Archive
I need your help Server Based Computing / VDI Experts!
Hi Guys and Gals. I’m currently fighting the good fight with Microsoft support and require your help and backing in order to close down a long standing bug in the Windows Explorer Shell.
As you are all aware, hiding the c: drive and restricting access has been a utility we use frequently in shared computing and VDI environments. Restricting this functionality removes views of the shared drive from users and adds a layer of security and complexity* to ensure the users in question have access to only what they need in order to do their jobs day to day.
*I’m not looking to argue the merit of doing this either, it really depends on the business case or environment to dictate whether this option is set. I’m NOT saying it should be done in every case.
We all know it’s not fool proof, there are certain ways for users to circumvent this layer and I particularly don’t want to discuss them here to give potential devious users a landing page for idea’s!
The problem:
Prior to windows Vista, when you hide the c: drive and an application requests access to a c: drive folder, be it from an “open save dialog” or otherwise, Windows detects this event knows that the folder is restricted and merely redirects them to the desktop which they can see then browse to where they wish to open or save a document. This has worked fine to memory since windows server 2000.
But with the changes to Windows Vista’s windows explorer, repeating the above steps will result in the following annoying, unnecessary and interrupting error message “This operation has been cancelled due to.. bla bla blah”:
This issue can be easily recreated, simply hide and restrict the c: drive, then click start > run > browse… bang.
The more annoying problem here, is after the error message, windows simply redirects back to visible folder. In most cases this is the documents library. So the error message is simply poping up then reverting to the functionality seen in previous operating systems.
So to review:
- Issue introduced in Vista / 2008 and above.
- error message displays.
- Previous redirect functionality is still there and occurs after ok is pressed.
To Microsoft!
Being a pedantic individual, along with my colleague we brought this to Microsoft support and somehow lost months in the conversation as follows:
- Microsoft then redirected us to RES Software.
- Who (although very nice about it) sent us back to Microsoft.
- At which point I got involved.
Now with the correct audience and suitable severity, this problem has been identified as “introduced in Windows Vista” as an “Added Security feature“. How an annoying pop up box, masking previous functionality is a security feature is anyones guess, but it’s bloody annoying…
We have raised this as a bug and have requested Microsoft to fix it. The change in question was deemed as large change or substantial change due to WIndows explorer being used by all of the operating systems and basically told, without significant backing, this change wont be implemented.
Bureaucracy and broken policies, yes but that doesn’t help my customer.
Here’s where I need you:
In order to bolster this change and fix an issue in our beloved operating systems for Server Based Computing and VDI environments I need to hear from you and your customers to confirm they have had this issue, or currently face the issue and wish for a fix.
- If you are a customer and suffer this issue, email me.
- If you are a consultant and have customers with this issue, email me.
- If you or your customer have enterprise support with Microsoft, I ESPECIALLY want to hear from you.
What’s in it for you?
Microsoft have provided us a work around, as a process that watches window messages and suppresses this dialog box when it occurs. If you get in touch, I’ll recompile this application with Microsofts permission and pass it on to you for use in your environment while we get “The Man” to fix it!
This fix is a bit of hack, as it’s scraping window messages but it’s light weight and scalable. Use this process for now and I’ll provide you with updates on a fix as and when I get them.
How do you contact me?
Please drop me and email on andrew{at}andrewmorgan{dot}ie with the following information:
- Customer name:
- Affected users:
- Has enterprise support: (yes/no)
Once I have that information, I’ll send you back an executable via dropbox and keep you updated on the call process. This information is merely going to be fed straight to Microsoft with my personal guarantee of confidentiality. No funny business.
If you can’t share customer information, but have suffered this issue in the past, no problem! Please comment on this blog post the number of seats that were affected and roughly how many times you’ve seen it.
That’s it!
Thanks for entertaining my request for help and hopefully you too want to get this issue fixed as much as I.
Announcing ThinKiosk 3.1
With great pleasure I’m announcing the general availability of ThinKiosk 3.1. Quite a bit of change under the hood and some nice features added to match.
New features:
VMware View enhanced support:
VMware View has gotten some love in this update, A big thanks to Jarian Gibson for the help.
You can now enforce end of session options for VMware view:
You can also now choose to wipe the last users details from the Kiosk between View sessions:
FTP policy management:
With ThinKiosk 3.1, you no longer are tied to manage the thinkiosk devices by Group Policy or local registry settings, you can now also use an ftp server with a shared xml configuration file:
Just configure a Device as you would like it to appear, unlock the admin menu and you can export the configuration to xml:
Then move it to your ftp server!
Encryption:
The unlock password in group policy can now be encrypted to save it appearing in plain text to anyone capable of viewing the policy. ThinKiosk 3.1 ships with a password encryption tool you can use to encrypt your password.
You can also test reversing the password to plain text to make sure you get it right before applying it en-mass and locking yourself out!
This encryption functionality has now been added to both the offline configuration tool:
And by default the FTP password will be encrypted too!
Battery Awareness:
ThinKiosk is now aware of batteries in laptop devices and will report their status.
When the battery begins to run out, ThinKiosk will throw a warning in the foreground as below:
You can additionally disable this functionality with the offline configuration tool.
Pre launch Citrix Receiver:
A rare issue seen with the latest versions of the receiver was a bit of a hang, pause or complete lock up as receiver came to life. To combat this, you can now choose to early launch the receiver for Citrix, allowing it to gracefully start up in the background before the user requires it.
Early launch process:
A number of customers needed to have third party software launched as soon as ThinKiosk started each day. I’ve now added the ability to early launch a process 
You can also choose to launch this process as hidden, away from the user.
Browser navigation buttons:
ThinKiosk can now act as a locked down browser by adding back and forward buttons.
AM / PM clock:
This feature was asked for quite a few times, so now you can set the clock to 12 hour.
Debug Mode:
A fully fledged debug window has been added to help timing issues. The debug menu can be accessed via command line (-debug) or via the admin menu in ThinKiosk.
Zorder awareness:
In rare situations (and I’ve been unable to reproduce it) ThinKiosk can jump above the citrix session when a log off of the web interface happens or during the login process.
Zorder awareness will tell ThinKiosk to send itself to the back of the Zorder when the browser finishes rendering. It will also display a hide button, which will send ThinKiosk to the back in this rare event.
Please use this setting as a troubleshooting tool, not a production setting. If this setting fixes the issue for you, please drop me an email and I’ll write it in. As I’ve been unable to reproduce this issue, it’s a bit rough around the edges.
Citrix Storefront timeout screen:
ThinKiosk is now aware of the timeout screen and will automagically redirect back to the login screen if it see’s it.
Hide ThinKiosk when a desktop is active:
If you wish to outright hide ThinKiosk while a desktop is active, you can now do so!
Even More sites:
Support for up to 20 sites has been added, thanks Martijn!
Sticky Home Page:
A request came through to allow the home page always be site 1, this has now been included.
Bug Fixes:
- support for environment variables in custom tools and prelaunch commands. (thanks Nathan).
- Offline config tool not setting password correctly.
- VB Powerpack accidentally bundled with ThinKiosk 3.0
- In process launch mode, power options were intermittently being applied.
And it’s still free!
ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings its made for you, please consider making a donation or paying for enterprise support to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!
Citrix Personal vDisk Image Inventory, a potential solution to the golden image nightmare?
While at Citrix Synergy in Barcelona this week, I attended the Citrix Personal vDisk deep dive session. The session was interesting and informative but there was a mention of the inventory and scanning piece of the personal vDisk suite that really got me asking myself “what if?”.
From my understanding of the presentation, when you add a revision to the golden image, Personal vDisk scan’s both images then compares these items to the personal vDisk in an attempt to figure out which bits belong in the vDisk and which bits belong in the base image.
If you’ve read my previous blog post on golden image management with PVS (questionable assumptions and why I don’t trust people), you know I have a great fear with auditing and control of this image. Without having to read the old article, it basically translated to “Provisioning server is great, but I don’t trust people to audit and document the changes they have made to the golden images”.
While sitting in this session, I had another “lightbulb moment” . If the Personal vDisk has baked in technology that audits the changes to the golden image layer and registry, could it be extracted from personal vDisk? If so, wouldn’t this give you a granular view of changes to the golden image from point to point? I.E. a list of changes between snapshots (MCS) or versions (PVS)?
The more I think of it, the better this idea sounds. Imagine having a catalog of changes, searchable for file or registry key names that would help you track back changes, or even view changes made to the golden image to be reviewed before or after you seal the image? This technology would work well with Citrix Provisioning server, XenClient and Machine Creation Services, delivering a matrix of changes to the golden image.
I can’t see wrapping a gui around this auditing as being a challenge, this is Citrix we’re talking about! and as Citrix has mostly adopted Microsofts vhd file type, it would be a single image type to scan.
For me, this would address my concerns with moving most implementations from automated installs, to snapshot mechanisms while still achieving auditing and a deep view of the changes to the file system.
So Citrix, please consider this approach, it would be an immediate value add and put your image management head and shoulders above your competition.
So what do you the readers think? Would this give you more confidence of changes by others? Do you see this technology and a post change report as an extra safe guard on change management?
ThinKiosk 3.0 General Release
It gives me great pleasure and relief to announce the general availability of ThinKiosk 3.0!
ThinKiosk 3.0 is another ground up redevelopment of the tool, 2 months ago I broke the program beyond recognition to add support for shared libraries and reduce the number of active components in the program. It’s fast, lightweight, it’s been a long time coming and I am absolutely thrilled with the result!
WIth that out of the way and without further ado, there are hundred’s of changes to ThinKiosk, below are just the highlights:
Additional support:
- Added support for Citrix StoreFront services 1.2 (Cloud Gateway).
- Added support for VDI in a Box 5.1 (no open prompt!)
- Added support for internet Explorer 10 as the local browser.
- Added support for Windows 8 as an end point.
- Added support for Windows Embedded Standard 8 as an end point.
New Features:
EULA:
This isn’t exactly a new feature, but I want to be as forthcoming about this as possible. I’ve added an EULA to ThinKiosk. There is nothing untoward, there’s no lock in, it just says its free to use, you can’t resell it, and you can’t sue me if you do something stupid.
Ultimately, it just protects me (a free tool developer) from lawsuits.
Languages:
The Norwegian language has now been added, thanks Thomas!
All current languages have been updated (spanish, french, dutch, italian, German)
Startup marquee:
On particularly old or slow pc’s the startup time for ThinKiosk can be quite lengthy while ThinKiosk loads the embedded browser.
To address this delay, a splash screen with progress marquee has been added to provide feedback and keep the user entertained.
Screenshot and email functionality:
You can now allow ThinKiosk register the [PrintScreen] key, which in turn will allow the user to use this key to send an error or issue directly to the helpdesk, including support information via SMTP.
By default, email and screenshot functionality is disabled, until you add SMTP options via policy or offline config too.
Thanks Shane for the idea!
Progress bar:
When loading slow to load URL’s, it can be difficult to tell whether the website has hung, or it has just taken some time to load. By default ThinKiosk 3.0 will ship with an “on demand” progress bar to tell you when ThinKiosk is busy.
Wireless Networks:
Beta support for Wireless Networks has been added via the control panel
This functionality will only currently work with:
- Windows 7
- Windows Embedded Standard 7.
- Windows Thin PC
Note: this setting is disabled by default, but can be enabled via the group policy or offline config too.
Language Selection:
Probably the most requested feature so far, I’ve finally added a drop down for Language selection as below:
This drop down will allow the users to change the language on the fly. This option can be disabled via group policy or the offline config tool.
New items in the admin menu
The admin menu now contains some very useful commands for administrators when troubleshooting end points:
- Task Manager.
- Internet Explorer Control panel.
- Restart /Exit ThinKiosk.
- Remote Desktop connection.
- Offline Configuration Tool.
Desktop launching dialog:
When using Web interface log off on session launch, ThinKiosk performed the task so quickly that the user was often left a little confused as to what has happened and why they have been kicked out before the session finally launched. ThinKiosk will now provide feedback when a new session launches or when workspace control is busy reconnecting and has a 2 seconds hold down timer before it kicks the user off the web interface.
End of session options:
Previously when a remote session ended, you had an option to log the local user off. This was particularly useful if you were using Citrix Pass through authentication. A recurring request was to add the ability to restart, or shutdown the pc. This is now included in the offline config tool and group policy.
Classic Colours:
A number of fussy individual’s didn’t appreciate my lightsteelblue colour scheme change, for you guys (you know who you are) you can now disable the colour change on startup via group policy or offline config tool if grey is your thing.
Process Launcher:
A new feature in ThinKiosk 3.0 is the process launcher. Instead of loading ThinKiosk as a browser session, the process launcher simply launches the process you specify, and only displays the ThinKiosk menu bar at the top for user convenience.
This process launcher, will launch the process you configure, watch the process and relaunch it if the user accidentally closes the window!
Process launcher also has all the user empowering options available, along with power management. This functionality is all free as aposed to paid for solutions delivering half this functionality!
As below, you can use the Process launcher for Microsoft Remote desktop connections:
Or VMware view!:
Or basically any process you would like to use. This functionality is quite new, so if find issues with it, I want to know about it!
Offline Config Tool improvements:
Restructure:
The offline config tool has been reordered to provide a better structure to settings.
Policy awareness:
The offline config tool will now detect values specified in group policy or in user key’s it cannot control and warn you that these values exist.
The apply button has been removed from the offline config tool, it wasn’t needed or working exactly as I wanted it to.
Bug fixes / enhancements:
ThinKiosk Layout changes:
Resizing ThinKiosk has been moved to a more native location as below:
The clock and language selection are now enabled by default:
Advanced functionality:
ThinKiosk can no longer be run as a standalone executable, the shared.dll must be available too, Don’t say I didn’t warn you.
Changing zones in internet explorer while ThinKiosk is running used to result in a crash (e.g moving a domain from the internet zone to trusted sites). This crash is now handled and you will receive a warning icon to restart ThinKiosk at your next convenience. Please note, circumventing this crash will disable Auto log off and log off redirection until ThinKiosk is restarted.
When navigating to a url with an untrusted SSL certificate, by default an embedded browser will not allow you to continue without prompting for scripting errors. These scripting errors in turn stopped Citrix Web Interface from working in multi farm environments. Support has been added to allow scripting errors only when an untrusted ssl cert is requested.
ThinKiosk will now amend the feature controls neccessary for embedded browsers on a per user basis. This will allow for better native support for ActiveX and Mime types. This will cause a quick restart as soon as ThinKiosk launches if a change is neccessary. This will also handle the upgrade to Internet Explorer 10 seamlessly. This process can be disabled via the offline config tool / group policy.
All shared code between ThinKiosk and the Offline config tool has been moved to a shared library! it wasn’t fun, it wasn’t easy but it will make things alot easier for me in future when making changes.
And it’s still free!
ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings its made for you, please consider making a donation to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!
Download:
The download links for ThinKiosk are available above, or here:
ThinKiosk 3 features preview
As requested, here’s a sneak peak of what to expect in the up coming release on ThinKiosk 2.3. I hope to have a release candidate available early next week. I’ll need my favourite translators to step forward again to help ThinKiosk reach multi language organisations and users!
Without further ado:
Additional support:
- Added support for Citrix StoreFront services 1.2 (Cloud Gateway)
- Added support for VDI in a Box 5.1 (no open prompt!)
- Added support for internet Explorer 10
- Added support for Windows 8
- Added support for Windows Embedded Standard 8
New Features:
On particularly old or slow pc’s the startup time for ThinKiosk can be quite lengthy while ThinKiosk loads the embedded browser, a splash screen with progress marquee has been added to provide feedback and keep the user entertained.
Screenshot and email functionality. you can now allow ThinKiosk register [PrintScreen] which in turn will allow the user to send an error or issue directly to the helpdesk, including support information via SMTP. Thanks Shane!
Progress bar! When loading slow to load URL’s, it can be difficult to tell whether the website has hung, or it has just taken some time to load. By default ThinKiosk 2.3 will ship with an “on demand” progress bar to tell you when ThinKiosk is busy.
Added beta support for Wireless Networks via the control panel (this needs testing).
New items in the admin menu. The admin menu now contains some very useful commands for administrators when troubleshooting end points:
- Task Manager.
- Internet Explorer Control panel.
- Restart /Exit ThinKiosk.
- Remote Desktop connection.
- Offline Configuration Tool.
When using Web interface log off on session launch, ThinKiosk performed the task so quickly that the user was often left a little confused as to what has happened and why they have been kicked out before the session finally launched. ThinKiosk will now provide feedback when a new session launches or when workspace control is busy reconnecting and has a 2 seconds hold down timer before it kicks the user off the web interface.
Restart or Shutdown on Session End. previously when a remote session ended, you had an option to log the local user off. This was particularly useful if you were using Citrix Pass through authentication. A recurring request was to add the ability to restart, or shutdown the pc. This is now included in the offline config tool and group policy.
A number of fussy individual’s didn’t appreciate my lightsteelblue colour scheme change, for you guys (you know who you are) you can now disable the colour change on startup via group policy or offline config tool if grey is your thing.
Bug fixes / enhancements:
Changing zones in internet explorer while ThinKiosk is running used to result in a crash (e.g moving a domain from the internet zone to trusted sites). This crash is now handled and you will receive a warning icon to restart ThinKiosk at your next convenience. Please note, circumventing this crash will disable Auto log off and log off redirection until ThinKiosk is restarted.
When navigating to a url with an untrusted SSL certificate, by default an embedded browser will not allow you to continue without prompting for scripting errors. These scripting errors in turn stopped Citrix Web Interface from working in multi farm environments. Support has been added to allow scripting errors only when an untrusted ssl cert is requested.
ThinKiosk will now amend the feature controls neccessary for embedded browsers on a per user basis. This will allow for better native support for ActiveX and Mime types. This will cause a quick restart as soon as ThinKiosk launches if a change is neccessary. This will also handle the upgrade to Internet Explorer 10 seamlessly. This process can be disabled via the offline config tool / group policy.
The offline config tool will now detect values specified in group policy or in user key’s it cannot control and warn you that these values exist.
The apply button has been removed from the offline config tool, it wasn’t needed or working exactly as I wanted it to.
The offline config tool has been reordered to provide a better structure to settings.
All shared code between ThinKiosk and the Offline config tool has been moved to a shared library! it wasn’t fun, it wasn’t easy but it will make things alot easier for me in future when making changes.
Tons more error catching in ThinKiosk.
Profile:
Donate:
If ThinKiosk or any of my blogs, scripts or applications were useful to you, please consider donating!
Recent Comments