RESguru Consulting goes live!

Hi everyone, it’s been a while. Plenty has been happening on Planet RES for the last few months, which why I’m here today to bring you a very exciting announcement. For me this year, the American independence day will have double meaning:

As of today July 1st 2014, I am launching RESguru Consulting as a  company. Specifically I am offering consulting, design, implementation and training/workshop options to anyone who is looking at RES Software automation, workspace or self-service solutions.

Having worked actively with RES products for the last 1½ decade, trained hundreds of consultants, admins and several instructors in the ways of the Force, I am now putting my services and experience at your direct disposal.

I am based in the San Francisco bay area, yet available internationally. For further information, call (+1) 610 462 2200, email m.ranzau@resguru.com or reach out via LinkedIn. See my profile page here, for a backgrounder and more information.

To everyone who’s been following and enjoying the site over the years, rest assured – all the content and goodies will stay up on RESguru.com and more are being added in the future.

I look forward to working with you.

Max Ranzau

 

Welcome to RESguru

You have reached the home of the RESguru Blog. This is a technical blog dedicated to the products of RES Software, namely Workspace Manager, Automation Manager, VDX and The IT Store. Although this blog has been been around since early 2009,  I eventually figured out it would make  sense to write a short intro to our new visitors :-).  The old hands who have frequented the site over the years know where to go, so the following  intro is for you, our new prospective patrons.

PS: If you like what you find here, please consider giving the site a Google +1 at the bottom of the page. Click the Read More link below to get a tour of the site

Read more »

Automated VDI Optimization

By Max Ranzau

 

kcaoFrom the BuildingBlock Dept. Here’s a set of buildingblocks for Automation Manager I’d like to share with you. They have kindly been provided by my co-blogger Rob Aarts. Rob asked me to go through the buildingblock and we agreed to document the result in an article. This collection of modules is very useful when implementing best practices for a Windows 8.1 golden pattern/image. Most of the changes below are already documented online ad nauseum in numerous articles across the net, so I will give you a overview of what optimizations are included in this package. The module collection have the following capabilities:

Default profile registry settings: Configures a few recommended registry settings in .DEFAULT user – check this module out as it gives you a nifty way of actually implementing HKCU settings via Automation Manager.

Run the disk cleanup wizard: This gets rid of the temporary files, offline webpages and all that other gunk that would otherwise waste space for no reason in your workload image.

Explorer tweaks: This is a hodgepodge for HKLM based explorer settings to further simplify the workload. You may want to go through this module as it’s not everything in there which may be of relevance for your own implementation. This particular module include:

  • Set registry permissions for SYSTEM on CSIDL {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} (google it, but in short it’s necessary for some of the following tweaks)
  • Remove Network node from explorer tree
  • Remove unwanted personal folders (My videos, My Music and Desktop) for both x64 and x86 based workloads.

Other tweaks: This module is a collection of commands also based on best practices, to disable/enable Windows settings, which in turn further optimizes the VDI workload’s startup time and general performance. The module includes the following:

  • Disable NTFS last access timestamps (slows things down when enabled)
  • Disable Boot logo+log and hibernation
  • Enable windows remote management (we all want that!)
  • Remove the pesky Modern/Metro Win8.1 apps (refer to this technet article on what’s going on)
  • Remove the Fax device (as we for once don’t want the users to go fax themselves… :)

vdi-regRegistry optimizations: More machine based registry settings to either remove general annoyances, speed things up, etc. There are 13 optimizations included in this module: Disable boot optimization, TCP/IP large send offload, system restore, memory dumps, new network dialog, and clearing of pagefile on shutdown. The module also increases disk I/O timeout and service startup timeouts and much more.

vdi-tasksScheduled tasks: As we all know there are loads of things that happen behind our backs in a windows session. Keeping these to a minimum in a workload will keep everyone happy. This module disables 31 different background subsystems. Examples are Windows Defender (yes, it’s nice but it has no business in a workload), System restore, Bluetooth monitoring, several CEIP items (Customer Experience Improvement Programs) and much more.

vdi-svcsServices: The last module in the optimization pack disables 61 Windows services which according to best practices are deemed unnecessary in a VDI workload. There are 3 services which are left untouched (i.e. defined, but not being disabled) by this module per default: Device Setup Manager, Function Discovery Provider Host, Windows Search and Windows Store (if disabled, Windows store-based apps do not work) I will leave it to your own discretion to determine if these 4 additional services are right to disable in your own scenario.

Closing notes: In general I recommend that you breeze through the modules for items that you may want to keep running as these modules together completely strips the workload down to the bare metal for maximum performance yield.

Click the brick to download:  legobrick-cropped

 

Aspen Systems and RESguru Consulting partnership

aspen-logoToday it’s my pleasure to announce a new partnership with Mike Meyer over at Aspen Systems. Mike has been in the virtualization business for as many years as I’ve been in the workspace and automation business. Recognizing our respective strengths we quickly realized there is good business to be made by combining these strengths.

This partnership will effectively allow our respective companies to offer virtualization and workspace expertise combined in north and southern California. Santa Barbara based Aspen Systems has an impressive track record delivering high quality desktop solutions based on Citrix, VMware and other virtualization technologies. RESguru Consulting, based in the San Francisco bay area, brings 15 years of implementation and training experience with RES Software technologies to the table, allowing implementation of fast and predictable managed desktop and automation solutions in the datacenter, as well as in the end-user computing environments. Together we are excited at the prospect of serving current and future clients with well proven technology to increase savings on IT and reduce complexity.

To kickstart this partnership, I’ve created the first of a series of technical articles for the Aspen Systems newsletter that will focus on different aspects of RES technology. The first article is how to use RES Automation Manager in environments where Windows Authentication is required.

doc-icon2<<< Click here to read the article on Aspen Systems’ blog.

 

Secret Weapons of a Master Trainer

By Max Ranzau

 

From the Teacher’s Tips Dept. Having trained a lot of great folks in RES tech over the years, one particular question I often get on the side is this: “Max, what is that digital whiteboard solution that you are using?” I thought I might as well share that with you here, as well as a couple of useful tips. You’ll need these as circumstances have changed around the product’s availability.

cpsFirst of, what I use is called Canson Papershow. It is a quite ingenious solution to white boarding. The Canson Papershow solution differs itself by using a real ballpoint pen tip on real paper. It’s not a recorder pen that plays back later, or one of these Wacom tablet jobs where you can’t see what you’re doing. I’ve even seen folks trying to finger paint on a VGA connected iPad – ye gods! With this kit, everything you write will be drawn precisely in real-time in the whiteboard app on screen as well as on the paper. The kit consists of a USB key, a pen and a special micro-dotted paper pad. The USB key has 3 functions:

  • It’s a Bluetooth receiver for the pen device.
  • It stores the software for the host computer (it supports both Windows PC and Mac)
  • It provides storage for your saved whiteboard drawings (I think the key in total has about half a Gig). The drawings are stored in a vector based format, not as bitmap, so you can edit them later or continue next day of training in the same file.

The pen runs off a single AAA battery. It’ll run for about Read more »

New Utility: DB Cleanup Tool

By Max Ranzau

 

From the Community Hero Dept. It is my pleasure today to present to you a cool new addition to the community toolset surrounding RES Software products. I want to highlight this one in particular as it addresses a situation which has needed attention for a while. It’s about the logfiles in RES Workspace Manager. Back in 2009 I addressed how to clear individual logs, by doctoring the RES WM datastore directly – not something for the SQL inexperienced nor something that is recommended, but nevertheless necessary as the individual logs cannot be cleared from the Workspace Manager console as of yet.

The ability to do this is crucial as, when deploying the software, especially the security components – one needs to repeatedly clear the logs to be able to identify and address potential authorizations. I have described the workflow for this in the article How to roll out security in a production environment.

patrickThe SQL Database Logging Cleanup tool, AKA the DB Cleanup Tool was developed by my RES colleague Mr. Patrick van Grinsven. As the tool name indicates, it serves the purpose of cleaning up the RES Workspace Manager logs, however it does this in an intelligent way, as it will only present you with a limited 1.000 record preview in the tool interface, second it will clear logs out in batches of 20.000 records, to prevent overloading the DBMS unnecessarily.

dbcleanuptool-e

While the interface is designed to be as self-explanatory as possible, here is a brief description of the tool:

  1. Enter your SQL server credentials – Windows authentication is also possible, the checkmarks appear when a value has been entered into the required field. NOTE: Only SQL Server 2005 and up are supported at this moment, so the tool cannot be used for SQL express, Oracle, DB2 or other databases.
  2. When all fields are validated the Analyze button will become available and an analysis of the logging database can be started.
  3. To see the result of the analysis select a log which you would like to query (output is 1000 records max), or to clear.
  4. Before clearing begins, the number of records of the selected log will be determined and cleared. When clearing has finished, the logging table will be analyzed again: A query on the selected log will be done, to see if records were added after the clearing.
  5. The SQL database will need to be shrunk after the operation, which will physically purge the unwated records. There is a technet article here on how to do this. Patrick tells me that this is a feature he may be implementing in the future.

The tool requires .NET Framework 3.5 or newer to be installed (written in C#). The tool has been tested with 300k+ entries in the errors log and it took approx. 1½ min to clear. For performance purposes, it’s best to run the tool on a computer located on the same network as where the SQL server is situated.

And before I let you on to the goodies, let’s just agree to the following: The tool is provided to the community as-is. There is no warranty nor is it supported. For any legal dispute, both Patrick and I will kindly refer you to the M.O.A.D.

Click here to download DBCleanupTool: Download-icon-cropped

 

 

The beginning of the end – for PwrGate

By Max Ranzau

 

einFrom the NostraRanzau Dept. This article describes some very interesting developments which I came across in in the recent Service Release 4 for Workspace Manager 2012. To be accurate the feature we’re discussing today was already available in the SR3.6 updatepack, but since it’s rolled into the official SR4, that doesn’t matter much. 

Anyway, back to the matter at hand. For eons, the way Workspace Manager has created Managed Applications was – and still is to create a shortcut that indirectly refers to the applications executable, by way of a AppID reference. A command line on a RES created explorer shortcut, would look something like this PWRGATE.EXE <AppID>. The AppID number is an integer that refers to a unique number in the RES Workspace Manager datastore, assigned to each application upon creation/import.

This method of launching managed applications has been the same for many years and has served us well. With the introduction of Process Interception in early Workspace Manager 2012, we began to move away from this approach: Process Interception, using the built-in filter drivers, was upon launch of a given process name or wildcard, able to inject Configuration Actions and User Settings into the interceptconfig2environment. This however only worked for already existing shortcuts in the target environment, or if the user launched the given process binary directly. That meant you had to run Workspace Manager’s startmenu subsystem in merge Mode and turn off the disabling of process interception (yes, I know…). For each existing app, for which you wanted to apply process interception based configuration, you created a new Managed app and switched on process interception there as well.

pwrgate-appHowever, up until now – if you created new regular managed apps from scratch within Workspace Manager – not using process interception, the resulting explorer shortcut would still contain a PwrGate.exe command line, as described above. This is the important change in SR4. When you enable this setting ( still a registry key at this point), all new shortcuts will be created with the native binary, specified in the command line of the managed app and PwrGate will be used no more.

Now, let’s roll up our sleeves and try this thing out. On top of an existing environment, I’ve installed the Service Release 4, imported some MS Office applications and configured the startmenu mode to Replace mode. As expected the entire start menu is empty except for my office apps. As you can see on the right, the resulting shortcuts for new apps look the just the same as before. According to the SR4 releasenotes on page 14, we need to do the following to stop creating PwrGate shortcuts:

  1. Per agent where this should happen, go to the right registry path HKLM\Software\Wow6432Node\RES\Workspace Manager (x64) or HKLM\Software\RES\Workspace Manager (x86). Create a new REG_SZ string called InterceptManagedApps = Yes. There are some more options for this value we will talk about further down.
  2. Make sure Process Intercept is turned on (or un-disabled) globally, under Applications|Settings
  3. For each managed app, which should not have a pwrgate shortcut, make sure that the app is set to “Intercept process and apply configuration”, as shown on the screenshot above. Tip: If you have many apps, just rightclick somewhere on the startmenu and chose QuickEdit|Properties|Intercept to batch change all the apps within a given start menu.

Next time you login – voilá! The shortcuts are is back to their native explorer state, pointing directly to the executable, but with RES Workspace Manager controling both the vertical and the horizontal!

Note: The InterceptManagedApp value can also include exclusions for certain apps for which you still want to retain the usual PwrGate <AppID> shortcut for, for one reason or another. One reason I can think of is that if you happen to be using Workspace Manager’s licensing and enforcement system – at least for the time being you probably will still need a pwrgate managed shortcut, that’s just my own guess though. In order to exclude managed apps from having Process Intercepted shortcuts created = Regular PwrGate shortcuts, add them to the value of InterceptManagedApp = Yes|winword.exe|excel.exe|somethingelse.exe|…

bug1I tested this feature out in the initial UpdatePack releases and there were a few kinks that needed to be ironed out. Even though the SR4 behaved as expected, you may possibly experience that Win7 explorer throws some errors such as the one shown on the right when you refresh. This was due to Windows trying to create a new AppUserModelID. There is more info on that on MSDN. According to the SR4 release notes; “the AppUserModelID is used for stacking and pinning application shortcut icons on the taskbar and in the Start Menu, generating the list of Recent items in the Start Menu and the Jump Lists. Therefore, the changed command line used by RES Workspace Manager for managed application shortcuts will cause some unwanted side effects and issues”. While it looks like we got this nailed down in SR4 so it works smoothly, do keep a lookout for it and let the friendly folks in support know if it should rear it’s head again.

As the beginning of the article said, this is the beginning of the end for good ol’ PwrGate.exe While it has served our customers nicely for a decade and a half it will soon be time to let process interception take over the job of launching managed apps completely. Keep your eyes peeled for this functionality in future releases.

 

Workspace Manager 2012 SR4 Highlights

By Max Ranzau

 

From the Look-Somebody-Had-To-Write-About-This Dept. It’s been a couple of weeks and fairly unannounced the Service Release 4 was released on Nov 11th. I’ve been up to my eyeballs in training so blogging’s been kinda put on the backburner a while. Anyway, here is an overview of selected items I found interesting in the this SR. You can download the full releasenotes at the end of this article and have a closer look yourself.

  • Several performance enhancements in both the console and the agent. Pretty much all the Composition items have received a noticeable performance overhaul and things load faster into the console in general. License processing, Drivemapping and many other things have received a tune-up. Of special notice is the Context | Directory Services, where there now is a new option to “Get group membership using tokens (faster)”. You’ll want to look into this option for multi-domain environments, especially if there’s cross-domain resolving going on.
  • The App-V integration has also seen several overhauls. When you do a Execute Command configuration|action on an App-V managed app, you now have a checkbox to run outside the virtual bubble. In application UserSettings, it’s now also possible to edit what’s being picked up in the Targeted items to capture. Previously WM would grab everything but the kitchen sink for a virtual app. User Restore of App-V items have also been improved however there’s no details as to the specific improvement.
  • A new Lockdown and Behavior option to hide log off in startmenu has been added. Let’s hope this feature isn’t on per default as hide shutdown on workstations is in SR3 (for further details, see Things WM does per default)
  • Registry modification under Composition now has the ability to ignore registry redirection on x64 platforms. This is quite useful if you want to make sure a given registry key goes where it’s supposed to without interference from the OS.
  • Special registry types like OutputReport, ReportStyle, REG_NONE are now supported. I have no idea what these do just yet, but I guess we’ll find out along the way.
  • User Settings now support a direct path for specifying the location of the Personal Settings folder. Check the releasenotes for further info. This is important.
  • Application Icons either pinned or in the startmenu have received yet another overhaul. Hopefully the old blocky icons are now a thing of the past.
  • New registry setting to control if the User Settings caching process is launched (if you’re not using laptops, use this reghack to turn it off). See the updated WM registry guide here. Note, there are several other registry items in this release under the fixes section. I’ll update the registry guide with these asap.
  • There is however one particular new setting which stands out. Look for InterceptManagedApps in the releasenotes. From SR3 Update 8, an interesting new feature has been added to preserve the original command line of managed applications. This is one to watch as it effectively will no more PwrGate.exe shortcuts. Expect a future article about this particular item once I’ve tested it.

In summary this service release is mostly performance enhancements, and the obligatory bugfixes – yet there are several interesting thing to dig into. For more information, go have a look at the releasenotes.

Click here to download:

 

 

Stupid spammers – Be gone!

spam-verbotenLike most other bloggers, I got hit until recently by my fair share of blog spam-comments, hoping to make it past the incredible effective spamfilters I have installed here on RESguru.com. You, dear reader never get to bother with this crap as the filters catch most of it and nukes them appropriately. I personally can’t be bothered about it either :)

brainHowever, ever once a blue moon I take a curious look in the filters to see what’s hot in blogspam. It ain’t pretty but it sure is entertaining in a weird way: I can’t help being slightly amazed by the variations of poorly written commentary meant to show interest and flatter/threaten/annoy the blogger, in the hopes that they get one extra hit by posting a link in your website field to what ever crud they are peddeling. For some light entertainment, go have a look at the Museum of Comment Spam. and have a giggle or two. Mind you, these guys (the spammers, that is) aren’t exactly the sharpest crayons in the box…

Well, all good things have to come to a close. I made a nice little change, courtesy of a Mr. Gerard McGarry, in particular how to remove the website url field from the comment form. Nobody cares about that anyway. Net result: Presto! No more spam comments! How’dya like them’ apples, you stupid smappers! ;)

 

What’s up with that other WM service?

By Max Ranzau

 

From the Inquisitive Minds Want to Know dept. Since the release of Workspace Manager 2012 SR3, you may have noticed an extra service has been added, besides the well known RES service (aka “Workspace Manager Agent”), which takes care of synchronizing the local DBcache with the SQL datastore. The other service, is seen in the Services.msc as “RES Workspace Manager PE”, shortnamed RESPESVC:

respesvc

I asked one of our software folks what the purpose of this service is. I was told that RESPESVC plays a role in environment variable injection into intercepted processes & injection of DLL’s in Windows processes for logoff scenario’s. If you are wondering about what the PE part is short for, RESPESVC is RES Privileged Execution Service. In SR4 it will also do Dynamic Privileges, moving that over from the RES service, making the technical architecture of that feature a lot simpler.

I know a few of you likeminded professional tinkerers are wondering; can one do anything interesting with this service? Does it’s credentials need to be reconfigured like with the RES service if you are running SQL authentication? In both cases the honest answer is no. There’s nothing to see here, move along :) This service just needs to be left alone, running with it’s default LocalSystem credentials and the world will be a better place, architecture wise. If this changes, I’ll be sure to let you know.

 

How to roll Workspace Security into a production env

Animated, Gears, boxprod-envFrom the Industrial Might & Logic Dept: Once in a while you may come across the scenario where you need to take control over an existing production environment. While new VDI implementations are sprouting up all over the place, it’s not within everyones budget to put in new plumbing and start building from scratch. Over the years I’ve dealt with several customers who had a beat-up production environment where they were spending their workdays putting out fires (and fighting off Ogres) instead of being anywhere near a proactive state. Proactive is a much abused word, but in my context it simply means being ahead of the curve instead of trying to catch up and never emptying out an ever-growing inbox of trouble. While this may sound like a happy story of rainbows and robot-unicorns to some, I assure you a proactive state of secure workspace management is a reality within your grasp, when you consider using the RES Workspace Manager. Let me share a story on how I did it and give you some useful tips on how you can do it too:

doc-icon2<<< Click here to read the article