Jaa


Support Tip: App-V v5 integration in Configuration Manager and PowerShell Policy

~ Lars Iwer | Consultant II

ToolsHere’s a quick tip on an interesting issue I saw the other day where a client was unable to open the Microsoft Application Virtualization 5.0 Service Pack 1 client GUI. Double-clicking on the system tray icon had no visible effect and instead, error events 1026 followed by event ID 1000 and 1001 got logged to the event log under Applications and Services\Microsoft\AppV\Client in the Operational Log:

clip_image002

Event 1026 contains a System.Windows.Markup.XamlParseException caused by AppVClientUX.exe

Event 1000: Faulting application name: AppVClientUX.exe […] Exception code: 0xe0434352

Additionally, App-V 5.0 SP1 packages distributed through System Center 2012 Configuration Manager would not install successfully but instead time-out. Looking at AppEnforce.log on the client shows that the installation stops when executing this command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass import-module 'C:\Program Files\Microsoft Application Virtualization\Client\AppvClient\AppvClient.psd1'; Get-AppVClientPublishingServer | Remove-AppVClientPublishing Server

Root Cause

The PowerShell execution policy was configured via group policy to „AllSigned“.

clip_image004

This leads to PowerShell trying to verify a module’s publisher before running it. The App-V client commandlets are signed but the publisher is not included in the “Trusted Publishers” certificate store by default (both for system and user).

An interactive PowerShell session asks the user for confirmation if the publisher should be trusted. When the user selects “Always run”, the code signing certificate used to sign the module is added to the “Trusted Publishers” certificate store of the current user.

clip_image006

This confirmation leads to the System Center 2012 Configuration Manager timeout since it is waiting for an interactive input.

 

Solutions

1. Change the PowerShell Execution Policy

The simplest way to get the App-V client GUI and System Center 2012 Configuration Manager App-V package distribution working is to change PowerShell’s execution policy to a less restrictive setting (e.g. “RemoteSigned”). However, usually there is usually some corporate policy or other valid business reasons for setting the policy to “AllSigned” in the first place. This leads to the second, preferred solution:

2. Install the Code Signing Certificate

The following steps show a way to distribute the code signing certificate used to sign the App-V Client PowerShell module.

1. Add the code signing certificate to the current user’s “Trusted Publishers” certificate store.

a. Launch a PowerShell session on a client where the App-V client is installed.

b. Run Import-Module AppVClient:

clip_image008

This should bring up the question above which should be answered Always Run.

2. Export the code signing certificate from the user’s certificate store.

a. Run certmgr.msc and navigate to “Certificates – Current User”, “Trusted Publishers”, “Certificates”.

b. Right-click on the certificate issued to “Microsoft Corporation“ issued by “Microsoft Code Signing PCA“ and select All Tasks, Export.

clip_image010

c. Export the certificate as DER encoded binary X.509 (.cer)

clip_image012

3. Deploy the code signing certificate via Group Policy

a. Edit a fitting Group Policy Object Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers (see https://technet.microsoft.com/en-us/library/cc770315(v=WS.10).aspx).

b. Right-click and select the menu item Import.

c. Import the certificate exported in step 2.

After updating the group policy on the client (e.g. using gpupdate /force) the code signing certificate should be present in the system’s “Trusted Publishers” Certificate store. Now it is possible again to launch the App-V client GUI and distribute App-V packages using System Center 2012 Configuration Manager successfully.

Lars Iwer | Consultant II | Microsoft Corporation

Get the latest System Center news on Facebook and Twitter :

clip_image001 clip_image002

System Center All Up: https://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: https://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: https://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: https://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: https://blogs.technet.com/momteam/
System Center – Service Manager Team blog: https://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: https://blogs.technet.com/scvmm

Windows Intune: https://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: https://blogs.technet.com/sus/
The AD RMS blog: https://blogs.technet.com/b/rmssupp/

App-V Team blog: https://blogs.technet.com/appv/
MED-V Team blog: https://blogs.technet.com/medv/
Server App-V Team blog: https://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : https://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : https://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: https://blogs.technet.com/b/isablog/
The Forefront UAG blog: https://blogs.technet.com/b/edgeaccessblog/

Comments

  • Anonymous
    January 01, 2003
    Good story

  • Anonymous
    September 18, 2013
    Please what is been done on how to sequence Visual studio on Appv 5.0?

  • Anonymous
    November 07, 2013
    It is in the pipeline.

  • Anonymous
    August 19, 2014
    I am running into this same issue but on a non-persistent vdi. I have already done the steps you have mentioned and have deployed the certificate to both computer and users. I have app-v doing a user refresh on logon and logons are really slow and when the desktop comes up there are no app-v apps. If I manually run a powershell script to do a refresh the app-v apps show up without any prompts asking to trust the module so I know the certificate GPO is working, it just seems it isn't getting there at logon. I've gone to the point of putting the cert in the base image for computers, I can't however do this for all users.

    Any suggestions on getting the trusted publisher for users there faster?