Monthly archives: January, 2019

Teams keeps crashing in Citrix

A while ago I installed Teams in a client Citrix environment. I solved the large profile issue (Microsoft recommends 3 GB of free data for each user) with FSLogix; you can read more about that in my earlier blog post here!

While testing Teams in the client test environment it all worked flawlessly. I then proceeded to implement it in the production environment, and it all worked great: Teams installed and worked as expected. Or so I thought…

The Problem

Next day I received multiple complaints about Teams hanging and restarting only to resume in a hanging state. In summary, it DID NOT WORK. Puzzled as to why, since it still worked as expected in the test environment, I started to investigate. I started by checking the Event Viewer for any clues; there were none. I then proceeded to check the Teams install log (you can find it here: "C:\Users\USERNAME\AppData\Local\SquirrelTemp\SquirrelSetup.log"); there was nothing to find there either. I scavenged the internet for answers but always got the same solution: delete Teams and reinstall it. That did not work in my scenario. We also have 2 customers running this exact setup but without any issues. What I then started to suspect was the platform Citrix was running on, specifically virtual vs physical servers. All the installations on a virtual server worked, but on our physical server it did not.

Eventually I did a deep-dive to see what actually happens when it crashes and I discovered the following:

  1. When checking the Details tab in Task Manager I discovered that when Teams begins to be unresponsive, a Werfault.exe (Windows Error Reporting) process starts and takes a lot of CPU resources but never quite finishes.
  2. After investigating in Procmon I found something suspicious: CtxGraphicHelper.dll

     This is a Citrix hook, used by Citrix to make programs do things they were not programmed to do. Basically, it's used to make applications work in a Citrix environment. If you want to know more on the subject please read this article explaining how it works!
  3. After recovering this information I found a discussion on Reddit explaining my exact scenario, and a workaround for this specific issue. See below on how to apply the workaround.

Workaround

To get Teams to work in your Citrix environment if you experience this specific issue, you need to exclude all Citrix hooks from Teams.exe. You do this by editing or adding the following registry value:

32-bit version:
HKLM\SOFTWARE\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

64-bit version:
HKLM\SOFTWARE\WOW6432Node\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

Note: The server needs to restart for the changes to take effect!
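
One way to script the registry change above without overwriting exclusions that are already configured. This is an added example, not part of the original post; it assumes ExcludedImageNames holds a comma-separated list of executable names and that it is run from an elevated PowerShell script on the Citrix server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): append Teams.exe to the
# ExcludedImageNames value under both keys listed above, keeping any
# exclusions that already exist.
# Assumption: the value is a comma-separated list of image names.

$image = 'Teams.exe'
$keys  = @(
    'HKLM:\SOFTWARE\citrix\CtxHook',
    'HKLM:\SOFTWARE\WOW6432Node\citrix\CtxHook'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found, skipping"
        continue
    }

    # Read the current value; $null if the value does not exist yet.
    $current = (Get-ItemProperty -Path $key -Name ExcludedImageNames `
                    -ErrorAction SilentlyContinue).ExcludedImageNames

    # Split into clean entries and drop empty ones.
    $names = @($current -split ',' |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ })

    if ($names -contains $image) {      # -contains is case-insensitive
        Write-Output "$key already excludes $image"
        continue
    }

    $new = ($names + $image) -join ','
    Set-ItemProperty -Path $key -Name ExcludedImageNames -Value $new -Type String
    Write-Output "$key ExcludedImageNames: '$current' -> '$new'"
}
```

The before and after values are printed so the change can be recorded and reverted if the exclusion causes other issues.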

Summary

This workaround is far from ideal; disabling the Citrix hooks is not recommended and can result in other issues with Teams. Please test it properly before making any organization-wide changes. And be aware that Teams has not yet been implemented in the HDX Optimization Pack, meaning it will not offload sound and video to your client. I’m sure Citrix is working hard to implement this as soon as possible.

I have not found the exact reason why this is an issue and why it only seems to affect physical servers and not virtual ones. I suspect it’s the CtxGraphicHelper hook I discovered in Procmon that might be the source of the problem. But it seems this workaround will get Teams to work just fine in your Citrix environment.

Please let me know if you have any questions or have anything to add!



What is ReasonML and why should you care?

ReasonML is an alternate syntax for OCaml invented at Facebook to be more familiar to programmers coming from JavaScript. OCaml is an over 20 year old general purpose language that is both expressive and safe. It belongs to the ML family of languages, which means that it has a strong type system that will guide you to write fewer bugs. Other languages in the ML family that you might have heard about are F# and Haskell.

Because ReasonML is just an alternate syntax for OCaml, everything that is possible with one can be done with the other. ReasonML can be compiled to native binaries and bytecode with the standard compiler, and there are two ways to compile to JavaScript: “JavaScript of OCaml (JSOO)” and BuckleScript. The natively compiled binaries are often really fast, especially when compared to the Node-based JavaScript that powers both web servers and desktop apps. esy is a package manager that introduces an npm-like workflow for native development. Right now its main goal is to be the best package manager for OCaml and Reason, but it can in theory be used with any language.

At Xenit we’re using ReasonML together with React, via ReasonReact, to build the frontend of our Identity Provider. It brings us ease of refactoring and a higher degree of security when writing our code. We’re building some other internal tools with ReasonReact and we’re also exploring developing native applications with ReasonML. This includes both UI applications built with revery, a framework that aims to replace Electron as a simple way to create desktop applications, and microservice backends.

This is just an introduction and there will be more interesting posts about the Reason universe in the future.



“Outlook cannot perform your search” on Windows Server 2016 running Remote Desktop Services

INTRODUCTION

Speaking on behalf of all IT technicians, there is no doubt that we have all had our hands in cases related to Outlook. Oftentimes I find them quite straightforward to resolve. However, that was until I encountered a particularly obscure issue with Outlook’s search engine, and its equally obscure resolution.



Why does Teams not install for my users?

In October last year Microsoft released an MSI installation package of Teams, making it easy to deploy Teams to computers in your organization. As you know, Teams (for some unknown reason) installs directly into your profile. I suspect they have designed it this way to make sure everyone can install the application: even if you’re not a local administrator on your computer, you do have sufficient rights to your profile to perform an installation of Microsoft Teams.

Since I work primarily with Citrix, and could see that Microsoft Teams is growing in popularity, I started to investigate if I could make it work in a Citrix environment. But that is another story; you can read my blog post on how I installed Teams in our Citrix environment here!

Teams is supposed to install when a user logs on to the server: it will automatically install the latest Teams available to your profile and then start it. But in some cases I have seen an issue after installing the Teams wide Installer where the users simply do not get anything installed. One function of this installer is that it checks your profile for traces of Teams. If it detects part of Teams it will not try to install it again (unless it’s an update), and if the user uninstalled Teams it will still detect some left-overs and will therefore not install Teams again. With that said, you need to make sure your profile is clean from Teams. Unfortunately this was not the case here. It simply did not install!

To understand why this might happen you need to know how some multi-user environments are designed, from a security perspective!

If you are like us, security oriented, you might have disabled Run and Run Once, which are used by some applications to auto-start or to continue an installation after a restart, and which are unfortunately a very popular place to auto-start viruses and other malware. It is therefore common to disable them.

This is exactly the place where Microsoft Teams specifies the value that starts the Teams installation for a user. If it’s disabled, nothing will ever happen!

There is however a really easy way around this:

You probably already thought about this by now but there is a tiny detail that will make it work exactly as it was supposed to:

  1. Create a Shortcut – Name it Install Teams (or something else if you like)
  2. Target the Teams.exe file with this specific argument: "C:\Program Files (x86)\Teams Installer\Teams.exe" --checkInstall --source=default
  3. Save it, and place it in the Startup folder in the Start Menu.

The last argument in the Target path (--checkInstall --source=default) is the reason Teams knows if you have it installed and keeps it updated.
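
The three steps above as a script, preceded by a check for the policies that switch off the Run and Run Once lists. This is an added example, not part of the original post; it assumes the lists were disabled through the standard Explorer policy values, that the arguments use double hyphens, and that the shortcut should go in the all-users Startup folder.

```powershell
# Added example, not from the original post. Run elevated on the server.
$target    = 'C:\Program Files (x86)\Teams Installer\Teams.exe'  # path from the post
$arguments = '--checkInstall --source=default'                   # arguments from the post

# 1. Report whether the Run / Run Once lists are disabled by policy.
#    Assumption: they were disabled via these Explorer policy values.
#    HKCU reflects the account running the script, not every user.
$policyValues = 'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
                'DisableCurrentUserRun',  'DisableCurrentUserRunOnce'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        if ($props -and $props.$name -eq 1) {
            Write-Output "Policy set: $key\$name = 1"
        }
    }
}

# 2. Create the shortcut in the all-users Startup folder.
if (-not (Test-Path -LiteralPath $target)) {
    throw "Teams installer not found at $target"
}
$startup = [Environment]::GetFolderPath('CommonStartup')
$lnkPath = Join-Path $startup 'Install Teams.lnk'

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $target
$lnk.Arguments        = $arguments
$lnk.WorkingDirectory = Split-Path $target
$lnk.Save()

Write-Output "Created $lnkPath -> `"$target`" $arguments"
```

By default the all-users Startup folder is writable only by administrators, so this autostart entry stays under administrative control while Run and Run Once remain disabled.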

I hope this easy little trick has been helpful, please make a comment if you feel like it or have some questions!



Move Software Updates to Intune with Co-management

To move on with the transition towards Modern Management we can use Co-management in SCCM to decide where settings are coming from. In this specific scenario we will do a switch from Software Updates via SCCM to Intune controlled Software Updates for one test client. I will show you the following steps.

  1. How to setup the Co-management connection in SCCM
  2. How to configure the Co-management connection to be able to switch Software updates from SCCM to a pilot Intune group
  3. How to configure a Windows 10 Update Ring in Intune and assign to a group
  4. How to verify that the client is getting the correct settings

Prerequisites for this scenario:

  • A test client (in my case running 1809)
  • SCCM environment (in my case running 1810)
  • Intune environment
  • Hybrid Azure AD Joined device
  • An Intune group with the test client as a member
  • Company Portal installed on a client

Steps 1 and 2 – These steps are done in the SCCM console

\Administration\Overview\Cloud Services\Co-management

1. Co-management > Configure Co-management

2. Next

3. Sign in

4. Logon with an Intune Administrator (Global administrator in my case)

5. Next

6. Automatic enrollment in Intune > Pilot

7. Next

8. Workloads > Switch Windows Updates policies to Pilot Intune

9. Pilot collection > Choose a collection with your test client

10. Next

11. Done

 

Step 3 – This step is done in Intune

https://devicemanagement.portal.azure.com

1. Software updates

2. Windows 10 Update Rings

3. Create

4. Name: SU-Windows 10-Test

5. Description: Software Update – Test group

6. Settings
Below is an example; please configure it so it fits your environment

7. Assignments

8. Select groups to include > Group with test client

9. Save

 

Step 4 – This step is done on the test client

1. Open Company Portal

2. Settings > Sync

3. Run > control update

4. View configured update policies

5. Look under Policies set on your device – here we want to see that settings are coming from Mobile Device Management as below

6. Be sure to turn off any GPOs that might turn off access to Windows Updates

7. Done

This is how you make the switch over to Intune and as you can see it doesn’t require that much.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

 



PVS-Accelerator

Introduction

PVS-Accelerator is a feature for Citrix Hypervisor (previously named XenServer). The feature utilizes the local storage and RAM on Dom0 on each Citrix Hypervisor and caches read requests from a provisioned target device. It saves network, CPU and Provisioning host disk I/O resources, effectively improving performance. Overall your storage and network should see an improvement if they are under heavy load today. [1]

Network Bandwidth Utilization [2]

PVS-Accelerator helps with improved end-user experience, accelerated VM boots and boot storms, and simplified scale-out: you add more hypervisor hosts, and fewer provisioning servers are needed.

Prerequisites

  • XenServer PVS-Accelerator feature is only available in Citrix Hypervisor 7.1 and Provisioning 7.13 or later
  • PVS-Accelerator is available for customers with XenServer Enterprise Edition or XenDesktop/XenApp licenses
  • If you have Citrix Hypervisor 7.1 or later, Provisioning 7.13 or later, and XenApp/XenDesktop, you should be able to utilize the feature without any extra license or upgrades [3]

Considerations

There is no need to reboot the XS host to enable PVS-Accelerator, unless you have less than 4 GB on Dom0, which is required to enable the feature. Also note that the recommended cache size on the storage repository is 5 GB for every vDisk version actively provisioned.

PVS-Acceleration configuration
  • PVS-Accelerator only caches reads from vDisk, but not writes or reads from a write cache. Support is for vDisks with any non-persistent write cache type, but not “Cache on Server, Persistent” or “Cache on device hard disk persisted” write cache type
  • If you have more than one virtual network interface (VIF), make sure that the first VIF of a VM is used for connecting to the Provisioning Server
  • If you have multiple Provisioning servers that are deployed with HA and the same VHD, but have different file system timestamps, data may be cached multiple times. Due to this limitation, Citrix recommends using VHDX format, rather than VHD for vDisks
  • If you are running a 10 GbE network or just a few streamed VMs you will probably not notice a big difference

Advantages

  • Lower network utilization
  • Faster VM Boot time (Around 60%)
  • Higher Provisioning server density
  • Improved logon time
  • Helps with a saturated network or branch office
Average VM Boot Time
Source: Virtualfeller.com [4]

How to install

Installation is pretty straight-forward. You can download the PVS-Accelerator Supplemental Pack at https://download.citrix.com (requires Citrix account).

  • Path: Downloads / Citrix Hypervisor (XenServer) / XenServer 7.1 LTSR or above (Any Edition) / Optional Components / PVS Accelerator Supplemental Pack
  • Download and install the .iso file from XenCenter
XenCenter – Install Update
XenServer – Select Update

A new tab will appear in XenCenter console. Select your Hypervisor pool and click the PVS tab. Configure the PVS-Accelerator by naming your site and cache configuration. [5]

Configure PVS-Accelerator

The next step is to go back to the Provisioning Console and create your VMs with PVS-Accelerator. You do this by right-clicking on your site and running the Setup Wizard. You cannot do this on your existing provisioned targets. The short explanation is that PVS-Accelerated VMs are tied to Provisioning servers with a UUID on the XenServer.

Note: If you were to re-install the XenServer where PVS-Accelerated VMs were enabled, Provisioning Services will become out of sync and you will need to delete the previously configured VMs associated with the cache configuration, including the host, and then reconfigure PVS-Accelerator and set up the cache again. [6]

Provisioning Console – Streamed VM Setup Wizard

Be sure to select “Enable PVS-Accelerator for all Virtual Machines” when configuring the number of VMs and their resources.

Provisioning Console – Enable PVS-Accelerator
Provisioning Console – Streamed VM Wizard

Verify that the PVS-Accelerator status is Caching your VMs from the XenCenter > Pool > PVS tab.

XenCenter – PVS Tab

References

[1] https://docs.citrix.com/en-us/xenserver/current-release/storage/pvs.html

[2] https://www.youtube.com/watch?v=l_vhMf3SFks

[3] https://support.citrix.com/article/CTX220746

[4] https://virtualfeller.com/2017/03/07/provisioning-services-accelerator

[5] https://support.citrix.com/article/CTX220735

[6] https://docs.citrix.com/en-us/provisioning/7-15/install/configure-accelerator.html