# citrix-app-layering
n
@Paul Brown / @Brandon Mitchell: Rehashing a CrowdStrike thread from a while back (https://www.linen.dev/s/worldofeuc/t/16925258/is-anyone-using-crowdstrike-with-app-layering-if-so-any-tric), are you guys still installing CS in an app layer that is domain joined? We have been using the Platform layer, and I'd like to go the app layer route, but if it means joining the layer to the domain, not sure it's worth the effort. Still bonkers to me that this is even a requirement.
p
I'm installing in an App layer, but it is not domain joined.
n
So you just allow the provisioned VDA to contact the domain at boot and pull down policies?
p
Yup. I know that exposes them to random delay on the CS side, and pointed out the flaw to our cyber team, who took it up with CS. But that's the workflow.
b
I'm also installing it to an App Layer, non-domain joined. I got from our SE a list of IPs that the CSA talks to to pull down the policy. I have an install script that watches for the installer to stop talking to those IPs, then sleeps 5 minutes before sealing. I'll share the script when I'm back in the office tomorrow.
n
Awesome, thank you! I think our security team will shoot down any idea of bringing up a VDA without immediate policy/protection.
b
That, and without the policy there are no exclusions. Without exclusions for FSLogix we had random VDA reboots.
```powershell
# PowerShell Wrapper for MDT, Standalone and Chocolatey Installation - (C)2015 xenappblog.com

# Example 1: Start-Process "XenDesktopServerSetup.exe" -ArgumentList $unattendedArgs -Wait -Passthru

# Example 2 Powershell: Start-Process powershell.exe -ExecutionPolicy bypass -file $Destination

# Example 3 EXE (Always use ' '):
# $UnattendedArgs='/qn'
# (Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode

# Example 4 MSI (Always use " "):
# $UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"
# (Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "CrowdStrike"
$Product = "Windows Sensor"
$PackageName = "WindowsSensor"
$Version = "7.17.18721"
$InstallerType = "exe"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$PackageName.$InstallerType"
# CID is the customer ID from the Falcon console; VDI=1 marks the install as going into a non-persistent image
$UnattendedArgs = '/install /quiet /norestart CID=<redacted> VDI=1'
$env:SEE_MASK_NOZONECHECKS = 1

# CrowdStrike cloud addresses the sensor talks to while pulling down policy (list supplied by the CS SE)
$lfodown01 = @(
    "13.56.121.58",
    "50.18.198.237",
    "52.8.141.1",
    "54.67.4.108",
    "54.67.5.136",
    "54.67.17.131",
    "54.67.24.156",
    "54.67.41.192",
    "54.67.51.32",
    "54.67.72.218",
    "54.67.78.134",
    "54.67.108.17",
    "54.67.114.188",
    "54.67.122.238",
    "54.183.120.141",
    "54.183.135.80",
    "54.183.215.154",
    "54.193.86.245",
    "54.215.170.42",
    "54.219.179.25",
    "54.241.161.242",
    "54.241.181.78",
    "54.241.182.78",
    "54.241.183.151",
    "54.241.183.229",
    "54.241.183.232"
)

Start-Transcript $LogPS

Set-Location $Version

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose

# Returns $true while any TCP connection has one of the CrowdStrike cloud addresses as its
# remote endpoint. Comparing RemoteAddress directly replaces the original regex -match against
# the connection objects, whose unescaped dots could also match unrelated addresses.
function Test-SensorCloudConnection {
    $connections = Get-NetTCPConnection -ErrorAction SilentlyContinue
    return [bool]($connections | Where-Object { $_.RemoteAddress -in $lfodown01 })
}

# Poll every 5 seconds until the sensor opens its first connection to the cloud (policy download starting)...
Do {
    Start-Sleep -Seconds 5
} until (Test-SensorCloudConnection)

# ...then poll until that connection goes away (policy download finished)
Do {
    Start-Sleep -Seconds 5
} until (-not (Test-SensorCloudConnection))

# Clear the sensor's Agent ID (AG) so each VDA provisioned from this image registers with its own ID
Remove-ItemProperty -Path "HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" -Name "AG" -Force
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\CSAgent\Sim" -Name "AG" -Force

# Give the sensor five more minutes to finish applying the policy before the layer is sealed
Start-Sleep -Seconds 300

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
```
here you go, I'm not a fan of the sleep but CrowdStrike couldn't tell me how to tell when it was done applying the policy
you'll also need the BypassLayerCheck...
```powershell
# Create the UniService key if it is missing, then set BypassLayerCheck = 1 (REG_DWORD)
if (-not (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\UniService")) {
    New-Item "HKLM:\SYSTEM\CurrentControlSet\Services\UniService" -Force -ErrorAction SilentlyContinue | Out-Null
}
New-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\UniService' -Name 'BypassLayerCheck' -Value 1 -PropertyType DWord -Force -ErrorAction SilentlyContinue | Out-Null
```
n
Thank you, Brandon!
We found CS to be at fault for our .NET errors in our image, which was causing havoc in AHV. Getting them to add exclusions on their end... madness. I hate them with a passion, and hope that they all wake up and step on legos every morning.
b
Tell us how you really feel 😄 We fought with the random reboots for months. I supplied the exclusions and they swore they were entered per the documentation, until I got access to the web portal and looked. They had added exclusions verbose to what the documentation said; I had to go exclusion by exclusion and do a test pattern until we had something that would properly exclude the FSLogix VHDX.
g
chappelle show hate you
n
^How I feel about CS
b
ClownStrike
p
Our setup is a little different. We have a defined rule in CrowdStrike that basically allows us to do whatever we want with the product on machines named CITRXAL*** (App Layering default machine names). Our "Citrix" CS policy has exclusions that build on that. Our finalize script does a bunch of things depending on use, and that has some basic policy settings. If it is resealing a full image it nukes CS-specific reg keys, else it just seals up the CS layer. The install process ensures the CS service is never started in the layer, and we have the same BypassLayerCheck in this specific layer. I'm definitely not going to absorb Brandon's script above into this process somehow though... 😀
d
@Paul Brown, curious: when you say "finalize script", do you mean one you run on the published image, or the one you run inside the packaging machine? Is this for MCS, PVS, both?
... also, in case it might help, I have a relationship with the PM over at CS, if you want me to forward any of your very "enthusiastic" sentiments. 🙂
p
We have one script that runs a workflow and, depending on the answers, reseals an already published image or finalizes a layer for App Layering. It's a modified version of the old AppLayeringImagePrep script from @JGSpiers. We are all MCS.
b
We're using the same sealing script, also modified... In our case we want CS to start and cache policies in the layer.
d
OK, interesting; we may want to learn a bit more about what you are doing in the script. Also, in case you weren't aware, we now have a hook you can enable during publish for MCS which might save you some time/effort (see step 5): https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer#install-the-platform-tools-on-the-packaging-machine ... if you configure this you may not need to do any secondary sealing after publish -- you can just put that script into a layer and run it with the admin-controlled shutdown.
b
Here is the base script folks are using; it's a little dated but mostly relevant. https://jgspiers.com/citrix-app-layering-preparation-script/