Nick Panaccio

Members
  • Posts

    194
  • Joined

  • Last visited

  • Days Won

    7

Posts posted by Nick Panaccio

  1. It has been years since I've had to configure O365 using CPM (last did it with FSLogix), so I thought I'd come here and ask for some details on the CPM config some of you are running in your non-persistent XenDesktop VDAs. We're having an issue where, at around the 25-day mark after the O365 login at which the tokens are downloaded into the Licensing folder, users are receiving a COULDN'T VERIFY ACCOUNT warning after launching any of their O365 apps:

     


     

    I've been troubleshooting this with Microsoft for the last few days with little progress, and wanted to see if anyone could provide their CPM config in a working environment. One thing to mention here is that we do not have Seamless SSO enabled in Azure AD. Our VDAs are hybrid joined, however.

     

    Currently, we are synchronizing the following two folders, the latter for an unrelated issue:

    AppData\Local\Microsoft\Office\16.0\Licensing

    AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

     

    I have only ever had to roam the Licensing folder, so I'd really like to know if there are other folders that should/should not be excluded from CPM in order for this to function properly.

  2. Anyone running 2203 VDAs with Tanium and CrowdStrike? We have seen nothing but crashes in 2203 (CU1 and CU2), and most point to one or the other. Tanium just consumes resources, and it appears as though the VMs are running out of CPU and memory just before the BSOD, but CrowdStrike components are always listed within the crash dump (not the faulting file, mind you). We first saw this in our non-persistent W10 environment, but I'm testing in persistent MCS and the crashes are coming on a daily basis.

     

    I have been told that "CrowdStrike requires no exceptions" blah blah blah, but I believe that about as much as I believe in the tooth fairy.

  3. 1 hour ago, Michael Brislen1709158665 said:

    Hi, did this ever get resolved, as we are having a similar issue once the platform layer has been updated?

     

    Thanks in advance

    Unfortunately, the only resolution I've found to work is to completely remove all XenTools each time I need to update the agent. I wrote a process that has been 100% successful for me in the past. Here is a link to my cleanup scripts (ensure that all files are in the same directory when run): https://drive.google.com/file/d/1isOzZ8Y7V5O5hvVOwClldcR-ou_meOnX/view?usp=share_link

     

    To upgrade the Citrix XenServer Management Agent, do the following:

    1. Run Uninstall.ps1
      • This will uninstall previous XenServer Management agents, and is required because previous upgrades result in the NIC/network being broken in future layer versions
    2. Reboot the VM
    3. Run Run.ps1
      • This script will remove old XenServer driver files
      • Edit the path to Cleanup.ps1 within this script before running!
    4. Reboot the VM
    5. Run Install.ps1 to install the latest XenServer Management Agent
    6. Reboot the VM twice
    7. Add the XenServer Agent name, version and Product GUID to the Cleanup.ps1 script

    I always installed the XenServer Agent in the OS layer, so you'll want to create a new Platform layer based on this OS layer once it's finalized.
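    As an added example (not the author's Uninstall.ps1 or Cleanup.ps1, which are only linked above and not shown on this page), the following PowerShell does the part of the procedure that step 1 and step 7 describe: it finds the installed XenServer Management Agent in both Uninstall registry hives, records its name, version and Product GUID (the three values step 7 says Cleanup.ps1 needs), and removes it through msiexec by that GUID. The DisplayName pattern and the record file path are assumptions.

```powershell
# Added example, not the author's script. Locate the XenServer Management Agent by
# display name, record name/version/Product GUID for the cleanup script, and remove
# it with msiexec /x <ProductCode>. Pattern and record path are assumptions.
param(
    [string]$DisplayNamePattern = '*XenServer*Management Agent*',                 # assumption
    [string]$RecordFile = "$env:ProgramData\XenToolsCleanup\agent-record.json",   # assumption
    [switch]$Uninstall
)

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# MSI products are keyed in these hives by their {GUID} ProductCode, which is
# exactly the "Product GUID" the cleanup script wants.
$agents = foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName -like $DisplayNamePattern) {
            [pscustomobject]@{
                Name        = $p.DisplayName
                Version     = $p.DisplayVersion
                ProductGuid = $_.PSChildName
                Hive        = $hive
            }
        }
    }
}

if (-not $agents) {
    Write-Warning "No installed product matches '$DisplayNamePattern'"
    exit 0
}

# Step 7: persist name, version and GUID so a later cleanup can target this exact build
$null = New-Item -ItemType Directory -Path (Split-Path $RecordFile) -Force
$agents | ConvertTo-Json | Set-Content -Path $RecordFile
$agents | Format-Table -AutoSize

if (-not $Uninstall) { exit 0 }

# Step 1: remove the agent by ProductCode; the procedure reboots immediately afterwards
foreach ($a in $agents) {
    if ($a.ProductGuid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        Write-Warning "$($a.Name) is not an MSI product (key $($a.ProductGuid)); use its UninstallString instead"
        continue
    }
    $log  = "$env:TEMP\xs-agent-uninstall-$($a.Version).log"
    $args = "/x $($a.ProductGuid) /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
    # 0 = removed, 3010 = removed but a reboot is required (the next step reboots anyway)
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec /x $($a.ProductGuid) failed with exit code $($proc.ExitCode); see $log"
    }
    Write-Host "Removed $($a.Name) $($a.Version); reboot before running the driver cleanup"
}
```

    Run it once without -Uninstall to confirm the pattern matches only the agent and to capture the record file, then with -Uninstall as step 1 of the procedure above.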

  4. I can only speak to how I implemented Defender in our XenDesktop environment (W10 20H2, non-persistent), which is a little different than the route you took. First things first - there are two really good blogs on this topic, in case you haven't seen them. Here's part 1 and part 2. I did not opt for the local GPO method, instead using a domain GPO for onboarding. Here are the steps I took to configure Defender:

     

    1. Create a DFS share to host Defender's Security intelligence updates per part 1 of that blog
    2. Create a GPO to manage Defender's settings (see screenshot below)
      1. Note: For "Define the order of sources...", I use FileShares|MMPC because if the share hosting the defs goes down, the only way your VMs will receive updated defs is if you use MMPC, which will grab them from Microsoft's website directly. I found this out the hard way, and confirmed the behavior with MS
      2. This GPO also uses a PowerShell Startup script (computer policy) for onboarding
        1. Onboard-NonPersistentMachine.ps1 is used for the script, but make sure that WindowsDefenderATPOnboardingScript.cmd is also present in that folder if you intend to use 'a single entry for each machine' per part 2 of that blog, which is the route I assume most would want with non-persistent VMs
    3. Enable Defender in the OS layer, and run Windows Update to pull in the latest defs
    4. After compiling the image, I edit it in Private mode to seal it, performing the following tasks in my sealing script:

        #Install the latest Defender definitions before sealing
        Write-Host "Updating Defender..." -ForegroundColor Yellow -NoNewLine
        #Purge the dynamic (cloud-delivered) signatures first so the image does not ship a stale set
        Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-RemoveDefinitions -DynamicSignatures" -Wait -PassThru | Out-Null
        Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-SignatureUpdate" -Wait -PassThru | Out-Null
        Write-Host " Done" -ForegroundColor Green
        
        #Scan the compiled image before sealing (a full scan of the master, so it runs once here rather than on every clone)
        Write-Host "Scanning the image with Defender..." -ForegroundColor Yellow -NoNewLine
        Start-MpScan -ScanType FullScan
        Write-Host " Done" -ForegroundColor Green
        
        #Configure Defender settings that need to be baked into the image, as some require a reboot
        Write-Host "Configuring Defender..." -ForegroundColor Yellow -NoNewLine
        #Shared security intelligence lives on the DFS share; MMPC is the fallback if the share is unreachable
        Set-MpPreference -SharedSignaturesPath \\domain.com\Citrix\WDAV\wdav-update
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\domain.com\Citrix\WDAV\wdav-update
        Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $False
        Set-MpPreference -SignatureFallbackOrder 'FileShares|MMPC'
        Write-Host " Done" -ForegroundColor Green

    That's all I do for our W10 non-persistent VMs, and Defender has been fine in our environment. All VMs onboard properly, and I never have to worry about offboarding since I don't onboard my master image, etc. It's much cleaner this way, IMO. I will say that Defender is a bit of a pig, somehow. We moved from Trend Micro Apex One, which did much better in terms of resource consumption. Not only does Defender use more CPU and RAM, but it also added 10 seconds to our logon time just by having the services enabled.

    (Screenshot of the Defender GPO settings: Defender.jpg)
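    As an added example (not part of the original post or the author's sealing script), here is a pre-seal check in PowerShell that verifies the settings above actually took effect: the fallback order tries the share first and still includes MMPC, the share is reachable and contains extracted definition files, the signatures on the master are fresh, and the master image itself has not been onboarded to MDE (since onboarding is meant to happen on the clones at startup). The share path, the 24-hour freshness limit, the *.vdm check and the MDE status registry key are assumptions about this environment.

```powershell
# Added example, not the author's code. Verifies the Defender image settings from the
# post before sealing. Share path, max signature age, share layout (*.vdm files) and
# the MDE status key are assumptions.
param(
    [string]$ExpectedShare = '\\domain.com\Citrix\WDAV\wdav-update',  # assumption: the post's path
    [int]$MaxSignatureAgeHours = 24                                   # assumption: local policy
)

$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$issues = New-Object System.Collections.Generic.List[string]

# 1. Update-source order: FileShares first, MMPC kept as the safety net
$order = $pref.SignatureFallbackOrder
if ($order -notmatch '(^|\|)MMPC(\||$)') {
    $issues.Add("SignatureFallbackOrder '$order' lacks MMPC; clones cannot update if the share is down")
}
if ($order -notmatch '^FileShares') {
    $issues.Add("SignatureFallbackOrder '$order' does not try FileShares first")
}

# 2. The configured share matches, is reachable, and holds extracted definitions
if ($pref.SignatureDefinitionUpdateFileSharesSources -ne $ExpectedShare) {
    $issues.Add("FileShares source is '$($pref.SignatureDefinitionUpdateFileSharesSources)', expected '$ExpectedShare'")
}
if (-not (Test-Path -Path $ExpectedShare)) {
    $issues.Add("Share '$ExpectedShare' is not reachable from this VM")
} elseif (-not (Get-ChildItem -Path $ExpectedShare -Recurse -Filter '*.vdm' -ErrorAction SilentlyContinue | Select-Object -First 1)) {
    $issues.Add("No extracted definition files (*.vdm) found under '$ExpectedShare'")   # assumption about layout
}

# 3. Signature freshness and engine state on the master
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($age.TotalHours -gt $MaxSignatureAgeHours) {
    $issues.Add("AV signatures $($status.AntivirusSignatureVersion) are $([int]$age.TotalHours)h old")
}
if (-not $status.RealTimeProtectionEnabled) {
    $issues.Add('Real-time protection is off on the master image')
}

# 4. The master must not carry an MDE onboarding state; each clone onboards itself at startup
$mdeStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'   # assumption
$state = (Get-ItemProperty -Path $mdeStatus -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
if ($state -eq 1) {
    $issues.Add('Master image is onboarded to MDE (OnboardingState=1); offboard before sealing')
}

if ($issues.Count -eq 0) {
    Write-Host 'Defender image checks passed' -ForegroundColor Green
    exit 0
}
$issues | ForEach-Object { Write-Warning $_ }
exit 1
```

    Run it at the end of the sealing script (after the Set-MpPreference calls) so a non-zero exit blocks finalizing the layer; the MMPC regex accepts any position in the pipe-separated order so a later reordering does not turn into a false failure.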

  5. 20 hours ago, Björn Schläfli said:

    We've upgraded WEM 2103 to 2203. Agent synchronization is not working. We use the option 'infrastructure service uses windows authentication' in database connection usually, but this option was not enabled while upgrading. As far as I know this means vuemUser is not the database user. 

    Am I able to change this option after update? The only gui I have is the database upgrade and that's not helping, because the database is already on 2203. 

    Or do I need a database restore?

    You should also have access to the WEM Infrastructure Service Configuration GUI on your brokers. I'm not 100% sure, but I want to say that the DB upgrade wizard just uses that account for the upgrade, so the local account may still be in the DB (you should be able to check this directly against the SQL DB). I'd launch the Infra Svc Config GUI first to validate the connection settings, and if something is configured incorrectly (like the account used to hit the WEM DB), correct it there. Otherwise, yeah, a DB restore is probably your quickest recovery option.
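    As an added example (not from the thread and not Citrix tooling), this PowerShell queries the WEM database directly, which is the check suggested above: it lists whether the vuemUser SQL login and database user still exist and whether the infrastructure service's Windows account is mapped, so you know which authentication mode the database actually supports before changing the Infrastructure Service configuration. Server, database and account names are assumptions, and the query runs under the caller's Windows credentials.

```powershell
# Added example, not from the thread. Check which principals the WEM database still
# has before switching the infrastructure service between SQL and Windows auth.
# Server, database and account names are assumptions.
param(
    [string]$SqlServer  = 'sql01.domain.com',   # assumption
    [string]$Database   = 'CitrixWEM',          # assumption
    [string]$SqlLogin   = 'vuemUser',           # WEM's default SQL user, as named in the question
    [string]$WinAccount = 'DOMAIN\svc-wem'      # assumption: infrastructure service account
)

# Integrated auth over an encrypted connection; the caller needs VIEW ANY DEFINITION
# (or sysadmin) to see logins other than its own in sys.server_principals.
$connStr = "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$query = @"
SELECT 'server_login' AS scope, name, type_desc, is_disabled
FROM sys.server_principals
WHERE name IN (@sqlLogin, @winAccount)
UNION ALL
SELECT 'database_user', name, type_desc, CAST(0 AS BIT)
FROM sys.database_principals
WHERE name IN (@sqlLogin, @winAccount);
"@

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $query
[void]$cmd.Parameters.AddWithValue('@sqlLogin',   $SqlLogin)     # parameterized, never string-built
[void]$cmd.Parameters.AddWithValue('@winAccount', $WinAccount)

$rows = @()
$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $rows += [pscustomobject]@{
            Scope    = $reader['scope']
            Name     = $reader['name']
            Type     = $reader['type_desc']
            Disabled = [bool]$reader['is_disabled']
        }
    }
    $reader.Close()
} finally {
    $conn.Close()
}

$rows | Format-Table -AutoSize

# What each outcome means for the infrastructure service configuration
if (-not ($rows | Where-Object { $_.Scope -eq 'server_login' -and $_.Name -eq $SqlLogin -and -not $_.Disabled })) {
    Write-Warning "$SqlLogin has no enabled server login; SQL authentication cannot work"
}
if (-not ($rows | Where-Object { $_.Scope -eq 'database_user' -and $_.Name -eq $SqlLogin })) {
    Write-Warning "$SqlLogin is not a user in $Database"
}
if (-not ($rows | Where-Object { $_.Scope -eq 'database_user' -and $_.Name -eq $WinAccount })) {
    Write-Warning "$WinAccount is not mapped into $Database; 'use Windows authentication' would fail"
}
```

    If both the SQL login and the Windows account are present, either mode is viable and the fix is purely in the Infrastructure Service Configuration GUI; if vuemUser is missing from the database, a restore is the quicker path.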

  6. I submitted a ticket with Citrix and asked for the private fix, referencing everything above, and they told me that the WMI issues were fixed with the 2206 build and that I didn't need any private fix. Okay then. Guess it was a good thing I was able to restore my appliance from backup, so I'll hang out on 2204 until the next release.

  7. I've never run into the side by side errors, but what I would do is this:

     

    1. Assuming that you installed Edge in your OS layer, create a new version and uninstall Edge (even if you have two entries in Add Programs listed)
    2. Finalize that layer
    3. Create another OS layer version and install whichever build of Edge you're looking to be on. Below is a copy of my current install script, which has some new entries that I wanted to remove in later builds of Edge
    $var_Install_Exec = "msiexec.exe"
    $var_Install_Arg = "/i MicrosoftEdgeEnterpriseX64.msi DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE /qn"
    
    #Install from the script's folder; 0 = success, 3010 = success with a reboot pending, anything else is a failed MSI
    $proc = Start-Process -FilePath $var_Install_Exec -ArgumentList $var_Install_Arg -WorkingDirectory $PSScriptRoot -Wait -PassThru
    If ($proc.ExitCode -notin 0,3010) { Throw "Edge install failed with exit code $($proc.ExitCode)" }
    
    #Once the Start Menu shortcut exists the install has settled; strip the Active Setup stub so the per-user first-run task never fires
    While (!(Test-Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")) { Start-Sleep 5 }
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Name "StubPath" -Force
    
    #The public desktop shortcut shows up a little later; remove it once it is there
    While (!(Test-Path "C:\Users\Public\Desktop\Microsoft Edge.lnk")) { Start-Sleep 5 }
    Remove-Item "C:\Users\Public\Desktop\Microsoft Edge.lnk" -Force
    
    #Fixing the Microsoft Edge tile background color so that it matches the other Windows 10 tiles
    Remove-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml" -Force
    $Shell = New-Object -ComObject ("WScript.Shell")
    $Shortcut = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")
    $Shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    $Shortcut.Save()
    
    #Disable Edge updates by policy (UpdateDefault = 0) and stop Edge from auto-launching or preloading at logon
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Name "UpdateDefault" -Value 0 -PropertyType "DWORD" -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch\" -Name "AutoRunOnLogon" -Value 0 -PropertyType "DWORD" -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost\" -Name "AutoRunOnLogon" -Value 0 -PropertyType "DWORD" -Force | Out-Null
    
    #Disable and then remove the update scheduled tasks so nothing re-enables updating in the image
    Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null
    Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Unregister-ScheduledTask -Confirm:$False | Out-Null
    
    #Disable and stop the update services
    $Services = "edgeupdate","MicrosoftEdgeElevationService"
    ForEach ($Service in $Services){
        Set-Service -Name $Service -StartupType Disabled
        Stop-Service -Name $Service -Force
    }

     

  8. Bit of a strange one here. Like the title says, in my W10 VDA (1912 LTSR CU3), when testing webcam redirection in Edge (versions 94-97), the webcam initially works fine, and then it'll turn off, even though the page still says it's enabled. When I test with the same versions of Chrome, I never see this behavior. The Edge and Chrome GPOs are identical, and even after disabling them for both, the same pattern repeats. Has anyone experienced the same? It's driving me nuts, because we have already removed Chrome from our image, and I'd like to keep it that way.

  9. I know it's regarding FSLogix, but I'm asking this everywhere I can, as I'm having no luck figuring it out...

     

    My environment:

    • CVAD 1912 LTSR CU3
    • Windows 10 20H2 VDA (non-persistent PVS)
    • FSLogix 2.9.7838.44263 (also happens with 2.9.7654.46150)
    • Folder Redirection via Citrix WEM (Documents to the OneDrive\Documents location)

    In my FSL GPO, I have Store search database in profile container Enabled/single-user search, and in the image itself I have RoamSearch set to 1. When I log in to my Citrix Desktop and create a brand new profile, I am unable to search for content in both File Explorer and the Search taskbar, even after a full OneDrive sync. Searching simply returns no results. If I rebuild the index, searching will start working, though I'm not sure if it will continue to index with new folders being created.

     

    I have tried setting the Windows Search service to Automatic (Delayed Start) via GPP. This seems to enable me to search in File Explorer, but only if I'm in the OneDrive folder, where the search field displays Search OneDrive - tenant; If I'm in my redirected Documents folder, no results are returned.

     

    If I disable the FSL services on the VDA and then login (fresh profile), searching works in both File Explorer and the Search taskbar, and Indexing Options shows that it appears to be indexing all of the OneDrive content; thousands of indexed items vs. ~600 when FSL is enabled.

     

    The FSL logs all look fine. I can see that it knows Search Index roaming is enabled, and it successfully processes the commands. Has anyone else run into this? Or does anyone have any idea on what else I can try here? Being unable to search in a published desktop is a major issue. I do already have a ticket in with MS on this.

  10. After getting bitten by Edge's update scheduled task name change recently, I had to pivot with my install script. I'm doing basically what Rob suggests:

     

    1. Install Edge in the OS layer
    2. Hardcode the UpdateDefault registry key to 0, disabling Edge updates
    3. Disable all scheduled tasks named MicrosoftEdgeUpdate*
    4. Disable the two Edge update services

    Below is my install script:

     

    $var_Install_Exec = "msiexec.exe"
    $var_Install_Arg = "/i MicrosoftEdgeEnterpriseX64.msi DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE /qn"
    
    #Install from the script's folder; 0 = success, 3010 = success with a reboot pending, anything else is a failed MSI
    $proc = Start-Process -FilePath $var_Install_Exec -ArgumentList $var_Install_Arg -WorkingDirectory $PSScriptRoot -Wait -PassThru
    If ($proc.ExitCode -notin 0,3010) { Throw "Edge install failed with exit code $($proc.ExitCode)" }
    
    #Once the Start Menu shortcut exists the install has settled; strip the Active Setup stub so the per-user first-run task never fires
    While (!(Test-Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")) { Start-Sleep 5 }
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Name "StubPath" -Force
    
    #The public desktop shortcut shows up a little later; remove it once it is there
    While (!(Test-Path "C:\Users\Public\Desktop\Microsoft Edge.lnk")) { Start-Sleep 5 }
    Remove-Item "C:\Users\Public\Desktop\Microsoft Edge.lnk" -Force
    
    #Fixing the Microsoft Edge tile background color so that it matches the other Windows 10 tiles
    Remove-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml" -Force
    $Shell = New-Object -ComObject ("WScript.Shell")
    $Shortcut = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")
    $Shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    $Shortcut.Save()
    
    #Disable Edge updates by policy (UpdateDefault = 0) and disable every update scheduled task by name pattern
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Name "UpdateDefault" -Value 0 -PropertyType "DWORD" -Force | Out-Null
    Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null
    
    #Disable and stop the update services so nothing re-enables updating in the image
    $Services = "edgeupdate","MicrosoftEdgeElevationService"
    ForEach ($Service in $Services){
        Set-Service -Name $Service -StartupType Disabled
        Stop-Service -Name $Service -Force
    }

    That middle section isn't necessary, but it drives me nuts seeing Edge's icon so much larger than the other Windows 10 icons, so I correct it as part of my script.
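    As an added example (not the author's install script, and serving both this post and the earlier Edge uninstall/reinstall post), here is a PowerShell audit of the update surface those scripts switch off, to run after the layer is built or whenever a new Edge build lands. Instead of matching scheduled tasks by name, which is what broke when Microsoft renamed the tasks, it inspects every task's actions for MicrosoftEdgeUpdate.exe, and it checks the policy value, the services, the Active Setup stub and the on-logon command keys from the scripts. The registry paths and the edgeupdate/MicrosoftEdgeElevationService names come from the posts; the additional edgeupdatem service is an assumption based on how Edge Update installs its two services.

```powershell
# Added example, not the author's code. Audit the Edge update surface in an image:
# policy, services, scheduled tasks found by their action (not their name), the
# Active Setup stub and the on-logon commands. edgeupdatem is an assumption.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy: UpdateDefault 0 disables Edge updates
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate' -Name UpdateDefault -ErrorAction SilentlyContinue
if ($null -eq $pol -or $pol.UpdateDefault -ne 0) {
    $findings.Add('EdgeUpdate policy UpdateDefault is missing or not 0')
}

# 2. Update services must be disabled and stopped (skip any a given build does not ship)
foreach ($name in 'edgeupdate', 'edgeupdatem', 'MicrosoftEdgeElevationService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.StartType -ne 'Disabled') { $findings.Add("Service $name start type is $($svc.StartType)") }
    if ($svc.Status   -ne 'Stopped')  { $findings.Add("Service $name is $($svc.Status)") }
}

# 3. Any scheduled task whose action runs MicrosoftEdgeUpdate.exe, whatever it is called
$updateTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like '*MicrosoftEdgeUpdate.exe*' }
}
foreach ($t in $updateTasks) {
    if ($t.State -ne 'Disabled') {
        $findings.Add("Scheduled task $($t.TaskPath)$($t.TaskName) is $($t.State) and runs MicrosoftEdgeUpdate.exe")
    }
}

# 4. Active Setup stub (re-runs Edge's per-user setup at every logon if left in place)
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
$stub = (Get-ItemProperty -Path $asKey -ErrorAction SilentlyContinue).StubPath
if ($stub) { $findings.Add("Active Setup StubPath still present: $stub") }

# 5. On-logon autolaunch / startup boost commands, only if the build created them
$clientKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands'
foreach ($cmdName in 'on-logon-autolaunch', 'on-logon-startup-boost') {
    $v = Get-ItemProperty -Path "$clientKey\$cmdName" -Name AutoRunOnLogon -ErrorAction SilentlyContinue
    if ($v -and $v.AutoRunOnLogon -ne 0) { $findings.Add("$cmdName AutoRunOnLogon is $($v.AutoRunOnLogon)") }
}

# 6. Record the installed build so the audit output can be tied to the layer version
$edgeExe = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
if (Test-Path -Path $edgeExe) {
    Write-Host "Edge $((Get-Item $edgeExe).VersionInfo.ProductVersion)"
}

if ($findings.Count -eq 0) {
    Write-Host 'Edge update surface is fully disabled' -ForegroundColor Green
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

    Because step 3 keys on the task action rather than the task name, a renamed MicrosoftEdgeUpdate task still shows up as a finding, which is exactly the drift the name-pattern approach missed.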

  11. What Rob said - you need to make sure that your O365 layer is a prerequisite when creating your Teams layer, otherwise that won't work. Kasper Johansen wrote a nice article on Teams in Citrix: https://virtualwarlock.net/microsoft-teams-in-citrix/

     

    For presence to work properly, you need to load Teams and Outlook, close both, and then load both again (assuming you have Teams set as your IM presence). Painfully stupid, but this is Microsoft.

  12. This is a bit of a weird one, and I've only seen it happen in a large Teams meeting. The presenter is using a user-based version of Teams (latest build) on their Windows 10 laptop, and sharing out their first monitor (1080p). If you join the meeting in Citrix Desktop using Teams installed in the VDA (machine-based, optimized) early enough, you can see the shared content. However, if a certain number of others are already in the meeting - and I don't know what this number is - then optimized Teams users cannot see the incoming screen sharing; they just see a gallery view of the users (not video). However, if I disable Teams optimization in Citrix via Studio, they can see the incoming screen sharing in this meeting every time.

     

    My environment:

    W10 20H2 VDA

    1912 LTSR CU3 (saw it in my previous CU2 image, as well)

    Teams (machine-based, optimized) 1.4.0.22976; also experienced this issue on the previous 2 builds, .22472, etc.

    CWA 2107 (saw it in CWA 2105, as well)

     

    Any ideas here? I don't see this listed as a limitation anywhere, and it's driving me nuts.
