Monday, 19 October 2015

Quick Query to Find Devices without Forefront Endpoint Protection

The status of the endpoint protection agent is stored in the SMS_G_System_EPDeploymentState SCCM database view, and the key to the query is filtering on the DeploymentState field. The query below will return any machine that is not fully managed via Configuration Manager.

select SMS_R_System.Name,
       SMS_G_System_EPDeploymentState.DeploymentState,
       SMS_R_System.Active,
       SMS_R_System.ADSiteName,
       SMS_R_System.IPSubnets,
       SMS_R_System.IPAddresses,
       SMS_R_System.SystemOUName
from SMS_R_System
inner join SMS_G_System_EPDeploymentState
    on SMS_G_System_EPDeploymentState.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_EPDeploymentState.DeploymentState != 3

What you need to understand is the meaning of the different values of the DeploymentState column, as the value 3 is the only true successful state. The values can be described as follows:

1 - Unmanaged
2 - To be Installed
3 - Managed (Success)
4 - Failed
5 - Reboot Pending
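
The query can also be run from PowerShell against the SMS Provider, with each DeploymentState value translated to the labels listed above and a count per state. This is an added example, not code from the original post; the server name and site code are placeholders, and it assumes Windows PowerShell, where Get-WmiObject is available.

```powershell
# Added example. $SiteServer and $SiteCode are placeholders for your environment.
param(
    [string]$SiteServer = 'CM01.example.local',  # hypothetical SMS Provider host
    [string]$SiteCode   = 'XXX'                  # placeholder site code
)

# DeploymentState values as listed in the post.
$StateName = @{
    1 = 'Unmanaged'
    2 = 'To be Installed'
    3 = 'Managed (Success)'
    4 = 'Failed'
    5 = 'Reboot Pending'
}

# Same join and filter as the query in the post, with fewer columns.
$Wql = @'
select SMS_R_System.Name, SMS_R_System.Active, SMS_R_System.SystemOUName,
       SMS_G_System_EPDeploymentState.DeploymentState
from SMS_R_System
inner join SMS_G_System_EPDeploymentState
    on SMS_G_System_EPDeploymentState.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_EPDeploymentState.DeploymentState != 3
'@

# A joined WQL query returns one object per row, with one embedded
# instance per class, named after the class.
$Rows = Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $Wql |
    ForEach-Object {
        $state = [int]$_.SMS_G_System_EPDeploymentState.DeploymentState
        $label = $StateName[$state]
        if (-not $label) { $label = "Unknown ($state)" }   # value not in the list above
        [pscustomobject]@{
            Name   = $_.SMS_R_System.Name
            Active = $_.SMS_R_System.Active
            OU     = ($_.SMS_R_System.SystemOUName -join '; ')
            State  = $label
        }
    }

# Count of devices per state, then the device list for follow-up.
$Rows | Group-Object State | Sort-Object Count -Descending | Select-Object Count, Name
$Rows | Sort-Object State, Name | Format-Table -AutoSize
```

Because the query uses an inner join, a device with no SMS_G_System_EPDeploymentState record at all does not appear in the results.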

Happy reporting!

Thursday, 1 October 2015

Real World ClickOnce and App-V 5: AFE Navigator 7.5


The reason I thought it would be good to look at ClickOnce applications and App-V 5 is that, out of the box, App-V does not handle the packaging of ClickOnce applications without changing the Sequencer configuration and jumping through some hoops afterward. Remko Weijnen provides a great overview as to how ClickOnce has played out in the enterprise and why some people just don't like leaving it alone with its default deployment architecture.

Why Sequence ClickOnce Applications?

What I want to illustrate is a real-world scenario using an application called AFE Navigator. The issue with this application is that it is a rather large ClickOnce application, at around 80MB. Now imagine every user installing this in a Remote Desktop Services environment, where their profiles begin to bloat by 80MB a user. It was clear that App-V would be more than convenient for distributing the application properly, by providing a master copy of the application that all users can share.

Sequencing AFE Navigator

First what you need to do is launch the Sequencer (I am using 5.0 SP2 HF4 in this example), go to the Tools menu and open the Options... tab.

In the options window go to Exclusion Items and remove the LocalAppData exclusion.

Of course you get the warning message confirming the deletion of the exclusion. Click Yes to continue.

Click OK when complete.

Now you are ready to package AFE Navigator. Click Create a New Virtual Application Package to begin the Sequencing process. I'll assume you know how to start up the sequencer to save a few standard screenshots.

I will stop on the Package Name screen as I do define the primary virtual application directory as being a folder off the root of C:\ rather than trying to figure out a way to make the ClickOnce application install to that folder. In App-V 5.0 SP3 and newer you will not see the option to specify the PVAD by default.

I will skip over most of the sequencing because there isn't much that is needed other than the shortcut used to launch the application. Before I finish sequencing I manually create a shortcut which points to the ClickOnce application. The shortcut would have the following properties.

Shortcut path: \\Server\Share\AFE Navigator\AFENavigator\AFENavigator.application
Icon: \\Server\Share\AFE Navigator\AFENavigator\setup.exe
Working Directory: \\Server\Share\Apps\AFE Navigator\AFENavigator

* Remember to launch the application at least once while sequencing to capture the locally installed files.

Now the big question is updates. ClickOnce is designed to have the application automatically check for updates each time it is launched. By default the VFS is not write enabled in the App-V sequencer, so these upgrades will not work, which is good in my opinion. If you did enable a writeable VFS, future updates would be redirected as user settings for the application and would bloat the size of the user profile, which wouldn't happen if we packaged the latest update. That is why I would recommend installing different versions of the application in different folders on the network share, so the packager can access the latest version, then package and deploy the upgrade as a new sequence.

In the end the question is: should we package ClickOnce applications in general? Some people do not like ClickOnce because it installs to the user profile, and others might view App-V's ability to reset the application state via App-V application repair as an important feature for supporting users. Personally I find these applications mostly benign and small, so I think this is going to come down to preference rather than a solid recommendation.
