
Archive for the ‘Remote Desktop Services (RDS)’ Category

I need your help Server Based Computing / VDI Experts!

February 7, 2013 20 comments

Hi Guys and Gals. I’m currently fighting the good fight with Microsoft support and require your help and backing in order to close down a long-standing bug in the Windows Explorer Shell.

As you are all aware, hiding the c: drive and restricting access has been a utility we use frequently in shared computing and VDI environments. Restricting this functionality removes views of the shared drive from users and adds a layer of security and complexity* to ensure the users in question have access to only what they need in order to do their jobs day to day.

*I’m not looking to argue the merit of doing this either, it really depends on the business case or environment to dictate whether this option is set. I’m NOT saying it should be done in every case.

We all know it’s not foolproof. There are certain ways for users to circumvent this layer, and I particularly don’t want to discuss them here and give potentially devious users a landing page for ideas!

The problem:

Prior to Windows Vista, when you hide the c: drive and an application requests access to a c: drive folder, be it from an “open save dialog” or otherwise, Windows detects this event, knows that the folder is restricted and merely redirects the user to the desktop, which they can see, and from there they can browse to where they wish to open or save a document. From memory, this has worked fine since Windows Server 2000.

But with the changes to Windows Explorer in Windows Vista, repeating the above steps will result in the following annoying, unnecessary and interrupting error message “This operation has been cancelled due to.. bla bla blah”:


This issue can be easily recreated, simply hide and restrict the c: drive, then click start > run > browse… bang.

The more annoying problem here is that after the error message, Windows simply redirects back to a visible folder. In most cases this is the documents library. So the error message simply pops up, then Windows reverts to the functionality seen in previous operating systems.

So to review:

  • Issue introduced in Vista / 2008 and above.
  • Error message displays.
  • Previous redirect functionality is still there and occurs after ok is pressed.

To Microsoft!

Being a pedantic individual, along with my colleague we brought this to Microsoft support and somehow lost months in the conversation as follows:

  1. Microsoft then redirected us to RES Software.
  2. Who (although very nice about it) sent us back to Microsoft.
  3. At which point I got involved.

Now with the correct audience and suitable severity, this problem has been identified as “introduced in Windows Vista” as an “Added Security feature”. How an annoying pop-up box masking previous functionality is a security feature is anyone’s guess, but it’s bloody annoying…

We have raised this as a bug and have requested Microsoft to fix it. The change in question was deemed a large or substantial change due to Windows Explorer being used by all of the operating systems, and we were basically told that, without significant backing, this change won’t be implemented.

Bureaucracy and broken policies, yes but that doesn’t help my customer.

Here’s where I need you:

In order to bolster this change and fix an issue in our beloved operating systems for Server Based Computing and VDI environments I need to hear from you and your customers to confirm they have had this issue, or currently face the issue and wish for a fix.

  • If you are a customer and suffer this issue, email me.
  • If you are a consultant and have customers with this issue, email me.
  • If you or your customer have enterprise support with Microsoft, I ESPECIALLY want to hear from you.

What’s in it for you?

Microsoft have provided us with a workaround: a process that watches window messages and suppresses this dialog box when it occurs. If you get in touch, I’ll recompile this application with Microsoft’s permission and pass it on to you for use in your environment while we get “The Man” to fix it!

This fix is a bit of a hack, as it’s scraping window messages, but it’s lightweight and scalable. Use this process for now and I’ll provide you with updates on a fix as and when I get them.

How do you contact me?

Please drop me an email on andrew{at}andrewmorgan{dot}ie with the following information:

  • Customer name:
  • Affected users:
  • Has enterprise support: (yes/no)

Once I have that information, I’ll send you back an executable via dropbox and keep you updated on the call process. This information is merely going to be fed straight to Microsoft with my personal guarantee of confidentiality. No funny business.

If you can’t share customer information, but have suffered this issue in the past, no problem! Please comment on this blog post the number of seats that were affected and roughly how many times you’ve seen it.

That’s it!

Thanks for entertaining my request for help and hopefully you too want to get this issue fixed as much as I.

Announcing SBC Printers, A simple printers interface for XenApp / VDI

January 4, 2013 7 comments

A little irk of mine with Windows 7 and server 2008 R2 was the Devices and Printers interface. This mix of peripherals is fine for standard desktops, but in SBC / VDI the devices list generally contained items you didn’t want users seeing, or ejecting for that matter!

Not happy with the irk, and still on my app developing buzz, I decided to write SBC Printers.

SBC-Printers is a simple little .NET 4 application, leveraging WMI for printer enumeration and control. Because SBC-Printers is an executable, it can be published as a XenApp application. SBC-Printers can also be installed as the default printers interface on the start menu.

So really your users won’t know the difference or care for that matter!

SBC-Printers also comes with securable options for adding or deleting local printers:


The display of add or delete can be controlled via the settings file in the installation directory:


Installation:

  1. Download the following MSI
  2. Install the MSI to the default directory.

To restrict the standard printers dialog from users, but leaving it accessible to administrators:

  • Browse to c:\program files (x86)\SBC-Printers\bin


  • Run the PowerShell script below; make sure to run it as an administrator!

That’s it. Once the PowerShell script runs, it removes the users’ access to the registry classes that give them access to the standard Devices and Printers interface, which means we’re now ready to provision SBC-Printers to replace it.

Provisioning the replacement to the user:

Now just import the userkey.reg into the user’s profile on login. You can do this via your user profile manager of choice, or use Group Policy preferences.

That’s it!

As you can see I haven’t streamlined the install process too much, this is mostly down to the simplicity of the tool. If you like SBC-Printers but would like a better installer, just drop me a comment below.

Roll back:

If you need to restore the standard interface, uninstall SBC-Printers, then add the (local computer\users) group back to the ACLs of the following registry keys:

  • HKCR\software\classes\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  • HKCR\software\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

ThinKiosk 3.0 General Release

September 21, 2012 14 comments

It gives me great pleasure and relief to announce the general availability of ThinKiosk 3.0!

ThinKiosk 3.0 is another ground-up redevelopment of the tool. 2 months ago I broke the program beyond recognition to add support for shared libraries and reduce the number of active components in the program. It’s fast, lightweight, it’s been a long time coming and I am absolutely thrilled with the result!

With that out of the way and without further ado, there are hundreds of changes to ThinKiosk; below are just the highlights:

Additional support:


  • Added support for Citrix StoreFront services 1.2 (Cloud Gateway).
  • Added support for VDI in a Box 5.1 (no open prompt!)
  • Added support for Internet Explorer 10 as the local browser.
  • Added support for Windows 8 as an end point.
  • Added support for Windows Embedded Standard 8 as an end point.


New Features:



EULA:


This isn’t exactly a new feature, but I want to be as forthcoming about this as possible. I’ve added an EULA to ThinKiosk. There is nothing untoward, there’s no lock in, it just says its free to use, you can’t resell it, and you can’t sue me if you do something stupid.

Ultimately, it just protects me (a free tool developer) from lawsuits.


Languages:


The Norwegian language has now been added, thanks Thomas!

All current languages have been updated (Spanish, French, Dutch, Italian, German).

 

Startup marquee:

 


On particularly old or slow PCs the startup time for ThinKiosk can be quite lengthy while ThinKiosk loads the embedded browser.

To address this delay, a splash screen with progress marquee has been added to provide feedback and keep the user entertained.

 

Screenshot and email functionality:

 

 

You can now allow ThinKiosk to register the [PrintScreen] key, which in turn will allow the user to use this key to send an error or issue directly to the helpdesk, including support information, via SMTP.

By default, email and screenshot functionality is disabled until you add SMTP options via policy or the offline config tool.

Thanks Shane for the idea!

Progress bar:

 

 

When loading slow-to-load URLs, it can be difficult to tell whether the website has hung or has just taken some time to load. By default ThinKiosk 3.0 will ship with an “on demand” progress bar to tell you when ThinKiosk is busy.


Wireless Networks:


 

Beta support for Wireless Networks has been added via the control panel

This functionality will only currently work with:

  • Windows 7
  • Windows Embedded Standard 7.
  • Windows Thin PC

Note: this setting is disabled by default, but can be enabled via group policy or the offline config tool.


Language Selection:


Probably the most requested feature so far, I’ve finally added a drop down for Language selection as below:


 

This drop down will allow the users to change the language on the fly. This option can be disabled via group policy or the offline config tool.

New items in the admin menu




The admin menu now contains some very useful commands for administrators when troubleshooting end points:

  • Task Manager.
  • Internet Explorer Control panel.
  • Restart /Exit ThinKiosk.
  • Remote Desktop connection.
  • Offline Configuration Tool.



Desktop launching dialog:

 

When using Web Interface log off on session launch, ThinKiosk performed the task so quickly that the user was often left a little confused as to what had happened and why they had been kicked out before the session finally launched. ThinKiosk will now provide feedback when a new session launches or when workspace control is busy reconnecting, and has a 2-second hold-down timer before it kicks the user off the web interface.

 

End of session options:

 

 

Previously when a remote session ended, you had an option to log the local user off. This was particularly useful if you were using Citrix Pass through authentication. A recurring request was to add the ability to restart, or shutdown the pc. This is now included in the offline config tool and group policy.

 

Classic Colours:

 

 

A number of fussy individuals didn’t appreciate my lightsteelblue colour scheme change. For you guys (you know who you are), you can now disable the colour change on startup via group policy or the offline config tool if grey is your thing.

 

Process Launcher:

 

A new feature in ThinKiosk 3.0 is the process launcher. Instead of loading ThinKiosk as a browser session, the process launcher simply launches the process you specify, and only displays the ThinKiosk menu bar at the top for user convenience.

 

The process launcher will launch the process you configure, watch the process and relaunch it if the user accidentally closes the window!

Process launcher also has all the user empowering options available, along with power management. This functionality is all free, as opposed to paid-for solutions delivering half this functionality!

As below, you can use the process launcher for Microsoft Remote Desktop connections:

 

 

Or VMware view!:





Or basically any process you would like to use. This functionality is quite new, so if you find issues with it, I want to know about it!

 

Offline Config Tool improvements:



Restructure:


The offline config tool has been reordered to provide a better structure to settings.





Policy awareness:


 

The offline config tool will now detect values specified in group policy or in user keys it cannot control and warn you that these values exist.

The apply button has been removed from the offline config tool, it wasn’t needed or working exactly as I wanted it to.

 

Bug fixes / enhancements:

 

ThinKiosk Layout changes:


Resizing ThinKiosk has been moved to a more native location as below:





The clock and language selection are now enabled by default:





Advanced functionality:

ThinKiosk can no longer be run as a standalone executable; the shared.dll must be available too. Don’t say I didn’t warn you.

Changing zones in internet explorer while ThinKiosk is running used to result in a crash (e.g moving a domain from the internet zone to trusted sites). This crash is now handled and you will receive a warning icon to restart ThinKiosk at your next convenience. Please note, circumventing this crash will disable Auto log off and log off redirection until ThinKiosk is restarted.

When navigating to a url with an untrusted SSL certificate, by default an embedded browser will not allow you to continue without prompting for scripting errors. These scripting errors in turn stopped Citrix Web Interface from working in multi farm environments. Support has been added to allow scripting errors only when an untrusted ssl cert is requested.

ThinKiosk will now amend the feature controls necessary for embedded browsers on a per user basis. This will allow for better native support for ActiveX and MIME types. This will cause a quick restart as soon as ThinKiosk launches if a change is necessary. This will also handle the upgrade to Internet Explorer 10 seamlessly. This process can be disabled via the offline config tool / group policy.

All shared code between ThinKiosk and the offline config tool has been moved to a shared library! It wasn’t fun, it wasn’t easy, but it will make things a lot easier for me in future when making changes.

And it’s still free!


ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!


Download:

The download links for ThinKiosk are available above, or here:

Date and time shift when using Lotus Notes in Server 2008 R2 / XenApp

August 20, 2012 3 comments

This was an extremely strange / rare issue, so I figured I would share it.

In this customer’s environment, they are using XenApp 6.5 on Server 2008 R2 for published desktops. This environment is a hosted desktop environment for a number of countries in Europe.

Infrequently an issue could be observed where the users’ timezones would shift out by one or two hours within the Lotus Notes application. This would cause SameTime conversations and Calendar times to display out by the same one or two hours.

When this issue occurred, it happened to all users on the server. A restart of the server did not fix the issue.

Interestingly, a “TZUtil /g” was reporting the client was in the correct time zone:

If you ran “TZUtil /s GMT Standard Time“, then closed and opened Lotus Notes… The problem was resolved for that user, in that session until they logged off.

It’s worth pointing out, that this issue was only seen in Lotus Notes, not in any other application, java or otherwise.

When comparing the TimeZone settings from a problematic server to a working server, I found the following difference:

These keys are stored under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

And the working server looked as follows:

 

Now that is weird! So we copied the correct keys from server to server and the issue was resolved on all servers once users closed and reopened Lotus Notes.

But what caused this?

With a work around in place, I began to dig deeper into what caused the timezone to change on the servers despite the fact that no users have the ability to do so.

Analysing the logins to the servers, I spotted an administrator account logging into each of the servers as the day went by. This user didn’t log into the correctly working servers so this was the first clue.

Now if you’ve used Lotus Notes combined with XenApp and timezones before, you’ll know it’s a complete nightmare. Interestingly, the administrator in question (me, shamefully) was logging onto a XenApp session with a Linux timezone to replicate an issue.

More embarrassingly, I then decided to Remote Desktop inside of the XenApp session to the affected servers, and with my admin account being who it was… inadvertently changed the timezone for the servers it seems.

That doesn’t sound right? You rdp’d from a client in a different time zone and it changed the server timezone?

I agree, but I have since been able to replicate this in a test environment. As of Server 2008, Microsoft now handle timezone redirection themselves as part of group policy, and administrative accounts will change the timezone of the server intermittently.

Now most customers probably wouldn’t even notice this unless they are using Lotus Notes, as all other applications behaved correctly.

How do you work around this issue?

Ensure that the Group Policy you use to configure timezone redirection is configured to “not apply” to any local administrator on the XenApp server that may log in.
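
To spot which servers have drifted, the comparison of the TimeZoneInformation key described above can be scripted. This is an added example, not code from the original post: the function names, server names and sample values are constructed for illustration, and it assumes the Remote Registry service is reachable with an admin account.

```powershell
# Added example, not the author's code. Function names and the sample values
# are constructed for illustration; only the registry path comes from the post.
$TzKeyPath = 'SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

function Get-TimeZoneKey {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Needs the Remote Registry service and admin rights on the target server.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($TzKeyPath)
        $values = @{}
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            # Binary values are flattened to a hex string so they compare cleanly.
            if ($value -is [byte[]]) { $value = [BitConverter]::ToString($value) }
            $values[$name] = $value
        }
        $values
    }
    finally { $hklm.Close() }
}

function Compare-TimeZoneKey {
    param([hashtable]$Reference, [hashtable]$Candidate)
    # Walk the union of value names so missing and extra values are both reported.
    $names = @($Reference.Keys) + @($Candidate.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if ("$($Reference[$name])" -ne "$($Candidate[$name])") {
            New-Object PSObject -Property @{
                Name     = $name
                Expected = $Reference[$name]
                Found    = $Candidate[$name]
            }
        }
    }
}

# Constructed sample data standing in for a known-good and a shifted server.
$good    = @{ TimeZoneKeyName = 'GMT Standard Time';       Bias = 0;   ActiveTimeBias = -60 }
$shifted = @{ TimeZoneKeyName = 'W. Europe Standard Time'; Bias = -60; ActiveTimeBias = -120 }
Compare-TimeZoneKey -Reference $good -Candidate $shifted

# Against live servers (placeholder names):
# $good = Get-TimeZoneKey -ComputerName 'XA-GOOD-01'
# 'XA-01', 'XA-02' | ForEach-Object {
#     Compare-TimeZoneKey -Reference $good -Candidate (Get-TimeZoneKey -ComputerName $_)
# }
```

Running the comparison on a schedule against a known-good server gives an early warning when an administrative logon has changed a server's timezone.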

Using PowerShell as a replacement for the Change Logon command in Remote Desktop Services.

August 9, 2012 7 comments

Still on my PowerShell buzz for the week, this is post 2 of 3 on some Remote Desktop Services / XenApp PowerShell goodness!

This is one I’ve been meaning to post for quite some time, but other things got in the way. Mainly me forgetting how to use most of the PowerShell native methods due to having my head stuck in .NET the last few weeks… Moving on…

While trying to find a method to check the status of logons to a Remote Desktop server via PowerShell, I didn’t have much luck. Either people are string scraping the output of the command using select-string or going to the registry and checking the raw value with get-itemproperty. I wasn’t happy with either approach so I dug down into WMI and found the following.

From what I’ve found, the settings for enable, disable and the two drain modes are stored in the class Win32_terminalservicesetting, under the namespace root\cimv2\terminalservices.

There are two properties we are interested in here:

  • logons (0 = enabled, 1 = disabled*)
  • SessionBrokerDrainMode (0 = Disabled, 1 = DrainUntilRestart, 2 = Drain)

*why oh why 1 is disabled is beyond me, but I digress.

The order of priority is enabled / disabled first, before the drain options are referenced.

So what does this tell us? Well, a change logon /query is simply performing the following simple checks:

Change Logon /query

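gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices" | %{
    # logons takes priority: 1 means logons are disabled outright
    if ($_.logons -eq 1) {
        "Disabled"
    }
    else {
        # logons are enabled, so the drain mode decides the reported state
        switch ($_.sessionbrokerdrainmode)
        {
            0 {"Enabled"}
            1 {"DrainUntilRestart"}
            2 {"Drain"}
            default {"something's not right here!"}
        }
    }
}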

Ok that’s great and all, we’ve now replicated change logon /enable, but how do we set these values?

Easy! Using the native PowerShell $_.put() method, we can push values back in.

Below you will find each “Change Logon” option in Server 2008 R2 and the corresponding WMI property.

Change logon /Enable

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=0
$temp.logons=0
$temp.put()

Change Logon /Disable

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.logons=1
$temp.put()

Change Logon /Drain

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=2
$temp.put()

Change Logon /DrainUntilRestart

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=1
$temp.put()

And that’s it! Now, if you want to wrap this up in a function, be my guest, or if you would like me to do so just drop me a line.
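
Taking up that closing suggestion, here is one way to wrap the reads and writes above in functions. This is an added example, not the author's code: Get-TsSetting, Get-LogonMode and Set-LogonMode are hypothetical names, and the use of PacketPrivacy authentication for remote queries is an assumption about this namespace.

```powershell
# Added example, not the author's code. The function names are hypothetical;
# the class, namespace and property values are the ones given in the post.
function Get-TsSetting {
    param([string]$ComputerName)
    $query = @{
        Class       = 'Win32_TerminalServiceSetting'
        Namespace   = 'root\cimv2\terminalservices'
        ErrorAction = 'Stop'
    }
    if ($ComputerName) {
        # Assumption: remote access to this namespace needs packet privacy.
        $query.ComputerName   = $ComputerName
        $query.Authentication = 'PacketPrivacy'
    }
    Get-WmiObject @query
}

function Get-LogonMode {
    param([string]$ComputerName)
    $ts = Get-TsSetting -ComputerName $ComputerName
    # Logons is checked first; the drain mode only matters when logons are enabled.
    if ($ts.Logons -eq 1) { return 'Disabled' }
    switch ($ts.SessionBrokerDrainMode) {
        0       { 'Enabled' }
        1       { 'DrainUntilRestart' }
        2       { 'Drain' }
        default { throw "Unexpected SessionBrokerDrainMode: $($ts.SessionBrokerDrainMode)" }
    }
}

function Set-LogonMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable', 'Drain', 'DrainUntilRestart')]
        [string]$Mode,
        [string]$ComputerName
    )
    $ts = Get-TsSetting -ComputerName $ComputerName
    # Same property writes as the four snippets in the post.
    switch ($Mode) {
        'Enable'            { $ts.SessionBrokerDrainMode = 0; $ts.Logons = 0 }
        'Disable'           { $ts.Logons = 1 }
        'Drain'             { $ts.SessionBrokerDrainMode = 2 }
        'DrainUntilRestart' { $ts.SessionBrokerDrainMode = 1 }
    }
    if ($PSCmdlet.ShouldProcess($ts.__SERVER, "Change Logon /$Mode")) {
        [void]$ts.Put()
        # Read the value back so a scheduled job can log what actually took effect.
        Get-LogonMode -ComputerName $ComputerName
    }
}

# Usage: preview with -WhatIf, then apply.
# Set-LogonMode -Mode Drain -WhatIf
# Set-LogonMode -Mode Drain
```

Because of the priority order described above, setting Drain on a server whose logons are already disabled reads back as Disabled, which makes the read-back a useful check in maintenance scripts.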
