How to get a fully automated VMware App Volumes 4.x application package.

A couple of years ago, I was running a project where I needed to AppStack 150+ applications with VMware App Volumes. At that time VMware had not an automated way of creating the AppStacks, so I was starting to analyze the process and created a PowerShell script for it. In the recent versions, VMware created some automation though, but I still received so now and then on the socials a request to share my script, that they watched my YouTube video from the VMware Code Connect session 2022 (https://youtu.be/NbERAIkky-s).
I would like to give some credit to community member Chris Twiest (he started with a basic script based on App Volumes 2.x) and my former employer ITQ for stimulating and giving the time to create this.

Before you begin running the script, there are some prerequisites!!!
You can pull the PowerShell script from my GitHub Repository: https://github.com/vEUCaddict/automated-appstack-capture

Prerequisites

VMware PowerCLI

To run VMware PowerShell commands inside the script you need to have at least the VMware.VimAutomation.Core module installed. If not, Run PowerShell as administrator and run: Install-Module -Name VMware.PowerCLI -Force

Packaging/Capturing AD service account

Create an Active Directory Domain service account for packaging/capturing purposes. This account needs permissions in the App Volumes Manager Admin Console, vCenter Server Console and be a local administrator on the App Volumes Capture/Provisioning VM.

NTFS/Share permissions on Software Repository

Give your own administrator account full control permissions to the Software Repository location.
The Packaging/Capturing service account must have read permissions on the Software Repository location.
For example: \\fileserver.dummy.local\Software$\AppStacks

App Volumes Manager

Make the packaging/capturing service account member of the App Volumes Administrators Role.
Go to Configuration > Admin Roles > Assign Role.

vCenter Server

Create a custom vCenter Server Role named “App Volumes Packager Role” with the necessary permissions.
Go To Menu > Administration > Access Control > Roles > +:

Explanation

Console interaction (Interaction):
Ability to open a VMware Remote Console via vCenter Server Console and PowerCLI.

Power off (Interaction):
Ability to power off the App Volumes Capture/Provisioning VM via vCenter Server Console and PowerCLI.

Power on (Interaction):
Ability to power on the App Volumes Capture/Provisioning VM via vCenter Server Console and PowerCLI.

Revert to snapshot (Snapshot management):
Ability to revert the used App Volumes Capture/Provisioning VM to clean state via vCenter Server Console and PowerCLI.

Hardening

The Packaging/Capturing service account only needs to have permissions on the App Volumes Capture/Provisioning VMs. Take care that the vCenter administrator creates a new folder in the vCenter > Menu > VMs and Templates section and set the permissions for the custom role on that folder:

App Volumes Capture/Provisioning VM

Keep in mind that the App Volumes Capture/Provisioning VM needs to be identical as possible to the VDI/RDS Golden/Base/Master image. The exceptions:

1. Disable Anti-virus and/or Anti-malware software
2. Disable Firewall software
3. Disable Microsoft and/or Windows updates

A prerequisite from App Volumes is, that the Capture/Provisioning VM domain-joined is. Place the AD computer account in a specific OU with block group policy inheritance.

Tweaking in the Capture/Provisioning VM is not necessary and we can make adjustments based on Active Directory Group Policies.

The following settings we need to set to enable the automation of the application package creation:

• Maximum machine account password age;
• Windows Remote Management service (WinRM) Startup Mode;
• Windows Firewall rules for WinRM (just to be sure);
• Allow delegating fresh credentials;
• Allow remote server management through WinRM;
• Allow unencrypted traffic;
• Disallow WinRM from storing RunAs credentials;
• Windows AutoLogon registry keys;
• Add packaging/capturing users to the built-in local administrators group.

Group Policy Management Editor

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

The App Volumes Capture/Provisioning VM is reverted back a lot of times and normally after 30 days the machine account expires and then the machine says at logon that the machine has lost its trust relationship with the domain. When adjusting this setting (it can be a lower number of days) then you don’t have that problem anymore.

Computer Configuration > Policies > Windows Settings > Security Settings > System Services

By default the Windows Remote Management service is set to manual and only changes if you run the command prompt: winrm quickconfig. Via a GPO setting, we say to run automatically.

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules

This step is optional because the Windows Firewall must be disabled on an App Volumes Capture/Provisioning VM.
It is a default Windows Firewall service you can allow.

Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation

Add servers where you run the PowerShell script from, in most cases, this will be a management server or jump host.

Computer Configuration > Policies >Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service

Let the App Volumes Capture/Provisioning VM know which machine is allowed to access the VM via Windows Remote Management services. (PS-Remoting)

Computer Configuration > Preferences > Windows Settings > Registry > AutoLogon (create)

Necessary for auto logon with the packaging/capturing service account.

Computer Configuration > Preferences > Windows Settings > Registry > UAC (create)

Necessary to make the SendKeys (auto click, space) function possible on Windows 10.

Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

Don’t use a group to add to the local administrators, because Windows Remote Management (PS-Remoting) doesn’t accept groups…

Pull the PowerShell script from my GitHub Repository

After all, prerequisites are set, you are ready to pull the PowerShell script from my GitHub repository.
The location of the script is: https://github.com/vEUCaddict/automated-appstack-capture
In GitHub Repository, there are two PowerShell scripts. One is the anonymized template called “FullyAutomated-AppStack-Creation-%APP%-%VERSION%.ps1” and the other one is called “FullyAutomated-AppStack-Creation-PuTTY-0.78.ps1” and is an example from the software “PuTTY” which I used for automating the VMware AppStack creation.
My advice is to compare the two and notice where the differences are. Use for example the compare plugin from Notepad++.

Edit the PowerShell script (Part 1)

Now you are familiar with the script, edit the PowerShell script to change the “Static Variables” in this section based on your
customer/company/homelab environment.

Copy the PowerShell script

Copy the PowerShell script to use it as your own template for all the applications.

Copy and Edit the PowerShell script (Part 2)

Copy and Edit the PowerShell script for the first application. Edit the “Dynamic Variables” in this section to meet your application names, versions, silent installation parameters, and post-configuration steps.

NOTE: You don’t have to edit anything below the Dynamic Variables section unless you know what you are doing or VMware changes some of the API’s!!!

Running the PowerShell script

If the static and dynamic variables are changed to meet your needs, then you can run the script.

1. Open a PowerShell window (not preferred as administrator)
2. Browse with (cd) to in most cases the drive mapping of your PowerShell script location.
3. Execute: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
4. Execute: .\FullyAutomated-AppStack-Creation-%APP%-%VERSION%.ps1