The case of the failing signed driver install

February 11, 2010

I was asked recently to look at a couple of support cases that had been logged where installations of our Application Manager and Performance Manager products were failing. The logs from the failed installations, obtained from invoking msiexec with the /l*vx syntax, gave the following error:

(Error code 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

A web search for the error gave many matches which didn’t really help so I then tried to reproduce the error in a Windows Server 2003 x86 virtual machine but the installation worked fine, as it usually does. Analysis of the msiexec log from the failing system indicated that the error was occurring when installing our signed device drivers. So next I ran the great Process Monitor tool from SysInternals, now Microsoft, to try and understand what was happening, file system and registry wise, during the installation, particularly around the area where the msiexec process installs the device drivers.

What this showed me was immediately before our driver catalog (.cat) file was read, the “State” registry value in the following key was being read:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Given the error text from the failed installation, this looked relevant. A quick web search threw up a number of interesting articles, namely:


which led me to try changing the “state” value in the registry in my test VM from 0x23c00 to 0x40000  (WTPF_ALLOWONLYPERTRUST as per the MSDN link above and the wintrust.h header file so effectively much more restrictive than what was in this value by default).

Retrying the previously successful installation in my test VM then gave exactly the same error that our customers had been experiencing. On passing this information on, both customers confirmed that their “state” registry values were either not as per the default or were missing, due to the parent key being absent, and that setting the “state” value to the default allowed the drivers to be successfully installed.

Case(s) solved! But this leaves me with the desire to know what caused this to happen, particularly as we have had two cases from different customers logged so closely together, given that I stopped believing in coincidences many years ago. This is the main reason for me blogging about this issue – I hope that by the power of search engine indexing that if others suffer this issue then they will be brought here and their problem solved.

Guy Leech

10th Feb 2010

What’s the risk in your Desktop Strategy?

September 24, 2009

As we progress with our desktop strategies it is becoming clear that there are common themes that are competing with each other for priority. This depends on what is most important to your strategy will ultimately decide on what type of desktop delivery stack you will ultimately choose. There is no wrong or right answer, regardless of what the one-hit wonder desktop virtualization vendors may say. Their opinion will always lead you to their vision of desktop virtualization regardless of what is truly important for your organization. The answers that will lead you on your right path will be a trade-off and prioritization of;

  • Lower TCO: Lower hardware & management costs and a standardized desktop
  • Higher Productivity: High availability, high performance, low maintenance
  • Security: Greater control of data, configuration and malware
  • User Acceptance: Use case driven for flexibility, productivity and unique desktop experience
  • Risk: Trade off the risk of an unproven delivery mechanism against perceived benefits

When organizations are considering user acceptance they will ultimately consider it as the trade-off against lower TCO and security. Because the new desktop virtualization vendors are also marketing their products with the user in mind, they are offering some degree of user personalization with the promise of lower TCO and a more secure computing environment. However, following this seemingly alluring path is also frought with risk. The term “one-hit wonder” refers to the fact that these vendors are providing technology whereby they provide the whole desktop virtualization delivery mechanism. They may only do one thing well but you have to take the whole stack with little option to swap components out. This makes these vendors a single point of failure in your whole desktop virtualization stack. Also, new and unproven technology usually requires significantly more support. Enterprises with thousands of users require a lot of support regardless of the maturity of technology. Start-up vendors are unlikely to have a support organization that won’t strain under this type of pressure. This risk will surely restrict the roll out to only where that benefit is seen as being absolutely essential.  This will not lower TCO, as this will only really be realized with a homogoneous desktop delivery mechanism, not a heterogenous one where each use case has a completely different desktop delivery stack.

The key is to create a desktop delivery mechanism that suits all of your use cases and achieves the Lower TCO, gains the higher productivity and ensures security. Risk can be handled by creating a desktop delivery mechanism based on mature technology, proven enterprise level vendors and best of breed solutions that have been designed to work with multiple desktop delivery technologies. But to achieve this and satisfy all of the use cases will require a way to ensure user acceptance by task worker, knowledge worker and mobile worker alike.

The answer is strickingly simple, thankfully.

Choose the desktop delivery mechanism that suits your priorities and avoid trade-off for user acceptance by using a best of breed User Environment Management solution that can work with both your existing desktop delivery mechanism and your planned desktop strategy regardless of whether it is homogenous or heterogenous, physical or virtual.

AppSense User Environment Management products that provide the ability for users to create their own unique and productive desktop experience with personalizations, user data and user-installed applications are a perfect example of how user acceptance can be achieved over any desktop delivery mechanism. More to the point, they key to avoiding the trade-off is by providing a solution that helps IT manage the user personality. This is why granular policy management is so important. With AppSense, IT make the decisions as to the users entitlement to personalize and roam without fear of loss of data, applications and personalizations. AppSense also seamlessly automates the usually painstaking aspects of migrating a users unique desktop experience through a windows upgrade. A single best of breed User Environment Managemet solution, a single user personality, any desktop delivery mechanism. IT in control of it all. It couldn’t be simpler.

How To Guide: Streaming Microsoft Office with Citrix XenApp 5 – Best Practice Guide & Licensing Overview

August 27, 2009

Citrix Technology Professional (CTP) Alexander Ervik Johnsen has written a very useful piece on how to Profile and Stream Microsoft Office 2007 using Citrix XenApp 5.0

This is a great guide and covers how to stream Office to a desktop, or, into a Citrix XenDesktop session.  His article and guide can be found on his website here.

Further to the actual process of profiling and streaming the Office application, I also want to ensure everyone is aware of the Microsoft Per Device Licensing Model for Server Hosted Applications.

Many Microsoft applications, including Microsoft Office™, Project™ and Visio™, are licensed on a per-device basis. This means a desktop application license is required for each and every device that is able to potentially access the application or server where the application is installed, regardless of whether a user executes and runs the application of not.  This makes licensing Microsoft applications in virtual environments a tricky, potentially very costly, and misunderstood subject. 

One misconception is that by ‘publishing’ or ’streaming’ applications to a limited “user” group, that group is compliant with the Microsoft license agreement – in other words, Microsoft licenses their applications per user.  This is in fact in breach of the Microsoft licensing model, and can lead to legal action.

I have written a blog, which also includes official Microsoft approved whitepapers on how to control and enforce application access and license compliance on a per device basis  in such virtual environments,  that blog can be found here

In addition to helping ensure compliance, effective license control and management can also reduce Microsoft License requirements and associated costs – more information on this can be found here.

If anyone has any questions or comments, as always, please do let me know.


NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

August 26, 2009

This is the third installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2.  (If you have not yet downloaded this latest release, you can read more info and download it from here )

AppSense Environment Manager 8.0 Service Pack 2 introduces a new protocol for transferring data between the endpoint device and the server database which holds all the user personalization settings.

The change means that the Personalization Server now benefits as it has to do a lot less processing in order to insert or extract the required data from the database, and can therefore support a lot more users and even faster response times.

Part of this change is to store the user’s personalization data in a compressed format in the database, which means the required database footprint is a lot smaller (in some cases by a factor of 10).

Internal performance tests yielded the following results:

  • 87.5% increase in performance scalability between version 8.0 and 8.0 SP2.
  • 45.0% increase in performance scalability between version 8.0 SP1 and 8.0 SP2.

Note: On upgrade to Service Pack 2, User Personalization data is in the old protocol format. This data is upgraded to the new format, in the database, on demand as applications are used and such, will incur a small performance hit on first launch. However, once all endpoints are upgraded to Service Pack 2 and all data in the database has been upgraded, the performance of User Personalization will be much higher than previous releases and scalability will be dramatically improved.

As always, if you have any questions or require any further information, please do get in touch.

As this is an ever growing blog topic, the previous posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions