01/19/15

Opinion: Isolation – To be or not to be?

For several years now, I’ve held the opinion that isolation is becoming less and less important when it comes to Application Virtualization of general end-user applications. You see, isolation was great when DLL hell was a major issue, but developers have got better at producing a higher standard of application. DLL hell is all but gone, in my experience at least. If you’ve ever demo’d App-V, ThinApp or any other application virtualization solution before, you’ve likely presented yourself launching multiple versions of Microsoft Word side by side on the same machine. That’s still pretty cool, but now some applications are even developed to work side by side with previous or later versions of themselves! So, what’s to be gained by isolating your applications?

Not all applications will allow multiple versions to work side by side. And although DLL hell is not a widespread problem any more, application conflicts can still occur, particularly on a shared RDS session host or a XenApp Terminal Server on which you may have many, many applications hosted and running concurrently. Containerization, which relies heavily on isolation, is also becoming popular.

Am I saying isolation should be scrapped entirely?

No, not at all. I still see the value in it, for the reasons I stated in the previous paragraph, BUT I’d love to have the option to switch the isolation off when I so please! If I have an application with drivers, I can either spend hours trying to extract the drivers or just proceed with a traditional local install. If I have an application with COM+, I can again spend valuable time extracting this. It’s not a good use of my time! We also all likely hear that companies get around 80% of their applications packaged and delivered with a solution like App-V or ThinApp. How are they handling the other 20%? Wouldn’t it be great to handle all applications the same way and without issue?

In my efforts to extract drivers in the past, I believe I could see part of the challenge for Application Virtualization vendors, and why drivers are a limitation for so many in the market, e.g. Microsoft App-V, VMware ThinApp, Spoon.net, Cameyo etc. Developers are not consistent with how they deliver their drivers. I’m sure these vendors would love to have a way to simply detect that the application you are trying to package has a driver, automatically take that driver out and deliver it side by side with the virtual application, and maintain the isolation and integrity of the app, BUT I’d also bet that it’s very difficult or impossible to code a solution to handle these when there’s no standard being followed.

01/19/15

Dealing with Drivers in App-V

This is really just me relaying my experience in dealing with applications that contain drivers. Like I said in my previous post, vendors are not consistent with how they deliver their applications, so I may not cover absolutely every possibility, but these are examples of some that I have come across.

1.) Separate Driver Installer extracted

In some glorious cases, vendors actually split out their drivers into separate packages. I’d love it if this was the standard, but it’s not! If you run the install, you may find a Drivers folder or Drivers MSI in the extracted installer under %temp%.

For a great example, check out Nicke Kallen’s great blog post HERE

2.) Vendor MSI

In a few cases, you may notice during an install of a vendor-supplied MSI that there is a feature for the actual driver install, if it’s optional.

If you are lucky enough, your application install may have an optional feature in it. If you go to the custom setup option during the install, you can usually tell if such an option exists. You can then open the MSI, go to the Feature table and find the name of the feature you want.

You might be able to just install the MSI with the ADDLOCAL= parameter set to the feature name, e.g.:

msiexec /I FoxitPhantomPDF706_Business_enu_Setup.msi ADDLOCAL=FX_Evernote

In which case, add a script to the MachineScripts of your App-V application Deployment Configuration file to install the driver as above.

01/19/15

How to: Retrieve BitLocker Encryption Keys from MBAM DB

I really like storing the encryption key within AD. But customers in the past have opted not to use it in their MBAM setups. This is because they didn’t have the greatest management of their environment in place: there were quite a number of Domain Admins in the company, all of whom could easily access the keys if they so chose. It would be as simple as getting the BitLocker Key Viewer that’s a part of RSAT and browsing to the Computer Object. Well, if you find yourself in this scenario and you want a quick way to retrieve keys, you can just run a query on the database.

You’ll want to navigate to the Hardware and Recovery Database and query the RecoveryandHardwareCore.Keys table:

SELECT TOP 1000 [Id]
,[LastUpdateTime]
,[VolumeId]
,[RecoveryKeyId]
,[RecoveryKey]
,[Disclosed]
FROM [MBAM Recovery and Hardware].[RecoveryandHardwareCore].[Keys]

This will list the keys.
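
Moving the keys out of AD only helps if access to this table is tighter than Domain Admin membership was, so the following T-SQL is an added example (not from the original post) that retrieves one volume's key instead of the top 1000 rows and then lists who can read the table. It uses only the database, schema, table and column names shown in the query above plus standard SQL Server catalog views; the key ID prefix value is a constructed placeholder, and the CAST assumes RecoveryKeyId is a GUID or string column.

```sql
USE [MBAM Recovery and Hardware];

-- Constructed placeholder: the leading characters of the recovery key ID
-- for the volume you are actually recovering.
DECLARE @KeyIdPrefix varchar(8) = '00000000';

-- 1) Fetch the key for one volume rather than listing every key.
SELECT k.[VolumeId],
       k.[RecoveryKeyId],
       k.[RecoveryKey],
       k.[LastUpdateTime],
       k.[Disclosed]
FROM [RecoveryandHardwareCore].[Keys] AS k
WHERE CAST(k.[RecoveryKeyId] AS varchar(36)) LIKE @KeyIdPrefix + '%';

-- 2) Principals explicitly granted read access that reaches the Keys table:
--    on the table itself, on its schema, or on the whole database.
SELECT pr.name AS principal_name,
       pr.type_desc,
       pe.permission_name,
       pe.class_desc,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('SELECT', 'CONTROL')
  AND pe.state IN ('G', 'W')   -- GRANT, GRANT WITH GRANT OPTION
  AND (   (pe.class = 1 AND pe.major_id = OBJECT_ID(N'[RecoveryandHardwareCore].[Keys]'))
       OR (pe.class = 3 AND pe.major_id = SCHEMA_ID(N'RecoveryandHardwareCore'))
       OR  pe.class = 0 );

-- 3) Members of the fixed database roles that can read every table.
--    Server-level sysadmin members can also read it and are not listed here.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datareader');
```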