AppStream Elastic Fleet on Windows - startup script fails!


Hi, I am setting up an AppStream Elastic Fleet on Windows and I can get into a running instance and see that the virtual hard drive file and startup script are downloaded to the machine, but the startup script fails. There seems to be a permissions issue, as when I run the script in an ImageBuilder instance it runs okay. I can see that the initial part of the script (which is basically the AWS sample script) runs, as it writes the diskpart commands to a text file as expected. However, as the startup script needs to mount the virtual hard drive, the application cannot run. By the way, I can get into the running instance using the function keys drop-down to send the instance ctrl+alt+del and get into the task manager. This seems like a security issue - it would be good to disable this key sequence or by some other means disable the task manager.

asked 2 years ago, 861 views
1 Answer
Accepted Answer

Hey Ian, thanks for the question. The setup script is called within the SYSTEM context so there should not be a permission issue. One possible configuration that could look like a permission issue is if you do not change the execution policy for the startup script. The execution policy is set on the App block in the 'Setup executable arguments' parameter. An example App block would be the following:

Setup script executable: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Setup executable arguments: -ExecutionPolicy Bypass -file C:\AppStream\AppBlocks\APPBLOCKName\mountScript.ps1

Once the App block can successfully mount the VHD, your Application settings will be able to open the application within the VHD.

For the security issue, keep in mind that everything a user does within an Elastic fleets session is operating in the context of the PhotonUser. This user account does not have rights to do anything intrusive, therefore when you open task manager, PowerShell, or anything else, you will not be able to perform intrusive actions on the machine. If a use case requires things like task manager to be disabled, you could try adding the commands to disable it within the startup script, since SYSTEM will have the rights to change the setting/reg key.

AWS
answered 2 years ago
  • Thanks for that - the parameter -ExecutionPolicy solved my problems - it would be worth adding this to the documentation as an example execution policy. Also, I followed your suggestion for disabling Task Manager - I added:

    param ($DebugMode = 'N')

    # -Force overwrites DisableTaskMgr if an earlier run on this instance already created the value
    if ($DebugMode -ne 'Y') { New-ItemProperty -Name DisableTaskMgr -PropertyType DWord -Value 1 -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Force }

    to the startup script which mounts the VHD. This way I can still allow task manager to run when I am debugging the application using a startup script parameter in the AppBlock definition.

    I did find another issue with the S3 bucket policy. When I followed the instructions related to the security warning in the policy editor - ie to add a condition to check aws:SourceAccount matches the current account - then the S3 objects are not accessible. However, without this condition it all works okay.
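A fuller startup script combining the answer's mount step with the comment's Task Manager policy, as an added example that is neither AWS's sample script nor the poster's own code. The VHD file name app.vhdx, the log file path and the -VhdPath parameter are assumptions; the App block is assumed to launch it with -ExecutionPolicy Bypass -file <script> [-DebugMode Y].

```powershell
# Added example for an AppStream Elastic fleet App block startup script.
# Runs as SYSTEM, so mounting the VHD and writing the HKLM policy key both work.
# app.vhdx and the log path are hypothetical; adjust to your App block layout.
param (
    [string]$DebugMode = 'N',
    [string]$VhdPath = 'C:\AppStream\AppBlocks\APPBLOCKName\app.vhdx'
)

$ErrorActionPreference = 'Stop'
$log = 'C:\AppStream\AppBlocks\APPBLOCKName\mountScript.log'

try {
    # 1. Mount the VHD read-only: the session user only needs to run the application,
    #    and a read-only mount means nothing in the session can alter the image.
    $img = Mount-DiskImage -ImagePath $VhdPath -Access ReadOnly -PassThru
    $vol = $img | Get-Disk | Get-Partition | Get-Volume | Where-Object { $_.DriveLetter }
    if (-not $vol) { throw "VHD mounted but no volume with a drive letter was found" }
    "$(Get-Date -Format o) mounted $VhdPath as $($vol.DriveLetter):" | Out-File $log -Append

    # 2. Apply the Task Manager policy unless debugging. The value lives under HKLM,
    #    so it applies to the unprivileged PhotonUser the session runs as, and that
    #    user cannot undo it because it has no write access to the key.
    if ($DebugMode -ne 'Y') {
        $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        # -Force overwrites the value if the script already ran on this instance.
        New-ItemProperty -Path $policyKey -Name DisableTaskMgr -PropertyType DWord -Value 1 -Force | Out-Null
        "$(Get-Date -Format o) DisableTaskMgr=1 set" | Out-File $log -Append
    }
    exit 0
}
catch {
    # A non-zero exit code surfaces the setup failure instead of leaving a session
    # where the application silently fails to launch.
    "$(Get-Date -Format o) ERROR: $($_.Exception.Message)" | Out-File $log -Append
    exit 1
}
```

Because the policy is written in the SYSTEM context, it is in place before the PhotonUser session starts, regardless of which key sequence the user sends through the function keys drop-down.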
