Deploying Applications with VMware ThinApp

KB ID 0000612

Problem

ThinApp is an “Odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtual technology. It’s a product that turns applications into “Stand alone” thin applications that can be sent to a user and run without the need for that user to have administrative access, or the need to install anything.

ThinApp was a product called Thinstall that VMware purchased and “re-badged”. You get a free copy with VMware View 5 (Premier Edition), and it ships with a copy of VMware Workstation (not because it needs a copy, but because VMware recommends you use a clean virtual machine to create your ThinApps on).

If you’ve ever used sysdiff in the past or Novell Zenworks for Desktops, you will be familiar with the process, take a ‘scan’ of a clean machine, then install application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.

In the example below I’m going to create a stand alone version of Google Chrome, that is pre configured, and has Java already installed, and finally deploy that as a single executable file.

Solution

1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts. The only thing to note is, when you enter your licence key, be aware the name you enter will display on the “splash screen” as your ThinApp loads (as shown).

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished simply minimise the window, you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon App Manage Page > Next.

9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.

12. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox etc. Only when the URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them, all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

13. Give your ThinApp a name > Next.

14. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored it and deployed with no problems > Save.

Note: You can use this page to create an MSI file to deploy via group policy if you wish.

15. After ThinApp generates the files it needs > Build.

16. Finish

17. Here’s my ThinApp executable file.

18. To test I’ve copied it to a Windows 7 machine.

19. While it’s loading this is what you will see.

20. And here is my ThinApp version of Google Chrome running and pre configured.

Related Articles, References, Credits, or External Links

NA

Creating and Deploying USB Portable Applications with VMware ThinApp

KB ID 0000616 

Problem

The last time I wrote about deploying applications with ThinApp, it was geared towards getting standalone applications onto client PC’s for non admins to run, or putting them in a network share. But if you have a portable application the advantage is you can run it from portable media (Like a USB drive).

Like before I’ll convert Google Chrome to a ThinApp, but the difference is I will set the applications ‘sandbox’ to live in the same location (on the USB). Then I’ll try it out on a different machine.

Solution

1.  It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2.  When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts. The only thing to note is, when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads.

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next.

6. Prescan > This will take a few minutes > When finished simply minimise the window, you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

7. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

8. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

9. Make sure only the executable you require is ticked as an entry point > Next.

10. At the Horizon App Manage Page > Next.

11. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

12. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

13. As you are storing the App on USB I’d suggest (though you don’t have to) set the application to save its sandbox in the same directory.

14. Select whether you want to provide statistics to VMware > Next.

15. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox etc. Only when the URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them, all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

16. Give your ThinApp a name > Next.

17. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored it and deployed with no problems > Save.

18. After ThinApp generates the files it needs > Build.

19. Finish.

20. Here’s my ThinApp executable file.

21. Which I’ve copied to my USB Drive.

22. So when you use the drive in another machine.

23. You can simply run the executable.

24. While the app loads it will show a splash screen like this.

25. And should load pre-configured.

 

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 Deploying Applications with RemoteApp

KB ID 0000528

Problem

RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.

Why would you want to do this? Imagine you only had one copy of Office to update in your entire organisation when a new service pack or security update is released, or Adobe bring out a new version of Dreamweaver that’s on all your machines – you simply update the master copy on the RDS server, or redeploy new RemoteApps.

In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.

Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Note: For XP and Server 2003 clients you need to have installed Remote Desktop Connection (Terminal Services Client 6.0).

Solution

1. On a 2008 R2 Server (that’s a domain member), Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > Add the following “Role Services” > Remote Desktop Session Host > Remote Desktop Web Access > (If you do not have an RDS Licensing server, add that also).

2. Select “Network Level Authentication” > Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.

3. If you do not already have an RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).

4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licensing server you just activated.

5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > Install and configure the desired application.

6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.

8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.

9. Send out the .msi file generated to your clients by group policy.

10. By default your deployed RemoteApps will be listed on the clients start menu under “Remote Programs”.

Related Articles, References, Credits, or External Links

Server 2008 – Terminal Server (Remote Desktop Services) Licensing

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Microsoft LAPS – Deployment and Configuration

KB ID 0001059 

Problem

Microsoft have released the Local Administrator Password Solution (LAPS). What it does is automatically change the local administrator password on workstations (and servers if required) periodically. It then keeps those passwords securely in AD. Microsoft tried to mitigate attacks from the local admin account back in the days of Windows Vista by shipping with this account disabled, which is fine, but on most large deployments I’ve worked on, I’ve been specifically asked to enable the local administrator account and set its password on deployment.

Some organisations create a different account and leave the local administrator account disabled, but they still suffer from the same problem (all the machines have the same local admin password), and it gets known. If you have a disgruntled ex-employee they may know this password. Yes you can change them all periodically but it’s a bit of a faff. Note: LAPS can manage local accounts that are admin accounts but not necessarily the ‘administrator’ account.

The LAPS solution works by creating some new attributes on the computer object, ms-MCS-AdmPwd which actually stores the password, and ms-MCS-AdmPwdExpirationTime which is the time stamp for the password expiration. What LAPS sets out to do, is provide a random complex password for the local administrator account, and protect that password in AD by use of an AD ACL. In doing so it will protect your machines from a ‘Pass the Hash’ attack which can use common local administrators passwords to compromise a network.

Solution

 

Microsoft LAPS – Step 1 Setup a Management Machine

1. On a management machine download and install the LAPS software. Things will be easier if this machine is also running RSAT tools for Active Directory, and the Group Policy Management Console as well.

2. Be aware you get the documentation from the download page as well. Make sure you get the appropriate x86 or x64 bit version (LAPS supports Server 2003 SP1 and above).

3. Install the software and install ALL the options. If you apply the defaults it will only install the GPO Extensions, which is what you would want on the ‘controlled machines’, but you want everything on the ‘controlling machine’.

Microsoft LAPS – Step 2 Deploy the software to the machines to be controlled.

1. To be honest this could not be simpler, I just sent the software out as a standard software package via GPO, (watch the video above if you don’t know how to do that). You can script the install and it will also manually install with a /quiet switch to avoid any user interaction. But if you have any amount of machines, GPO is the way to go.

To manually install quietly;

[box]

msiexec /i \\Server\Share\laps.x64.msi /quiet

or simply

msiexec /i c:\laps.x64.msi /quiet

[/box]

2. To check if the client has received the LAPS software, look in Add/Remove programs and you should see it listed (Run > appwiz.cpl {Enter}).

Microsoft LAPS – Step 3 Extend Active Directory Schema

1. It goes without saying that to do this you need to be a member of ‘Schema Admins’. On the management machine run the following two PowerShell commands, to add the two new attributes mentioned above;

[box]

Import-Module AdmPwd.PS
Update-AdmPwdADSchema 

[/box]

Microsoft LAPS – Step 4 Check/Set Permissions to Read Local Admin Passwords

1. On my test network below you can see I’ve got a couple of test Windows 8 machines in an OU called ‘Domain Computers’, this is the OU that I will be working with.

2. The first thing I need to do is grant the rights to the computers themselves to be able to update the password in Active Directory. (If you have nested OU’s, simply apply on the top level OU). Change the value in red to suit your own OU/OU’s.

[box]Set-AdmPwdComputerSelfPermission -OrgUnit 'Domain Computers'[/box]

3. To see who has rights to view the passwords in AD (for a given OU), use the following command. Below you can see the default of SYSTEM and Domain Admins is displayed.

[box]Find-AdmPwdExtendedRights -Identity 'Domain Computers'[/box]

4. To grant read password permissions to a particular group, use the following syntax, below I have an AD group called HelpDesk setup and I’m adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.

[box]Set-AdmPwdReadPasswordPermission -Orgunit 'Domain Computers' -AllowedPrincipals PeteNetLive\HelpDesk[/box]

Note: If you have multiple groups you can separate/delimit them with a comma.
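
To review the ACL after granting read access, this added example (not from the original article or from Microsoft) compares the holders reported by Find-AdmPwdExtendedRights against an approved list. The function name Test-LapsReaders, the approved list, the example.com DN and the Contractors group are assumptions; the sample row is constructed so the block runs without a domain.

```powershell
# Added example: flag principals that can read LAPS passwords but are not approved.
# Input objects mirror Find-AdmPwdExtendedRights output (ObjectDN, ExtendedRightHolders).
function Test-LapsReaders {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Right,
        [Parameter(Mandatory)]
        [string[]]$Approved
    )
    process {
        foreach ($holder in $Right.ExtendedRightHolders) {
            # -notcontains compares case-insensitively, as AD does for account names
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN   = $Right.ObjectDN
                    Unexpected = $holder
                }
            }
        }
    }
}

# Approved readers for this OU (assumption: adjust to your own policy).
$approved = 'NT AUTHORITY\SYSTEM', 'PeteNetLive\Domain Admins', 'PeteNetLive\HelpDesk'

# Constructed sample row; the DN and the Contractors group are placeholders.
$sample = [pscustomobject]@{
    ObjectDN             = 'OU=Domain Computers,DC=example,DC=com'
    ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'PeteNetLive\Domain Admins',
                             'PeteNetLive\HelpDesk', 'PeteNetLive\Contractors')
}
$sample | Test-LapsReaders -Approved $approved

# Against a live domain (needs the AdmPwd.PS module from Step 1):
# Find-AdmPwdExtendedRights -Identity 'Domain Computers' |
#     Test-LapsReaders -Approved $approved
```

Any row returned is a principal that can read the stored local admin passwords for that OU without being on the approved list.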

Microsoft LAPS – Step 5 – Deploy the GPO Extensions to ‘Controlled’ Machines.

1. On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.

2. Edit the GPO.

3. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > LAPS[/box]

4. The policy that turns LAPS on is the last one ‘Enable local admin password management’ > Enable it.

5. The actual complexity and age of the password is set in the ‘Password Settings’ policy, > Enable it and accept the defaults.

Note: the other two policies are;

Name of the administrator account to manage: Use if you have manually created another common admin account on all your machines, NOT if you have renamed the local administrator account.

Do not allow password expiration time longer than required by policy: Set to Enabled.

Microsoft LAPS – Step 6 – View the Local Admin Passwords for Controlled Machines.

1. You can do this from PowerShell with the following command;

[box]Get-AdmPwdPassword -ComputerName hostname[/box]

2. Or if you have installed the Fat client, you can launch that from; [box]C:\Program Files\LAPS\AdmPwdUI.exe[/box]

3. Or as it’s an AD object attribute, you can view it on the computer’s AD object.
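
To confirm the policy from Step 5 has actually taken effect across the OU, this added example (not from the original article or from Microsoft) classifies computers using only the ms-MCS-AdmPwdExpirationTime attribute, so the passwords themselves are never read. The function name Get-LapsCoverage, the PC-0x names and the example.com DN are assumptions; the sample objects are constructed so the block runs without a domain.

```powershell
# Added example: classify computers by the LAPS expiry timestamp only.
# The password attribute (ms-MCS-AdmPwd) is never requested here.
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        $raw = $Computer.'ms-MCS-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # Never written: client missing, GPO not applied, or no self-permission
            $state = 'Unmanaged'; $expires = $null
        } else {
            # AD stores the value as a FILETIME (100 ns ticks since 1601, UTC)
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $state = if ($expires -lt $Now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            State      = $state
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample objects: one current, one overdue, one never managed.
$now = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ Name = 'PC-01'
        'ms-MCS-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-02'
        'ms-MCS-AdmPwdExpirationTime' = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-03' }
)
$sample | Get-LapsCoverage -Now $now | Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module; the OU DN is a placeholder):
# Get-ADComputer -Filter * -SearchBase 'OU=Domain Computers,DC=example,DC=com' `
#     -Properties 'ms-MCS-AdmPwdExpirationTime' | Get-LapsCoverage
```

Machines reported as Unmanaged still carry whatever local administrator password they were deployed with, and Expired ones have not checked in to rotate it.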

Related Articles, References, Credits, or External Links

NA

iPhone – Bluetooth Problem

KB ID 0000374 

Problem

I wrote an article yesterday about tethering via bluetooth, and had a few problems, sorry to say the web was not much help at all 🙁

Basically the iPhone was marked with a yellow warning triangle, and when clicking the troubleshooting option you see the following,

Error: Bluetooth Peripheral Device doesn’t have a driver.

2. I read some forum posts and the general advice was to download iTunes, extract the driver msi out of it and use those drivers, but that didn’t work either.

Error: Bluetooth Peripheral Device – No driver found.

Solution

The reason this is happening is that by default your iPhone installs with the “Wireless iAP” Service enabled. Click Start > Devices and Printers > Locate your iPhone > Right click > Properties > Services > Untick Wireless iAP > Apply > OK.

Note: You can still use the phone as an internet access point.

 

Related Articles, References, Credits, or External Links

NA