile\Desktop\Windows Updates.csv"

Windows Updates.csv is then placed on the desktop and, in this example, contains information showing that KB3146978 is in fact installed.
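When verifying patch status it helps to list exactly which KBs the two sources disagree on. The following is an added example, not part of the original post: it takes the latest successful history entry per KB from the Windows Update Agent and reports those whose last operation was an installation but which Get-HotFix does not list. The function name is hypothetical.

```powershell
# Added example (not from the original post): find KBs that the Windows Update
# Agent history records as installed but Win32_QuickFixEngineering does not list.
function Get-UpdateHistoryState {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return }   # QueryHistory cannot be called with a count of 0

    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match 'KB\d+' -and $_.ResultCode -eq 2 } |  # 2 = succeeded
        ForEach-Object {
            [pscustomobject]@{
                KB        = [regex]::Match($_.Title, 'KB\d+', 'IgnoreCase').Value.ToUpper()
                Operation = $_.Operation   # 1 = installation, 2 = uninstallation
                Date      = $_.Date
                Title     = $_.Title
            }
        } |
        Group-Object KB |
        # Keep only the most recent successful entry per KB, so that a later
        # uninstallation overrides an earlier installation.
        ForEach-Object { $_.Group | Sort-Object Date | Select-Object -Last 1 }
}

# KB identifiers as reported by Win32_QuickFixEngineering
$qfe = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# Installed according to the update history, but missing from Get-HotFix
Get-UpdateHistoryState |
    Where-Object { $_.Operation -eq 1 -and $qfe -notcontains $_.KB } |
    Sort-Object Date |
    Select-Object KB, Date, Title
```

Entries that are never registered in Win32_QuickFixEngineering, such as antimalware definition updates, will also appear in the output, so read it as a list of candidates to review rather than a list of errors.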



Scout 3.0 released with XenApp 7.14

When the XenApp/XenDesktop 7.14 media became available on 2017-06-09, Scout v3.0 was also included on the media.

Scout GUI


Scout is a tool that lets Citrix administrators easily collect diagnostics and log files from a Delivery Controller or VDA. The log files can then be uploaded to Citrix Insight Services (CIS) for analysis and health checks, and to get recommendations on actions or improvements.

The tool is also used when in contact with Citrix support, to facilitate troubleshooting and shorten the time it takes to resolve incidents or problems. Currently Scout v3.0 is not available via a separate download link the way Scout v2.23 is.

Scout v3.0 is only included in the media used to install and upgrade XenApp/XenDesktop environments.

Worth noting is that the earlier version of Scout (2.x) supports:

  • XenApp 6.x
  • XenDesktop 5.x
  • XenApp/XenDesktop 7.1 up to 7.14

Version 3.0 only supports XenApp/XenDesktop 7.14 and later.

If for some reason you deselected the installation of the Citrix Telemetry Service when installing the VDA, or removed the service, you can perform the installation manually by running the installation file on the media, located under "Citrix XenApp and XenDesktop 7.14.1\x64\Virtual Desktop Components\TelemetryServiceInstaller_x64.msi".

The new version improves security, performance and the user experience.

Other improvements are:

  • Capture Always-on-Traces (AOT)
    • AOT eliminates the need to reproduce problems, since the logon traces can be sent securely to Citrix with the tool.
  • Collection of unlimited diagnostic data (depending on available resources)
    • Earlier versions had a default of 10 devices per collection.
  • Support for Citrix Cloud
  • Scheduling of Call Home
  • PowerShell Call Home cmdlets on all machines where the Telemetry Service has been installed
    • Previously you had to use CMD on the local machine.

To read more about how to use the new Scout v3.0, visit the following link.

Sources: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-14/manage-deployment/cis/scout.html



Configure Google Chrome in a multi-user environment

Installing and configuring Google Chrome in a multi-user environment can be anything but easy. More and more users are switching from Internet Explorer to a much more convenient browser, and they expect to use it at work too. In this post, I will provide a short tutorial on how I usually install and configure Google Chrome for a seamless, popup-free experience for your end users.

Installing Google Chrome is a basic next, next, next installation using the MSI file provided here. The problem with configuring Chrome is that there are several ways to set different kinds of settings. Sometimes the same type of setting can be configured in several places, and sometimes there is only one place to configure it. There are mainly three ways of configuring settings: policy-based (ADMX template), master preferences, and tags on the shortcut when launching Chrome. I will be talking about the first two in this post. I always try to set as many settings as possible in a Group Policy Object (GPO) using the ADMX templates. Why? Because it is much easier to update a GPO than to update a file on each session host.

Google Chrome is an application that configures and does many things in the background. Do you really want all users to be prompted to check the default browser, get a first-run introduction and have shortcuts created on the desktop? Although this is a standard procedure that most users are familiar with, it is much more convenient (and more enterprise-like) to not get any popups at all. Below is what I usually add in the "master_preferences" file. I have not found a convenient way to see a full list of settings to configure, but this is the closest I have yet to come.

notepad "C:\Program Files (x86)\Google\Chrome\Application\master_preferences"
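As an added example (not the author's own file, which is not reproduced on this page), the script below generates a "master_preferences" file that suppresses the prompts named above: the default-browser check, the first-run introduction and shortcut creation. The selection of keys is an assumption about what such a file would contain; the path is the one from the post.

```powershell
# Added example (not from the original post). Run elevated on the session host
# after Chrome has been installed. The chosen keys are an assumed selection.
$path = 'C:\Program Files (x86)\Google\Chrome\Application\master_preferences'

$prefs = [ordered]@{
    distribution = [ordered]@{
        # First-run introduction and welcome page
        skip_first_run_ui                         = $true
        show_welcome_page                         = $false
        # Default-browser prompts
        suppress_first_run_default_browser_prompt = $true
        make_chrome_default                       = $false
        make_chrome_default_for_user              = $false
        # Shortcut creation and auto-launch after installation
        do_not_create_desktop_shortcut            = $true
        do_not_create_quick_launch_shortcut       = $true
        do_not_create_taskbar_shortcut            = $true
        do_not_launch_chrome                      = $true
        # No import of data from other browsers on first run
        import_bookmarks                          = $false
        import_history                            = $false
        import_search_engine                      = $false
    }
    browser    = [ordered]@{ check_default_browser = $false }
    sync_promo = [ordered]@{ show_on_first_run_allowed = $false }
}

$json = $prefs | ConvertTo-Json -Depth 4

# Round-trip the text to confirm it parses as JSON before it is written.
$null = $json | ConvertFrom-Json

# Write as UTF-8 without a byte-order mark.
[System.IO.File]::WriteAllText($path, $json, (New-Object System.Text.UTF8Encoding($false)))
```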

 

After installing Google Chrome and adding the "master_preferences" file, I usually proceed by downloading the ADMX templates from here. Download and install the ADMX template in your central store. Browsing through the settings, you should notice three things.

  1. All settings are applied to the computer, meaning that the configured settings do not affect user login time.
  2. There are two folders with policies. In "Google Chrome – Default Settings" the user may override all the configured defaults. In the other folder the user may not override the configured defaults.
  3. The settings we configured using "master_preferences" are not overridable.

Google Chrome GPO

Please browse through each setting in the group policy and configure the settings to your liking.

Google Chrome saves a lot of settings and files in the user profile. If you are using roaming profiles, the profiles will soon begin to fill up and users will get longer login times. There are two different approaches we can take. If your roaming profile system allows you to include and exclude files and directories, you may use the first one below.

Include files:

The second approach is to configure the policy "Set user data directory" to point to your home directory. I prefer using the second one because it is much easier to manage.

Google Chrome GPO User data directory



SCCM – Application installation summary report

This post will describe how to create an application installation summary report in SCCM. This is a great tool to have when, for example, you are doing a health check of your applications and their different versions. The report is built in Microsoft SQL Server Report Builder, and you can see the final result in the pictures below.

I will now describe the different pieces of the report so you can make it fit your environment:

Add the following datasets to the report; just make sure they are applicable to your environment:

ApplicationCount

ExpandComputerName

ExpandApplicationName

The next step is to create the layout as shown in the picture below. When the layout is done, put in the data from the datasets and the two expressions you can see under the picture.

View of the report in Microsoft SQL Server Report Builder.

In the first expression we get the application name from the list search or the wildcard search:

In the second expression we join the computers within each software version result:

The last step is to save the report and try it out.

The report lets you choose an application from a drop-down list (where all the applications in your environment will show up) or through a wildcard search. It will then show the selected application (and/or the specific version of your choice) in a list with parameters such as how many computers the application is installed on and the names of the computers.

List of all the applications in your environment.

Wildcard search that overrides the application list search.

A list with the computers that have the application installed.

The view of the report run in Internet Explorer.



DirectAccess with Teredo Protocol requires ICMP traffic to be allowed

With Microsoft DirectAccess (DA) there are three different protocols that you can utilize: 6to4 and Teredo are the primary ones, and IPHTTPS is the fallback if both primary protocols fail or are not configured correctly (6to4 is attempted before Teredo). One thing that is different with the Teredo protocol is that the DirectAccess server will send a one-time ping (ICMP) to any DA-configured address that the DirectAccess client is trying to connect to.

Example of this with Netscaler Load Balancing:
In a real-life case, a customer was load balancing internal websites on a Netscaler and wanted these websites to be accessible through DA, but it was not working for unknown reasons, until we figured out the ICMP requirement and added an exception for it on the Netscaler. By default, when we configure a Netscaler, we set it up to block most ICMP traffic (http://shouldiblockicmp.com/).

Below is an example Access-Control-List (ACL) on Netscaler that will allow ICMP traffic (by default a Netscaler will not have any ACLs configured and allow all traffic, in which case this is not needed). Replace "192.168.50.55" with the IP of your DA server, and ensure the ACL Priority is a lower value than your Deny ACLs (if you have any).

add ns acl A-DA-ANY_ICMP ALLOW -sourceIP = 192.168.50.55 -protocol ICMP -priority 100
apply ns acls

The ICMP message is of Type 8, Code 0, which you can specify in the ACL if you want to create a more specific ACL rule. Picture taken from Wireshark trace:

In case you are not fronting your internal servers with a load balancer (such as Netscaler) and you are using Windows Firewall on your internal hosts, you might need to allow ICMP traffic in your Windows Firewall for these hosts.
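For the Windows Firewall case, the allowance can be limited to what the DA server actually sends: ICMPv4 Echo Request (Type 8) from the DA server's address. This is an added example, not part of the original post; it reuses the sample address 192.168.50.55 from the ACL above, and the rule name and the choice of the Domain profile are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the internal host.
$DaServerIp = '192.168.50.55'   # sample address from the post; replace with your DA server
$RuleName   = 'Allow ICMPv4 Echo Request from DirectAccess server'   # hypothetical name

# Broad form, shown only for contrast: every source may ping the host.
# New-NetFirewallRule -DisplayName 'Allow ICMPv4-In' -Protocol ICMPv4 -Direction Inbound -Action Allow

# Scoped form: Echo Request only, from the DA server only. The check makes the
# script safe to run repeatedly without creating duplicate rules.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $DaServerIp `
        -Profile Domain | Out-Null   # assumption: internal hosts use the Domain profile
}

# Read the rule back to confirm the protocol, ICMP type and source scope.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        IcmpType      = $port.IcmpType
        RemoteAddress = $addr.RemoteAddress
    }
}
```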

Is Teredo used in my environment/scenario?
One way to check if Teredo is being utilized in your DA setup is to log on to your DA server and run the command below. If there is a Teredo Interface showing, then it is at least configured, and then you can check how much, if any, traffic is being passed through it (‘Bytes In’, ‘Bytes Out’). As we see in this picture, Teredo is being utilized.

Disabling 6to4 or Teredo can be done either on the DA server or on the DA clients by disabling the relevant network interfaces (Teredo, for example), or by preventing the DA clients from using specific protocols through the DirectAccess GPO settings (see link further down).

To get a better understanding of the three protocols possible with DirectAccess, and their advantages/disadvantages, I recommend the blog posts below:
Richard Hicks: DirectAccess IPv6 Transition Protocols Explained
Richard Hicks: Disable 6to4 IPv6 Transition Protocol for DirectAccess Clients
Microsoft Technet: DirectAccess and Teredo Adapter Behaviour

If you have any questions or feedback on the above content, feel free to email me at rasmus.kindberg@xenit.se.