Ivanti Workspace Control vs User Workspace Manager Matrix

Now that the acquisition of RES Software is becoming more and more accepted and has found a place on the calendar of most IT departments, it’s time to share some experience from the field.

One thing that keeps IT managers awake is how to migrate their workspace(s) to a new workspace management tool like UWM. The best option could be to wait until a refresh of the current workspace environment or infrastructure is needed or already planned on the IT calendar.

The other thing they struggle with is the adoption of other workspace management tools (like UWM) in their environment. RES Workspace Manager (Ivanti Workspace Control) is very intuitive and easily adopted by (new) admins. If you want your admins to do the same tasks using UWM, they will need training!

Don’t worry. I can advise you about the best choice(s) for your situation or help your team to migrate your workspace(s). See my contact page about how to contact me.

Another important item on their list is finding out whether UWM can do the same things for their workspaces. Don’t worry, that’s why I created this Workspace Control (RES) vs User Workspace Manager (AppSense) table for you.

Workspace Control (RES) vs UWM (Appsense)

Item | Description | Workspace Control (RES) | UWM (AppSense)
Desktop Composition
Logon Script Replacement | UI removes the need to use VBS or PowerShell | Yes | Yes
Manage and Deploy Group Policy settings | | Yes | Yes
Desktop Icons | Manage items on the desktop | Yes | Yes
Session and Environment Variables | Manage session and environment variables | Yes | Yes
Printers | Map printers, drivers, set default printer, save printer preferences | Yes | Yes
Configure Start Menu | Manage the Start Menu | Yes | Yes (Except Tiles)
Pinned items | Pin items on Taskbar or Start menu | Yes | No
Manage Tiles in Start menu | Manage tiles in Start menu | Yes | No
Trigger on logon, logoff, process start/stop, connect/disconnect | | Yes | Yes
Pre-session trigger | Actions can be run early in logon process for settings like DPI and session timeouts | No | Yes
Desktop Created trigger | Logon actions can be delayed until after the Windows desktop is visible to the user | Yes – “after logon” | Yes
Computer Start and Stop | Non-session triggers | Yes | Yes
Additional configuration Triggers | Configure settings during User Workspace Session | Connectivity Change, Session Reconnect, Session Refresh by admin or user | Lock, Unlock, Network Ready, Connectivity Change
Contextual Configuration rules | Set configuration based on Workspace Context | Yes | Yes
Parallel Processing | Fast logons as agent runs actions in parallel | Most Composition actions can be set to start in a new thread | All actions can run in parallel using a configurable thread pool
Real-time configuration changes on desktops | Applied config can be applied immediately to clients workspace? | Yes (Refresh Workspace) | Partial, Best practice is to delay config changes to next logon
Desktop Refresh | Update desktop with new settings without a logoff/logon | Yes | No
Target configurations at user groups or devices | Configurations Settings for groups or devices | Yes | Yes
Configuration Rollback | Version control and approval workflow | Yes (buildingblocks per changed item) | Yes (Config files with all last changes)
Configuration distribution method | Scale-out vs scale-up | Relay Servers for > 3k endpoints, or low bandwidth sites | Add more IIS servers
Profile Management
Profile Storage to (SMB) File Share | Persist user settings using SMB file shares as storage | Yes | Yes
Saves profiles in native Windows format | | Yes | Yes
Profile rollback/reset | Allow Servicedesk, Admin or user(s) to rollback Profile Settings. | Yes | Yes
End user Self Service | Allow user(s) to use Self Service | Yes | Yes
Central reporting | | Yes | Yes
Personalization Analysis | Explore and edit user data in central store | No | Yes
Bulk changes | Profile data edit/delete | No | Yes
API and PowerShell for managing profile data | | No | Yes
Profile operations console for Help Desk | | Yes | Yes
UWP App support | Manage Windows Store apps | No | Yes
Application Control
Application Whitelisting | | Yes | Yes
App digital certificate | | Yes | Yes
Monitor/Audit mode | Used in pilot, brownfield or initial rollout | Yes | Yes
Metadata Support | Allow/deny using app metadata such as vendor, version, etc… | Yes | Yes
Trusted Ownership Checking | | No | Yes
Trusted Process | Allow or deny based on parent process | Yes | Yes
Admin rights elevation and de-elevation for applications | Granular control over processes that should run with admin privilege | Yes | Yes
Control elevation of child processes and common dialogs | | No | Yes
Admin rights elevation and de-elevation for Windows components | Elevate select control panels and other components | No | Yes
Local administrator restrictions | Prevent local admins from killing services, executables, uninstall … | No | Yes
Self-elevation and self-authorization | Allow certain users to authorize and elevate apps and installers, with audit trail | Partial - (User installed Applications) | Yes
Offline change request | Help desk workflow to allow installs, elevation and execution for offline users over the phone | No | Yes
URL Control | | Yes | Yes
Per Device Application licencing | Audit and limited access to device-based licencing apps like Visio | Yes | Yes
Control over non-exe files | Allow/deny DLLs, batch | Partial – executable files and DLLs | Yes
macOS and Linux whitelisting | Files, Folders and User Data Application control only | Yes | No
Robocopy functionality, with scheduled sync | | Yes | Yes
Folder Redirection | | Yes | Yes
Drive Mappings | | Yes | Yes
Audit of file access | | Yes | Yes
Controlled use of O365 OneDrive Storage | Policy-controlled access, usage and audit | No | Yes
Application Performance
Thread throttling | Temporarily clamp CPU usage by rogue threads | No | Yes
Memory trimming | Reclaim unused allocated memory | Yes | Yes
CPU base priority change | Moves problem threads to lower priority | Yes | Yes
CPU smart scheduling | Replaces Windows CPU scheduler | No | Yes
Contextual control over performance features | Condition Engine targets performance controls | Yes | Yes
Other
Deployment or “push” of agents | Without 3rd party solution | Yes | Yes
Integration with SCCM | Agents and configurations | Yes | Yes
Scriptable interface | Script a workspace configuration without console or UI | Yes | Yes
Configuration snippets | | Yes | Yes
Integration with Ivanti Automation | | Yes | No
Integration with Ivanti (RES) Identity Director | | Yes | No
App-V deployment to desktops | Initiate package streaming | Yes | No
App-V application configuration and personalisation | Ability to customise and personalise SCCM delivered applications | Yes | Yes
SCCM application deployment to desktop | Initiate package installs | Yes | No
SCCM application configuration and personalisation | Ability to customise and personalise applications delivered by SCCM | Yes | Yes
Application UI lockdown | Remove edit boxes, restrict access to WinForms and buttons within applications | No | Yes
USB control | | Yes | Yes
File Save control | Prevent and restrict users from saving files or file types to local drives | Yes | No
Auditing | | Database | Event log, CSV file, SCOM pack, Database
Logon Analysis | | Workspace Analysis | web console EmMon and LogParser tools
VDX integration | VDX (Reverse seamless) application management from Workspace console | Yes | No
Manage Workspace with multiple admins at the same time | Build new environment with multiple Workspace Admins at the same time | Yes | No (Config file is locked when admin configures settings)
Intuitive Console | Workspace management config is easily adopted by new admins | Yes (Application Centric Approach) | No (Multiple consoles needed for configuring single application)

Howto: Manage Windows 10 Workspaces using RES ONE Workspace v10

In this chapter I share my best practice for managing Windows 10 workspaces using RES ONE Workspace v10. I assume you already have experience with RES (Workspace) and Microsoft (Windows).

 

Choose the right Windows 10

First of all, some NRRR (Not Really RES Related) things. If you want to manage the tiles in the Start menu you have to choose Windows 10 Enterprise. It’s important to determine which service branch is going to be used in your environment.

See this chapter for the full story about choosing the right Windows 10 version.

 

Performance matters!

Users don’t like waiting (what about you?), so make sure your workspace performs at a level you would accept yourself. For more information and best practices about performance tuning Windows 10 see this blog. As a RES RSVP I am under NDA but I can tell you that the best performance upgrade from RES ONE Workspace is coming soon!

Keep watching my blogs for more information!

 

Automate!

My advice is to automate the installation/configuration of the golden image using tools like RES ONE Automation. This way your image is documented from the start and it’s easy to roll out a fresh new version.

This seems like a lot of work but it saves time when managing/operating the environment. The (zero touch) rollout of Windows is made easy using the free MDT and WDS tools. See this blog post for that. Don’t worry, I will share a RES ONE Automation building block to help you out here.

 

Security from the start!

One of the first things we enable in the RES ONE Console is security (managed applications). My advice is to enable web security on the backend (not the frontend). In Server Based Computing environments like Citrix or Microsoft Remote Desktop I also advise using the Read Only Blanketing security feature.

Make sure you get the business policy for removable devices like USB sticks or disks on paper. RES Security has plenty of features on board to manage complex removable device policies.

New applications can be easily onboarded using the learning (security) mode. In this way processes are authorized on the managed application and not in the global authorized process list. Of course it’s possible to move the authorized processes from global to application level.

Also see these resources for making sure you understand RES Security:

https://www.youtube.com/watch?v=XJCVkJAryAg

And these blogs about RES Security:

 

Setup The User Profile

To make a long story short: don’t set up user profiles, use local profiles instead. Don’t spend too much time tweaking the default profile (leave it default). When you add or remove programs, the default settings are usually reflected in the default user profile. Make sure your workspaces are running from fast storage like SSD/flash.

Use (RES) Zero Profile to save and apply user settings when needed in the user workspaces. That’s easy, right? Don’t worry, I will help you set up Zero Profile later in this chapter.

 

Manage several workspaces using ONE Workspace management console

RES ONE Workspace allows you to manage several workspaces by creating workspace containers. Use this cool feature to create your Test, Desktop and Server Based Computing workspaces in one management console.

https://www.youtube.com/watch?v=KC2C79HWoUE

 

Location and Devices

Use RES Location and Devices to make your workspace dynamic, for example for location-based printing or to make specific applications available only at the headquarters. Your brain is the only limit to the possibilities here.

 

Browser configuration

As more and more applications are web based (private or public cloud), setting up a decent browser configuration is important. I don’t recommend using Edge (yet), so let’s start with Internet Explorer 11 (IE11).

 

 

Default browser message?

When using Outlook 2007 or 2010 you might keep getting the ‘Choose Default Browser’ message.

Set IE11 as your default browser using this post.

MMmmmm Cookies!

Of course you want your users to be able to roam cookies, but Microsoft only allows you to do so with roaming profiles with a persistent local profile. Don’t worry, RES found a solution for this: they tweak the local profile to roaming and set the required IE configuration.

 

 

Master / Slave Setup

Set all the configuration (Zero Profile, tasks, variables, registry etc.) on one (master) IE11 application and link all other (slave) IE11 shortcuts to this master for the configuration and required user settings. Let me help you with this building block.

 

 

What about the other browsers?

Of course there are still applications that require Firefox or Chrome. My best practice is to deliver those browsers virtualized (ThinApp, App-V or whatever). Limit the browser to allow only the URL that’s required for the application to work, and check the browser compatibility for those apps yourself, because I noticed that for several applications IE11 just worked.

Use the Master / Slave setup I mentioned with these applications. Set up one (Firefox or Chrome) application and link the other applications that need these browsers to this master application configuration.

 

Microsoft Office

Another frequent player in the user workspace is Microsoft Office, so it’s important to set this one up in a decent way as well. Use the default (built-in) RES templates to set up Zero Profile for these applications.

You’re not capturing all settings with these templates. Don’t worry, I will share my best practice building blocks for managing Office 2010 here for you.

 

Office add-in(s)

Make sure you find the locations of the add-ins which are installed in the golden image, and then delete them! Apply them in the user workspace only for the users that require them. Place the add-in configuration on the application (not global).

 

Zero Profile configuration

User profiles contain a lot of junk so don’t manage, store and backup everything! Try roaming profiles if you want to capture all user settings ;-).

My advice is to configure Zero Profile for the common applications and use the well-known ‘beep system’ to configure the settings that the users miss. Use the built-in (RES) templates and the built-in (RES) tools to sample and capture user settings.

You might get lost in which application captures which settings. Don’t worry, use the user settings overview to get you back on track.

Don’t forget to instruct your users how to use the self-service feature to restore their own application settings.

Modern Apps?

My experience with modern apps is that they are not used in business environments. Another thing about modern apps is that they don’t allow saving user settings. My advice is to remove the modern apps using this PowerShell one-liner:

Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

 

Built-in Applications

Don’t forget to deliver the built-in apps like Notepad, Calculator and Snipping Tool because your users (also) need them. Microsoft decided to turn Calculator into a modern app, so we need to install the ‘old’ calculator. Use this link to download the old calculator.

 

File type association(s)

Do NOT configure file type association for the natively installed applications. Use RES process interception for these applications. Make sure that process interception is only configured for the applications that need to start using file type association. For example, when many shortcuts are created and linked to a ‘Master’ application (like iexplore.exe), configure process interception only for the master application.

 

Printer troubles?

NRRR again: I haven’t found an environment without printer problems (yet). In most cases the customers weren’t even aware of them ;-). Most problems occur with the (printer) drivers. The solution is simple: take the time to find and install the right printer drivers on your print server and install the right drivers on your base image.

My advice is to not allow automatic printer driver installation, because this can slow down your login time dramatically and users don’t like that!

Packaged Drivers

Another thing with printer drivers is the way they are delivered/installed on the client. The right driver is installed on the client but a message pops up every time the user logs on about installing the driver. This can happen when your printer driver is not packaged.

To find out whether the driver is package-aware, use Print Management. Open the drivers section; if the driver is package-aware it will have the ‘true’ status in the packaged column. See this Microsoft KB for more information.

There is a little trick that makes a system think that the driver is package-aware. To do it, open the
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\…\Driver name\ branch of the registry on the print server and change the value of ‘PrinterDriverAttributes’ key for the specific driver by adding 1 to the current value. For example, if the attribute value has been equal to 5, change it to 6.

The same has to be done for the driver attribute in HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers…\Driver name\.

After the restart, your printers will connect without any warnings.

 

Elevated processes that require environment variables…

I had some issues using RES dynamic privileges when using environment variables. I noticed that setting the ‘EnableLinkedConnections’ registry key solved these issues.
See this Microsoft KB for more information. There were some issues with the early Windows 10 builds but all seems to work fine now.

 

Antivirus

Again this is NRRR, but I have seen many workspace improvements after a decent configuration of the virus scanner. For example, make sure you download and apply the Best Practice – Antivirus Recommendations from RES.

When using VMware ESXi and vShield antivirus protection, make sure that the VMware Tools version in the image matches the version on the hosts.

 

Branding

Of course you want your Windows 10 workspace to look good! This means the lock screen, user account pictures etc. need to be set. The default user account pictures are stored in ‘C:\ProgramData\Microsoft\User Account Pictures’ and the default lock screen picture is best stored at ‘C:\Windows\web\screen’.

Again I can help you with this buildingblock.

 

Missing Tiles in startmenu?

I noticed that sometimes the Start Menu was empty (no tiles), while items were pinned in previous sessions. See this excellent blogpost from John Billekens for a workaround for this issue.

 

What’s that?, you want more? Check these related blogs:

I really hope this blog will help you and your organization roll out Windows 10 in an efficient way. If you have a question, comment, compliment or suggestion, let me know.

Thanks for reading, Rob Aarts

Choose, Prepare and deploy Windows 10 in your organization

In this blog I will show you the things you need to know when you are planning to roll out Windows 10 in your organization. This blog is based on my own experience while I was helping organizations roll out Windows 10 in their environment(s).

In this blog I share my experience with delivering the Windows 10 workspace using VMware Horizon View. The workspace is managed by RES ONE Workspace.

This blog covers several chapters:

I really hope this blog will help you and your organization roll out Windows 10 in an efficient way. If you have a question, comment, compliment or suggestion, let me know.

Thanks for reading,
Rob Aarts

Howto: Choose the right Windows 10

I hope this chapter helps you in making the best choice(s) for your organisation.

Which Edition?
One choice is which edition (Home, Pro, Enterprise or Education) fits your environment best. The following table can help you in making the choice.

Check all features on the following Microsoft website

32 or 64 bits?
In virtual environments the general recommendation is to use 64 bits.

Which Service Branch?:
It’s important to determine which service branch is going to be used in your environment. Microsoft recommends that business critical systems should opt for the Long Term Servicing Branch (LTSB), while day-to-day devices should probably use Current Branch for Business (CBB). More important to consider is the possibility to defer updates on these branches compared to the Current Branch (CB) servicing option. Windows 10 will give enterprises less time to implement new features, which will likely impact companies’ change procedures, and selecting the right service branch will be an important part of managing these changes over time.
User experience is of course top priority for every company migrating to a new OS. Therefore, it is crucial to have a Pilot/route to life plan in place which clearly addresses issues in the migration process in an early stage.

The following table provides an overview of the planning implications of the three Windows 10 servicing options so that organizations can be well informed before they start a Windows 10 deployment project.

Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see immediate feature upgrade installation with CB servicing.

Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see deferred feature upgrade installation with CBB servicing.

Receive only servicing updates for the duration of their Windows 10 deployment to reduce the number of non-essential changes made to the device. For more information, see Install servicing updates only by using LTSB servicing.

The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.

Manage Start Screen Tiles?:
Start layout control is supported in Windows 10 Enterprise and Windows 10 Education. Start layout control is not supported in Windows 10 Pro.
Source: https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy

Note: RES ONE Workspace uses the Microsoft Start Layout Group Policy to manage and deliver tiles on the Microsoft Windows 10 Start Screen and will not be able to manage the tiles on Windows 10 Pro.

Also see:

Howto: Deploy Windows 10 using Microsoft MDT & WDS

This chapter shows how to set up Microsoft Deployment Toolkit and Windows Deployment Server. First we start by installing Windows Deployment Server:

Open the WDS Management Console, right click on the Server and choose Configure Server.

Add the following options to your DHCP scope:

Option | Value
66 | The hostname or IP address of the WDS Server
67 | boot\x64\wdsnbp.com

Then we download and install MDT (in my case 2013) on the same server.

Mount your Windows 10 ISO file and browse to the DVD.

Because we use RES ONE Automation Manager we configure the RES ONE Automation Manager Agent.
Example for the Quiet install Command:
Msiexec /i "RES-AM-Agent-x.x.x.x.msi" SITELICENSE="RES-519E-03D1-FCBA-434A-80FF-88F8-FD8D-2F04" INVOKEPROJECT="{301620AE-B250-2B87-AA02-01B6224E1F83}" /qn

TIP: The ‘INVOKEPROJECT‘ parameter can also be used for invoking a runbook, just by filling in the runbook GUID.

We inject the VMware Tools drivers, for instance to be able to use the network in the virtual machine.

Open Windows Deployment Services Management Console and add the PXE boot image.

 

If you would like to make your Windows deployment zero touch, then follow these instructions:

  • Download these files (fill in the required information) and place them in your deployment share location.

Also see:

Howto: Deliver Windows 10 using VMware Horizon View (Best practice)

In this chapter we create the (golden image) virtual machine in vCenter. Make sure your ESXi hosts are all the same version. To make sure you are compatible I also recommend using at least ESXi 6.0 (or higher).

This sounds like common sense, but please make sure you have a decent storage solution in place. Local SSD still works fine but is inefficient for doing maintenance in your VDI environment.
Using a Virtual SAN gives you all the benefits of local storage with flexible maintenance possibilities.

Use the vSphere Web Client for creating the VM like I did in the example below. Create the VM using these resource settings:

  • 2 CPUs;
  • 4GB memory;
  • VMXNET 3 network adapter;
  • 128MB video memory with one monitor (these settings can be configured in the Horizon View Pool settings later);
  • If your ESXi hosts have 3D cards, for example NVIDIA K1 or K2, you can also enable 3D here; the amount of 3D memory depends on your resource requirements. These settings can also be configured later on in the Horizon View Pool settings;
  • You can delete the floppy drive, pretty sure you’re not needing that anymore;
  • You can also delete the serial ports, parallel ports and floppy disk controller.

Because we need to adjust the BIOS settings of the Virtual Machine, in the ‘VM Options’ we enable the option to force the VM to start in the BIOS the first time we start the VM.

Then we disable the option to unplug devices like network and hard disk: open ‘Advanced’ and then ‘Configuration Parameters’ and add ‘devices.hotplug’ with the value ‘False’.

Then we start the VM and adjust the ‘Boot’ options: we put the network boot in first place and the ‘Hard Drive’ (which isn’t that hard 😉) second.

Another practical tip is to enable ‘Numlock in the BIOS’, we can do that by choosing ‘Keyboard Features’ in the ‘Main’ Screen.

I also recommend disabling the serial and parallel ports and the floppy controller in the BIOS.

Exit the BIOS and hit F12 when asked. If your PXE configuration is working you will see the Microsoft Deployment Toolkit starting to deploy your image 😉

Next we create the VMware Horizon View Pool. I recommend using Horizon View version 6 or higher for delivering your Windows 10 virtual workspace.

Also see:

 

Howto: Windows 10 performance tuning

In this blog I will show you how to optimize (tune) your deployment.

I can be brief about this one, because the job is done easily and quickly using the VMware OS Optimization Tool (OSOT), which can be downloaded for free here.

The tool is straight forward, just double-click to install and follow the instructions from there. You can create/import/export your own templates.

A standard Windows 10 machine is filled with a lot of Universal Apps compared to a Server 2016 set. I think the cleaner the desktop the better.
The OSOT tool does not depend on VMware Horizon View, so you can use the tool for tuning your Windows VDI on other platforms too.

My advice is to first check which applications you may need before removing them.
To remove all Universal Apps from your image you could use the following PowerShell command:

Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

All (new) user profiles will get a nice clean desktop.
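
The one-liner above (also used in the Modern Apps section of the RES ONE Workspace chapter) removes every provisioned app without a review step. The script below is an added example, not part of the original blog or of any RES or VMware tooling: it records what the image contains, keeps an allow-list and only removes the rest, so the advice to first check which applications you need can be followed with -WhatIf. The keep list, parameter names and report path are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
<#
  Added example: review, then selectively remove provisioned (image-wide) Appx packages.
  Run once with -WhatIf to see the plan, then again without it to apply.
  Assumptions: the default keep list and the report location are illustrative only.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # DisplayName values to keep; wildcards are allowed (assumed defaults)
    [string[]]$Keep = @(
        'Microsoft.WindowsStore',
        'Microsoft.WindowsCalculator',
        'Microsoft.DesktopAppInstaller'
    ),

    # CSV inventory written before anything is removed (assumed location)
    [string]$ReportPath = "$env:TEMP\ProvisionedApps-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

# Inventory of packages provisioned in the running image
$all = @(Get-AppxProvisionedPackage -Online | Sort-Object DisplayName)

# Keep a record of the original state for documentation and later rebuilds
$all | Select-Object DisplayName, Version, PackageName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Verbose "Inventory of $($all.Count) packages written to $ReportPath"

# Build the plan: every package is either kept (matches the list) or removed
$plan = foreach ($pkg in $all) {
    $kept = $false
    foreach ($pattern in $Keep) {
        if ($pkg.DisplayName -like $pattern) { $kept = $true; break }
    }
    [pscustomobject]@{
        DisplayName = $pkg.DisplayName
        PackageName = $pkg.PackageName
        Action      = $(if ($kept) { 'Keep' } else { 'Remove' })
    }
}

# Show the plan before acting on it
$plan | Format-Table DisplayName, Action -AutoSize | Out-String | Write-Host

# Remove only what is not on the keep list; -WhatIf and -Confirm are honoured
foreach ($item in @($plan | Where-Object Action -eq 'Remove')) {
    if ($PSCmdlet.ShouldProcess($item.DisplayName, 'Remove provisioned package')) {
        try {
            Remove-AppxProvisionedPackage -Online -PackageName $item.PackageName -ErrorAction Stop |
                Out-Null
        }
        catch {
            # One failing package should not stop the rest of the clean-up
            Write-Warning "Could not remove $($item.DisplayName): $($_.Exception.Message)"
        }
    }
}
```

Like the one-liner, this only affects provisioned packages, so it changes what new user profiles receive and belongs in the golden image build.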

Also see: