Monday, December 17, 2012

Citrix Receiver - There are no apps available at this time

While configuring the Netscaler Access Gateway for iOS device access we were able to complete the initial setup, but every subsequent login to the account then resulted in the error:
"There are no apps available at this time"

There is a lot of info out there on this issue, but I only found a handful of pages that were useful.
This is what resolved the issue for me:

  1. Order the session policies so that the Receiver policy has the higher priority (on the Netscaler a lower priority number is evaluated first, so give the Receiver policy the lower number)
  2. Ensure that you don't misspell Receiver in the policy expression! The guide I followed had the "ei" backwards; I read it like a robot and that cost me two hours of troubleshooting. Doh!

In the end, my policies look like the following which work a treat.


Netscaler / Access Gateway 401 - Unauthorized: Access is denied due to invalid credentials

Setting up the Access Gateway on a Netscaler to replace a 2010 appliance.
Found this guide to be very good for initial setup:
http://blogs.citrix.com/2012/04/10/netscaler-for-the-xendesktopxenapp-dummy/

After setup, though, we were still having issues with the following error:
401 - Unauthorized: Access is denied due to invalid credentials
You do not have permission to view this directory or page using the credentials that you supplied.

Looking at the Web Interface server's event log, we found:
Event ID:      18001
A communication error occurred while attempting to contact the Access Gateway authentication service at https://xxxxxxxx/CitrixAuthService/AuthService.asmx. Check that the authentication service is running. The message reported by the underlying platform was: Unable to connect to the remote server. [Unique Log ID: 88ee87ee]

With this I was able to find Shaun Ritchie's excellent blog:
http://www.shaunritchie.co.uk/access-gateway-401-unauthorized-access-is-denied-due-to-invalid-credentials

The resolution for us was to add an entry to the hosts file on the Web Interface server pointing the Access Gateway FQDN at the Access Gateway virtual server's internal IP address, so that Web Interface reaches the authentication service directly rather than via the public address.
Note: the same thing can be done in DNS for your domain (an internal record for the FQDN) instead of editing hosts files.
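The check and fix described above, scripted: this is an added example and not part of the original post. It runs on the Web Interface server, reports what the Access Gateway FQDN currently resolves to, tests whether TCP/443 (the port the AuthService URL in the 18001 event uses) is reachable, and with -Fix appends the hosts entry. The FQDN and internal IP are placeholders, since the post masks the real hostname; the script uses only .NET classes available on Windows Server 2008 R2, where Resolve-DnsName and Test-NetConnection do not exist.

```powershell
# Added example: diagnose and fix Web Interface -> Access Gateway name resolution.
# Run elevated on the Web Interface server. Defaults below are placeholders.
param(
    [string]$Fqdn       = 'ag.example.com',   # assumption: the masked FQDN from the 18001 event
    [string]$InternalIp = '10.0.0.10',        # assumption: AG virtual server internal IP
    [switch]$Fix
)

# 1. What does this box resolve the FQDN to right now?
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
} catch {
    $resolved = @()
}
if ($resolved) { "$Fqdn resolves to $($resolved -join ', ')" } else { "$Fqdn does not resolve" }

# 2. Can we open TCP/443 to it? The AuthService URL is HTTPS, so this is the
#    path Web Interface takes when it reports "Unable to connect to the remote server".
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Fqdn, 443)
    "TCP 443 to $($Fqdn) is open"
} catch {
    "TCP 443 to $($Fqdn) FAILED ($($_.Exception.Message))"
} finally {
    $client.Close()
}

# 3. Optionally pin the FQDN to the internal vserver address in the hosts file.
if ($Fix -and ($resolved -notcontains $InternalIp)) {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Add-Content -Path $hosts -Value "`r`n$InternalIp`t$Fqdn`t# Access Gateway vserver (internal)"
    "Added hosts entry; re-run without -Fix to confirm resolution and connectivity."
}
```

Pointing the FQDN at the internal address only fixes reachability; the certificate bound to the Access Gateway virtual server still has to match the FQDN, because Web Interface validates it when it calls the authentication service.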

Friday, September 7, 2012

Lenovo ThinkPad T530 cannot install video driver - NVIDIA

Recently we purchased a new Lenovo ThinkPad T530 2392-4DU; unfortunately we had to downgrade it to Windows XP for the time being. Everything installed very well except the graphics driver.

When I tried to install the NVIDIA driver it would error with "NVIDIA Installer cannot continue - This graphics driver could not find compatible graphics hardware."

I tried switching to the Intel integrated graphics driver, which also wouldn't install and reported "This system does not meet the minimum requirements".

After talking to Lenovo support (and, for a reason unknown to me, troubleshooting the UEFI / SATA Controller Mode option, a case of the support rep not listening and going by a script) I was told that the installer package erroring was a Microsoft issue. Yeah, right. After explaining the issue again, and that it wasn't an MS issue but a Lenovo driver issue, I was told that they can't help, so sorry. Long wait on hold for the manager, and now it's being escalated; they'll call back next week.

Good golly. Searching around online for the previous T520 model, I found this:
http://support.lenovo.com/en_IN/downloads/detail.page?submit=true&componentID=1345028200599&DocID=HT062424

Change the graphics device setting in the BIOS from the default (switchable / Optimus) to Discrete Graphics, reboot, then install the NVIDIA driver. With switchable graphics enabled the installer only sees the Intel adapter, which is why it reports no compatible hardware.

Thursday, May 24, 2012

Windows 7 Trusted Sites for all users - Active Setup

On a recent deployment of laptops I needed to add a certain domain to the Trusted Sites zone for all user accounts (local and domain) on a number of domain-joined computers. Ideally I would use a GPO to do this, but I also had to cover the local user accounts (in fact, local accounts would be used almost exclusively on these laptops).

With Windows XP we could do this by adding the proper keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\. That applied the domain to Trusted Sites for all users on the computer (the site was not visible in Internet Options, but it was still applied), but in Windows 7 the HKLM option no longer works. Adding the value under HKCU functions the same as before, but I can't do that for every local account on all of these computers, not to mention if I ever need to change it.

Note: there is a GPO (Site to Zone Assignment List) that adds trusted sites, but when it's enabled it removes the end user's ability to add to the list themselves (the dialog is greyed out).


After poking around I found several mentions of using Active Setup, which sounded very promising. The only problem was that nobody I read actually spells out how to use it.


To start, here's a great writeup of what Active Setup is: http://www.sepago.de/helge/2010/04/22/active-setup-explained/
And this wiki site briefly hits on it: http://wpkg.org/Adding_Registry_Settings

But again, neither of these really says how to use it. Still, from the sites above we get a rundown of how it works: at user logon, Windows compares the component entries under HKLM\Software\Microsoft\Active Setup\Installed Components with the copies under the same path in HKCU. If an entry is missing from HKCU, or its Version there is lower than the HKLM one, Active Setup treats it as not yet applied for that user, runs the entry's StubPath in the user's context, and then writes the entry into HKCU so it doesn't run again.

Cool, so if we add an entry to HKLM and it hasn't yet been added to HKCU, it gets applied at logon. Even better, we CAN manage HKLM from a GPO. So, using Active Setup we can apply per-user settings to local users with Computer Configuration GPOs.


To add an Active Setup key:
  1. Open regedit
  2. Navigate to HKLM\Software\Microsoft\Active Setup\Installed Components
  3. Here you see the list of GUIDs from other software / setups
  4. Add a new key; in my example I'm going to call it {newtrustedsite}. It can be called anything, but it has to be unique (a GUID is the convention)
  5. Within this key add a new string value named "Version"
  6. Give Version a value, but don't use periods; use commas instead, for instance "1,0,1"
  7. Add a new string value named "StubPath". This is what you want it to run: an application, a script, or any other command line. It runs under the logging-on user's account, so it can write to that user's HKCU but needs nothing more
  8. We're going to add a trusted site, so my StubPath looks like this (the value data 2 is the Trusted Sites zone):
     reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com" /v https /t REG_DWORD /d 2 /f

All done.

The user logs in, Active Setup detects that the component hasn't been "installed" for that profile, and runs the command, adding the key. Now the user checks Trusted Sites via the GUI, sees the site, and can even modify it (including deleting the key you just added; Active Setup won't put it back, because the HKCU marker says it already ran). When you want to update the setting, or force it to run again for everyone, change the StubPath and increment the Version value.

Now, to push this via GPO you just use either an .adm template or Registry preferences under Computer Configuration.
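The same Active Setup entry created with PowerShell rather than by hand in regedit, as an added example that is not part of the original post. It assumes the key name {newtrustedsite}, the site contoso.com, zone 2 (Trusted Sites) and version 1,0,1 from the steps above, and must run elevated (the HKLM branch is writable by administrators only, which is what keeps ordinary users from planting their own StubPath). The comparison at the end shows the HKLM-versus-HKCU check that Active Setup itself performs at logon.

```powershell
# Added example: register an Active Setup component that adds a Trusted Site
# to every user's HKCU at their next logon. Run elevated. Names are assumptions
# carried over from the post's example.
$ComponentId = '{newtrustedsite}'   # any unique key name; GUIDs are the convention
$Site        = 'contoso.com'
$Version     = '1,0,1'              # commas, not periods; bump it to re-run for all users

$hklm    = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"
$zoneKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Site"

# Zone 2 = Trusted Sites. This command runs under each user's own token at logon,
# so it needs nothing beyond write access to that user's HKCU.
$stub = "reg add `"$zoneKey`" /v https /t REG_DWORD /d 2 /f"

New-Item -Path $hklm -Force | Out-Null
Set-ItemProperty -Path $hklm -Name '(Default)' -Value "Add $Site to Trusted Sites"
New-ItemProperty -Path $hklm -Name 'Version'     -Value $Version -PropertyType String -Force | Out-Null
New-ItemProperty -Path $hklm -Name 'StubPath'    -Value $stub    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $hklm -Name 'IsInstalled' -Value 1        -PropertyType DWord  -Force | Out-Null

# Verify: this is the comparison Active Setup makes at logon. A user whose HKCU
# copy is missing, or carries an older Version, gets the StubPath run.
$hkcu = "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"
$machineVersion = (Get-ItemProperty -Path $hklm).Version
$userVersion    = if (Test-Path $hkcu) { (Get-ItemProperty -Path $hkcu).Version } else { '<not yet applied>' }
"HKLM Version = $machineVersion ; HKCU Version (current user) = $userVersion"
```

To change the site later, edit StubPath and raise Version (for example to 1,0,2); the next logon re-runs the command for every user because their HKCU copy is now older. Deleting the HKLM key does not undo anything already applied to users.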

Friday, May 18, 2012

Windows could not parse or process unattend answer file

I had a lot of issues cloning a Windows 7 system when using an unattend.xml:

Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].

After much searching I found this which was spot on:
http://jamiebaldanza.org/2010/03/31/copyprofile-does-not-process-and-causes-windows-could-not-parse-or-process-the-unattend-answer-file-for-the-pass-specialize/

Thank you Jamie!

I had set the CopyProfile parameter and had ensured that only the Administrator account was present by removing the other profiles through the User Profiles control panel.

It seems that removing the users through the control panel did not delete their entries under the ProfileList registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList), and those stale entries are what breaks CopyProfile during the specialize pass.

To fix this without making a new sysprep image, I did the following:
  • Exported the wim from WDS
  • Mounted my image from the wds server
    • imagex /mountrw d:\ 2 c:\mountedimage
  • Modified the system registry values
    • Open Regedit
    • Highlight HKEY_LOCAL_MACHINE
    • File - Load Hive
    • Navigate into your mounted image to Windows\System32\Config
    • Select the SOFTWARE  (no extension)
    • Give the hive a temporary name
    • Navigate into the temporary hive at Microsoft\Windows NT\CurrentVersion\ProfileList and remove the obsolete profile keys (the SIDs whose profile folder no longer exists)
    • Select the temp hive name
    • File - Unload Hive
  • Commit changes
    • imagex /commit c:\mountedimage  (I found that running commit and unmount as separate commands reduced how often I got the error that it couldn't fully unmount)
  • Unmount
    • imagex /unmount c:\mountedimage
  • Imported the wim back into WDS as a new build
    • Right click my install images group and "Add Install Image"
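The registry clean-up step above, scripted so it can be repeated against any mounted image: this is an added example and not part of the original post. It assumes the image is already mounted read/write with imagex at C:\mountedimage, loads the offline SOFTWARE hive under an assumed alias (HKLM\OfflineSoftware), and removes only ProfileList entries whose profile folder no longer exists inside the image, which is exactly the residue the control panel left behind. Well-known service SIDs are always kept.

```powershell
# Added example: remove stale ProfileList entries from an offline Windows 7 image.
# Prerequisite: imagex /mountrw <wim> <index> C:\mountedimage (done in the steps above).
# Run elevated on the WDS server. Paths and the hive alias are assumptions.
$mount   = 'C:\mountedimage'
$hiveKey = 'HKLM\OfflineSoftware'
$hive    = Join-Path $mount 'Windows\System32\Config\SOFTWARE'

# LocalSystem, LocalService, NetworkService: always present, never remove.
$wellKnown = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

& reg.exe load $hiveKey $hive | Out-Null
try {
    $profileList = "Registry::$hiveKey\Microsoft\Windows NT\CurrentVersion\ProfileList"
    foreach ($key in Get-ChildItem -Path $profileList) {
        $sid  = $key.PSChildName          # e.g. S-1-5-21-...-1001, or S-1-5-21-...-1001.bak
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if ($wellKnown -contains $sid -or -not $path) { continue }

        # ProfileImagePath is a path inside the image (C:\Users\name); rebase it
        # onto the mount point to see whether the profile folder still exists.
        $onMount = $path -replace '^[A-Za-z]:', $mount
        if (Test-Path -Path $onMount) {
            "Keeping  $sid -> $path"
        } else {
            "Removing $sid -> $path (folder missing in image)"
            Remove-Item -Path $key.PSPath -Recurse -Force
        }
    }
}
finally {
    # PowerShell holds handles on the loaded hive; release them or unload fails.
    [GC]::Collect()
    & reg.exe unload $hiveKey | Out-Null
}
```

After the script reports only the Administrator profile (and the well-known SIDs) as kept, commit and unmount with imagex as in the steps above. If an unload still fails, close any regedit window that has the temporary hive open.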

Wednesday, May 16, 2012

Add Driver Package to Capture Image - Windows Deployment Services 2008 R2

Using Windows Deployment Services 2008 R2 with a capture image of version 6.1.7600, I have now had two instances where the network doesn't come up. In both cases this was due to the network driver missing from the capture image.

I've found a lot of posts and blogs on how to add drivers to the image; some do it the easy way, but a good number of them don't.


After booting from the capture image you enter the server name / IP address of the WDS server and hit Connect. This results in:

Error: The network location cannot be reached. For information about network troubleshooting, see Windows Help.

At this point, if you press Shift+F10 to open a command prompt and type wpeutil InitializeNetwork followed by ipconfig, ipconfig returns nothing, because WinPE has no adapter to show. Running ipconfig /renew results in "The operation failed as no adapter is in the state permissible for this operation".


Add the driver to WDS:
  1. Download the NIC driver from the manufacturer and extract the .inf and its companion files (.sys, .cat).
  2. Place the driver files on the WDS server. In my case I put them in C:\Drivers\Lenovo\E520\x64 and C:\Drivers\Lenovo\E520\x86 (the capture image needs the architecture that matches the boot image, not the installed OS).
  3. Open your WDS console
  4. Right click on Drivers
  5. Add Driver Package
  6. Select driver from a folder
  7. Navigate to the Drivers folder
  8. Next
  9. You should see it list all the drivers it finds
  10. Check the ones you want and press next
  11. Next
  12. It will copy the drivers
  13. Next
  14. Select or create a new driver group
  15. Finish
Add the driver to the Capture Image:
  1. Ensure your capture image isn't in use
  2. Go to Boot Images
  3. Select your Capture Image
  4. Right click and "Add Driver Packages to Image"
  5. Next
  6. "Search for Packages"
  7. In the results pane select the drivers you want to add
  8. Next
  9. Image will be mounted, drivers added and dismounted
  10. Finish
PXE Boot your machine to your capture image and connect.

Note: you can test the NIC driver before adding it to the image by putting the driver files on a floppy or USB stick, PXE booting to the capture image, pressing Shift+F10 to open a command prompt, running drvload "path to .inf" and then wpeutil InitializeNetwork. If ipconfig then shows an adapter, that is the driver to import.
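The two console wizards above driven from the command line with wdsutil.exe, as an added example that is not part of the original post. Server 2008 R2 has no WDS PowerShell module (that arrived in Server 2012), so this is PowerShell wrapping wdsutil; the driver folder, group name, capture image name and architecture are assumptions taken from the post, and the switch names should be checked against wdsutil /Add-DriverPackage /? and wdsutil /Add-ImageDriverPackages /? on your server.

```powershell
# Added example: import NIC drivers into the WDS driver store and inject them
# into the capture boot image. Run elevated on the WDS server. All names are
# assumptions; confirm switch names with wdsutil <command> /? on your build.
$driverRoot = 'C:\Drivers\Lenovo\E520'     # contains x64\ and x86\ subfolders
$group      = 'Lenovo E520 NIC'            # driver group created below
$captureImg = 'Capture Image'              # name as shown under Boot Images
$arch       = 'x64'                        # must match the capture image, not the target OS

# 1. A dedicated, enabled driver group keeps these packages easy to find and filter on.
& wdsutil.exe /Add-DriverGroup /DriverGroup:$group /Enabled:Yes

# 2. Import every .inf under the driver folder (the console wizard's "Select driver
#    from a folder" step). wdsutil parses each .inf and rejects unsigned packages.
Get-ChildItem -Path $driverRoot -Recurse -Filter *.inf | ForEach-Object {
    "Importing $($_.FullName)"
    & wdsutil.exe /Verbose /Add-DriverPackage /InfFile:"$($_.FullName)" /DriverGroup:$group
}

# 3. Inject the group's packages into the capture image. The image must not be in
#    use; wdsutil mounts it, adds the drivers and dismounts it, as the wizard does.
& wdsutil.exe /Verbose /Add-ImageDriverPackages /Image:$captureImg /ImageType:Boot /Architecture:$arch /Filtertype:DriverGroupName /Operator:Equal /Value:$group
```

Before injecting, confirm the candidate driver with the drvload test from the note above; injecting a driver that WinPE cannot load only makes the boot image larger.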

Thursday, May 3, 2012

Windows 2008 R2 View Print Server Properties

In Windows 2003 / 2008, to view the installed print drivers you could open the print server properties by simply right-clicking white space in the Printers window.

With Windows 2008 R2 the process is just as easy, but since it's different, it can be very difficult to find...
  1. Open Devices and Printers
  2. Highlight any object under the Printers and Faxes section
  3. At the top of the window three new options appear next to the normal "add a device" and "add a printer"
    1. See What's printing
    2. *Print Server Properties
    3. Remove Device

Tuesday, February 21, 2012

Exchange 2010 SP1 ActiveSync device lockdown

The other day I began working on locking down ActiveSync so that only pre-approved devices could sync. I found that there were a lot of pages that gave portions of the solution or hinted at parts of it, but none that gave the full solution (excluding one site which I didn't find until later).

I'm not going to lay out all of the options, but below I intend to lay out the method that I'm using. From this it can easily be modified to add rules for the needs of your organization.

ActiveSync in Exchange 2010 SP1 can control devices by allowing (the default), blocking, or quarantining them. Devices are identified by their Device ID. The Device ID format differs by device type; for example, on Apple's iPad the ID is the serial number with "Appl" prepended, so ApplDFGGYUDVBFJ2 is what one would look like if the serial number was DFGGYUDVBFJ2. My understanding is that the Android ID is not derived from the serial number. One caveat to keep in mind: the Device ID is supplied by the client in its ActiveSync requests, so an allow list keyed on it controls which devices you have approved, but it is not a substitute for authentication; a client can present any ID it likes.

I'm going to cover doing this through PowerShell. It can also be done through the Exchange ECP via this excellent post by the Exchange team (this is the one I found after I had already done it through PowerShell):
http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx

  1. Open the Exchange Management Shell
  2. Get-ActiveSyncOrganizationSettings | fl DefaultAccessLevel
    1. This will report your current default level, most likely it's set to Allow
  3. Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients admin@didyourestart.com
    1. Here we are setting the default level to Quarantine and then specifying an email address to be notified when a device is quarantined. You will want this so that you can see what the DeviceID is of new devices (makes for easier adding of devices for allow access)
  4. You'll now find that if you try to connect your iPad it will be quarantined. Quarantined devices can be found via the Exchange ECP as described in the link above to blogs.technet.com or via Powershell
    1. Get-ActiveSyncDevice | where {$_.deviceaccessstate -eq 'Quarantined'} | ft DistinguishedName
    2. This can also be used to find the DeviceID. On an iPad this results in something similar to the following (the part after the § is the DeviceID)
      1. CN=iPad§ApplDFGGYUDVBFJ2,CN=ExchangeActiveSyncDevices,.....
  5. The next step is to allow this device for the user (note the value is the bare ID with no trailing space)
    1. Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2"
  6. You can view the list of allowed devices at anytime by using the following
    1. Get-CASMailbox -Identity aarons | fl ActiveSyncAllowedDeviceIDs
To allow a user multiple devices, separate the IDs with commas. Note that this parameter replaces the whole list rather than appending, so include every ID that should remain allowed:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs "ApplDFGGYUDVBFJ2","ApplDFGGYUDVBFJ3"

To set a user back to no allowed devices use the following:
Set-CASMailbox -Identity aarons -ActiveSyncAllowedDeviceIDs $Null
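The whole procedure from step 2 through step 6 as one script, as an added example that is not part of the original post. It runs in the Exchange Management Shell; the admin address, user alias and device ID are the ones used in the post's own examples and are assumptions for your environment. The Add-AllowedDevice function exists because Set-CASMailbox replaces the allowed-device list, so it reads the current list first and appends rather than overwriting.

```powershell
# Added example: Exchange 2010 SP1 ActiveSync lockdown, end to end.
# Run in the Exchange Management Shell. Values below are assumptions.
$adminMail = 'admin@didyourestart.com'
$user      = 'aarons'
$deviceId  = 'ApplDFGGYUDVBFJ2'

# 1. Quarantine anything not explicitly allowed, and get mailed when it happens.
$current = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
if ($current -ne 'Quarantine') {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients $adminMail
}

# 2. List quarantined devices. DeviceId is a property in its own right, so there
#    is no need to pick it out of the DN (CN=<DeviceType>§<DeviceId>,...).
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table DeviceType, DeviceId, UserDisplayName -AutoSize

# 3. Allow one device for its user without dropping IDs already on the list.
function Add-AllowedDevice([string]$Mailbox, [string]$Id) {
    $allowed = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs)
    if ($allowed -notcontains $Id) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs ($allowed + $Id)
    }
    (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
}
Add-AllowedDevice -Mailbox $user -Id $deviceId

# 4. Audit: every mailbox that has any device explicitly allowed.
#    -ResultSize Unlimited matters; the default stops at 1000 mailboxes.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 } |
    Select-Object Name, ActiveSyncAllowedDeviceIDs
```

A device that was quarantined stays in that state until it next connects, so after allowing it, sync once from the device and re-run step 2 to confirm it has left the quarantine list.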


Note: I found that sometimes it could take a while for a device in quarantine to generate the email saying it was quarantined. This appeared to be because the device didn't actually go to quarantine but was simply denied. In my tests this occurred when the mailbox was large or contained a large number of messages.


The other part of this controlled setup that we originally implemented was to disable ActiveSync for all users and then explicitly enable it for individual users when needed. If all devices go to quarantine or are blocked this no longer matters, and quarantine effectively stands in as a way to disable ActiveSync for everyone without actually disabling the feature. In case someone still wants to disable ActiveSync for a mailbox: Get-CASMailbox -Identity username | Set-CASMailbox -ActiveSyncEnabled $False. Leave out -Identity username (and add -ResultSize Unlimited to Get-CASMailbox, since it otherwise returns at most 1000 mailboxes) to apply it to all users.