hatem Shahudh

  1. I'm very happy you guys were able to get this fixed. My experience was different because I used SQL Express since I was only working in a lab environment. It sounds like in Prod you will need the solution you pointed out: using a specific OU with blocked GPOs ---> using SQL "sa" user --> it works!!! ✅ Thank you again and I hope people benefit from this!

     v/r Hatem Shahudh
  2. You might have to enable PowerShell execution temporarily on the server that you are testing on right now and try:

         Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine

     Or try this command:

         Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

     Also run this to see what you have:

         Get-ExecutionPolicy -List
  3. You can see logs under C:\Program Files (x86)\CloudVolumes\Manager\log
  4. I had this happen to me once when I retried the install on the same VM that failed before. I'd do a gpupdate /force, reboot, and then retry again, or better yet try a fresh new server VM, but make sure it doesn't go in any OU but the disabled-GPO OU. I think the reason why it isn't working is because it's trying to run PowerShell to generate that self-signed SSL key, as you can see in the screenshot.

     v/r Hatem Shahudh
  5. Yes, for sure it was GPO. As mentioned, the resolution is very simple:

     • Create an OU that blocks GPOs.
     • Move the VM to that OU temporarily while conducting the installation.
     • Reboot the VM and start the App Volumes installation.
     • Once done, you can move the VM to whatever OU you need it to be in.

     Let me know if you have any further issues and good luck!
  6. App-volumes self-signed certification failed upon installing App Volumes manager on Windows 2019-2022 Server

     Error message:
     "Error generating self signed certificate"
     "See log/generate_cert.log for details"

         Running as MYUSER.MYDOMAIN on APPVOLSERVER
         #### Create log folders
         #### Generating nginx server ssl certificate
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing safe_level with the 2nd argument of ERB.new is deprecated. Do not use it, and specify other arguments as keyword arguments.
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing trim_mode with the 3rd argument of ERB.new is deprecated. Use keyword argument like ERB.new(str, trim_mode: ...) instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         I, [2024-08-14T16:33:51.668368 #1796] INFO -- : Process ID "1796" running "C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/bin/rake cert:generate_server_cert" ended after 14 seconds
         I, [2024-08-14T16:33:51.309260 #1796] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:33:51.309403 #1796] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL
         E, [2024-08-14T16:33:51.583145 #1796] ERROR -- : Failed to execute command. exit_code: 2, Error: The system cannot find the file specified.
         Key file is created in CertificateGenerator: <certpath: C:/Program Files (x86)/CloudVolumes/Manager/nginx/conf cert_file: C:/Program Files (x86)/CloudVolumes/Manager/nginx/conf/appvol_self_vmware.com.key>
         I, [2024-08-14T16:33:51.585288 #1796] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:33:51.585349 #1796] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL
         Certificate is created in CertificateGenerator: <certpath: C:/Program Files (x86)/CloudVolumes/Manager/nginx/conf cert_file: C:/Program Files (x86)/CloudVolumes/Manager/nginx/conf/appvol_self_vmware.com.crt>
         #### Generating powershell ssl certificate
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing safe_level with the 2nd argument of ERB.new is deprecated. Do not use it, and specify other arguments as keyword arguments.
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing trim_mode with the 3rd argument of ERB.new is deprecated. Use keyword argument like ERB.new(str, trim_mode: ...) instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         I, [2024-08-14T16:34:01.649921 #8408] INFO -- : Process ID "8408" running "C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/bin/rake cert:generate_powershell_cert" ended after 6 seconds
         I, [2024-08-14T16:34:01.406670 #8408] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:34:01.406960 #8408] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL
         E, [2024-08-14T16:34:01.550833 #8408] ERROR -- : Failed to execute command. exit_code: 2, Error: The system cannot find the file specified.
         , Key file is created in CertificateGenerator: <certpath: C:/Program Files (x86)/CloudVolumes/Manager/config cert_file: C:/Program Files (x86)/CloudVolumes/Manager/config/CVPowershell.key>
         I, [2024-08-14T16:34:01.554119 #8408] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:34:01.554228 #8408] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL
         Certificate is created in CertificateGenerator: <certpath: C:/Program Files (x86)/CloudVolumes/Manager/config cert_file: C:/Program Files (x86)/CloudVolumes/Manager/config/CVPowershell.pfx>
         Running as MYUSER.MYDOMAIN on APPVOLSERVER
         #### Create log folders
         #### Generating nginx server ssl certificate
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing safe_level with the 2nd argument of ERB.new is deprecated. Do not use it, and specify other arguments as keyword arguments.
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing trim_mode with the 3rd argument of ERB.new is deprecated. Use keyword argument like ERB.new(str, trim_mode: ...) instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         rake aborted!
         Errno::EACCES: Permission denied @ rb_sysopen - C:/Program Files (x86)/CloudVolumes/Manager/nginx/conf/appvol_self_vmware.com.key (Errno::EACCES)
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `initialize'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `open'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `save_certificate'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:38:in `generate'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/tasks/cert.rake:31:in `block (2 levels) in <top (required)>'
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/rake-13.1.0/exe/rake:27:in `<top (required)>'
         Tasks: TOP => cert:generate_server_cert
         (See full trace by running task with --trace)
         I, [2024-08-14T16:52:08.857855 #7612] INFO -- : Process ID "7612" running "C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/bin/rake cert:generate_server_cert" ended after 13 seconds
         I, [2024-08-14T16:52:08.747221 #7612] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:52:08.747373 #7612] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL
         #### Generating powershell ssl certificate
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing safe_level with the 2nd argument of ERB.new is deprecated. Do not use it, and specify other arguments as keyword arguments.
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/aspector-0.13.1/lib/aspector/base.rb:244: warning: Passing trim_mode with the 3rd argument of ERB.new is deprecated. Use keyword argument like ERB.new(str, trim_mode: ...) instead.
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
         rake aborted!
         Errno::EACCES: Permission denied @ rb_sysopen - C:/Program Files (x86)/CloudVolumes/Manager/config/CVPowershell.key (Errno::EACCES)
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `initialize'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `open'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:73:in `save_certificate'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:38:in `generate'
         C:/Program Files (x86)/CloudVolumes/Manager/lib/tasks/cert.rake:54:in `block (2 levels) in <top (required)>'
         C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/gems/rake-13.1.0/exe/rake:27:in `<top (required)>'
         Tasks: TOP => cert:generate_powershell_cert
         (See full trace by running task with --trace)
         I, [2024-08-14T16:52:18.464642 #1244] INFO -- : Process ID "1244" running "C:/Program Files (x86)/CloudVolumes/Manager/vendor/bundle/ruby/3.2.0/bin/rake cert:generate_powershell_cert" ended after 6 seconds
         I, [2024-08-14T16:52:18.230486 #1244] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
         I, [2024-08-14T16:52:18.230599 #1244] INFO -- : Issued to: /C=US/ST=California/L=Palo Alto/O=VMware/OU=AppVolumes/CN=APPVOLSERVER.MYDOMAIN.LOCAL

     Possible Cause: STIG GPOs or other security GPOs (Group Policy Objects).

     Resolution: The fix action for this is to actually create an OU (organizational unit) in Active Directory that blocks Group Policy Objects (GPOs) and then move the server where you are trying to install App Volumes Manager to that OU. This step will allow you to do the installation without any issues, and then you can move it back to its appropriate OU.
  7. I think this should be a top article for those who have the following errors:

     1. Failed to resolve proxying route for request.
     2. The connection to the remote computer ended.
     3. The connection to the remote computer failed. “it is possible that remote connections are not enabled on the remote computer or that the computer on network is too busy.”
     4. VDPCONNECT_REJECTED: the connection to the remote computer has been refused

     Fix action was as recommended below:

     • proxyDestinationUrl=https://cs1.domain.com:443 or Connection Broker IP:443 with sha256=thumbprint
     • tunnelExternalUrl=https://uag1.domain.com:443 or UAGIP:443
     • blastExternalUrl=https://uag1.domain.com:8443 OR UAG IP:8443
     • pcoipExternalUrl=1.1.1.3:4172 UAG IP
     • locked.properties file needs to have checkOrigin=false
     • portalHost.1=UAG DNS or IP without https://
     • HTTP(S) Secure Tunnel needs to be unchecked with Horizon Admin Connection Broker Settings
     • PCOIP Secure Gateway needs to be unchecked with Horizon Admin Connection Broker Settings
     • Do not use Blast Secure Gateway Option needs to be selected under Blast Secure Gateway.
     • Reboot Connection Broker

     Client Drive Redirection for DoD

     I think it's very hard to allow Client Drive Redirection due to the STIG settings, even though it's enabled by default, as well as USB redirection.

     Implementation Guide Overview

     Version: 1
     Date: 2021-07-30
     Finding Count (15): CAT I (High): 0, CAT II (Med): 15, CAT III (Low): 0

     STIG Description

     This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

     Findings (MAC III - Administrative Sensitive)

     Finding ID, Severity, Title, Description:

     • V-246874, Medium: The Horizon Agent must block USB mass storage. The Horizon Agent has the capability to granularly control what, if any, USB devices are allowed to be passed from the local client to the agent on the virtual desktop. By default, Horizon blocks...
     • V-246872, Medium: The Horizon Agent must audit clipboard actions for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246873, Medium: The Horizon Agent desktops must not allow client drive redirection. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246870, Medium: The Horizon Agent must not allow drag and drop for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246871, Medium: The Horizon Agent must audit clipboard actions for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246869, Medium: The Horizon Agent must not allow drag and drop for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246868, Medium: The Horizon Agent must not allow file transfers through HTML Access. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246861, Medium: The Horizon Agent must only run allowed scripts on user connect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
     • V-246860, Medium: The Horizon Agent must require TLS connections. The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS...
     • V-246863, Medium: The Horizon Agent must only run allowed scripts on user reconnect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
     • V-246862, Medium: The Horizon Agent must only run allowed scripts on user disconnect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
     • V-246865, Medium: The Horizon Agent must set an idle timeout. Idle sessions are at increased risk of being hijacked. If a user has stepped away from their desk and is no long in positive control of their session, that session is in danger of being assumed by...
     • V-246864, Medium: The Horizon Agent must check the entire chain when validating certificates. Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy...
     • V-246867, Medium: The Horizon Agent must block server to client clipboard actions for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
     • V-246866, Medium: The Horizon Agent must block server to client clipboard actions for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...

     I found the best way to overcome that is to actually create a higher level GPO on a higher OU and enable all the features using GPOs recommended by Horizon.
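
One way to triage a generate_cert.log like the one quoted in the App Volumes certificate post above, as an added example that is not part of the original posts and not VMware's code: it skips the deprecation warnings and stack-trace lines and returns the logged ERROR entries and `rake aborted!` exceptions, tagged with the certificate step they occurred in. The sample log is abridged from the quoted log; the function names and result keys are hypothetical.

```ruby
# Added example (not VMware's code): triage an App Volumes generate_cert.log.
# SAMPLE_LOG is abridged from the log quoted in the post above.
SAMPLE_LOG = <<~'LOG'
  #### Create log folders
  #### Generating nginx server ssl certificate
  C:/Program Files (x86)/CloudVolumes/Manager/lib/certificate_generator.rb:50: warning: Socket.gethostbyname is deprecated; use Addrinfo.getaddrinfo instead.
  I, [2024-08-14T16:33:51.309260 #1796] INFO -- : Generating certificate for HostName: APPVOLSERVER.MYDOMAIN.LOCAL
  E, [2024-08-14T16:33:51.583145 #1796] ERROR -- : Failed to execute command. exit_code: 2, Error: The system cannot find the file specified.
  #### Generating powershell ssl certificate
  rake aborted!
  Errno::EACCES: Permission denied @ rb_sysopen - C:/Program Files (x86)/CloudVolumes/Manager/config/CVPowershell.key (Errno::EACCES)
  Tasks: TOP => cert:generate_powershell_cert
LOG

# Ruby Logger default format: "E, [timestamp #pid] ERROR -- progname: message"
LOGGER_LINE = /\A([DIWEFA]), \[(\S+) #(\d+)\]\s+\w+ -- [^:]*: (.*)\z/
# Installer step banner, e.g. "#### Generating nginx server ssl certificate"
SECTION = /\A#### Generating (.+) certificate\z/
# Exception line printed after "rake aborted!"
ERRNO_LINE = /\A(Errno::\w+): (.+?) @ \w+ - (.+?) \(Errno::\w+\)\z/

# Returns one hash per failure, tagged with the certificate step it occurred in.
# Deprecation warnings, INFO entries and stack-trace lines are ignored.
def triage_cert_log(text)
  section = nil
  findings = []
  text.each_line(chomp: true) do |raw|
    line = raw.strip
    if (m = SECTION.match(line))
      section = m[1]
    elsif (m = LOGGER_LINE.match(line)) && %w[E F].include?(m[1])
      findings << { section: section, kind: :logged_error,
                    time: m[2], pid: m[3].to_i, detail: m[4] }
    elsif (m = ERRNO_LINE.match(line))
      findings << { section: section, kind: :rake_aborted,
                    error: m[1], detail: m[2], path: m[3] }
    end
  end
  findings
end

# Group failure kinds by certificate step.
def failures_by_section(findings)
  findings.group_by { |f| f[:section] }
          .transform_values { |fs| fs.map { |f| f[:kind] } }
end

if __FILE__ == $PROGRAM_NAME
  triage_cert_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```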