This was an open discussion session where customers were able to talk directly with some of the App-V team. There were some interesting details brought up in this session including:

• A couple of customers in the room were managing 3500 and 5000 applications respectively and one of them was even supporting applications dating back to 1982!
• Do you need to re-sequence your application when integrating App-V with SCCM 2007 R2? You can upgrade your existing sequences using the command line sequencer tool in 4.5 and this then generate the manifest XML file for use by SCCM. I get the impression that only 4.5 sequences are supported when managed with SCCM, however I’m sure that I’ve had 4.2 sequences working, but I could be wrong.
• Is Office 2007 supported in App-V? The release of Office 2007 Service Pack 1 brings this suite into proper support with App-V. Office 2007 does perform better under 4.5 that it did with 4.2.
• One of the points brought up by Gene Ferioli, was about sequencing applications on one OS and getting them to work on another. In most cases this works and this has been the general rule for us so far, but he used Communicator as an example. Communicator was sequenced on Windows Vista but it did not run correctly on Windows Server 2008. Even though these platforms are essentially the same, Vista had a specific DLL that 2008 is missing (he didn’t go into detail). The bottom line here is that you must fully test your applications on each of your client platforms – App-V doesn’t remove the need to test.

This session was interesting to observe and be a part of and I can see that the App-V team has a very good understanding of the issues and challenges customers face and were very keen on feedback for future versions.

Well TechEd EMEA 2008 is done and I still have some notes to post from a few more noteworthy sessions, so until then here’s a few more observations about the conference:

• TechEd was well put together and the content was mostly very good. This was my first since TechEd 2003 in Australia and I was impressed. Quick tip – if you do go to TechEd, get as much sleep as you can over the week as the amount of beer you consume is inversely proportionate to the amount of information you can take in the next day.
• If you get a Netbook to take notes (like the MSi Wind that I have) be sure to get a 6 cell or a second 3 cell battery so that it can last the day. Madlly searching for power points isn’t much fun.
• HTC Touch Diamonds and Touch Pros where everywhere, I’m sure they where out-numbering iPhones.
• VMware had a booth and were even a Gold sponsor, plus they were giving away an iPhone (not Windows Mobile-based phones like everyone else).
• The number of female delegates was quite high. I don’t have numbers, but this was a good sign – hopefully this number will continue to increase.
• Mark Russinovich, Jesper Johansson and Steve Riley have reached rock star status. It’s an odd thing to see but perhaps warranted – they do present very well.
• Mark Minasi, Chris Jackson and Aaron Margosis are also very good and worth seeing if you get the chance. Chris and Aaron are a nerdy version of the Odd Couple when they present together.
• People go crazy over the conference satchels. When the organisers where getting rid of the last lot, I saw one guy with 4 of these things and they aren’t something that you would be caught carrying anywhere but TechEd. Well I wouldn’t anyway.
• Barcelona is a fantastic city. If you get the opportunity to visit, take it. While you are here, I recommend visiting the Museu d’Història de la Ciutat (History Museum). There are some very well preserved Roman excavations worth viewing.

This was a session to demo the new features in App-V 4.5, mainly aimed at those people already familiar with App-V. It was presented by Gene Ferioli, a senior program manager on the App-V team. Gene worked with the SCCM team on the App-V integration for SCCM 2007 R2.

This session was pretty straight-forward but the most interesting part was when Gene demonstrated automatic loading of virtualised applications from a USB thumb drive. The App-V team have written a proof of concept utility (SFTMON) that runs in the background and monitors for the insertion of removable media. It then parses the device for manifest XML files created for 4.5 sequences and uses those to automatically add the applications into the local cache.

This is all achieved with SFTMIME commands, so there’s nothing stopping anyone else from creating a utility like this. The team may post this code on the App-V blog or make it available as a resource kit tool, but no firm plans have been made so don’t expect to see this soon.

This was a pretty cool demo which has great use cases. Essentially you could take all of your applications with you, plug in the thumb drive and way you go. A couple of the other app-virt vendors support this scenario today, but this is great news for App-V users.

Another interesting note is that there is currently a design change in to create a notification bubble that let users know when their applications have finished loading to 100%. Whether this actually makes it into the product some time in the future is another story.

This session was about DirectAccess in Windows 7 and Windows Serve 2008 R2 as well as Terminal Services Remote Desktop Services changes in Windows Server 2008 R2. The DirectAccess feature looks pretty compelling but it will take some time to get to there. However, the Remote Desktop Services stuff was actually pretty cool.

DirectAccess

DirectAccess is essentially access to the corporate network without a VPN.

DirectAccess provide seamless access to the corporate network  (corpnet) over IPsec and IPv6, however you can tunnel this inside IPv4 and TLS for where you can’t get direct IPv6 connections. DirectAccess leverages policy based network access – this mean that DirectAccess is integrated with Network Access Protection for policy and remediation services.

On the client-side there is a name resolution agent that directs requests for corporate resources to corporate DNS servers and requests for Internet resources to public DNS servers. Sounds like no more split tunneling issues that you would have with standard VPN connections.

DirectAccess requires a domain connected machine but does not actually require a user to be logged on for it to be connected to the corpnet. This means that anyone responsible for management of workstations can access those machine just like they were on the local LAN. Things like Group Policy can also be applied when the machine is outside the network too.

Today we have increased TCO because we need to get those mobile machines into the network to manage them, but with DirectAccess this is no longer an issue (of course those machines will need to be running Windows 7).

To get DirectAccess you will need Windows Server 2008 R2 to support the server-side connection (what the speakers were calling a Thin Edge DoS Prevention Server) and the Windows 7 client. Unfortunately we won’t see DirectAccess coming to Windows Vista.

There were also some specific Windows Server 2008 R2 Domain Controller requirements if you are looking at two-factor authentication. I’m not sure if that meant all DCs in the domain or forest or just DCs that the machine would be authenticating too.

The demo of DirectAccess was pretty straight-forward – if you are away from the corporate network you can still access internal or external resources just like you were onsite. It does look to be pretty seamless to the user.

Windows Server 2008 R2 Remote Desktop Services

You’ve probably already seen that Terminal Services has been renamed to Remote Desktop Services in Windows 7 and this has been done to bring into into line with its new capabilities where it supports VDI scenarios too. Of course all of the components have been renamed so now we have Remote Desktop Gateway, Remote Desktop Connection Broker, Remote Desktop Web Access and Remote Desktop Easy Print, all of which support or are supported by Terminal Server and VDI connections.

The new broker supports both TS and VDI sessions and you can see this with a unified view of your applications and desktops when you sign into the new Web Access.

I was glad to hear the speaker stress that Terminal Server is more scalable than VDI – somewhere in the range of 3 to 10 times more scalable. So if you’re thinking of replacing your TS infrastructure with VDI, you should probably be looking at applying the best tool for each usage scenario.

There was a quick list of improvements to Remote Desktop Services (you should be able to get a more detailed list soon)

• Remote Desktop Services Gateway security improvements (this was a bit vague)
• True multi-monitor support – up to 10 monitors supported
• Bi-directional audio (a bit late to the party with this one)
• Consent signing support i.e. a usage policy that users must consent to before logging in
• 2D and 3D remoting for DirectX 10.1
• DXGI, which is a replacement for GDI, which I gather has better support for remoting standard WinForms type applications
• RemoteApp language bar support – this mean that your remote application can integrate with your local language settings
• Integrated single sign (I assume this is an improvement over Windows Vista and Windows Server 2008)
• User Profile Cache Quota (applies a global quota for profile directory and removes the need to delete profiles at logoff)
• Application install improvement – no more Install mode to install applications

At this stage there are no concrete details on what features will make it into the updated Remote Desktop Client for Windows Vista and Windows XP, but there will most certainly be some features dependant on Windows 7 as the client.

The Web Access feature gets a make over (a big improvement over Windows Server 2008 if you ask me) plus forms-based authentication – much better than the auth dialog you see today. There’s also some client side interaction too, after you successfully authenticate you get a system tray notification that handles status information and allows you to disconnect (similar to what Citrix has today).

The connection experience was demoed and it did look pretty cool. The presenter was using a Windows Server 2008 R2 machine as the host connecting to a remote desktop that woke up a stored VM of Windows 7 running in Hyper-V. He then showed the Gears of War trailer streaming over this connection which played perfectly (this would be a LAN based scenario however, streaming over a slower connection wouldn’t be quite as nice). This stuff works on Terminal Server and VDI connection too.

There was also some improved RemoteApp integration. In Windows 7 there is an additional Control Panel applet in which you configure your connect to the farm and the applications are automatically added to your Start Menu – applications as well as desktops. This is very similar to Citrix’s PNAgent and the user experience looks pretty good.

Finally there were a few other random points:

• The speaker spoke of folder redirection as ‘profile virtualisation’, which just made me cringe
• Still no user based filtering in the Web Access at this time and it sounds like there are no plans to add this for RTM
• Microsoft are not doing anything to RDP to cope with high latency in this release
• There will be no changes to licensing requirement; however it sounded like there might be some technical changes, but don’t quote me on that one..

After experiencing some initial troubles with Internet access from my hotel room, I might be able to start posting some pieces from Tech∙Ed here in Barcelona. Some of these might be out of chronological order, but first up here’s a general odds and ends from my first few days here:

 

• Barcelona is a fascinating city, but my Spanish needs some work (lots of work in fact)
• Monday night was the exhibitors drinks and mingle time - there was lots of beer, finger food and Xbox (I had to have a crack at The Force Unleashed on the Xbox - it’s exactly the same as on the PS3, but I much prefer the Xbox controllers;
• The HTC Touch Diamond and Pro are everywhere, I’m sure I’m seeing more of those than iPhones;
• The Microsoft Education guys were giving out stubbie coolers. Unless you’re from Australia, you probably won’t get how great that is, but I’ve finally got one to take back to London with me to keep by beer cold;
• I got a chance to catch up with Sander Berkouwer from dirteam.com and Patick Lownds from the Microsoft Virtualisation User Group UK (yes that’s virtualisation with an s)
• The MSI Wind is not really the laptop for taking notes at a convention like this. There’s not quite enough power points around to plug into so I keep running out of power, but Windows 7 does run on this machine quite well.
• On Windows 7, there are several different builds being used by presenters here, with build 6938 being the latest I’ve seen. Not everyone has had the superbar enabled in the post M3 builds.

There’s more to come on the sessions I’ve attended as soon as I can clean up my notes and post them.

Microsoft posted a knowledgebase article yesterday titled: With Microsoft Application Virtualization 4.5 you are unable to Sequence Adobe Reader 7.x or 8.x due to NETOP FEAD Installer error. Essentially the NETOP FEAD installer is not compatible with the 4.5 Sequencer (or perhaps that’s the other way around).

Based on the issue described in the article, it appears that people are encountering this specific issue as a result of not performing a scripted installation of Reader during sequencing (i.e. not extracting the setup file and using a custom transform for installation).

So why are scripted installations important? Here’s my three top reasons:

1. Your documentation might be rock solid, but we’re only human and we make mistakes. Scripted installs provide a predictable and repeatable installation process that is far less susceptible to error. 
2. Scripted installs, in turn, make documentation easier. Rather than building a process illustrated by screen shots, a script will fill out that document in far more detail.
3. Finally, a scripted installation will also make sequencing faster. No having to type commands or click through Explorer windows.

In the case of Adobe Reader, if you’ve used my articles on deploying Reader 8 and Reader 9 via a custom transform and script, you won’t have issues and should be able to sequence those applications successfully.

OK, shameless plug there

At some point in your migration from Windows XP to Windows Vista you’ll no doubt be looking to manage which Control Panel applets are available to users. Controlling access to applets is no different than earlier version of Windows, but given that there are approximately 48 default applets in Windows Vista compared to 29 in Windows XP, more consideration will need to be given to those which you make available.

There’s a good chance that list will be different for everyone, but here’s my approach: Hiding Control Panel applets is not a replacement for ensuring users are not logging into their workstations with administrative access. Without administrative access, users cannot make system wide changes. Restrict applets too much and you can make support difficult.

I consider the task of restricting the available applets as a means of de-cluttering the interface, not ‘locking the system down’.

Here’s what Control Panel applets I would consider to be relevant to most users in a Windows XP environment:

A couple of these may not be completely necessary, but they give users enough access to manage their environment to suit the way they work. Note that there’s nothing in these applets (yes, including Network Connections) that lets standard users change system settings. There are also many Group Policy settings that allow you to be fairly granular for settings within these applets.

This is what I’m looking at providing for users in Windows Vista:

As you can see there’s many more icons, but Vista does provide many more features. There are a few applets here that you may wonder why I’ve not hidden them:

• Network and Sharing Center: especially useful to laptop users for providing connectivity information
• Problem Reports and Solutions: Vista does a good job of providing solutions for device and software compatibility issues
• System: Information list here is useful for support personnel, hard to see this info if this applet is unavailable
• User Accounts: this will allow users to change their user picture

Here’s a short list of recommendations when configuring Group Policy for the Control Panel:

• Leave the standard Control Panel view as the default – don’t be tempted to force Classic view. The default view in Windows Vista is less cluttered and search makes finding the right option easier.
• Provide the complete list of Control Panel applets across all device types in a GPO on the user’s OU using the Show only specified Control Panel items policy
• Remove additional applets from the previous list for special case machines (e.g. Terminal Server) in a loop-back policy using the Hide specified Control Panel items policy
• Using applet names in these policies provides more granular access than using the .CPL filenames (plus they’re easier to read)

There are also a couple of other settings that remove options that users don’t need to see:

• User Configuration / Policies / Administrative Templates / Windows Components / Windows Explorer / Remove Hardware tab
• User Configuration / Policies / Administrative Templates / Control Panel / Regional and Language Options / Hide Regional and Language Options administrative options

And finally, here’s what Control Panel under Windows 2008 Terminal Server might look like:

So, what do you think - am I off my tree for giving users so many options? Or can I get some support for the ‘enabling users’ camp?

There are numerous ways to customise the default user profile in earlier versions of Windows, including:

• Create a user account, configure the profile, then copy over the top of the local default profile or save a copy to your NETLOGON share;
• Use the [GuiRunOnce] section in an unattended answer file for Windows XP/2003.

The first option carries over to Windows Vista and Windows Server 2008 however the second option is not available in quite the same way. Windows Vista’s setup is a very different beast and customising the default profile with scripts requires using the auditUser pass and setting the CopyProfile value.

There’s some great detail about using this process to modify the default user profile at FireGeier’s Unattended Vista Guide plus there’s a post at MSFN.org that my help you understand the process too. However, I think there’s a simpler way. It’s perhaps not a flexible as deploying via the UNATTEND.XML file but it doesn’t require running SYSPREP to get the job done.

You can edit the default profile by directly modifying the Windows Vista or Windows Server 2008 image. This involves mounting the image and making your changes:

• Mount the image in read/write mode;
• Load the \Users\Default\NTUSER.DAT hive into the Registry. It’s worth looking around at this registry hive to see the differences between it and the user hive once a user has logged in;
• Add the required modifications and unload the hive;
• Commit changes to the Windows image.

Be sure to set the CopyProfile value to False in the UNATTEND.XML, otherwise these changes will be overwritten. Here’s a script that performs those steps for me:

Click to view script

@ECHO OFF
REM ---------------------------------------------------------------------------–
REM  Script configures the Default User Profile in a Windows Vista/2008 image
REM ---------------------------------------------------------------------------–
 
REM Mount the Windows image
IMAGEX /MOUNTRW "D:\install.wim" 1 D:\mount
 
REM Load the default profile hive
REG LOAD HKU\Default D:\mount\Users\Default\NTUSER.DAT
 
REM Configure the default user profile
REG ADD "HKU\Default\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "HKU\Default\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "HKU\Default\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d 2 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v FontSmoothingType /t REG_DWORD /d 2 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v WallPaper /t REG_SZ /d "" /f
REG ADD "HKU\Default\Control Panel\Colors" /v Background /t REG_SZ /d "10 59 118" /f
REG ADD "HKU\Default\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Command Processor" /v CompletionChar /t REG_DWORD /d 9 /f
REG ADD "HKU\Default\Software\Microsoft\Command Processor" /v PathCompletionChar /t REG_DWORD /d 9 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_EnableDragDrop /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuFavorites /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuLogoff /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuScrollPrograms /t REG_SZ /d "YES" /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IntelliMenus /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHelp /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocs /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPics /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowNetPlaces /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowPrinters /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSetProgramAccessAndDefaults /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AutoCascade /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_NotifyNewApps /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AdminToolsRoot /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuAdminTools /t REG_SZ /d "NO" /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_SortByName /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f
REG DELETE "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run" /v Sidebar /f
 
REM Unload the default profile hive
REG UNLOAD HKU\Default
 
REM Unmount the Windows image and commit changes
IMAGEX /UNMOUNT /COMMIT D:\mount

As you can see I’m adding registry entries that will configure the user environment which does mean that there’s a bit of work required to find them in the first place, but it does allow me to document every change to the profile, so I think the effort is worth it.

Extending this process, there are a few other things we can change in the Windows image that will impact the default environment:

• Modify the default theme file in \Windows\Resources\Themes\aero.theme. I’ve used this file to do things such as remove the default wallpaper. Theme files are just text files so they’re easy to maintain;
• Configure Internet Explorer defaults by using INSTALL.INS created with the Internet Explorer Administration Kit. This is useful for preventing IE from adding the default favourites or RSS feeds at first launch. Place a copy of INSTALL.INS in \Program Files\Internet Explorer\SIGNUP and \Program Files\Internet Explorer\CUSTOM.

Then there are a couple of additional tools that I’ve used to make changes to the default user environment once Windows has been installed and added to the domain:

• Group Policy. Some settings such as preventing Windows Media Player from displaying the first run dialog are useful;
• Group Policy Preferences. GPP allows you to set registry values as a preference, i.e. apply once only.

By modifying the Windows image directly, your custom default profile will be available on machines whether you use an unattended or manual deployment.

Here’s a few more articles worth reading:

• Configuring default settings for Windows image deployment
• Support guidelines for migrating roaming user profiles data to Windows Vista or to Windows Server 2008
• Managing Roaming User Data Deployment Guide

A number of useful App-V (resource kit) tools have been released which look very useful:

Application Virtualization Application Listing Tool

The App-V Application Listing Tool (ListVApps) is a tool which lists all the virtual processes that are running at a specific time on a specific computer. You can use the tool to get information about the priority and owner of each process, the size of its virtual memory, its session identifier and processing time. User with administrator privileges will see all running virtual applications.

Application Virtualization Cache Configuration Tool

The App-V client cache tool (AppVCacheSize) allows administrators to increase the Microsoft Application Virtualization client cache size through a scriptable command line interface. AppVCacheSize uses the specified parameters to configure the desired cache size, as well as toggle between using a free disk space threshold or set a maximum cache size.

Application Virtualization Client Log Parser Utility

You can use the fields and values contained in the output file to filter information obtained from the log files. The output file generated by the application log parser utility contains the following fields: System, OS, Build, Date, Time, Module, Log Level, hApp, App, User, Thread, and Message. The information contained in the output file can also be imported into Microsoft Excel for subsequent evaluation. This log parser simplifies the task of looking through log files, being able to filter by log level, build report, launch failures, mini-dumps, minimum disconnected operation mode entries and more. Afterwards, the appropriate party can import the data for analysis and/or utilization.

Application Virtualization SFT Parser Tool

This one looks interesting, but a PKG Parser would be nice too:

You can use the Application Virtualization SFT Info utility to extract the following information from SFT files:

• Validation of SFT files—Process corrupted SFT files, and recover information from corrupted SFT files.
• XML export of contents of SFT—Export the contents of an existing SFT file. You can evaluate SFT segments or SFT metadata and construct a textual tree view of all file information SFT file.
• Listing of all of the files in the SFT—Identify and print the files contained in the SFT with their full paths. This is a good method to quickly identify the contents of a package.
• Statistics about properties of the SFT metadata—Identify statistical information, such the largest file contained in a package. This can be very useful for identifying packages that are too large in size and are causing issues loading on the client.
• Get relevant information on a file in the package—Display size, timestamps, attributes, and version information associated with the package.
• Ability to skip processing of file data if using functionality that requires only the metadata—Allows working with very large packages quickly.

and finally:

Application Virtualization Dynamic Suite Composition Tool

This is a GUI tool for managing DSC.

Dynamic suite composition is a Microsoft Application Virtualization (App-V) feature that enables applications to be sequenced separately from the plug-ins and middleware applications they rely on, while still being able to utilize the virtual resources such as file system and registry settings, in the virtual environment. The packages will run and interact with one another as if they were all installed locally on a computer. The primary package will also assume the secondary packages entire virtual environment, including the virtual file system. If there is an installer associated with a virtual application package, the installers will be automatically updated.

As is the case with most tools released like this, official support channels are only via the App-V forums on Microsoft TechNet.

I don’t know why I keep getting involved with Java. I know I’ve written about it more than a few times before, but it’s not because I like Java… So before I get into a tirade about it, here’s yet another post on the subject..

Introduction

We’ve had some issues taking an existing sequence of the Sun JRE created in 4.2 and running it on a 4.5 client (maybe more on that at a later date), so I’ve gone back to drawing board to get version 1.3.1_10 working in the bubble, while 1.6.0._03 and 1.6.0_07 exist on our client machines.

Justin Zarb has a post on running different versions of the JRE which works great, but I would prefer to get it working without resorting to scripting. To do that I’ve taken advantage of behaviour of the sequencer that takes registry keys deleted during the sequencing process, and hiding them from the resulting bubble when the application is executed on the client.

To achieve separation between the JRE in the bubble and the JRE installed on the system, I’ve followed this basic process:

1. Configure a sequencing virtual machine that does not have (or ever had) any version of the JRE installed
2. Add the registry keys for the version or versions installed on your client machines
3. During sequencing, delete those keys added in the previous step and create dummy entries for other keys and folders you want to fully virtualise
4. Install the older version of the JRE

By implementing steps 2 and 3 you essentially create the anti-JRE which enables you to completely hide the versions of the JRE installed on workstations in your environment – no scripting at runtime required.

Here’s an example of this process in play: the first image below shows some of the HKCU\Software\Classes\CLSID keys, added by 1.6.0_07, seen in the real (non-virtualised) registry:

By adding those keys to the sequencer machine and deleting during sequencing, we end up with only the keys added by the 1.3.1_10 installer. Here is the same HKCU\Software\Classes\CLSID key seen inside the bubble:

Building the Pre-sequencing Environment

All sequencing was performed on a clean installation of Windows where no versions of the JRE had ever been installed. This was done to ensure complete control over the sequencing environment and to ensure

To capture the keys that are installed by 1.6.0_03 and 1.6.0_07, I sequenced those versions and opened the resulting package in the most excellent SFT Explorer. From there you can export the registry keys created by the installer.

From that exported registry file I’ve created a script that will add those keys to the sequencing machine (keys only, values are not required):

Download the pre-sequence script here

This script is then run before sequencing takes place so that the same keys can be deleted before installing the older version of the JRE, and those deletions are then picked up by the sequencer.

Installing and Capturing the JRE

I’ve scripted the install process to make things simple, so here’s the process the occurs during sequencing:

1. Delete the keys created during by the pre-sequencing step. The JRE installer does recreate some of those keys, but with different values, and the sequencer will pick them up and virtualise correctly;
2. Install version 1.3.1_10 of the JRE using an unattended script (SETUP.ISS created using SETUP –R, before sequencing);
3. A dummy registry key is created under HKCU\Software\Classes\CLSID, but this step isn’t completely necessary;
4. A dummy file is created in the default install location of the Sun JRE (%ProgramFiles%\Java%). This will allow the default install folder to be fully virtualised, hiding the real folder from the bubble;
5. The Control Panel applet for the just installed JRE is run, so that the sequencing engineer can check settings, such as Internet Explorer integration, is enabled.

Here’s a copy of the install script:

Download the install script here

After installation and capture is complete, a few steps must be completed in the Sequencer before saving:

• Remove the JAVAW.EXE application item that the sequencer picks up;
• Add a shortcut to IEXPLORE.EXE. You can then copy and customise the resultant OSD file if you are using this process for web applications;
• Ensure that CSIDL_PROGRAM_FILES\Java is set to ‘Override Local Directory’;
• Ensure the registry key USER\%SFT_SID%\Software\JavaSoft is set to ‘Override Local Key’;

Testing the Package

Once you have completed the sequence and are running the package on your client, you should see the virtualised JRE as the default Java machine in Internet Explorer inside the bubble:

Whilst running Internet Explorer normally, the installed version of the JRE will be the default:

Adobe have made Flash Player 10 available, but unfortunately there’s still no support for 64-bit browsers, but then Silverlight 2 doesn’t have 64-bit support either.

If you’re looking to install Flash Player 10 on Presentation Server/XenApp, make sure you’ve got XenApp 5.0 for Windows Server 2008 first or hotfix PSE450R02W2K3028 for Presentation Server 4.5 Hotfix Rollup Pack 3 for XenApp 5.0 and Presentation Server 4.5 (x86 here and x64 here).

If it’s direct downloads you’re after for deployment in your organisation, the same direct download links work, just be sure to apply for a distribution license before-hand.

Adobe have made Flash Player 10 available, but unfortunately there’s still no support for 64-bit browsers, but then Silverlight 2??doesn’t have 64-bit support either. If you’re looking to install Flash Player 10 on Presentation Server/XenApp, make sure you’ve got XenApp 5.0 for Windows Server 2008 first or hotfix PSE450R02W2K3028 for Presentation Server 4.5??Hotfix Rollup Pack 3 [...]

Even though I log onto my domain machine with a standard user account, I???ve been prompted by UAC to elevate when running Registry Editor. After putting up with it for a couple of months, I finally got around to doing something to fix it today. To see what was going on I used Process Explorer to [...]

Even though I log onto my domain machine with a standard user account, I’ve been prompted by UAC to elevate when running Registry Editor. After putting up with it for a couple of months, I finally got around to doing something to fix it today.

To see what was going on I used Process Explorer to see the differences in privileges between a standard process and an elevated Registry Editor. Here’s Notepad running with my standard token:

And here’s REGEDIT running with the elevated token. As you can see, the difference is the SeLoadDriverPrivilege privilege:

I use TrueCrypt to protect data on one of my USB thumb drives. TrueCrypt, of course, loads a driver when you mount an encrypted disk, and some time back I had been attempting to avoid the UAC prompt involved with mounting the encrypted disk. Sure enough when I took a look in the Local Security Policy editor (SECPOL.MSC), I had given the Users group the ability to Load and unload device drivers:

Removing the right for the Users group, didn’t help me with TrueCrypt, but at least now I can open REGEDIT (which I use far more often) without a UAC prompt.

At the next Vista Squad meeting tomorrow night (Wednesday 15th October), along with Ray Booysen, I???ll be presenting on User Account Control and developing & running as non-admin. There’s a few things we’ll cover, including: User Account Control ??? what it is and what it isn???t. With any luck we might have time to compare UAC [...]

At the next Vista Squad meeting tomorrow night (Wednesday 15th October), along with Ray Booysen, I’ll be presenting on User Account Control and developing & running as non-admin. There’s a few things we’ll cover, including:

• User Account Control – what it is and what it isn’t. With any luck we might have time to compare UAC to similar elevation processes in Linux and Mac OS
• Developing applications on Windows Vista as non-admin. Does Visual Studio work as non-admin?
• What challenges IT pros face when deploying applications that expect admin access

One of the great strengths of Vista Squad is that it gets both IT pros and Developers together in the same room, so I’m hoping to make this an open discussion rather that just a presentation.

That means though, we need you. There’s usually more devs than IT pros, so if you’re in London tomorrow night and you’re interested in coming along, you can sign up here.

Now this looks good: Microsoft Application Virtualization Management Pack for Systems Center Operations Manager 2007. If you’re deploying applications via any virtualisation/streaming solution, monitoring is essential.

The Microsoft Application Virtualization 4.5 (App-V) Management Pack enables IT professionals to use Microsoft System Center Operations Manager 2007 to monitor App-V server systems. The Management Pack is designed to maximize Application Virtualization Server availability for handling Application Virtualization Client requests. This component delivers an enterprise-level solution to proactively monitor Microsoft Application Virtualization 4.5 server systems.

Feature Summary

• Monitor and detect Application Virtualization service failures. 
• Monitor connectivity errors with external App-V dependent services such as SQL and Active Directory Domain Services. 
• Monitor when the backlog of queued requests crosses thresholds. 
• Monitor the general health state of the App-V Server. 
• Monitor machine-wide health metrics as related to App-V Server components. 
• Visually monitor trends in the backlog of queued requests on App-V Servers. 
• Monitor the number and type of alerts across the App-V infrastructure. 
• Monitor response time when communicating with external services. 

Now this looks good:??Microsoft Application Virtualization Management Pack for Systems Center Operations Manager 2007. If you’re deploying applications via any virtualisation/streaming solution, monitoring is essential. The Microsoft Application Virtualization 4.5 (App-V) Management Pack enables IT professionals to use Microsoft System Center Operations Manager 2007 to monitor App-V server systems. The Management Pack is designed to maximize [...]

Here’s a download that’s quite timely as I’m looking at application compatibility as a component of my Windows Vista deployment project:??Windows Vista Application Compatibility Downloadable List for IT Professionals The Application Compatibility List for IT Professionals is a Microsoft Office Excel-based spreadsheet containing software applications which have earned the status of ???Certified for Windows Vista??? or [...]

Here’s a download that’s quite timely as I’m looking at application compatibility as a component of my Windows Vista deployment project: Windows Vista Application Compatibility Downloadable List for IT Professionals

The Application Compatibility List for IT Professionals is a Microsoft Office Excel-based spreadsheet containing software applications which have earned the status of “Certified for Windows Vista” or “Works with Windows Vista.” 

Additionally, this list contains applications with a status of “Compatible.” “Compatible” means that the application has been reported by the publisher as compatible with, or supported on, Windows Vista. These applications have not gone through the Microsoft Windows Vista Logo Program. 

The Application Compatibility List for IT Professionals is current as of July 31,2008 and published as of the Date Published..