Best Practices for Citrix with App-V Webinar: Follow up Q&A

by Tim Mangan, CTP

We had far too many questions at the webinar to have any chance to address them all, even after extending the question period. So, here are some of those questions, and answers to them.

Q: As an App-V Expert, how do you see the future of Microsoft App-V?

A: While I may have addressed part of this during the webinar, it was not a question I answered directly, as we wanted to spend the time on the how rather than the why, so let me do so here.

There is no doubt that companies need Application Virtualization.  The demise of Citrix App Virtualization and, more recently, Symantec’s offering is more a reflection of vendors recognizing that in this instance Microsoft has the solution that companies need. [An aside: one has to wonder how long VMware will invest in ThinApp now that App-V is part of the OS.] Every other method that you choose to deliver apps with in the enterprise needs App-V to meet the needs of the business.

Microsoft adding App-V to the core of the operating system is proof of their commitment to the product and the technology.  We do need to understand that as part of the OS, Microsoft doesn’t market it any more.  Some are finding that confusing, and third party marketing/sales groups for alternatives have been leveraging this to their advantage to throw FUD as a sales tool.

But as part of the OS, App-V is going to be with us for a very long time. Now at the same time, Microsoft is playing with other forms of virtualization, including Click-to-run and Centennial (now called Bridges to Windows Desktops), and Containers, but these are efforts aimed at developers and do not meet the needs of the Enterprise for Desktop Applications (well, maybe not the needs of the developers either but that is a story for another day). While we had a rough time when the 5.0 re-write initially came out a number of years back, over time the product has quietly matured and works pretty darned well.  I, for one, welcome Microsoft focusing right now on fixing the nagging little issues that get in our way (as they have been doing the last two years) rather than add even more features and bugs.

During the webinar, I mentioned some things that I didn’t have time to discuss in detail, but let me do so here. I see the App-V package format as possibly “The MSI for the Enterprise”. My thinking is that maybe we should consider the packaging format of App-V independent from that of the delivery.  Package once using the best tooling available into the most flexible format designed for the needs of the Enterprise. And then deliver that in whatever forms (including non-virtualized) best fit the need.  The App-V format is best at capturing the intent of installers and packaging in a way that is as machine and user neutral as we can get, replacing almost all of the hard coded references caused by installers with variables, and providing hints to the deployment engine on how to best layer the components (this is the App-V Merge with Local/Override Local and Deletion markers not available in a VHD based capture).

Q: There was a question on the call regarding slowness when populating apps in Studio from App-V.  At the time I responded that I had not noticed significant slowness and did not have any ideas.  But maybe we can do better together.

A: There are many possible causes of performance issues, especially those involving multiple machines.  Slowness in Active Directory or databases is always a concern. One of the listeners suggested optimizing the .NET assembly cache. This is a reasonable idea whenever performance and .NET based apps are involved.  In theory, you only need to do this when a vendor screws up their installer, but it shouldn’t hurt to try.

From an elevated cmd prompt/PowerShell window, change directory to:

                  C:\Windows\Microsoft.Net\Framework\v4.*

and then run the command “.\ngen.exe update” followed by “.\ngen.exe eqi” (eqi is the short form of executeQueuedItems).

Then do the same in the C:\Windows\Microsoft.Net\Framework64\v4.* folder.

If .NET 3.5 is installed you can also do that for the v2.* folders.
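The procedure above as a single script, added here as an example (it is not from the original post): it walks the 32-bit and 64-bit Framework folders, v4 and v2 where present, and runs both ngen steps in each. It assumes the standard %windir%\Microsoft.NET layout and an elevated session.

```powershell
# Added example: run "ngen update" and "ngen eqi" in every installed .NET Framework
# folder (Framework and Framework64, v4.* and v2.*) from one elevated PowerShell window.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell window; ngen cannot update the native image cache otherwise."
}

$roots    = @("$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64")
$versions = @('v4.*', 'v2.*')   # v2.* is only present when .NET 3.5 is installed

foreach ($root in $roots) {
    foreach ($pattern in $versions) {
        Get-ChildItem -Path $root -Directory -Filter $pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ngen = Join-Path $_.FullName 'ngen.exe'
            if (-not (Test-Path $ngen)) { return }   # skip version folders without ngen.exe
            Write-Host "Updating native images in $($_.FullName)"
            & $ngen update   # recompile assemblies whose native image is stale or missing
            & $ngen eqi      # executeQueuedItems: drain the deferred compilation queue now
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "ngen returned $LASTEXITCODE in $($_.FullName)"
            }
        }
    }
}
```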

Q: We have a lot of unique application packages to maintain. How would you go about tracking and keeping those packages up-to-date? Do you know of any tools that would help with this issue?

A: There is no standard tooling for this that has become common practice; I see everyone sort of rolling their own.  Most often I seem to see excel spreadsheets being used.

I have been developing a prototype software package utilizing a centralized database to improve upon the collaboration that occurs in application deployment projects. It might be a possible solution for what you need, but I am just playing with ideas at this point and unsure if I will complete the project or not.

Q: How do you handle apps bypassing the VE, e.g. I have an app complaining about not running inside Program Files!

A: It depends upon the cause. 

In general, though possibly not in the specific case you call out, RunVirtual may be the best solution, forcing the named executable to always run in the necessary virtual environment.  RunVirtual is a registry setting added to the App-V Client that in essence says “if a process with this name ever starts up, run it in this App-V package virtual environment.” This could be accomplished as an Add or Publish script in the package.  I would place a .reg file on a server share (possibly the folder of the App-V package) and use AVME to add a PublishPackage script that imports the reg file.  Since Citrix doesn’t use the external XML files at present, this has to be done inside the package during sequencing: export the AppXManifest file in the sequence editor, edit it with the free AVME tool from tmurgent.com, then import it back in.  It needs to be an external file because the default value of the registry key must contain the PackageID and VersionID GUIDs of the package, which you don’t know until after the package is saved.
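One way to build that RunVirtual entry without typing the GUIDs by hand, as an added example (not code from the post or from AVME): once the package has been added to a client, read its PackageId and VersionId back from the client and write both the .reg file and the live key. The same entry is what the Office answer further down relies on to bring virtualized plug-ins into a native Office. The package name, exe name and script parameters are assumptions for illustration; the App-V client PowerShell module and an elevated session are required.

```powershell
# Added example: generate the RunVirtual registry entry for an exe from the
# PackageId/VersionId the App-V client reports for an already-added package.
param(
    [Parameter(Mandatory)] [string] $PackageName,   # name as shown by Get-AppvClientPackage
    [Parameter(Mandatory)] [string] $ExeName,       # e.g. 'excel.exe' (constructed example)
    [string] $RegFile = "$env:TEMP\RunVirtual-$ExeName.reg"
)
Import-Module AppvClient -ErrorAction Stop

$pkg = Get-AppvClientPackage -Name $PackageName -All | Select-Object -First 1
if (-not $pkg) { throw "Package '$PackageName' is not added to this client." }

# RunVirtual key: HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<exe name>
# Default value: "<PackageId>_<VersionId>" of the package whose VE the process should join.
$keyPath = "HKLM:\SOFTWARE\Microsoft\AppV\Client\RunVirtual\$ExeName"
$value   = "{0}_{1}" -f $pkg.PackageId, $pkg.VersionId

# Emit a .reg file so the setting can live beside the package and be imported by a publish script.
$regPath = $keyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
@(
    'Windows Registry Editor Version 5.00',
    '',
    "[$regPath]",
    "@=`"$value`""
) | Set-Content -Path $RegFile -Encoding Unicode

# Apply it on this client as well, then read it back so a failed write is not silent.
New-Item -Path $keyPath -Force | Out-Null
Set-ItemProperty -Path $keyPath -Name '(default)' -Value $value
$applied = (Get-ItemProperty -Path $keyPath).'(default)'
if ($applied -ne $value) { throw "RunVirtual value for $ExeName was not written." }
Write-Host "RunVirtual: $ExeName -> $value (also saved to $RegFile)"
```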

Now the complaint about not running in Program Files is likely a different issue, and probably not one of bypassing the VE but of falling victim to stupid OS programming.  I’ll illustrate with an example.  An older version of TechSmith Snagit had this issue.  The software includes a minor type of elevation in the manifest of a sub-process.  Rather than “require administrator” it set the “UIAccess” option.  This option provides the process a minor elevation level that allows the standard user process to read the contents of the entire desktop screen.  For security purposes, Microsoft allows this minor elevation without a UAC prompt, but only if the exe is running from a “well known location”.  It turns out this means only Program Files or System32.  The solution was to use a VFS style installation and a shortcut that launched the executable using C:\Program Files.  Even though the App-V client redirected this location to C:\ProgramData\AppV\… the process block still thought it was in C:\Program Files, so it worked.

Q: Is there an AppV utility to test launch apps like the old AppStreamLaunchUtility.exe in Citrix Application streaming?

A: I’ll start by saying that testing on the sequencing machine is useless as the app always works after sequencing unless the installer itself was bad. 

The free AppV_Manage tool shown on the webinar can be used for automated test launching.  We set up a VM with the App-V client and this tool and take a snapshot.  You write a script to revert the VM, start it up, and then remote in a command line to run AppV_Manage with the /R option and the App-V file.  It adds/publishes the package, then finds and starts all shortcuts.  It then examines the screen text looking for errors and returns a 0/1 result (or you can manually look at the results in the VM console).  If you add the /S option it also runs the antivirus scan on the package.  An example of this scripting is found in the blog posts for the conversion utility for converting Citrix Streaming packages into App-V packages.
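One test-launch cycle as the answer describes it, written here as an added example with Hyper-V cmdlets (it is not the post’s own script). Assumed: a VM named AppV-Test with a checkpoint named Clean that already has the App-V client and AppV_Manage installed, the package reachable from inside the guest on a share, an AppV_Manage install path of C:\Tools\AppV_Manage, and the /R and /S switches exactly as named in the answer above.

```powershell
# Added example: revert a test VM to a clean checkpoint, boot it, run AppV_Manage /R
# (optionally /S) against one package via PowerShell Direct, and surface the 0/1 result.
param(
    [string] $VMName     = 'AppV-Test',   # assumed VM name
    [string] $Checkpoint = 'Clean',       # assumed checkpoint name
    [Parameter(Mandatory)] [string] $PackagePath,   # e.g. \\fileserver\appv\MyApp.appv (constructed)
    [switch] $ScanWithAntivirus,
    [PSCredential] $Credential = (Get-Credential -Message 'Local admin inside the VM')
)
Import-Module Hyper-V -ErrorAction Stop

# 1. Revert to the known-clean state and boot.
Stop-VM -Name $VMName -TurnOff -ErrorAction SilentlyContinue
Restore-VMCheckpoint -VMName $VMName -Name $Checkpoint -Confirm:$false
Start-VM -Name $VMName

# Wait until the guest answers PowerShell Direct, i.e. it has fully booted.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $ready = Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock { $true } -ErrorAction SilentlyContinue
} until ($ready -or (Get-Date) -gt $deadline)
if (-not $ready) { throw "$VMName did not become reachable within 5 minutes." }

# 2. Add/publish the package and launch every shortcut inside the guest; return the tool's exit code.
$scan = $ScanWithAntivirus.IsPresent
$exitCode = Invoke-Command -VMName $VMName -Credential $Credential -ArgumentList $PackagePath, $scan -ScriptBlock {
    param($Pkg, $Scan)
    $exe = 'C:\Tools\AppV_Manage\AppV_Manage.exe'   # assumed install location
    $argList = @('/R', $Pkg)
    if ($Scan) { $argList += '/S' }                  # also run the antivirus scan on the package
    & $exe @argList | Out-Null
    $LASTEXITCODE
}

# 3. Report: 0 means every shortcut launched without error text on screen.
if ($exitCode -eq 0) { Write-Host "PASS: $PackagePath" }
else { Write-Warning "FAIL ($exitCode): $PackagePath - inspect the VM console before reverting" }
exit $exitCode
```

Leave the VM running on failure so the console can be inspected; the next run reverts it anyway.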

Q: Are there any security options available to allow only specific users to start an app in an RDSH environment? (AppLocker is an option but involves a huge effort.)

A: No.  We used to have that feature in App-V 4.x but we lost it in the re-write.  Microsoft indicated to me that customers had stopped using the feature and with AppLocker available to the customers they did not feel it was needed any more.  Prevention or detection techniques are recommended.

Today, AppLocker is your best solution to prevent unauthorized use of a virtual application published for one user on an RDS server and accessible by somebody smart enough to find it.  Even outside of RDS any user that can gain admin elevation and can google can figure out how to self-publish any package in the package share, so either prevention or detection is needed.

As your OSs move toward the latest available today, Device Guard Code Integrity is the better replacement for AppLocker. I say better from a technical standpoint, but if you think AppLocker is hard to implement, it will look easy compared to this.   It is better because it covers all aspects of the system, not just the applications but also the OS itself.  It is the best security and license enforcement option available to you today – and if you are in certain verticals with sensitive data (health care, finance, government come to mind) you really should be moving in this direction NOW.  But it will be a bear to implement because it requires a whitelisting approach rather than a choice between white and black lists.  So everything in the OS and all applications need to be known and in the list.  I did add a feature to AppV_Manage to generate the Code Integrity file for your App-V package for you.  These files would be merged in with a file from the scan of your golden images to create the whitelist.  Even if you don’t intend to go this way now, it is best to have the analyzer create this file for every package while you are testing.  Just collect them for when you eventually need to do this project.

From the detection technique side, you could instead use the App-V Report Server (even if you don’t use Management and Publishing server — they are independent of report server) to catch every single use of a virtual application and take action later on.  Because it is after the fact, this is more of a license verification thing (very helpful to have should an audit occur), but there is something to be said for slapping hands (virtually, of course – not advocating violence).

Q: Curious what happened to the Sequencer (from the SoftGrid days…)

A: The sequencer installer is now released as part of the Windows ADK.  Starting with the Windows 10 1607 build, it is updated with each release of the OS.  Because of shared components with the App-V client that is already part of the OS, this installer will only work on 1607 and above.

The old 5.1 sequencer is still available from the 5.1 RTM MDOP release.  This is the best for other OSs as there has been no need to fix the sequencer since it was released.  It has been pretty much rock solid for years and fixes have been on the client side of App-V.

Q: Your FTP is down – can’t download AppV_Manage tool

A: As mentioned on the call, the TMurgent site was suffering an issue the morning of the webinar.  The hosting provider made a back-end change with unexpected consequences. The site is back up so download away!

Q: When we add an App-V application to a Delivery Group, it is not available in this DG Desktop. Is there any way to publish it to the user’s Start Menu?

A: If the App-V package has shortcuts, they should appear in the user’s desktop in this scenario.

Q: Can we go over again the App-V distributed environment shown in your slides? (let’s assume we have two XenDesktop sites with 1000 users each, like New York and London). How would you layout the infrastructure?

A: This is a more complex question that requires additional information that a public forum isn’t the right place for.  But the odds are 80/20 that what is on that slide is where you will end up.

Q: In dual mode admin Citrix doesn’t support load balancing the publishing servers.

A: I am unsure that this holds true for everyone. You probably need to address this with Citrix Support for a solution.

Q: In single mode admin the appv sequence is copied in full to the c:\windows\temp\appv…  this makes shared content store moot…  and eats up PvS write cache

A: That would be news to me, but I don’t do a lot with PVS.  Assuming it is, I would recommend that you take a look at the next Citrix release (should be called 7.14?) as changes are in the works that could change that. And, of course, reach out to Citrix Support.

Q: Should you always run an application during sequencing (to optimize it)?

A: Only for certain customer situations.  In general, I say do not launch and do not check the checkbox.  For Citrix customers using Shared Content Store Mode the answer is an emphatic “NO” to launching, as launching is at cross-purposes with SCS mode.  Laptops are better solved with AutoLoad than at the sequencer.  SCCM using HTTP streaming (but not with BITS) is the only situation where I might recommend launching today.

Q: Is this design based on offline mode? It was our understanding that when streaming, the publisher streamed to the client. Does Streamed Content mode make sense when you are in a non-persistent environment with a large number of users per server as a method of reducing disk usage?

A: In the 4.x version of App-V this was true and the publishing server was a bottleneck for performance.  The 5.x architecture moves streaming out of band and now also uses standard protocols (SMB or Http/s) to stream the package directly from the back end share.  The new publishing server simply delivers the application assignments now.

To be clearer than perhaps I was on the webinar, my recommendation of enabling Shared Content Store Mode applies only to App-V Clients inside the data center.  For these devices, offline mode is not a concern.  For physical devices on users’ desktops and laptops/notebooks, SCS Mode should not be used due to latencies in accessing the network share.  It is best for those devices to cache the App-V packages locally to their disk.  For the subset of these devices that might go offline, full caching is recommended and there are a couple of options for this, but configuring the App-V client to not use SCS and with AutoLoad=2 should ensure full caching so that they may work offline.
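The two client profiles just described, as an added example (not from the post): data-center clients get SCS mode, endpoints get local caching with AutoLoad=2, and the script reads the values back so a laptop accidentally left in SCS mode shows up. The profile names are my own; the App-V client module and an elevated session are assumed.

```powershell
# Added example: apply and verify the App-V client settings for the two roles in the answer.
param([Parameter(Mandatory)] [ValidateSet('DataCenter', 'Endpoint')] [string] $Profile)
Import-Module AppvClient -ErrorAction Stop

switch ($Profile) {
    'DataCenter' {
        # RDS/XenApp/VDI inside the data center: stream from the content share on demand,
        # avoiding the cache write IOPS to central storage; AutoLoad is left untouched.
        Set-AppvClientConfiguration -SharedContentStoreMode 1 | Out-Null
    }
    'Endpoint' {
        # Physical desktops/laptops: no SCS (share latency), and AutoLoad=2 so every
        # published package is fully cached in the background and works offline.
        Set-AppvClientConfiguration -SharedContentStoreMode 0 -AutoLoad 2 | Out-Null
    }
}

# Read back the effective settings; SetByGroupPolicy shows when GPO has overridden the local value.
$cfg = Get-AppvClientConfiguration |
       Where-Object { $_.Name -in 'SharedContentStoreMode', 'AutoLoad' }
$cfg | Format-Table Name, Value, SetByGroupPolicy -AutoSize

$scs = ($cfg | Where-Object Name -eq 'SharedContentStoreMode').Value
$autoLoad = ($cfg | Where-Object Name -eq 'AutoLoad').Value
if ($Profile -eq 'Endpoint' -and ($scs -ne 0 -or $autoLoad -ne 2)) {
    Write-Warning "Endpoint profile not in effect (SCS=$scs, AutoLoad=$autoLoad); check Group Policy."
}
if ($Profile -eq 'DataCenter' -and $scs -ne 1) {
    Write-Warning "SCS mode not in effect (SCS=$scs); check Group Policy."
}
```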

Now back to the SCS mode question about a non-persistent environment with a large number of users per/server.  If the App-V client is on an RDS (i.e. XenApp) server without SCS, only one copy of the App-V package is cached, no matter how many users get that package.  So disk space reduction is not really the issue.  The issue SCS addresses is that you are probably running in a VM using VHDs that are not on the physical box, such that the Write IOPS of App-V caching are going back to a centralized storage, probably of equal caliber as that of the original share.  Subsequent reads from the cache therefore are always going off-box to storage and it is only a difference of which storage it comes from.  The goal of SCS is simply to remove the unnecessary write IOPS; a big deal in XenApp VMs, but a huge deal in Xen Desktop morning login storms.

Q: Is it ok to use a temporary PVS vDisk version on the master that is clean with the sequencer installed to sequence apps?

A: It is possible, but I would call it a “bad practice.”  We should always sequence on an OS with as little installed on it as possible.  If the purpose is to use the same image as in production, you would be setting yourself up for issues down the road.  Let me give an example.  Your PVS image has vendor XYZ Antivirus version Q installed.  Next year you switch to version R or maybe vendor ABC.  If the vendor XYZ version Q installed any dependencies not present in the replacement, this might break a small subset of your packages.  We always sequence on minimalist images to avoid that issue.  Also, I use a desktop version of the OS for sequencing 99.999% of the time, even if I am deploying on Server OSs.  It reduces certain issues in packaging in general, and keeps open the possibility of extending the deployment of your current packages into desktops in the future – either VDI or physical – should the need arise, without repackaging.

Q: Re: Single Admin without an app-v server; When is the package cached/mounted for the first time?  Is it on user launch, or immediately via the Studio console?

A: The process for this starts with the user logon, initiated by the ctxapplauncher executable on the VDA machine. Various parts cache at different times.  It is complicated enough that I built a little WPF tool to explain it here:  http://www.tmurgent.com/appv/index.php/en/resources/tools/282-appv-client-interaction-the-app

Q: Re: Single Admin; can you set your own Dynamic Config XML?  Can you control whether the package will be published globally or to the user?

A: I think I answered only the first part on the webinar.  The current best practice (starting with App-V 5.1) is to include any changes that you would make in the external Config.xml file into the internal AppXManifest.xml file using the AVME tool.  Then you don’t need the external file.  Using Studio, packages are published to the user.

Q: Do you have any tips for sequencing applications which need reboots during installation, where the sequencing fails since the sequencer says it can’t restore the previous state?

A: The sequencer supports reboots!  With the 5.x sequencers, when you are installing, if a reboot is needed you just reboot.  The sequencer registers itself to resume monitoring early when the OS comes back up (not too dissimilar to the ProcMon feature that does the same).  You must log into the OS using the same user account.  You will see the sequencer GUI pop back up in place and you continue with the next step of installing.

Q: How do I add a second Management and Publishing Server to Citrix Studio?

A: You can’t.  Assuming that these are load balanced instances using the same App-V Database, I would use the load balanced name.  If the other questioner is correct and there is a bug with Studio and the load balanced names, then just pick one of the servers.  It’s not like they ever go down and you could manually change the name in Studio to the other if it did.

If the scenario is two independent servers and databases (I once helped to build a University environment like this) there is no solution.  If there was a need to do that with the App-V servers then you should probably be looking at separate Citrix implementations as well.

Q: What are the specific differences between isolation environments and connection groups?

A: The isolation environment is basically a set of rules that are used to cause a connection group to be created at the client.  In the end, it is the same thing just presented in a way that makes for an improved management experience in Studio.  The SCCM implementation of Connection Groups was called “Virtual Environments” for a similar reason.

Q: Will you have any App-V and Citrix classes?

A: The classes I run include as much as I can for Citrix customers. With the end of Citrix Streaming and people moving over from 4.6, a majority of the participants are using Citrix, and the more that are present, the more I adjust to their needs. But to also teach Citrix would take more time than is reasonable in a week, so the emphasis is on App-V.

Q: Is it recommended to have Office installed natively on the server or as an App-V package?

A: Native install on the server, unless you fall into the exceptions below. The scenarios that make virtualizing Office a good idea all revolve around having multiple versions of Office on the same machine.  Office is a platform, and although the latest versions of Office virtualize well, a lot of things tie into it. Some specifics:

  • Office 365 (2013 and 2016 based) virtualize well and are supported.
  • The 2016 volume license version of the suite is no longer supported in App-V. No, we don’t know why, but it appears to be a “licensing thing.”
  • Certain components of the 2016 volume license, such as Project and Visio, are supported in App-V, just not the suite.

A native Office install is recommended.  If you want to virtualize plug-ins to Office, go ahead and virtualize the plug-ins and use RunVirtual against the native Office component in order to bring in the plug-ins.

Microsoft states that they support, but do not recommend, having two versions of office present at the same time.

Q: Do you have a way to run elevated (local admin access) user scripts and also bypass UAC?

A: Sorry, App-V is not a way to bypass security! However, sometimes we can modify the application to not require UAC by modifying the exe manifest. This technique is not unique to App-V, but it just might be more successful if App-V is used because of other things that App-V is doing.  In the end, if the app needs a UAC prompt there is going to be one unless you turn off all UAC prompts.
