Hello everyone, here is a technically digested overview of some of the features in the new Service Release 2 of RES Workspace 2015. Fair warning: These notes were mostly created from the releasenotes in the pre-release, so there may be some nuggets which did not make it into this recap. Second, this is not an exhaustive list, it’s the items which I found the most interesting and/or useful in my work.
One important thing to keep in mind when doing the upgrade. If you have all agents connected via relay servers, you must reconfigure one of them to point directly to the datastore before doing the SR2 upgrade. I guess RES is probably
reconfiguring the matrix changing the database schema. Then upgrade the relay servers and finally all the agents.
Office 2016 Support. This is one of the most anticipated features in my opinion. Not only does SR2 include new User Settings templates for the 2016 suite, but it also supports Outlook 2016 for Email Template configuration. Nothing more to say about it other than it seems to work as advertised, when taken for a spin around the block in the RESguru Skunkworks.
Windows 10 Support. This one you need to pay close attention to: While Workspace seems to work swimmingly on Windows 10 in regards to User Settings, configuration and security – which in my optics usually are the most important bits – there are some things to be aware of. One such thing is creating new tiles do not take effect upon a session refresh: Users will need to log out and back in before these changes take effect. I personally view this as an issue, since we’ve been accustomed to shortcuts appearing at refresh since the early days of PowerMenu 2000. I know from my talks with the product teams they are hard at work to fix this. Workspace SR2 specifically supports the Win 10 build 10240 as of July 2015 and Win 10 v.1511 (OS Build 10586.29). Be sure to check your build/version first, by running the winver.exe command. RES tracks and support Win 10 updates as of May 10, 2016 — KB3156421 (OS Build 10586.318) for Win 10 1511, See update history here. Finally, it’s worth mentioning there is a page in the Workspace SR2 release notes, titled “Microsoft Windows 10 known limitations”. It’s two pages long so I won’t rehash it here, yet do make sure you read and understand this thing before you throw yourself into a Windows 10 project.
Actions: New timing option ‘At application end’ for Execute Command. This is one of those things that have been sitting on the backlog for what feels like half a century. And let’s be honest; it’s one of the features which the goonies in green have been knocking RES for not having. Long story short, this allows you to fire off Sync jobs, cleanups and whatnot upon termination of an application. It goes almost without saying to use common sense on this feature. Any app which places itself in the system tray never really terminates.
Ability to specify account in console for SQL windows authentication. I’ve always hated dealing with the combination of WM and windows authentication with a vengeance. Mainly due to that it was cumbersome to make sure all the pieces line up. For example; before SR2 you had to make sure the account you were logged in with running the windows console had database access. This has been fixed, so now you can just configure the SQL windows credentials.
Advanced Settings: Bypass composer setting now also supports groups. While it was useful to be able to exclude certain people from being hit by workspace manager, such as admins, it was previously a hardcoded list inside the Workspace console. By now enumerating AD groups, this allows us to control it externally. For example, we can now build a Service to request temporary admin permissions or similar elevations, one could also build a service around this for admins to request Workspace manager to lower it’s shields for a bit.
CSV export of agents: Once you have searched for your agents, there’s now an icon in the Workspace toolbar to export a list of agents. I could see this being useful for several automated purposes. Now all we need is a command-line switch for pwrtech.exe to be able to unattend this export. If you are interested here are the headers for the export: Computer name,Run Workspace Composer,FQDN,Domain,Operating system version,Last console user,Agent version,AppGuard version,NetGuard version,RegGuard version,ImgGuard version,Laptop,XenApp version,Citrix Site,VDX Engine version,VDX Plugin version,Last contact,Synchronization status,Connection,Connects to,Relay Server discovery,Relay Server list,Relay Server name,WebGuard version.
Overall performance enhancements. SR2 has seen a boost on the performance side. Areas such as the DBcache, FileSync, Direct datastore connections, Relay Servers, authorized files / filehash imports and XenApp environments with more than 1000 published apps. Logging has been enhanced to truncate excessive repeating log entries. Essentially if something goes bump in the night more than once per minute for an hour, truncation happens. See the releasenotes for more info. Another item worth mentioning is that SR2 includes new kernel filter drivers, thus a reboot on all affected computers is necessary when installing SR2
New product packaging: Besides the above technical enhancements, there are also some major changes on the product packaging and pricing side. I’ve covered these in a separate article.
New File Hash Monitor tool: Okay so I cheated a bit and gave the official corp blog a once-over after writing this article. I noticed something that wasn’t in the original, uhm prerelease-release notes: The File Hash Monitor tool. Allow me to fill in a few blanks. Essentially this is a separate download from the RES portal here, which allows you to pick up filehashes ahead of time. When you install it, you specify a scan interval, a target CSV file and some target folders where your executables are, for example C:\Program Files\. Much like the Relay Server, a configuration tool is installed alongside a service called RESFHM. The service will start generating the CSV file within a few moments after initial configuration. The resulting CSV file looks like this:
Once you have your CSV file cooked and done, you can import it into Workspace by running the console executable like this: PWRTECH.EXE /IMPORTHASHES=<your_csv_file> [/CREATEIFNOTEXISTS]. See page 386 in the admin guide.
One rather cool thing which I think should be emphasized, is the ROFHMT (please tell me we’re not going to call it that ;) has the ability to scan executables inside container files such as MSI, CAB, RAR, ZIP, etc. (see screenshot above to the right). You can add your own extensions as well and customize what tool is used to decompress them. Per default it’s set up to use the freeware 7Zip to handle these.
Commandline export of the Security log: Now it’s possible to pull out XML exports for some of the security logs. Use the console binary to run the export as: PWRTECH.EXE /EXPORTLOG /TYPE=<Logtype> /OUTPUT=<log filepath> /START=<startdate> /END=<enddate>. Currently for ‘logtype’ the following logs are supported:
|APPLICATION||Managed app security log|
|REMDISK||Removable disk security log|
|NETWORK||Network security log|
Start and end dates are optional yet must be be in YYYYMMDD or YYYYMMDDhhmmss if specified. Also, make sure that the user you run the pwrtech.exe command line with, has at least read permission in the administrative roles for the security subsystem who’s log you want to export.
While it’s cool to be able to do these exports, there’s still an item left on my xmas wishlist: Will we ever be able to clear the logfiles from within the console? Doing the Workspace baseline security on a new installation, this is paramount and yet still the only way to do it is by either hacking the datastore directly or using Patrick’s excellent, yet unsupported Log Management Tool. Oh well, there’s always the next FR/SR to look forward to.
In conclusion: Overall SR2 is a solid update, well worth the subscription advantage. Besides the above enhancements and performance boosts, this update fixes 50+ issues and bugs. Good work! Read the final releasenotes here: