Category: Technote

Fixing IE cookie trouble with RES WM

By Max Ranzau

 

delcookiesFrom the Worlds Greatest Browser (Right…) Dept: In Internet Explorer 10 and up, the WebCacheV01.dat file was introduced. This file lives in %LocalAppdata%\Microsoft\Windows\WebCache. The webcache folder is hidden. The issue at hand is that the webcache file is always in use, which makes for a rainy day if you try to roam/copy IE cookies, or otherwise store them with RES User-Settings. The issue was described back in April by Rob Beekmans on his blog here.

As of now, the problem is rumored to have been addressed by Microsoft on Server 2012, but is still very much alive and kicking on Server 2008, which at the time of writing still represents a large contingent of server deployments out there.

While Mr. Beekmans illustrated the issue, my partner-in-crime the good Mr. Aarts tackled the issue head on, providing a neat and shareable solution with the RES community in the shape of a Workspace Manager buildingblock. By running a couple of strategic Powershell scripts in the users session and including a couple of extra (freeware) utilities as custom resources, the buildingblock solves the problem described above. The Workspace Manager BB includes the following:

  • A PowerShell command to set the PS execution policy to unrestricted to make sure we don’t get any unnecessary prompts when running the following items unattended:
  • A PS script running at logoff, which backs up the current webcache to a location of your choice *1). The script will create two backup .zip files for the two folders WebCache and INetCookies as well. The script will also leave 5 rotated backup file sets.
  • A PS script running at logon to restore the latest backup of these two folders to their original location
  • Both logon/logoff scripts closes all open file handles before making the backup/restore operations.
  • 7zip and SysInternals Handle64.exe are included as RESWM custom resources.

As you may infer, the above essentially extends the WM User Settings with a basic Hybrid Profile – style copyout-copyin script system. This is necessary, as UserSetting would face the same issue as any other UEM; that the target files are locked. I’d say there’s a loud and clear feature request waiting to be implemented here that could solve a lot of potential headaches for customers.

script1Important: As you can see on the screenshot, there is a couple of places you may need to modify the logon/logoff scripts. The destination where the backup files are to be stored defaults to H:\ – you may need to change that. If you already are using a UNC path like \\server\share\%username% for your User Settings, you perhaps want to consider using that as well. Just remember to add a subfolder for this, like \\server\share\%username%\IEbackup or similar. We could of course have added an environment variable so you only had to change the storage destination once, however it’s two edits. Chances are you may survive it :)

Click the brick to download the buildingblock: legobrick-cropped

The beginning of the end – for PwrGate

By Max Ranzau

 

einFrom the NostraRanzau Dept. This article describes some very interesting developments which I came across in in the Service Release 4 for Workspace Manager 2012 back around end of 2013. We’ve been used for for eons that new managed applications would contain a reference to RES’s own launcher, pwrgate.exe. With this well hidden change, it’s actually possible to let shortcuts retain their original exe+path. There are some caveats as this is early code – nevertheless this is worthwhile knowing about

doc-icon2<<< Click here to read the article

Workspace Manager 2012 SR4 Highlights

By Max Ranzau

 

From the Look-Somebody-Had-To-Write-About-This Dept. It’s been a couple of weeks and fairly unannounced the Service Release 4 was released on Nov 11th. I’ve been up to my eyeballs in training so blogging’s been kinda put on the backburner a while. Anyway, here is an overview of selected items I found interesting in the this SR. You can download the full releasenotes at the end of this article and have a closer look yourself.

  • Several performance enhancements in both the console and the agent. Pretty much all the Composition items have received a noticeable performance overhaul and things load faster into the console in general. License processing, Drivemapping and many other things have received a tune-up. Of special notice is the Context | Directory Services, where there now is a new option to “Get group membership using tokens (faster)”. You’ll want to look into this option for multi-domain environments, especially if there’s cross-domain resolving going on.
  • The App-V integration has also seen several overhauls. When you do a Execute Command configuration|action on an App-V managed app, you now have a checkbox to run outside the virtual bubble. In application UserSettings, it’s now also possible to edit what’s being picked up in the Targeted items to capture. Previously WM would grab everything but the kitchen sink for a virtual app. User Restore of App-V items have also been improved however there’s no details as to the specific improvement.
  • A new Lockdown and Behavior option to hide log off in startmenu has been added. Let’s hope this feature isn’t on per default as hide shutdown on workstations is in SR3 (for further details, see Things WM does per default)
  • Registry modification under Composition now has the ability to ignore registry redirection on x64 platforms. This is quite useful if you want to make sure a given registry key goes where it’s supposed to without interference from the OS.
  • Special registry types like OutputReport, ReportStyle, REG_NONE are now supported. I have no idea what these do just yet, but I guess we’ll find out along the way.
  • User Settings now support a direct path for specifying the location of the Personal Settings folder. Check the releasenotes for further info. This is important.
  • Application Icons either pinned or in the startmenu have received yet another overhaul. Hopefully the old blocky icons are now a thing of the past.
  • New registry setting to control if the User Settings caching process is launched (if you’re not using laptops, use this reghack to turn it off). See the updated WM registry guide here. Note, there are several other registry items in this release under the fixes section. I’ll update the registry guide with these asap.
  • There is however one particular new setting which stands out. Look for InterceptManagedApps in the releasenotes. From SR3 Update 8, an interesting new feature has been added to preserve the original command line of managed applications. This is one to watch as it effectively will no more PwrGate.exe shortcuts. Expect a future article about this particular item once I’ve tested it.

In summary this service release is mostly performance enhancements, and the obligatory bugfixes – yet there are several interesting thing to dig into. For more information, go have a look at the releasenotes.

Click here to download:

 

 

What’s up with that other WM service?

By Max Ranzau

 

From the Inquisitive Minds Want to Know dept. Since the release of Workspace Manager 2012 SR3, you may have noticed an extra service has been added, besides the well known RES service (aka “Workspace Manager Agent”), which takes care of synchronizing the local DBcache with the SQL datastore. The other service, is seen in the Services.msc as “RES Workspace Manager PE”, shortnamed RESPESVC:

respesvc

I asked one of our software folks what the purpose of this service is. I was told that RESPESVC plays a role in environment variable injection into intercepted processes & injection of DLL’s in Windows processes for logoff scenario’s. If you are wondering about what the PE part is short for, RESPESVC is RES Privileged Execution Service. In SR4 it will also do Dynamic Privileges, moving that over from the RES service, making the technical architecture of that feature a lot simpler.

I know a few of you likeminded professional tinkerers are wondering; can one do anything interesting with this service? Does it’s credentials need to be reconfigured like with the RES service if you are running SQL authentication? In both cases the honest answer is no. There’s nothing to see here, move along :) This service just needs to be left alone, running with it’s default LocalSystem credentials and the world will be a better place, architecture wise. If this changes, I’ll be sure to let you know.

 

How to roll Workspace Security into a production env

Animated, Gears, boxprod-envFrom the Industrial Might & Logic Dept: Once in a while you may come across the scenario where you need to take control over an existing production environment. While new VDI implementations are sprouting up all over the place, it’s not within everyones budget to put in new plumbing and start building from scratch. Over the years I’ve dealt with several customers who had a beat-up production environment where they were spending their workdays putting out fires (and fighting off Ogres) instead of being anywhere near a proactive state. Proactive is a much abused word, but in my context it simply means being ahead of the curve instead of trying to catch up and never emptying out an ever-growing inbox of trouble. While this may sound like a happy story of rainbows and robot-unicorns to some, I assure you a proactive state of secure workspace management is a reality within your grasp, when you consider using the RES Workspace Manager. Let me share a story on how I did it and give you some useful tips on how you can do it too:

doc-icon2<<< Click here to read the article

Things Workspace Manager does per default

defaultAnimated, Gears, boxFrom the I-Wonder-What-Happens-When-I-Press-This-Button Dept. An existing article has been moved to the Technote Library. This one covers some interesting behavior of the RES Workspace Manager, which you as an integrator need to be aware of. Out of the box the Workspace Manager does not change anything on the target environment, when you roll the software out. However, when you enable the Workspace Composer, several changes are in fact applied to the target computer, which you would do well to familiarize yourself with.

doc-icon2<<< Click here to read the article.

 

How to manage settings for a software suite

linked-usersettings

Animated, Gears, boxFrom the Mostly Nuts and Bolts Dept. A new article RG056 has been added to the Technote Library. This article describes how to organize settings for a group of applications belonging to the same suite, using RES Workspace Manager 2012. A prime example of a suite is obviously Microsoft Office. The idea is to create a common container object, where all the applications can store their settings in, thus common settings are shared. This article will show you how to accomplish this, using one of the less known configuration items within RES Workspace Manager; namely User Settings Linking. These have traditionally been used to link virtual apps with their local counterparts installed elsewhere, so this article effectively illustrates another way to use them.

doc-icon2<<< Click here to read the article.

 

 

New technote: Guide to Environment Variables

Animated, Gears, boxFrom the WhereDoesHeGetThoseWonderFulToys Dept. It took a while to get the whole thing stood up, but here it is, a complete and current (as of Workspace Manager 2012 SR2) overview of all RES Environment Variables. The guide also covers known system environment variables and references how these tie into a RES managed environment. Finally the guide also includes buildingblocks a couple of small diagnostic tools that will show the current values of the variables within a session, without using nor exposing the Command Prompt to the users. Enjoy!

doc-icon2 <<< Click here to open the Guide.

4 new registry tweaks for Workspace Manager

registry-gFrom the Nuts & Bolts Dept. As the RES WorkspaceManager Updatepack 6 has been finished, we took the time to trawl through the release notes to see what’s been fixed. As always please remember: The RES update packs are not available for direct download and have not been fully regression tested like a Service Release is. You can request these from RES Support if you believe you are affected by one or more of the issues, or if Support recommends you to apply an updatepack. Updatepack 6 contains some rather nifty registry settings, which you can check out here in the one and only WM Registry Guide:

doc-icon2<<< Click here to view the latest registry tweaks in the guide.

Note: if you want to get an earlier heads-up on updates and new articles on this site, consider following @RESguru on Twitter.

What’s new in RES Hyperdrive 2.1

Animated, Gears, boxA  new technote has been posted to the Technote Library. This time Rob Aarts is going into the details of the latest release of RES Hyperdrive 2.1 so you can familiarize yourself with the new features. The article describes the new “non-caching” mode, integration and management from Workspace Manager, The new admin dashboard and much more.

doc-icon2<<< Click here to read the article