During development testing of an APP-V 5 SP2 sequence, I ran into a user account control (UAC) prompt requesting administrator credentials because the publisher of the program was unknown.
To resolve this issue, I used the Microsoft Application Compatibility Toolkit to create an application compatibility database or shim and add it to the APP-V 5 SP2 sequence. The Microsoft Application Compatibility Toolkit is now included in the Windows Assessment and Deployment Kit (ADK).
A shim is a small library that transparently intercepts an API call to the application and allows the program to function correctly by changing the parameters passed to the application, handling the operation itself, or redirecting the operation elsewhere.
Install the application with the executable that which will have the shim applied to it. Start the Compatibility Administrator (32 bit) from the Microsoft Application Compatibility Toolkit. Note that the version of Compatibility Administrator that will be used depends on the executable that will have the shim applied to it and not the chip architecture of the operating system. In this case, the program to be shimmed is a 32-bit application. If the executable to be shimmed is a 64-bit application, then start Compatibility Administrator (64 bit) from the Microsoft Application Compatibility Toolkit.
In Compatibility Administrator (32 bit), right click on New Database (1) [Untitled1] under Custom Databases and select Create New > Application Fix or click the Fix button on the ribbon bar.
On the Program Information dialog box, type the application name in the Name of the program to be fixed text box. Type the vendor name in the Name of the vendor for the program text box. Type the file path and name of the executable that will be shimmed in the Program file location text box. Click Next.
On the Compatibility Modes screen, check the RunAsInvoker check box. The RunAsInvoker compatibility fix enables an application to start by using the token inherited from the parent process.
On the Compatibility Fixes screen, check the ForceAdminAccess check box. The ForceAdminAccess compatibility fix corrects an issue where an application can be manipulated to run as an administrator.
On the Matching Information screen, click Next.
In Compatibility Administrator (32 bit), select File > Save from the menu bar. On the Database Name dialog box, type the name of the application in the Database Name text box and click OK.
In the Save Database dialog box, type the name of the shim in the File name text box and save it in a temporary location and click the Save button. Note that the application shim database has a file extension of *.SDB.
Start the APP-V 5 SP2 sequencer and modify the existing APP-V 5 SP2 sequence. In the sequence editor, select the Package Files tab.
Right click on the Scripts folder and select Add. On the New Virtual File System Mapping dialog box, click the Browse button and navigate to the temporary location where the shim file was saved. Click OK.
In the sequence editor, select File > Save.
Open < APPLICATION NAME >_DEPLOYMENTCONFIG.XML in a text editor. Locate the
When finished, the modified sections of < APPLICATION NAME >_DEPLOYMENTCONFIG.XML should look like this:
In order to install the shim with the APP-V 5 SP2 sequence, the enable package scripts setting must be turned on. This settings can be activated by running the following PowerShell command:
Set-AppVClientConfiguration -EnablePackageScripts 1.
This command sets the value of the EnablePackageScripts entry under the HKLM\SOFTWARE\Microsoft\AppV\Client\Scripting key to DWORD:00000001. The enable package scripts setting can also be enabled by adding the /ENABLEPACKAGESCRIPTS=1 parameters to the APP-V 5 client install. In addition, a group policy template also exists for the APP-V 5 SP2 client where the enable package scripts setting can be modified.
- Bob Morton, Technical Specialist
Comments(9) Add a Comment
While preparing applications for deployment through System Center 2012 Configuration Manager, you may use Global Conditions to determine which environmental requirements must be met before the application can be installed on a computer. Global Conditions in Configuration Manager are divided into three categories: device, user, and custom. The User category only contains a single Global Condition called “Primary Device” that allows you to specify whether or not a Configuration Manager Application can be installed exclusively on a user’s primary device or not.
What if you wanted to test the security group membership of a user before installing a Configuration Manager Application though? You might say: “well, I can simply create a User Collection that targets an Active Directory security group, and deploy the Application to that Collection.” That might be true, but there is another way to handle this as well, if you’d prefer to target your deployments to larger groups (Collections) of users.
PowerShell is perfect for custom tasks like this, because we can plug directly into the Microsoft .NET Framework and take advantage of the functionality contained within it. The System.Security.Principal .NET namespace contains several useful classes for us to work with around security principals. We can put these .NET types to use to retrieve a list of security groups that a user account is a member of.
The script for the Global Condition will be quite simple, and simply spits out a String containing all of the currently logged-on user’s group memberships, separated by semicolons.
The output of this “discovery script” will look similar to the following, with semicolons at the beginning and end of the string. Now, you will never see the output from this script — unless you modify the code to write the string to a log file — but you will be using the “contains” oper
;contoso\Domain Admins;contoso\Accounting;contoso\Information Technology;contoso\Human Resources;
Create a new Global Condition using the settings in the screenshot below:
Name: Check User Group Membership (you can use whatever name you prefer)
Description: This global condition checks the group membership of the logged on user.
Device type: Windows
Condition type: Setting
Setting type: Script
Data type: String
Discovery script: Copy/paste script contents from above
Run scripts by using the logged on user credentials: Enabled
Run scripts by using the 32-bit scripting host on 64-bit devices: Disabled
Once you have created the Global Condition, you are ready to use it in your Application Deployment Types. Add a new “Requirement” to your Deployment Type, select the “Custom” category, select the “Check User Group Membership” condition, select the “contains” operator, and then type the security group that you want to check for in the Value field. Make sure you include semicolons around the group name, to ensure that you don’t get an unintended partial match. For example, if you plugged in “contoso\Accounting” then the group named “contoso\Accounting Administrators” would also be a match. Using the semi-colons around the complete group name helps to avoid these situations.
Once you’ve added this Global Condition, you can deploy the Application to a large user-based Collection, but only the users that are in the security group specified in the custom Global Condition will be allowed to install the Application. This could confuse some users if they see the Application show up in the Web Application Catalog, but then see errors when they attempt to install it. Be sure you have a communication plan in place to ensure that your users know what to expect from your application configurations.
Note: This Global Condition was tested on Windows 8.1 with PowerShell version 4.0, and the script execution policy set to Unrestricted.
In this article, we have reviewed how to use a Windows PowerShell script along with a custom Configuration Manager Global Condition to restrict the applicability of Application Deployment Types to members of a specific Active Directory security group. This custom Global Condition and PowerShell script has only been validated on a computer that is a member of a Microsoft Active Directory domain, and has connectivity to an Active Directory domain controller. Please test this thoroughly in your environment prior to implementing it.
- Trevor Sullivan, Solution Architect, PowerShell MVP
You can read more posts by Trevor at Trevor Sullivan’s Tech Room.
Comments(40) Add a Comment
The Windows Installer service starts by opening the MSI package and reading the installation tables. At this time, the Windows Installer service starts the client process. The job of the client process is to run the user interface for the installation. Typically, the actions that are entered in the InstallUISequence table are run in the client process. The ExecuteAction action in the InstallUISequence table initiates the processing of the InstallExecuteSequence table. If the user interface level is set to none, the Windows Installer service skips the actions in the InstallUISequence table and starts by running the actions in the InstallExecuteSequence table.
The actions entered in the InstallExecuteSequence table are run in the service process. The job of the service process is to make changes to the operating system. The service process manipulates the system security to allow the application to be installed with elevated privileges. An NT service is used to make changes to the target system since an NT service can interact with the security mechanism of the operating systems. The ability to impersonate the local system account permits the granting of elevated privileges required to install the application. When the service process starts, the MSI database is cached in the C:\WINDOWS\INSTALLER directory. If the installation fails, the cached database is deleted. The cached file is referred to as the local package and is used to perform maintenance operations.
The client process and the service process communicate with each other through the values of public properties. The values of private properties are not shared between the client and server processes. The property names that are in mixed case letters are private properties and the properties that are in all upper case letters are public properties. Public properties can have their values set at the command line whereas private properties cannot. During the ExecuteAction action, the client process sends to the service process the value of all the public properties that have been defined in the client process.
At the beginning of the service process, the LaunchConditions action is run. The LaunchConditions action queries the LaunchConditions table for any condition that needs to be checked. If any of the conditions are not satisfied, the LaunchConditions action returns FALSE and the Windows Installer services terminates the installation. Next, the Windows Installer service performs a set of actions that check if the amount of space on the target system is adequate for the application to be installed. This set of actions is called file costing. File costing takes into account the size difference between the files that are being copied and the files on the target system. File costing also calculates the additional space required for maintaining the replaced files needed during a rollback should the installation fail. After file costing occurs, the values defined in the Property table are loaded into memory.
The InstallInitialize action in the InstallExecuteSequence table defines the beginning of the actions that will make changes to the target system. Up to this time, all of the actions have been collecting information. Actions between the InstallInitialize action and the InstallFinalize action that will make changes to the target system are written to an execution script that the Windows Installer service creates in a hidden directory. If an action is written to the execution script, the action will be implemented with the elevated privileges to make changes to the system. The InstallFinalize action closes the creation of the execution script and initiates the running of the script. As each line in the script is executed, a line is created in a rollback script that will be used should the installation encounters an error. Note that actions placed after the InstallFinalize action should not make changes to the system since these changes cannot be rolled back in case of failure.
- Bob Morton, Technical Specialist
Comments(7) Add a Comment
As you are well aware, law firms and corporate legal departments are finding themselves in the middle of a data explosion, and the unfortunate reality is that enterprise storage offerings only satisfy part of the overall data needs. Corporate data must be backed-up, archived, retained and vaulted to an off-site location during its lifecycle. To make matters increasingly difficult, our legal clients tell us their customers are demanding a reduction in cost to manage their legal affairs which means law firms need to look for ways to cut costs, especially STORAGE. We can help!
Project Leadership Associates and Microsoft have partnered on a cloud-integrated storage solution that leverages on-premises storage for active data and inexpensive cloud storage for “cold data”. Not only will you save storage costs by only paying for what you use, but you can reduce the footprint by leveraging de-duplication and compression at the block level.
During the session, attendees will learn how to remove the security, performance, application change and recovery-time barriers to adopting cloud storage in the legal space. Come see how we marry the functionality of enterprise storage with the elasticity and economics of cloud storage to deliver substantial cost savings.
Please join us to learn more about a tried and true technology that will allow you to eloquently tame the growing storage demands generated by your practice, and stop spending a majority of your budget on storage costs.
Date: Tuesday, March 25
Time: 8:30 -11:30 AM
Location: Project Leadership Associates, 120 S. LaSalle St., Suite 1200, Chicago, IL, 60603
Comments(2) Add a Comment
The below is an excerpt of an article previously published in Legal Management - The Magazine of the Association of Legal Administrators. You can read the article in its entirety here.
We often hear the following: Law firms have traditionally been technology adopting laggards. They
cannot afford to be behind the technology eight ball anymore. And without a solid technology
strategy and vision, and the ability to implement the strategic plan, law firms will fold.
Ready for more bad news? Law firm clients demand superior legal services at a lower cost. They are less loyal, less willing to keep you on just because, and more savvy when it comes to technologies
and systems that will make their lives (not yours) easier. How can firms leverage their often massive technology investment as an integral component of a game-winning, long-term strategy?
As law firm service offerings and delivery models evolve, law firm IT and technology solutions are
also undergoing great transformation. The speed of technology change is dictated by the business
value realized with significant behavioral and technology trends in the marketplace.
Project Leadership Associates, a reputable provider of high-value business and technology consulting services to the legal market, and its Law Firm IT Value Evolution Model (see graphic below) illustrate the steady increase of IT value over time. Dan Safran, Project Leadership Associates’ Executive Vice President and long-time technology advisor to law firms and corporate legal departments, sees the IT value opportunity: According to Safran, “Cloud solutions, mobility and collaboration (based on the consumerization of technology) and applications that allow IT to operate as a service to the firm, represent the newer mission-critical technologies supporting the evolving law firm. Looking closer to the horizon, increased consolidation and competition will spur greater need for closer client collaboration, and even better, true integration with law firm clients. Nothing is better for attracting and building long-term client relationships than working hand-in-hand, day-to-day alongside clients, whether that integration and interaction are physical or virtual.”
(Click to Enlarge)
- Dan Safran, Executive Vice President, Management Consulting
Comments(4) Add a Comment