Citrix Provisioning Services 7.x Documentation Script Update Version 6.00
Version 6.00 19-Jan-2021
This started out as a simple update to address a security issue, but…this turned out harder than it looked.
The Citrix Provisioning Services (PVS) PowerShell cmdlets work from a non-domain-joined computer to multiple Active Directory domains. BUT, there is a glaring security hole. The old string-based MCL cmdlet and the new object-oriented cmdlet ONLY work with a PLAINTEXT password!!! That means, if you want to run the PVS documentation script from a batch/cmd file or as a scheduled task, you are required to save the password in plaintext. If you run the script from the CLI, you are required to enter the password in plaintext. Neither cmdlet works with a PSCredential object. This is very strange behavior from a “security” company.
My first thought was I would use the Set-PvsConnection command and check/trap for errors related to bad credentials or a bad connection to the PVS server. Nope. Nada. Zilch. Not gonna happen. The string-based SetupConnection and the object-oriented Set-PvsConnection cmdlets are poorly written, poorly implemented, poorly documented (the help text is blatantly incorrect), and very dumb. Neither cmdlet returns any useful information, neither returns a status, and neither tells you what happened if something went wrong. You can’t use any ErrorAction. You can’t redirect any of either cmdlet’s vomit to the console if something bad happens. If you want a very long delay and to remove all the console vomit, you can use Start-Job and a ScriptBlock. I decided I didn’t like the 30 to 90-second delay with no way to show what is happening or what happened.
What all that means is you are now forced to enter credentials IF you use the -AdminAddress parameter to connect to a REMOTE PVS server. If you run the script on a PVS server, which is my personal preference, you are never prompted for credentials as the current Windows credentials are used for the connection to LocalHost.
Yes, I have reported all these issues to Citrix, but since Citrix is consumed by forcing everyone and every product to the Cloud, I will be long retired by the time Citrix fixes any of these issues or the gaping security hole of requiring a plaintext password.
Note: If you want to continue using the insecure plaintext password, use version 5.22 of this script. I backported most of the below fixes to that version.
- Added new function OutputNotice
- Changed some Warnings to Notices using OutputNotice
- Added new function SetFileNames as replacement for SetFileNames1and2
- Added the PVS Version to functions ShowScriptInfo and ProcessScriptEnd
- Added to the Computer Hardware section, the server’s Power Plan
- Allow multiple output formats. You can now select any combination of HTML, MSWord, PDF, or Text
- Changed all Write-Verbose statements from Get-Date to Get-Date -Format G as requested by Guy Leech
- Changed getting the path for the PVS module from the environment variable for “ProgramFiles” to the console installation path (Thanks to Guy Leech)
- Changed some Write-Error to Write-Warning and changed some Write-Warning to Write-Host
- Changed the default output to HTML
- Cleaned up HTML, MSWord, PDF, and text output
- Fixed remaining $Null comparisons where $null was on the right instead of the left of the comparison
- Reformatted Appendix A to make it fit the content better
- If you select PDF for Output and Microsoft Word is not installed, update the error message to state that PDF uses Word’s SaveAs PDF function
- Reformatted most Write-Error messages to show better in the console
- Removed all invalid links from comments
- Removed all comments referencing versions before 6.00
- Removed existing Script ParameterSets and left only one for “WordPDF”
- Removed the Password parameter to keep from having the password entered as plaintext
- Use Get-Credential and code from Frank Lindenblatt to get the password from the $credential object
- The Set-PvsConnection uses only a plaintext password
- If you get prompted for credentials, you can blame Citrix for their poorly written and dumb Set-PvsConnection cmdlet.
- It returns no information or status. To stop using a plain text password (the main impetus behind this update), I switched to using Get-Credential.
- Because of the almost useless Set-PvsConnection cmdlet, I don’t know if you entered valid credentials or not or why the connection attempt to the PVS server failed.
- Removed the requirement for elevation when remoting to the PVS server
- Reordered the parameters in an order recommended by Guy Leech
- Updated the following functions to the latest versions:
- Updated the help text
- Updated the ReadMe file
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/
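
The credential handling described in the change list (no Password parameter, Get-Credential, and the plaintext pulled from the credential object only for the Set-PvsConnection call), sketched as an added example; it is not the documentation script's code or Frank Lindenblatt's. The helper name `Connect-PvsWithCredential` and the server name are hypothetical, and the `-Server`, `-User`, `-Domain` and `-Password` parameters of Set-PvsConnection are assumed from the Citrix PVS PowerShell SDK.

```powershell
# Added example, not the documentation script's own code.
# Assumes the Citrix PVS PowerShell module is already imported in this session.
function Connect-PvsWithCredential {    # hypothetical helper name
    [CmdletBinding()]
    param(
        # Remote PVS server, the same value the script takes as -AdminAddress.
        [Parameter(Mandatory)][string]$AdminAddress,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )

    # GetNetworkCredential() splits "DOMAIN\user" into Domain and UserName and
    # exposes the SecureString password as a plaintext .Password property.
    $net = $Credential.GetNetworkCredential()

    # If only a bare user name was typed, fall back to the current logon domain
    # (on a non-domain-joined computer this is the computer name).
    $domain = $net.Domain
    if ([string]::IsNullOrEmpty($domain)) { $domain = $env:USERDOMAIN }

    try {
        # The plaintext is passed as an expression, so no password literal sits
        # in the script text, a batch file, or a scheduled task definition.
        Set-PvsConnection -Server $AdminAddress -User $net.UserName `
            -Domain $domain -Password $net.Password
    }
    finally {
        # Drop the references. .NET strings are immutable, so the plaintext
        # cannot be zeroed and stays in memory until garbage collection.
        $net = $null
        $domain = $null
    }
}

# Constructed sample usage: prompt once, then connect.
$cred = Get-Credential -Message 'Credentials for the remote PVS server'
Connect-PvsWithCredential -AdminAddress 'pvs01.example.test' -Credential $cred
```

Because Set-PvsConnection returns no status, as described above, a clean return from this function does not show that the credentials were accepted.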