If you plan to use the Microsoft App-V Stand-Alone Mode some Registry Settings are required for the Application Virtualization Client as described in detail on this App-V site here. But instead of setting these registry keys manually or through a custom script, you can also manage these settings through Group Policy.

First download the Microsoft Application Virtualization Administrative Template (ADM Template). The ADM Template provides configuration options for the App-V 4.5/4.6 Client settings such as Client Permissions, Client Interface behavior and Client Communication Settings.

Once you have added the ADM Template to your GPO object you can find them under the “Classic Administrative Templates (ADM)” branch as shown in the picture below.

Then configure the Group Policy Settings as shown below.   

Once the GPO is enabled run the command  gpupdate /force on the client to ensure that all GPO settings get applied. Then open the Registry Editor and validate that all settings are configured as described here

Now install your previously sequenced application through the generated MSI installation package. If all goes well, you should be able to launch your Virtual Application in Stand-Alone mode now.

Additional Resources:
Microsoft App-V 4.5 Client in Stand Alone Mode Whitepaper by Tim Mangan
App-V 4.6 Release Q & A
TechNet Virtual Lab: Learning to Configure App-V for Standalone Client Mode

If you have BranchCache deployed within your enterprise environment you might be interested in the
BranchCache Bandwidth Saving Calculation PowerShell Script for the SMB Protocol which allows you to collect and measure the amount of WAN bandwidth that is saved by your BranchCache deployment.

Get the documentation and script from here

When installing Applications or operating system hotfixes the installation process sometimes requires replacing or deleting files that are in use, if that is the case these files can only be replaced or deleted during the next system reboot.

When you plan to install multiple applications in a row you can run into the situation where an application cannot be installed due to a pending FileRename operation from a previous application installation. So if you plan to install several applications in a row without a reboot, it’s highly recommended to check if a given application does actually require a reboot or not. If you launch the installation process manually you will most likely get a “Reboot required” prompt at the end of the installation. But if you run your installation packages in silent mode with the REBOOT=ReallySuppress option you will not notice if a reboot is required or not.

The information for Pending FileRename Operations is stored within the Windows Registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ under the key PendingFileRenameOperations if this key does not exist there are no Pending FileRename Operations, if the key does exist the key value data contains the files that need to be replaced or deleted.

Mark Russinovich provides two useful utilities that deal with Pending FileRename Operations PendMoves.exe and MoveFile.exe. PendMoves.exe allows you to list any pending filemoves and FileMove.exe allows you to configure the system to replace or delete a file during the next system reboot. The tools can be downloaded from here and for more information you might also want to read this article. For those that are looking for a script based solution have a look at the WMI script from Tom Mills which does the same as PendMoves.exe.

Other interesting resources describing Pending FileRename Operations are:
Microsoft TechNet: A Restart from a Previous Installation is Pending
Description of the new features in the package installer for Windows software updates

Just going through an AGPM Installation (Advanced Group Policy Management) where I had to choose an Account for the AGPM Service which can be the Local System Account or a domain user account. Instead of just clicking next next…. I found some good guidance in the Ask the Directory Services Team blog – AGPM Least Privilege Scenario article. Also read Locking down AGPM fit for least privilege.

Never heard of AGPM before ? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally here’s a video provided by Kurt Roggen showing how to install the AGPM Server.

Assume you are at a client site and plan to deploy a Windows Server (2008 / 2008-R2) or Windows Clients (Windows Vista / Windows 7) and want to check if they do already have KMS Services running on their network.

It’s very simple. Just open a command prompt and type the following command:

nslookup -type=srv _vlmcs._tcp

If KMS Services are present on the network the results will be listed as shown in the picture below.

Related Content
Upgrade your existing KMS Service to support Windows 7 and Windows 2008 R2
Volume Activation changes in Windows7
Fundamentals of Volume Activation

Most IT pro’s probably don’t have a problem in getting access to the Windows 7 operating system installation sources because they can access them through their corporate volume license agreement and/or MSDN or TechNet subscription. But unfortunately there are still some out there who do not have such easy access to these sources.

For the use of Windows 7 on a primary device (the one that one uses on a daily basis) an official version of Windows 7 that comes either from the Corporate Volume media source or a separately acquired copy or pre-installed with a new computer must be used.

But if you need Windows 7 just for evaluation purposes Microsoft provides the following 2 options:

Windows 7 Enterprise 90-day Trial
The Windows 7 Enterprise 90-day trial program allows you to download the Windows 7 Enterprise 32 or 64 bit installation sources which can be used for evaluation purposes during 90 days. The Windows 7 Enterprise 90-day trial can be downloaded from here. Note that prior downloading the sources you must fill in a form which also includes a question about your occupation. If you select a profile that does not fit to this program, you don’t get access to the sources.

Microsoft Windows 7 90-Day Eval VHD
This is a preconfigured virtual machine set contained within the Virtual Hard Disk (VHD) format. To run Windows 7 within the VHD you must have access to a system that has Microsoft Hyper-V installed. The Microsoft Windows 7 90-Day Evaluation VHD can be downloaded from here. I recommend to read the Readme prior downloading the sources.

Finally let me also mention the Windows 7 Test Drive which provides access to a Windows 7 client that runs remotely on a Microsoft hosted virtual infrastructure.

Intel vPro/AMT enabled systems allow you to remotely reboot a system from a redirected CD-ROM aka as IDE-R.  So if one of your users devices doesn’t boot its OS properly anymore, you can remotely boot that system with a diagnostics CD that you have stored on your local disk drive.

As long as that recovery CD has a text based interface such as the SystemRescueCD the system can be remotely managed through the remote VT100 terminal, but unfortunately that doesn’t work for graphical interfaces such as WinPE. So we need an alternative method to remotely manage that device. Since Microsoft’s own remote desktop (RDP) does not work under Windows PE, we are going to use VNC which is small and FREE.

Assuming that some of you might be interested to try this out themselves, here’s what you need:

• Intel  Manageability Developer Tool Kit
• Windows Automated Installation Kit (AIK) for Windows 7
• UltraVNC

You will need two clients, where one serves as your administration console and the other as the client which you are going to remotely manage. Make sure that at least the second client (the one that your remotely manage) have vPro/AMT enabled. Here’s a video that explains how to configure your client in SMB mode, which is good enough to test this scenario.

First install the Intel Manageability toolkit on the Administration Console client, which contains the Manageability Commander Tool and allows us to connect to the AMT enabled device, configure IDE-R and power on and off the machine remotely.  Register the client within the console through File, Add, Add Intel AMT Computer.

Once the client is registered click on the “Connect” button.

When the connection is established, select the Remote Control Tab and click on the “Take Control” button.

Now let’s move to the VNC Installation and configuration. Install UltraVNC Server and Viewer on the Administrator Console client.  When installed, start the VNC Server and configure it.  There are a lot of configuration settings available, configure at least the following ones: Authentication – set a password for full and view only access. Misc – To avoid graphics related issues, i proactively disabled Aero and Wallpapers. Query on incoming connection – Default Action set to Accept.

Now copy the following files located under C:\Program Files\UltraVNC\ into a new separate folder like C:\PE_VNC. These are the files that we will integrate into WinPE.

authadmin.dll
authSSP.dll
ldapauth.dll
logging.dll
logmessages.dll
SCHook.dll
vnchooks.dll
workgrpdomnt4.dll
MSLogonACL.exe
uvnc_settings.exe
vncviewer.exe
winvnc.exe
ultravnc.ini

The last thing we need to prepare now is the bootable ISO which includes WinPE. I assume you are familiar with creating a WinPE boot image, if not have a look at the Walkthrough: Create a Custom Windows PE image documentation on TechNet. Once you are at “Step 5 of the above referenced Walkthrough (Add Additional Customizations) you can add the VNC Server sources that you copied into C:\PE_VNC.

To avoid that you get the “Press any key to boot from CD” message when remotely booting the client from the redirected CD-ROM, you must remote the bootfix.bin file from the boot folder within your mounted image.

if you are familiar with WinPE, I also recommend that you look at the Walkthrough: Create an Optimized Windows PE Image. Optimizing your WinPE image can help you to reduce the size of your WinPE image, which helps reducing network traffic and boot time. By optimizing my WinPE image I managed to reduce its size from 152 MB down to 98 MB.

Now that we have our WinPE ISO file, let’s go back to the Intel Manageability Commander Tool. Select Disk Redirect menu, Change Target CD-ROM, Redirect to Image File and point to the previously created ISO file. Then select the Disk Redirect menu again and select Redirect Active.
Finally we can now boot the remote client from the redirected CD-ROM. Select Remote Command, Remote Reboot to Redirect CD.

Because now the whole ISO file content is being transferred over the wire, you will have to be patient, booting from a redirected CD-ROM can easily take a few minutes.  Remember that we removed the bootfix.bin file form WinPE, so if all goes well, the client will immediately boot into WinPE.

There is one thing which i have not yet figured out, and that is a convenient way how to find out the assigned IP address of the remote client, but maybe that is just an issue related to my test environment. So for the my own convenience I added some code to the startnet.cmd batch file, which displays the assigned IP Address.

Below you find the most important part of the startnet.cmd

: enable networking
wpeinit
: disable firewall
wpeutil disablefirewall

:: +——————————————————————–+
:: Start a minimized command prompt for troubleshooting
:: +——————————————————————–+
echo  * Starting a fallback console for troubleshooting…
start /min cmd.exe /k trouble.cmd

:: +——————————————————————–+
:: Launching VNC
:: +——————————————————————–+
echo  * Starting VNC…
x:
cd x:\vnc
start winvnc.exe

Echo  * Gathering IP Address
IPCONFIG |FIND "IP" > %temp%\TEMPIP.txt
FOR /F "tokens=2 delims=:" %%a in (%temp%\TEMPIP.txt) do set IP=%%a
del %temp%\TEMPIP.txt
set IP=%IP:~1%
echo %IP% >%temp%\ip.txt
echo The current IP address is "%IP%"

So let’s assume you know the IP address (the user was kind enough to read it for you) you can now initiate a remote desktop session through the VNC Viewer. I personally had an issue where the VNC viewer crashed right after establishing the connection with the remote client. I managed to get rid of that by setting the Connection Options to only use 256 Colors instead of Full Colors.

If all went well you should now be able to remote control your client.

I hope this was useful. As always, feedback and comments are more than welcome.

Alex

I’m just about to expand my knowledge a bit around App-V. I haven’t done any hands-on yet, because I usually first focus on gathering all the useful resources available on the net, and then start reading these. By doing so, I found these fantastic videos on The Blogcast Repository.

Deployment Scenarios with App-V 4.5
Planning Considerations before Implementing App-V 4.5
The App-V Client (part 1)
The App-V Client Part 2- Deep Dive

By the way, if you are not familiar with The Blogcast Repository but like video based trainings, have a look at the Repository, there is lots of other Microsoft related Technology training material there.

Just found this post on Trevor Sullivan’s Tech Room blog which explains how to automate the Windows 7 Remote Server Administration Tools (RSAT) installation. Read the entire article here

Adobe Flash and Shockwave are probably one of those most installed applications on home and enterprise computers. Working within the End User Computing environment for large enterprise customers since quite a while, I can’t remember of just one company that wouldn’t maintain Adobe Flash and Shockwave in their list of enterprise standard applications.

But when it comes to distributing these applications, many companies seem to go down the difficult route instead of taking the easy one. When distributing applications within Enterprise environments, you want them to install automatically, hence you need a software package.

Many companies seem to create their Adobe Flash and Shockwave installation packages by capturing the installation sources that are used when initiating an end user installation from the Adobe website as shown in the picture below.

The challenge of this method is that you need to capture the sources while the web based installer is running (these are stored temporarily on the system) and that you probably want to get rid of any additional software that is being installed such as the Google Toolbar in this case.

Many people seem not to be aware that Adobe does provide redistributable media for enterprise deployment of their Adobe Flash and Adobe Shockwave players. On the download pages of the appropriate Player, you will see a link called “Distribute Flash Player” or “Distribute Shockwave Player”

By clicking on one of these links you are being redirected to the Adobe Player Licensing website where you find the links to apply for a license and obtain the installation media to distribute the players within your enterprise.

License Flash Player ›
License Shockwave Player ›

You will have to provide some information like Company name, number of seats and the operating system used. Once you have submitted your request, it takes about 5-10 minutes until you will receive an e-mail with the links to download the players.

Well, that is what I consider as taking the easy route, clicking on a link, filling in a form, and after let’s say 15 minutes you get the install_flash_player_10_plugin.msi for Flash and sw_lic_full_installer.msi for Shockwave and you’re ready to go.

A similar method is available for Adobe Reader. I plan to post an article about that soon.

Mark Russinovich explains why he’s retiring “NewSID”. In short, he explains that he heard that people were having some issues with it on Vista, which made him do some research on whether SID changing is still necessary… Turns out he couldn’t find anyone in Microsoft who could tell him why duplicate SIDs could be a problem. Because it’s not a problem. And: It never was. Anyway for people that did OS deployment the correct way, this tool wasn’t needed, as the proper way is to use sysprep.

Read the entire article here

Thanks to Claude for the pointer.

Windows Virtual PC requires that your hardware supports hardware-assisted virtualization. There are a number of third party utilities around already, but now Microsoft released one as well. It’s called the Hardware-Assisted Virtualization Detection Tool and can be downloaded from here

If you launch the tool manually it will tell you if your system meets the requirements for running Windows Virtual PC or not, quite similar as the Securable utility I wrote about in the Detect XP Mode Support article.

But since I usually work in enterprise environments, I’m more interested in command line automation than in visual user interfaces, so let’s see what we have here.

When downloading the tool you get the havdetectiontool.exe, which is a self extracting executable. So the next step is to extract the content which we do by running the havdetectiontool.exe /x command which will prompt you for a location where to store the content. Once extracted you will see a havtoollauncher.exe and a subdirectory called Sources that contains the havtool executables for both 32 and 64 bit clients.

I was not able to find any command line options for the havtoollauncher.exe itself, so i moved on the to the 32 bit version of the havtool.exe. And yes, indeed the tool does provide command line options, Hura!

Executing the following command will parse the output into a log file:

havtool /log havresult.txt /q

Content of havresult.txt

System CPU doesn’t support Hardware Assisted Virtualization.
BIOS Vendor : Hewlett-Packard
BIOS Version : F.22    
System Manufacturer : Hewlett-Packard
Final returnValue = 1

Executing the following commands will set the result into the Errorlevel variable and then create a new System Variable called HAV and sets its value with the Return code.

havtool /q
SETX /M HAV %ERRORLEVEL%

Setting a system variable is just one example, you could also write a custom registry key or log file. Once you have marked your system with the result, you can use your system management software such as SCCM 2007 to collect the data and create your custom reporting.

With the launch of Windows 7 Microsoft also released an updated version of the Microsoft Baseline Security Analyzer also known as MBSA. The version is 2.1.1 which is indicating that this is basically just a minor revision of the previous MBSA 2.1, and that is exactly what it is . MBSA 2.1.1 does not appear to bring any new features other than adding support for Windows 7 and Windows Server 2008 R2.

Hoping to find at least something new, i had extracted the content of the the MBSASetup-x64-EN.msi of both versions, but could not find any differences other than some updated readme and about files and the new compiled executables. Also when launching the new MBSA it’s only showing 2.1 and not 2.1.1.

The MBSA 2.1.1 can be downloaded from here

if you have watched the Windows XP Mode IT Pro Deployment Video, you might be interested in the scripts they’ve used to automatically install XP Mode and create virtual machines. You can download them from here

If you consider using XP Mode, then I recommend watching this video. This video contains a good tutorial on how to install and configure XP mode including a lot of additional hints. Furthermore the video explains how to create a customized XP Mode VHD for deployment on multiple clients.

The video can be downloaded from here