February 10, 2021

Stop Using Windows 10 LTSC



Windows 10 comes in all kinds of variations. If you have ever run Windows 10 in a virtual desktop capacity, there has no doubt been a consideration of using the Long-Term Servicing Channel (LTSC) as opposed to the Semi-Annual Channel (SAC) that is traditionally used on physical endpoints. The two supported versions of LTSC out there as of this posting are Windows 10 1607 LTSB (this was the channel name before Microsoft changed it from Branch to Channel) and 1809 LTSC. As you can see, these are locked-in-time versions of Windows 10 that have 5 years of support before upgrades are needed, and if/when upgrades are performed you can leapfrog from one version of LTSC to another version of LTSC to remain supported. The Semi-Annual Channel has a servicing timeline of 18 months from release, meaning you should be off that particular version 18 months after it is released to maintain support. If we look at the benefits of LTSC vs SAC, we can clearly see some very appealing things for it.

Here are examples of the big ones: 
  • No Windows Store
  • No Microsoft Edge (we are talking about classic Edge not Chromium Edge)
  • No Cortana 
  • No feature updates
  • Less of the question “Who Moved My Cheese” (If you get that reference)

These few items have had administrators and engineers spend countless hours over the years trying to disable them in their virtual desktop environments via scripts, registry changes and disabling services. If we take a step back and look at it, running Windows 10 LTSC gives all of the good things and none of the bad things of running Windows 10 as a virtual desktop. I used to compare it to running Windows 7 with a Windows 10 wrapper, and if you were running LTSC in your virtual desktop environment you were probably very happy.

Then on February 1st 2018, Microsoft came along and messed it all up. They posted an article stating that Office 365 ProPlus would no longer be supported on any version of Windows 10 LTSC effective January 14th 2020. With the wide adoption of Office 365, the availability of E3/G3 or E5/G5 licensing and the ability to download the offline Office clients from these subscriptions, it is imperative to maintain support. Microsoft has always taken the stance that LTSC should only be used where the key requirement is that functionality and features don't change over time. Examples include kiosks, medical systems, industrial process controllers, and air traffic control devices. Upgrading these systems can be very detrimental to their functionality, or they are systems that cannot be updated at all for security and network-related reasons.

This caused panic and a need for IT departments to pivot away from LTSC back to SAC, and now administrators and engineers needed to figure out a way to test and accommodate these updates to prevent any issues in their virtual desktop environment.

Long story short (the TL;DR version): when deciding between the LTSC and SAC versions of Windows 10, it really should be a no-brainer, and SAC is the only way to go. For those who say they will never go to Office 365 from their on-prem Exchange because they have all of these requirements that prevent it, all I can say is "never say never". You do not want to be the reason why an entire environment is not supported. If you are working with a VAR/partner and they tell you that LTSC is the way to go for your virtual desktop image, you may want to re-evaluate that partner, as they may be leading you down a bad path.




October 12, 2020

How to Replace the Self-signed Certificate for Nutanix Prism Element and Prism Central

Purpose:

Demonstration on how to replace the self-signed certificate on Nutanix Prism Element and Prism Central.

Introduction:

There are many blogs out there about how to replace the self-signed certificate in Nutanix Prism Element and Prism Central with a domain-signed certificate. A lot of the blogs reference the need to create the Certificate Signing Request (CSR) on the command line with OpenSSL on a Linux or Windows machine. There is an alternative to this: the certificate can very easily be created using the Microsoft certificate snap-in, and OpenSSL is then used only to convert the certificate into a format that Prism Element and Prism Central accept. This is useful as a lot of workloads (Citrix, VMware, etc.) are being migrated to Nutanix for the hyper-converged benefits, and it eliminates the certificate warning and improves the security posture of the environment.

Configuration Steps:

Launch the Microsoft Certificate Snap-in for the Local Computer.

In this case I am going to create a custom request, as I want to be able to define the Subject Alternative Name and use the same certificate for Prism Central and Prism Element. At a minimum there needs to be at least one Subject Alternative Name, matching the Common Name, or popular browsers such as Mozilla Firefox, Google Chrome or Chromium Edge will produce a certificate warning stating that the Subject Alternative Name is missing.

Right-click in the Certificate Snap-in, go to All Tasks -> Advanced Operations -> Create Custom Request.


Click Next

Since we are creating a custom CSR and do not want to be dependent on an Active Directory Enrollment Policy, select Proceed without an Enrollment Policy.

On the Template dropdown, select (No Template) Legacy Key -> Click Next

Expand Details -> Click Properties

Under Friendly Name, fill in the friendly name of the certificate. In my case prism.domain.lab.

Fill in all of the certificate details such as the Common Name, Organization, Organizational Unit, Locality and State under the Subject name section. Under the Alternative Name section fill in all of the Alternative Names, in my case prism.domain.lab, prism, prismcentral.domain.lab and prismcentral. This allows both short names and fully qualified domain names to be used without producing certificate warnings.

Under the Private Key tab make sure that the Key Size is 2048 bit (always use this) and that Mark private key exportable is checked, or the certificate cannot be exported with its private key after signing is complete. -> Click Apply

Save the CSR to a location for easy access.

Now head over to your Domain CA Web Enrollment portal, typically from a browser go to: https://domaincafqdn/certsrv. Click Request a certificate.
Click advanced certificate request

Click Submit a certificate request by using a base-64 encoded CMS or PKCS #10 file


Open the CSR generated earlier and copy and paste its contents into the base-64 encoded certificate request (PKCS #10 or PKCS #7) field. On the Template dropdown select the appropriate Web Server template defined by your Domain CA administrator. In my case Web Server 2048Bit SHA256.

Once the CSR has been submitted and the request has been answered by the domain CA, the file should be saved in a place for easy access. In my case the file is named prism.domain.lab.answer.cer.

Now back on the machine where the CSR was generated, in the Microsoft Certificate Snap-in Right-click -> All Tasks -> Import

Click Next


Click Browse


Browse to the previous location where the answer file was saved. -> Click Open


Click Next


Make sure the Personal Store is selected -> Click Next


Confirm settings -> Click Finish

Now the certificate needs to be exported as a PFX file, which contains the private key. When exporting from Windows the private key is encrypted with a password. This password will need to be retained in order to perform the next steps in OpenSSL, which extract the certificate pieces and remove the password from the private key.

We can extract the private key from a PFX to a PEM file with this command:
# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key:
# openssl rsa -in key.pem -out server.key


Open the .key file and remove the bag attributes and issuer information, or Prism Element and Prism Central will not be able to use it. In addition, the intermediate and root certificates for the Domain CA need to be available, and if there is both an intermediate and a root they should be copied into a single file saved with a .cer extension.
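Cleaning the files by hand is easy to get wrong, so here is a small Python helper (an added example, not from the original post or from Nutanix) that does what the step above describes: it keeps only the PEM block itself, drops the "Bag Attributes", "subject=" and "issuer=" lines that openssl pkcs12 prints in front of it, refuses a key that is still password protected (the openssl rsa step was skipped), and concatenates the intermediate and root CA certificates into one chain file. The sample inputs are constructed to look like openssl output; the base64 bodies are placeholders, not real keys or certificates.

```python
import re

# One PEM block; the backreference makes sure the BEGIN and END labels agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}   # unencrypted PKCS#8 or legacy RSA
ENCRYPTED_LABELS = {"ENCRYPTED PRIVATE KEY"}       # what openssl pkcs12 -nocerts writes by default


def pem_blocks(text):
    """Return (label, block) pairs for every PEM block in text.

    Each block is rebuilt from its label and body only, so anything printed
    before the BEGIN line (bag attributes, subject=, issuer=) is dropped and
    line endings are normalised to LF.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        lines = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        body = "\n".join(lines)
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return blocks


def is_encrypted_key(text):
    """True if the key still carries a password (PKCS#8 encrypted label or legacy Proc-Type header)."""
    for label, block in pem_blocks(text):
        if label in ENCRYPTED_LABELS or "Proc-Type: 4,ENCRYPTED" in block:
            return True
    return False


def clean_private_key(text):
    """Return the bare, unencrypted private-key block, or raise if the file is not usable."""
    if is_encrypted_key(text):
        raise ValueError("key is still encrypted; run 'openssl rsa -in key.pem -out server.key' first")
    keys = [block for label, block in pem_blocks(text) if label in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    return keys[0]


def clean_certificate(text):
    """Return the bare certificate block; exactly one CERTIFICATE block is expected."""
    certs = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(certs)}")
    return certs[0]


def build_chain(*ca_texts):
    """Concatenate CA certificates (issuing intermediate first, root last) into one chain file body."""
    return "".join(clean_certificate(t) for t in ca_texts)


# Constructed samples resembling openssl pkcs12 output; bodies are placeholders.
SAMPLE_KEY = """Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: prism.domain.lab
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7PLACEHOLDER
-----END PRIVATE KEY-----
"""

SAMPLE_ENCRYPTED_KEY = """Bag Attributes
    friendlyName: prism.domain.lab
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIPLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
"""

SAMPLE_CERT = """Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: prism.domain.lab
subject=CN = prism.domain.lab, O = Domain Lab
issuer=CN = domain1-CA
-----BEGIN CERTIFICATE-----
MIIDLEAFPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
"""

SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIDINTERMEDIATEPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nMIIDROOTPLACEHOLDER\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # With real files: open("server.key").read(), open("cert.pem").read(), etc.
    print(clean_private_key(SAMPLE_KEY))
    print(clean_certificate(SAMPLE_CERT))
    print(build_chain(SAMPLE_INTERMEDIATE, SAMPLE_ROOT))
```

Feed it the server.key, cert.pem and CA files produced by the OpenSSL commands above; the returned strings are what you write to the .key, .pem and .cer files that get uploaded to Prism. Keeping the intermediate ahead of the root in the chain file follows the usual ordering for CA chain uploads.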


Log in to either Prism Element or Prism Central.


In the settings, go to SSL Certificate -> Click Replace Certificate



Make sure Import Key and Certificate are selected -> Click Next

RSA 2048 should be selected by default. Select the appropriate files. In my example, prism.domain.lab.key for the Private Key, prism.domain.lab.cert.pem for the public certificate and domain1.ca.cer for the CA certificate chain -> Click Import Files

It may take a few moments, then the window should reload and there is no longer a certificate warning on Prism. The certificate installation is the same for both Prism Element and Prism Central.

The certificate can be viewed in the browser, and it should be the same certificate that was issued earlier.




July 22, 2020

Don't Use Your Physical Image in Your Virtual Environment


Are you using SCCM, WDS or other deployment tools, or have you been asked to, when deploying your virtual desktops or virtual application servers? If so, there can be some serious issues with this. I am often asked by folks who want to deploy Citrix or VMware Horizon images using the same image that is used for physical endpoints. Not only is this a bad idea, it can have performance ramifications and also lead to best practices not being followed.

I have always been a believer that hand-building the operating systems for virtual desktops and application delivery servers is the best approach, because it ensures we know what went into the image. I understand the gripes about manually installing the applications and the extra work, but the extra work now can save a lot of headaches later, and "this is how we build our images" is not a good enough reason to justify using the same image in the virtual environment. Often, and in most cases, the person doing the deployments and the person running the virtual desktop environment are not the same. They build images on physical endpoints or on a completely different hypervisor, they never optimize the image and just let things fly. Since these are physical endpoints with dedicated hardware, they rarely if ever experience any issues from being unoptimized. In the datacenter, on a virtual desktop or an application delivery server that shares host resources with other virtual machines, we need to optimize things as much as possible.

Here are two examples of recent environments where there were issues with using SCCM to deploy the same image as physical endpoints:

  1. The first was in the medical field, where the customer wanted to move from persistent Windows 10 desktops to pooled non-persistent virtual desktops, as the administrative overhead of having persistent desktops and having to administer them with deployment tools was not feasible. Also, when asked to justify the need for a persistent desktop pool, the response was "that is how we have deployed it before", so there really was no reason to have it. When it came time to build the Windows 10 non-persistent image, the customer completely disregarded my suggestion to build the Windows 10 base image by hand and used WDS to deploy the "standard" image that is deployed on physical endpoints. The end result was a known bug in the image in which the start menu stopped responding to left clicks. This bug also existed on physical endpoints but was hacked around by copying profiles over the default profile; when this was done on the non-persistent desktop image, it caused Citrix Profile Management to create temp profiles on each login. After countless days of the customer trying to remediate this, the only successful fix was to break out the ISO, install the operating system by hand and manually install the applications, after which everything functioned correctly.
  2. The second example was a large law firm migrating from an on-prem Citrix environment to VMware Workspace ONE. When it came time to build their images for the RDS Linked Clone pool, they stressed a need to use an existing task sequence that was built for Windows 10 and force it to target a Windows Server 2016 operating system. The issue here is that the applications were installed first and the RDS Session Host role afterwards. It has long been a known best practice for RDS Session Host servers that the RDS Session Host role be installed prior to installing applications, because application settings may need to be captured into the RDS shadow key. In this environment there are small abnormalities in application behavior even today due to the incorrect installation sequence.

Long story short, when building the images for your virtual desktops and application delivery servers, be careful how you approach this. As the common adage goes, "you can't build a house on a bad foundation", and doing things incorrectly could lead to a bad user experience.

Johnny @mrjohnnyma