compliance baseline

App-V 5, ConfigMgr compliance and fixes

Posted by nickekallen on in App-V, ConfigMgr 0 Comment

App-V 5 has recently gotten hit by two odd behaviors relating to an update and .NET Framework 4.5.2.

KB2984972 was released as an update for RDC, and caused some havoc both for App-V 4 and App-V 5. The workaround is documented in the article and essentially allows anyone to remove the unfortunate end-user experience by adding some registry keys.

.NET Framework 4.5.2 was released and quite early on people started noticing that a freeze could be experienced when using certain App-V applications. The culprit seems to be the processes wisptis.exe, and the issue could temporarily be worked around by terminating the process.

App-V 5 got hit by two issues that both were resolved by adding registry keys under the registry key ObjExclusions. The Gladiator has written an article that details more about this registry key, the purpose of it and the effects of it. The article is focused on App-V 4, however the knowledge and concepts still apply to App-V 5.

Under (HKLM\Software\Microsoft\AppV\Subsystem\ObjExclusions) this registry key there are a lot of registry keys starting at 1 and going upwards. Each registry key contains a value (oh, really?) that is the name of an object that is not virtualized.  Anyone can append new values by using the next available number. Aaron Parker wrote a great article on howto leverage Group Policy to add the requested registry keys to resolve the issues for KB2984972.

Let’s detail the fun fact about this registry key;

There are in a default installation of App-V registry keys from 1-92. On any given default installation the next available number we can use is 93. We now have two issues and would therefore end up with two extra registry keys (93 and 94). My guess is that Microsoft might potentially include these two above recommended registry keys in a future installation of App-V when a new version comes out. Forcing these values to be added to a specific number in the series could potentially throw other valuable exclusions out the window…

Therefore I personally voted against Group Policy (Preferences) and decided to go the route of ConfigMgr Compliance Settings.

By creating a configuration item I can achieve the following;

Detect if the specific value is already in the list
Find the next available number to create a new registry key in
Append the value if it doesn’t already exist.

In the end, this is what I came up with;

appv_ci

Detect if the App-V client is installed;

appv_detection

Two checks for each specific registry key;

appv_check

Create a rule set that will allow for remediation;

appv_wsptis

Scripts part of the Configuration Item. This sample is from the fix for KB2984972.

Check:

$regKey = "HKLM:\SOFTWARE\Microsoft\AppV\Subsystem\ObjExclusions"
$p = Get-ItemProperty $regKey
$kb2984972 = $p.PSObject.Properties | where { $_.Name -match "[0-9]" -and $_.Value -eq "TermSrvReadyEvent" } | select-object -ExpandProperty Name -ErrorAction SilentlyContinue

if(($? -and ($kb2984972 -ne $null))) {
1
}
else {
-1
}

Remediation:

$regKey = "HKLM:\SOFTWARE\Microsoft\AppV\Subsystem\ObjExclusions"
$p = Get-ItemProperty $regKey
$topvalue = $p.PSObject.Properties | Where-Object { $_.Name -match "[0-9]" } | Sort-Object -Property Name -Descending | Select-Object -first 1 -ExpandProperty Name
$topvalue = 1 + $topvalue

Function New-RegistryKey([string]$key,[string]$Name,[string]$type,[string]$value)

{

#Split the registry path into its single keys and save

#them in an array, use \ as delimiter:

$subkeys = $key.split("\")

#Do this for all elements in the array:

foreach ($subkey in $subkeys)

{

#Extend $currentkey with the current element of

#the array:

$currentkey += ($subkey + '\')

#Check if $currentkey already exists in the registry

if (!(Test-Path $currentkey))

{

#If no, create it and send Powershell output

#to null (don't show it)

New-Item -Type String $currentkey | Out-Null

}

}

#Set (or change if alreday exists) the value for $currentkey

Set-ItemProperty $CurrentKey $Name -value $Value -type $type

}

New-RegistryKey $regkey $topvalue "String" "TermSrvReadyEvent"

As a final treat. Here is the Configuration Item – ready to be imported into ConfigMgr.

 

2014-12-07 – Sebastian Gern stated an additional registry key for WISPTIS. The Configuration Item is also updated with the new settings.

App-V 4.6 Compliance Baseline for SCCM 2012

Posted by nickekallen on in App-V 0 Comment

Just created a Compliance-baseline for the App-V 4.6 client to be used within System Center Configuration Manager 2012 .

image

Above is a sample screenshot of the items that are beeing checked – some of them contains remediation tasks, others are just for information. There are quite a few checks there that should be verified if they suite your environment – this is the recommended practices of me, myself and not Microsoft or anyone else. The CAB-file can be download here; SCCM2k12MSAppV46baseline.cab

The checks;

AllowDisconnectedOperation
Enables or disables disconnected operation. Default value is 1 enabled, and 0 is disabled. When disconnected operations are enabled, the App-V client can start a loaded application even when it is not connected to an App-V Management Server.
Checks for 1
Remediate: Yes

AllowIndependtFileStreaming
Indicates whether streaming from file will be enabled regardless of how the client has been configured with the APPLICATIONSOURCEROOT parameter. If set to FALSE, the transport will not enable streaming from files even if the OSD HREF or the APPLICATIONSOURCEROOT parameter contains a file path.
0x0=False (default)
0x1=True
Checks for 1
Remediate: Yes

App-V Version
Checks the version of sfttray.exe
Checks for 4.6.1.30121
Remediate: No

AutoLoadTarget
Indicates what will be auto-loaded when any given AutoLoad triggers occur. Bit mask values:
(0) None: No auto-loading, regardless of what triggers may be set.
(1) PreviouslyUsed (default): If any AutoLoad trigger is enabled, load only the packages where at least one application in the package has been previously used—that is, started or precached.
(2) All: If any AutoLoad trigger is enabled, all applications in the package (per package) or all packages (set for client) will be automatically loaded, whether or not they have ever been started.
Checks for between 0-2
Remediate: No

AutoLoadTriggers
AutoLoad is a client runtime policy configuration parameter that enables the secondary feature block of a virtualized application to be streamed to the client automatically in the background. The AutoLoad triggers are flags to indicate events that initiate auto-loading of applications. AutoLoad implicitly uses background streaming to enable the application to be fully loaded into cache. The primary feature block will be loaded first, and the remaining feature blocks will be loaded in the background to enable foreground operations, such as user interaction with applications, to take place and provide optimal perceived performance.
Bit mask values:
(0) Never: No bits are set (value is 0), no auto loading will be performed, because there are no triggers set.
(1) OnLaunch: Loading starts when a user starts an application.
(2) OnRefresh: Loading starts when the application is published. This occurs whenever the package record is added or updated—for example, when a publishing refresh occurs.(4) On
Checks for between 0-5
Remediate: No

Cache Percent Free Space
This information is captured on the client computer by a performance counter called “App Virt Client Cache” and it has three components; “Cache size (MB)”, “Cache free space (MB)” and “% free space”. You can use Performance Monitor to display the information graphically.
http://blogs.technet.com/b/appv/archive/2009/04/06/how-to-determine-the-space-remaining-in-the-app-v-client-cache.aspx
Checks for greater than 20 %
Remediate: No

Drive Letter
Drive where App-V file system will be mounted, if it is available. This value is set either by the listener or the installer, and it is read by the file system.
Checks for Q:
Remediate: No

File Size
Maximum size in megabytes of file system cache file. If you change this value in the registry, you must set State to 0 and reboot.
Checks for must exist
Remediate: No

LogMinSeverty
Controls which messages are written to the log. The value indicates a threshold of what is logged—everything less than or equal to that value is logged. For example, a value of 0x3 (Warning) indicates that Warnings (0x3), Errors (0x2), and Critical Errors (0x1) are logged.
Value Range: 0x0 = None, 0x1 = Critical, 0x2 = Error, 0x3 = Warning, 0x4 = Information (Default), 0x5 = Verbose.
The log level is configurable from the Application Virtualization (App-V) client console and from the command prompt. At a command prompt, the command sftlist.exe /verboselog will increase the log level to verbose. For more information on command-line details see
http://go.microsoft.com/fwlink/?LinkId=141467http://go.microsoft.com/fwlink/?LinkId=141467
Checks for between 0-4
Remediate: No

LogRolloverCount
Defines the number of backup copies of the log file that are kept when it is reset. The valid range is 0–9999. The default is 4. A value of 0 means no copies will be kept.
Checks for between 1-4
Remediate: No

Online
Enables or disables offline mode. If set to 0, the client will not communicate with App-V Management Servers or publishing servers. In disconnected operations, the client can start a loaded application even when it is not connected to an App-V Management Server. In offline mode, the client does not attempt to connect to an App-V Management Server or publishing server. You must allow disconnected operations to be able to work offline. Default value is 1 enabled (online), and 0 is disabled (offline).
Checks for between 0-1
Remediate: No

Requireauthorizationifcached
Indicates that authorization is always required, whether or not an application is already in cache. Possible values:
0=False: Always try to connect to the server. If a connection to the server cannot be established, the client still allows the user to launch an application that has previously been loaded into cache.
1=True (default): Application always must be authorized at startup. For RTSP streamed applications, the user authorization token is sent to the server for authorization. For file-based applications, file ACLs control whether a user may access the application.
Restart the sftlist service for the change to take effect.
Checks for 0
Remediate: Yes

SystemEventLogLevel

Indicates the logging level at which log messages are written to the NT event log. The value indicates a threshold of what is logged—that is, everything equal to or less than that value is logged. For example, a value of 0x3 (Warning) indicates that Warnings (0x3), Errors (0x2), and Critical Errors (0x1) are logged.
Value Range
0x0 = None
0x1 = Critical
0x2 = Error
0x3 = Warning
0x4 = Information (Default)
0x5 = Verbose
Checks for between 0-4
Remediate: No

TrayVisibility
Checks for 2
Remediate: No

Update as of 2012-09-06
Multiple MDM
You may also see these client launch errors, especially on Terminal Servers:

xxxxxx-xxxxxx03-00001002
xxxxxx-xxxxxx0A-0000E005
xxxxxx-xxxxxx 0C-0000003C

Instead of, or in addition to these, you may also notice periodic hangs, as well as a frequent depletion of paged pool memory resources.

To prevent this issue, during the initial sequencing of Office 2007 (or via modification of the existing package) we recommend that you remove the Microsoft Office Diagnostics and Office Source Engine services from any sequenced package running Office 2007 or any sequence that includes any Office 2007 application.  This will require the removal of these virtual services under the Virtual Services Tab in the Softgrid/App-V Sequencer

http://blogs.technet.com/b/appv/archive/2009/01/22/reducing-resource-requirements-for-computers-running-virtualized-microsoft-office-2007.aspx
Checks for less than 1
Remediate: No

Multiple OSE
You may also see these client launch errors, especially on Terminal Servers:

xxxxxx-xxxxxx03-00001002
xxxxxx-xxxxxx0A-0000E005
xxxxxx-xxxxxx 0C-0000003C

Instead of, or in addition to these, you may also notice periodic hangs, as well as a frequent depletion of paged pool memory resources.

To prevent this issue, during the initial sequencing of Office 2007 (or via modification of the existing package) we recommend that you remove the Microsoft Office Diagnostics and Office Source Engine services from any sequenced package running Office 2007 or any sequence that includes any Office 2007 application. This will require the removal of these virtual services under the Virtual Services Tab in the Softgrid/App-V Sequencer

http://blogs.technet.com/b/appv/archive/2009/01/22/reducing-resource-requirements-for-computers-running-virtualized-microsoft-office-2007.aspx
Checks for less than 1
Remediate: No

Multiple Office Diagnostics
You may also see these client launch errors, especially on Terminal Servers:

xxxxxx-xxxxxx03-00001002
xxxxxx-xxxxxx0A-0000E005
xxxxxx-xxxxxx 0C-0000003C

Instead of, or in addition to these, you may also notice periodic hangs, as well as a frequent depletion of paged pool memory resources.

To prevent this issue, during the initial sequencing of Office 2007 (or via modification of the existing package) we recommend that you remove the Microsoft Office Diagnostics and Office Source Engine services from any sequenced package running Office 2007 or any sequence that includes any Office 2007 application. This will require the removal of these virtual services under the Virtual Services Tab in the Softgrid/App-V Sequencer

http://blogs.technet.com/b/appv/archive/2009/01/22/reducing-resource-requirements-for-computers-running-virtualized-microsoft-office-2007.aspx
Checks for less than 1
Remediate: No

Citrix – LogoffSyscheckModules
If you are running Citrix XenApp on a Terminal Server/RDS Server, you could be waiting on another seamless session to logoff. A good thing to verify is that the Citrix WFSHELL process releases SFTDCC properly
http://madvirtualizer.wordpress.com/2011/08/03/
Checks for sftdcc.exe
Remediate: No