• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Citrix Workspace vs Citrix Workspace LTSR with 21.7.0.44+

Started by MTREICHLER, July 29, 2021, 01:52:07 PM

Previous topic - Next topic

MTREICHLER

With Citrix Workspace 21.7.0.44 release on 7/29 seems some changes how Workspace is targeted changed.

With Workspace version prior to 21.7.0.44 (non LTSR)  4 conditions for patch to be installable.

--------------------
1. RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" RegType32="true"

2. RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayName" Comparison="Contains" Data="Workspace" RegType32="true

3. RegSzToVersion Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" Comparison="LessThan" Data="21.6.0.47" RegType32="true"

4.  WindowsVersion Comparison="GreaterThan" MajorVersion="6" MinorVersion="1" ProductType="1"
--------------------

With 21.7.044 there seems to be some additional conditions that also target off "HKLM\SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy"  & "HKLM\SOFTWARE\Policies\Citrix\ICA Client\AutoUpdate" LTSROnly=true conditions.


Overall some thoughts on regular Workspace vs LTSR Workspace.

If LTSROnly=true that indicates either a GPO is set or command line was used to limit auto upgrades to LTSR versions.  If PatchMyPC upgrades LTSR Workspaces to regular Workspace installs that is ignoring the configured setting installer or admins are configuring. 

Our environment for example majority of our Workspace installs are LTSR as we need the cerification and stability of LTSR over cutting edge feature of Workspace.  In the past I've modified the Workspace installable rules to avoid patching our LTSR installs. 

Wanted to start a discussion and suggest that targeting of Workspace & Workspace LTSR with different approach.  What may make sense is if any LTSROnly=false or values do not exist then Workspace patch permitted.  If LTSROnly=true then only LTSR installs are permitted.  Customers like us would need to have both Workspace & Workspace LTSR patches approved, but it keeps the Workspace on Workspace and LTSR on LTSR. 

Thanks,

Andrew Jimenez (Patch My PC)

Hello,

I believe our Non-LTSR updates (starting with 21.7.0.44) Are already doing what you are suggesting:

<lar:And>
<bar:RegValueExists Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Key="HKEY_LOCAL_MACHINE" Value="DisplayVersion" RegType32="true" />
<bar:RegSz Comparison="Contains" Data="Workspace" Value="DisplayName" Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" RegType32="true" />
<bar:RegSzToVersion Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" Comparison="LessThan" Data="21.7.0.44" Key="HKEY_LOCAL_MACHINE" RegType32="true" />
<bar:WindowsVersion Comparison="GreaterThan" MajorVersion="6" MinorVersion="1" ProductType="1" />
<lar:Not>
<lar:Or>
<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy" Value="LTSROnly" RegType32="true" />
<bar:RegSz Comparison="EqualTo" Data="true" Value="LTSROnly" Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy" RegType32="true" />
</lar:And>
<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Policies\Citrix\ICA Client\AutoUpdate" Value="LTSROnly" RegType32="true" />
<bar:RegSz Comparison="EqualTo" Data="true" Value="LTSROnly" Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Policies\Citrix\ICA Client\AutoUpdate" RegType32="true" />
</lar:And>
</lar:Or>
</lar:Not>
</lar:And>


Currently, for NON-LTSR to be applicable the following conditions must be met:
Registry key "CitrixOnlinePluginPackWeb\DisplayVersion" exists and is less than 21.7.0.44
Registry key "CitrixOnlinePluginPackWeb\DisplayName" exists and contains "Workspace"
Windows Version > 6.1
NOT
(OR
   (Registry key Commandline Policy\LTSROnly exists AND = true)
   (Registry key AutoUpdate\LTSROnly exists and  =true)
)

I went ahead and made truth table for the second part to make sure the logic was sound.
X = ! ( ( a && b ) || ( c && d ) )

Cmdln exists (a)Cmdln eq True (b)AutoUpdate exists (c)AutoUpdate eq true (d)Applicable (X)
00001
00101
00110
10001
10101
10110
11000
11100
11110

Looking at this, the only times the NON-LTSR update would be applicable are:

  • no registry keys are set
  • AutoUpdate\LTSROnly exists and is set to false
  • CommandLine Policy\LTSROnly exists and is set to false
  • CommandLine Policy\LTSROnly and AutoUpdate\LTSROnly both exists and both are set to false

Otherwise, the LTSR version is applicable (either the install flag was set or the GPO is set).

From what I understand from your explanation, I believe this is the behavior you are looking to have for this application. Please let me know if I am misunderstanding.

MTREICHLER

Thanks for the reply.

When I export the 21.7.0.44 installable rule there isn't NOT condition to proceed the OR statements. 


<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" RegType32="true"/>
<bar:RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayName" Comparison="Contains" Data="Workspace" RegType32="true"/>
<bar:RegSzToVersion Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" Comparison="LessThan" Data="21.7.0.44" RegType32="true"/>
<bar:WindowsVersion Comparison="GreaterThan" MajorVersion="6" MinorVersion="1" ProductType="1"/>
<lar:Or>
<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy" Value="LTSROnly" RegType32="true"/>
<bar:RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy" Value="LTSROnly" Comparison="EqualTo" Data="true" RegType32="true"/>
</lar:And>
<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Policies\Citrix\ICA Client\AutoUpdate" Value="LTSROnly" RegType32="true"/>
<bar:RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Policies\Citrix\ICA Client\AutoUpdate" Value="LTSROnly" Comparison="EqualTo" Data="true" RegType32="true"/>
</lar:And>
</lar:Or>
</lar:And>

Andrew Jimenez (Patch My PC)

Interesting. What is the full title of that update?

MTREICHLER

"Citrix Workspace 21.7.0.44"

I also created rule with proper NOT conditions and imported.   NOT conditions were stripped out.

We are importing our patches into WSUS with WSUS Package Publisher, not going though SCCM.   Maybe the installable ruleset on native WSUS SCUP API is more limited than SCCM.  I know the NOT condition does work on registry conditions as that is how I was avoiding patching my LTSR by keying off LTSROnly NOT true.

Your logic is correct on LTSR probably just related to missing NOT condition.

Andrew Jimenez (Patch My PC)

The SCUP schema is the same as is used in ConfigMgr. The creator of WSUS Package Publisher actually works for us :) I'll have him check this out.

MTREICHLER

Great,  Here is how I was customizing the rules in past to avoid LTSR patching, which is only accounting for command line situation.



<lar:And>
<bar:RegValueExists Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" RegType32="true"/>
<bar:RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayName" Comparison="Contains" Data="Workspace" RegType32="true"/>
<bar:RegSzToVersion Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb" Value="DisplayVersion" Comparison="LessThan" Data="21.6.0.47" RegType32="true"/>
<bar:WindowsVersion Comparison="GreaterThan" MajorVersion="6" MinorVersion="1" ProductType="1"/>
<lar:Not>
<bar:RegExpandSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Citrix\ICA Client\AutoUpdate\Commandline Policy" Value="LTSROnly" Comparison="EqualTo" Data="true" RegType32="true"/>
</lar:Not>
</lar:And>

David Courtel (Patch My PC)

Hey MTREICHLER, this is weird. IÔÇÖve just tested and, even though WPP doesnÔÇÖt show the "Not" group, there are indeed imported from the catalog. Actually, if you export the update and open the XML file you will see the "Not" group in the "IsInstalled" element.

MTREICHLER

Quote from: David Courtel - Admin on July 30, 2021, 01:54:20 AM
Hey MTREICHLER, this is weird. IÔÇÖve just tested and, even though WPP doesnÔÇÖt show the "Not" group, there are indeed imported from the catalog. Actually, if you export the update and open the XML file you will see the "Not" group in the "IsInstalled" element.


You are correct.  If I export the update I see the proper "Not" conditions, both installed and installable rules.

Sounds like everything should work fine and I don't have to create custom rule to avoid LTSR patching.  I'll test it out with LTSR install and mark thread.  Guessing maybe something with WPP rule editor maybe off.  I couldn't create that rule via GUI so maybe doesn't read rule properly.