Randomizing the Windows Update start time
When working with persistent desktops in a virtual environment like VMware Horizon View, software installations have to be handled very carefully to avoid overwhelming shared resources. While some products like Microsoft’s System Center Configuration Manager include randomization features to spread out installations over a short window, Microsoft’s Windows Update does not include a similar function.
If you’ve ever had to configure Windows Update via group policy, you are probably familiar with the main “Configure Automatic Updates” screen. Below is a pretty typical configuration for desktop computers where you want installs to happen automatically in the middle of the night.
When the scheduled install time of 03:00 AM hits, all of the computers will begin installing their updates at the same time. To work around this problem, you could configure multiple group policies with different start times or even directly modify the registry setting HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime on different sets of computers. In either case this is not very useful, since you can only set the scheduled install time by hourly increments.
A better option is to use the Windows 7 Task Scheduler to perform the Windows Update operations. With the Task Scheduler, you can be extremely granular with your scheduling. The best feature of the scheduler is that you can delay the task for a random interval:
Here is a script that I’ve adapted from a post on MSDN explaining the Windows Update API. This script will talk to your Windows Update server to identify required updates, download and install the updates, then reboot if nobody is logged into the computer. If a user is currently logged in, they will see the normal Windows Updates prompts to reboot. The script will also log the details to a log file created in the same directory.
The script can be easily installed to run from the Task Scheduler with the schtasks.exe command. Create a task with the settings you want, export it to an XML file, then use this command to install it.
schtasks.exe /Create /F /RU "SYSTEM" /NP /XML "WindowsUpdateRandomizer.xml" /TN "Windows Update Randomizer"
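A task definition of the kind the schtasks.exe command above imports, written out and registered from PowerShell. This is an added example, not the author's exported task file: the script path, the assumption that the script is a VBScript run by cscript.exe, the 03:00 start and the two-hour RandomDelay are all placeholder values. Because the task runs as SYSTEM, the example first refuses to register it if the script can be modified by anyone other than SYSTEM or Administrators.

```powershell
# Added example, not the author's task file. Assumed values: the script path,
# cscript.exe as the host, the 03:00 start and the two-hour random delay.
$ScriptPath = 'C:\Scripts\WindowsUpdateRandomizer.vbs'   # placeholder path
$XmlPath    = Join-Path $env:TEMP 'WindowsUpdateRandomizer.xml'

# The task runs as SYSTEM: refuse to register it when anyone other than
# SYSTEM (S-1-5-18) or Administrators (S-1-5-32-544) may change the script.
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$sid  = [System.Security.Principal.SecurityIdentifier]
$risky = (Get-Acl $ScriptPath -ErrorAction Stop).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $mask) -ne 0) -and
    ('S-1-5-18', 'S-1-5-32-544' -notcontains $_.IdentityReference.Translate($sid).Value)
}
if ($risky) { throw "Script is writable by: $(($risky | ForEach-Object { $_.IdentityReference }) -join ', ')" }

# Daily trigger at 03:00; RandomDelay spreads the real start over the next 2 hours.
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-01-01T03:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <RandomDelay>PT2H</RandomDelay>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\cscript.exe</Command>
      <Arguments>//NoLogo "$ScriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@
$xml | Out-File -FilePath $XmlPath -Encoding Unicode   # UTF-16, matching the XML declaration

schtasks.exe /Create /F /RU "SYSTEM" /NP /XML $XmlPath /TN "Windows Update Randomizer"
if ($LASTEXITCODE -ne 0) { throw "schtasks.exe failed with exit code $LASTEXITCODE" }
```

The ACL check covers only the script file itself; the folder that holds it needs the same restriction, since the task will run whatever is at that path.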
VMware View Dual Mouse Cursors with Portrait Monitor
In our VMware Horizon View implementation we ran across a weird problem where the user would see a dual mouse cursor on any monitor configured in Portrait mode. I’m sharing the solution here in case anyone else runs into this issue.
We use repurposed Dell Optiplex 760 desktop computers with Windows ThinPC as our VMware View Clients. If a computer has a monitor rotated in Portrait mode, the mouse cursor in View is corrupted and appears as 2 cursors that are offset. If the computer has dual monitors and only one monitor is rotated in Portrait mode, the problem only exists on that monitor.
We tried a number of different troubleshooting techniques which did not work: disabling cursor shadow, changing cursor styles, changing to XP or Windows 7 Pro, using old versions of the View client, trying different versions of the video driver, etc.
We did notice that the problem was specific to our Dell hardware (with an integrated Intel video adapter). Testing with other computers did not result in the same problem. Unfortunately, we have hundreds of this specific model we had hoped to repurpose as ThinPC View clients.
After working with VMware tech support, they suggested the following solution which worked:
Create a text file called C:\ProgramData\VMware\VMware Horizon View\config.ini. Add the following line to the file:
This solution works on the latest Horizon View Client 3.0.0 and on the older 2.x.x and even older 5.x clients.
Originally the VMware tech directed us to VM KB 1754 for instructions about how to add the config.ini. Following these directions, we at first tried putting the config.ini file in the C:\ProgramData\VMware\View folder, but this had no effect. It wasn’t until we tested by putting it in the “VMware Workstation” folder that it worked correctly. Just to be clear, this is to fix Horizon View. We are not using VMware Workstation at all, but this folder did exist on our ThinPCs.
What is also interesting is that the only place where this setting appears in the VMware KB is in VM KB 1281, an article targeted at the old Windows-based GSX Server.
**Update July 14, 2014**
The 3.0.0 View client has now fixed the path for this file, so it should be in the VMware Horizon View directory instead of the VMware Workstation directory.
InstallAware errors with SCCM
Had a ticket escalated to me from our applications team where a setup.exe installation program would work fine when run manually, but would fail to install when run through Microsoft System Center Configuration Manager (SCCM).
The installer for this particular application was made by InstallAware. A quick Google search for InstallAware SCCM turns up a lot of people having problems installing programs packaged with this toolkit on SCCM. Some of the posts are worth a read as interesting examples of how NOT to provide tech support.
The only useful suggested steps are:
- Set ALLUSERS=TRUE on the command line (doesn’t help)
- Running the command with PSEXEC -i -s (doesn’t help)
- Changing to the toolkit’s Native Engine instead of MSI (not an option as an end user)
Here’s how I got it working
First step was to turn on logging in the SCCM package using the /L="C:\Windows\Temp\Logfile.txt" switch.
Reviewing the log revealed this error message:
MSI (s) (68:34) [09:38:04:280]: Executing op: FolderCreate(Folder=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Net Deed Plotter,Foreign=0,,)
MSI (s) (68:34) [09:38:04:282]: Executing op: FolderCreate(Folder=C:\Windows\TEMP\mia277A.tmp\SetupNetDeedPlotter.exe\,Foreign=0,,)
MSI (s) (68:34) [09:38:04:284]: Note: 1: 1312 2: C:\Windows\TEMP\mia277A.tmp\SetupNetDeedPlotter.exe
MSI (s) (68:34) [09:38:04:286]: Note: 1: 2205 2: 3: Error
MSI (s) (68:34) [09:38:04:287]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1312
Error 1312. Cannot create the directory 'C:\Windows\TEMP\mia277A.tmp\SetupNetDeedPlotter.exe'. A file with this name already exists. Please rename or remove the file and click retry, or click Cancel to exit.
MSI (s) (68:34) [09:38:04:289]: Note: 1: 2205 2: 3: Error
MSI (s) (68:34) [09:38:04:290]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (68:34) [09:38:04:292]: Product: Net Deed Plotter -- Error 1312. Cannot create the directo. A file with this name already exists. Please rename or remove the file and click retry, or click Cancel to exit.
Action ended 9:38:04: InstallFinalize. Return value 3.
The setup program obviously is creating a temporary folder in C:\Windows\Temp\mia277A.tmp and extracting itself there before installing. So the question is: why is it trying to create a directory where the setup executable is already located?
At the top of the log file is a Variables section which details installation parameters and detected settings (locations of Program Files, Common Files, etc). A quick review of the Variables revealed this setting:
The first line of the error message above shows that the installer was at the point of installing shortcuts (it was creating a folder under Start Menu\Programs). It is now clear that the next line was trying to place a shortcut on the desktop. Since the DesktopDir variable was incorrectly detected by the toolkit, it ran into the error.
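The correlation done by hand above (a failed FolderCreate, and the folder operation just before it) as an added PowerShell example that is not part of the original troubleshooting. The function name Find-FolderCreateFailure is hypothetical, and the sample lines are copied from the log excerpt in this post.

```powershell
# Added example: find FolderCreate operations that Windows Installer rejected
# with error 1312. Sample lines are copied from the log excerpt in this post.
$sample = @'
MSI (s) (68:34) [09:38:04:280]: Executing op: FolderCreate(Folder=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Net Deed Plotter,Foreign=0,,)
MSI (s) (68:34) [09:38:04:282]: Executing op: FolderCreate(Folder=C:\Windows\TEMP\mia277A.tmp\SetupNetDeedPlotter.exe\,Foreign=0,,)
MSI (s) (68:34) [09:38:04:284]: Note: 1: 1312 2: C:\Windows\TEMP\mia277A.tmp\SetupNetDeedPlotter.exe
Action ended 9:38:04: InstallFinalize. Return value 3.
'@ -split "`r?`n"

function Find-FolderCreateFailure {   # hypothetical helper name
    param([string[]]$Lines)
    $previous = $null
    $last     = $null
    foreach ($line in $Lines) {
        if ($line -match 'Executing op: FolderCreate\(Folder=(.+?),Foreign=') {
            # Remember the two most recent FolderCreate targets.
            $previous = $last
            $last     = $Matches[1].TrimEnd('\')
        }
        elseif ($line -match 'Note: 1: 1312 2: (.+)$') {
            $failed = $Matches[1].Trim().TrimEnd('\')
            # The folder created just before the failing one shows which
            # install step (here, the Start Menu shortcuts) had been reached.
            $preceding = $last
            if ($last -eq $failed) { $preceding = $previous }
            New-Object PSObject -Property @{
                FailedFolder       = $failed
                PrecedingFolder    = $preceding
                # A "folder" that ends in an executable name means a directory
                # variable resolved to the installer's own path.
                PointsAtExecutable = [bool]($failed -match '\.(exe|msi)$')
            }
        }
    }
}

# For a real log: Find-FolderCreateFailure -Lines (Get-Content 'C:\Windows\Temp\Logfile.txt')
Find-FolderCreateFailure -Lines $sample | Format-List
```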
(TLDR) So finally the solution
Add the DESKTOPDIR variable to the command line. The directory when installing as SYSTEM is C:\USERS\PUBLIC\DESKTOP. (The variable for this in PowerShell is "$env:Public\Desktop".)
SETUP.EXE /S DESKTOPDIR="C:\Users\Public\Desktop"
Hope this helps!
Replacing Outlook 2011 (Mac) with Apple’s Mail, Calendar & Contacts
I recently decided to give up on Outlook for Mac 2011 and try to substitute Mac OS X’s Mail.app, Calendar and Contacts. If you’ve used Outlook 2011, you know that it is lacking in most of the Enterprise Outlook features, but that also means it can be replaced with some other native client. I still have a copy of Office 2010 running on a Parallels VM for when I need the more advanced features (like message expiration dates or voting buttons).
For the most part the integration with Microsoft Exchange 2010 works well, but Mail.app has given me some headaches. Here’s a quick list of my solutions:
Fixing the Outgoing Message Font Problem
In Microsoft Office 2010, the default font for outgoing messages has been changed to Calibri. I would like my messages to appear as normal as possible to my coworkers, so inside Mail’s Fonts & Colors preferences page, I set my font to Calibri 15. However, when the message was received in Outlook 2010, the font appeared as Times New Roman. Looking at the source HTML of the message, I could see that no Font information was included in the message.
To fix this problem, you can select all of your text and set the font before sending each message. A better alternative is to purchase the Universal Mailer plugin (currently $4 for 5 copies).
Forcing Reply and Forward Headers to use Outlook 2010 style
When you reply to a message with Mail.app, it formats the headers of the previous message in a way that makes it obvious that you are not using Outlook:
This can be adjusted using a Mail bundle (plugin) called QuoteFixForMac. Enable the Customized Attributions, HTML and automatic conversion:
Enable the advanced templating (required for CC detection):
Finally, add the following code to the Reply and Forward sections (matches US English Outlook 2010 style):
Although this plugin is freely available, I encourage you to donate a few dollars to encourage continued development.
Creating a fancy signature
My signature block includes a picture for my company logo. Unfortunately when I cut and pasted the signature out of Outlook 2011 into Mail.app’s signature preference page, the picture was transformed into an attachment.
The trick is to save the image file to your desktop, open it in Preview, then copy it and paste it back into Mail. I’m not sure why it works, but it does.
Other Mail Plugins
For more information on Plugins to Apple Mail, check here: http://www.tikouka.net/mailapp/
Cisco ASA Active FTP problem even with ftp inspect enabled
I recently needed to connect to a vendor’s ACTIVE-only ftp site. Although my Cisco ASA 5500 series firewalls were handling PASSIVE ftp without any problems, for some reason they would not pass active ftp.
As usual with active ftp connection problems, the initial port 21 tcp connection would work properly and login successfully. However, the subsequent ftp-data (port 20) connection would fail.
Researching on the Internet turned up the usual recommendation for Active ftp problems: enable FTP Inspection. Unfortunately, this didn’t solve the problem because the firewall was already inspecting ftp traffic. For example:
cisco-asa# show run | b policy-map
I next pulled up the ASA logger and checked the traffic. I could see the initial TCP connection from my laptop (10.1.1.70) to the ftp server, but I also saw a connection attempt from 10.5.162.0. In this case, the dot-zero address was the network address, so it could not have been another computer making the same connection attempt. Instead, this is the ASA’s ftp inspection trying to “fixup” the active ftp session.
It turns out that the 10.5.162.0 IP network was the first network in the group of our standard outgoing NAT rule:
nat (inside,outside) after-auto source static grp-AllData public-NAT
When checking out the NAT rule, I found the problem: the NAT rule was configured as a Static NAT instead of a Dynamic PAT (Hide). Since the ASA thought this was a static (one-to-one) translation, it was choosing the first IP address that it found in the group and using it in the Active FTP connection.
My guess is this problem occurred months ago during the upgrade to 8.3 when all of the NAT rules were re-written. I’m honestly surprised that the ASA would accept a group as a static NAT, but everything else had been working fine.
After changing the NAT to Dynamic PAT (hide), the ASA began correctly identifying the IP address to use in the Active FTP’s data connection.
Disable Time Machine local backups on Mac OS X Lion
If you’re using an SSD and trying to conserve disk space, you might want to disable the Time Machine local backups feature. This feature places Time Machine backups on your local drive while you are disconnected from your Time Machine external hard drive. To disable it, run:
sudo tmutil disablelocal
then reboot. To restore the functionality, use:
sudo tmutil enablelocal
Using the Windows Hotkey in Remote Desktop on OS X
I spend a lot of my day in Microsoft Remote Desktop Client for Mac OS X (RDC). Normally when managing Windows servers I use WIN-R to pull up the “Run” command and WIN-E to open Explorer windows. On the Mac, this usually equates to ⌘-R or ⌘-E. While this works great in the VMware vSphere Client or Parallels, it doesn’t work in RDC.
To make it work in RDC, open up the Preferences window and click on the Keyboard tab. Double-click on “Windows Start Key” to change it from option-F1 to the command key (⌘). You’ll have to close and reload the RDC software for the change to take effect.
The downside to this change is that you won’t be able to use the command key for any hotkeys in the RDC app. For example, ⌘-Q will no longer quit RDC. Fortunately ⌘-C, ⌘-X, and ⌘-V will still perform the copy, cut and paste functions.
If you want to use the hotkey to quit RDC, you’ll need to map a different key combination to the Quit RDC command. In the example below, I use option-command-q.
Unfortunately if you have a lot of RDC settings files (I usually have one for each server), you’ll need to edit each of these files to apply the change. Fortunately these files are in XML format, so it’s an easy Find and Replace task.
I know I could’ve used the command line to do this, but I cheated and used Textmate. Create a new project file in Textmate and drag all of the *.rdp files into the project pane. Next click Edit…Find…Find in Project… The RegEx below should do the trick. I’d suggest doing a single replace before clicking on the Replace All button. To do this, perform the find, then select the line item and click on Replace Selected.
Parallels Caps-Lock Fix
I’m a huge fan of Parallels, but for the past few months I’ve been struggling with a problem with my CAPS LOCK key.
I manage a lot of VMware virtual machines using the vSphere Client via Parallels on my MacBook. Even though I never use my CAPS LOCK key, for some reason it gets reversed from what it is on my Mac when working in the vSphere Client.
When it gets reversed, I can turn CAPS LOCK on and it turns it off inside the VM. However, this works only briefly and usually it gets reversed again within a few minutes.
I enabled the fix listed below and have not had any problems for the past week. Can’t tell you how thrilled I am that this problem is fixed.
sudo defaults write 'com.parallels.Parallels Desktop' 'HID Host Hook.CAPSLOCK Sync' -bool false