Posts

Here’s a new tool that I’ve pushed to the PowerShell Gallery - ConvertTo-RedirectionsXml for generating a Redirections.Xml for use with Profile Container. This makes the task of generating a new Redirections.xml as simple as running two PowerShell commands:

A container approach to profiles in your virtual desktop environment means you’re going to deal with additional storage requirements that you likely haven’t had previously. Profile containers have gone mainstream with the Microsoft acquisition of FSLogix, making Profile Container and Office 365 Container available to practically everyone.

With a hosting renewal pending I thought it past time to migrate to a new platform for stealthpuppy.com. While I’ve found WordPress to be OK with plenty of support for extensibility through plug-ins, I’m not keen on paying for a blogging platform that I don’t actively make an income from, nor do I want to deal with the hassle of a multi-tier platform using MySQL, PHP and WordPress itself.

Confession time - I’ve had a GitHub account since 2014 and haven’t signed a single commit. I’ve read various tweets and articles about signing your commits, but never committed (git it? … see what I did there…) to setting up a signature until recently.

The promise of a modern management approach to deployment and management of Windows 10 is that you no longer create and manage a custom SOE image. User experience is still important though and a large part of that experience in an enterprise environment, is the default Start menu.

Microsoft Intune provides management of Window 10 Update Rings to enable Windows as a Service, via the Software Updates feature. This enrols a Windows PC into Windows Update for Business to manage feature and quality updates the device receives and how quickly it updates to a new release. As you scale the number of devices managed by Microsoft Intune, the need to manage the software update or deployment rings is key to adopting Windows 10 successfully. Being able to do so dynamically and empowering end-users by involving them in the process sounds like an idea that’s just crazy enough to work. This article details an approach to achieve dynamic software update rings.

I recently presented a session titled ‘Modern Management Methodology Imaginarium’ at the xenappblog.com Virtual Expo September 2018 event. In this session, I discussed my thoughts and approach to modern management, primarily for Windows 10. The session provided a bit of background, some definitions for what makes up the modern desktop and a high-level approach to implementing it.

In a modern management scenario, enabling end-points to perform automatic maintenance tasks will reduce TCO by avoiding scenarios that might result in support calls. Storage Sense in Windows 10 is a great way to manage free disk space on PCs by clearing caches, temporary files, old downloads, Windows Update cleanup, previous Windows Versions, and more, but it it’s not fully enabled by default. Storage Sense can potentially remove gigabytes of data, freeing up valuable space on smaller drives.

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Thunderbolt 3 (and USB-C) are here to provide a single cable for everything, although your experience with this technology will differ depending on your choice of operating system. Here’s a quick look at the end-user experience of TB on macOS and Windows.

Thunderbolt 3 and USB-C have arrived to make our life easier and more confusing all at the same time. The promise of a single cable that does everything is appealing but for the average consumer, knowing what to purchase is challenging. This article is a view into my research into Thunderbolt, USB-C and 4K monitors and what I’ve ultimately purchased.

In the previous article we saw how to customise the Adobe Reader DC installation and deploy it via Microsoft Intune. Now that it’s installed on Windows 10 end-points let’s look at how updates work.

Adobe Reader is of course one of the most common applications on Windows desktops and if you’re moving to a Modern Management approach you’re likely looking at how to deploy Adobe Reader DC to Windows 10 via Microsoft Intune.

Note: for a more up to date version of the content in this article, VcRedist now has documentation available here: https://docs.stealthpuppy.com/docs/vcredist

I’ve previously written about deploying Citrix Receiver to Windows 10 via Intune with PowerShell. In that article, I included a script that will detect an installed version of Receiver and update to the latest version if it is out of date. To start with, I’ve hard-coded the current Receiver for Windows version into the script; however, that’s not necessarily the best approach, because it will require updating whenever a new version is released.

If you’re deploying Windows 10 with Modern Management (Azure AD joined, MDM managed), you’ll likely have wondered about data protection - if users aren’t intentionally saving documents to their OneDrive folder, that data is likely, not synchronised and therefore not protected against data loss.

If you’ve deployed Windows 10 Modern Management you’ll know that some applications present a challenge for deployment, because Windows 10 MDM supports the Win32 applications via a single MSI file only. Applications such as Citrix Receiver, that are a single EXE (that wraps multiple MSI files), can, therefore, be challenging. You can create a custom wrapper to deploy Receiver, but this requires a packaging tool and some specific knowledge on how to package applications.

Ivanti Application Control (previously AppSense Application Manager) is an application whitelisting and privilege management solution; however, I think you’re likely aware of that since you’re reading this article. Application Control has a number of customisable message boxes that are displayed to the end-user for Windows application whitelisting or privilege elevation scenarios. In this article, I’ll discuss improving the end-user experience with some visual flair and text.

We’ve been busy planning our next CUGC meet-up for 2017, which will be on the 24th of October at the Telstra Conference Center at 242 Exhibition St. To attend the meet-up, ensure you’ve signed up at the MyCUGC.org site: Melbourne Citrix User Group Local Meeting

Great news! Microsoft has enabled a number of available conditions and custom controls in Azure AD for use in Conditional Access making these policies even more useful. This includes a simple method to control access to Citrix NetScaler by country of origin.

Microsoft released a beta version of the Intune Company Portal for macOS just last month; however, it’s since been pulled from the Download Center. This app had been made available along with the announcement of Conditional Access supporting macOS in preview.

Understanding what Windows Defender Advanced Threat Protection (ATP) actually is had eluded me for a while - it’s not included in something like EMS, it’s not available with a Visual Studio Enterprise subscription and you’ll need to request an evaluation from Microsoft (and hope it’s approved) to test it out. Windows Defender ATP is licensed as a component of the Windows 10 Enterprise E5 or the Secure Productive Enterprise (soon to be Microsoft 365) E5 subscriptions.

Deploying a jump box into a cloud environment such as Azure or AWS, is a common way of providing access into said environment through a single entry point. Often access to the jump box will be restricted by source IP, but that approach isn’t completely secure for many reasons - admins don’t update the rules, source IP doesn’t identify the user etc.

Intune has simplified the process for deploying Office 365 ProPlus to Windows 10 PCs with a wizard driven process that will get you deploying the Office suite in less that 5 minutes. I’m not exaggerating either - the process is so simple, it will take you longer to make a cup of coffee.

A couple of months back, I sent an email to the Microsoft MVP mailing list to see if anyone knew of a JSON feed of Windows 10 updates from Microsoft. I’d found a way to grab the latest Firefox version via PowerShell and was hoping to do something similar for Windows 10. Keith Garner responded with something even better - a working script that pulls from a JSON resource on the Windows 10 and Windows Server 2016 Update History page, to return the most recent cumulative update.

Enabling Azure AD and Office 365 features including multi-factor authentication and Conditional Access will impact your users because they’ll need utilise App Passwords (one time passwords used for authentication with legacy applications). Unfortunately this will only serve to confuse users and result in calls to your service desk. Modern authentication is, of course, the way to improve user experience but it’s not enabled by default.

I recently posted an article on a script I’ve written for downloading and installing the Microsoft Visual C++ Redistributables. Thanks to Cornelius Schuchardt, the script now supports creating applications for each redistributable in Configuration Manager (ConfigMgr).

In updating my MDT deployment shares recently, I got tired of having to do something about the Visual C++ Redistributable installers and finally decided to do something about it, so I’ve written a script that will download the installers and optionally install them - Install-VisualCRedistributables.ps1.

Every so often a few of your favourite technologies intersect to create something magical and your passion for IT is renewed. That happened for me this week when configured Citrix NetScaler to authenticate to Azure Active Directory via SAML and enforce access to XenApp via Azure Multi-factor Authentication and Azure AD Conditional Access policies. The possibilities for securing remote access and the improved user experience that this configuration provides is so damn cool, everyone should know about it.

I was recently testing out the setup of single sign-on (SSO) and user provisioning with Azure Active Directory and Salesforce via the Azure Resource Manager portal and came across a couple of minor hiccups that I wanted to share. With Salesforce being as popular as it is, it’s a great target for enabling SSO in any organisation and improving the user experience.

I am excited about the opportunities that managing Windows 10 devices with Azure AD Join and MDM (i.e. modern management) provides for both users and admins. In this article, I’ll cover deploying and managing modern applications (Universal apps) on a modern platform with a modern device management solution - Microsoft Intune standalone for managing Universal apps.

While the Universal app platform on Windows 10 isn’t going to replace legacy Win32 apps for some time, the potential of this platform to improve the way IT approaches application lifecycle management is high. Apps can be deployed, updated and removed without packaging or having to worry about application conflicts. It’s encouraging to see a number of useful enterprise applications available - the future is mobile apps, even on the desktop, so every enterprise should be looking at the Windows Store for Business.

In a previous article, I wrote about the differences between managing Windows 10 PCs with the Intune Client vs. the Windows 10 MDM channel. Two key monitoring pieces that you lose with going to MDM instead of the Intune Client is the ability to report on Windows updates and Endpoint Protection (Windows Defender) status.

It’s been a long time coming and the time is nearly here for the inaugural meeting of the Melbourne Citrix User Group. On the 6th of December 2016, we’ll be really proud to kick off an independent Citrix User Group at the Golden Gate Hotel, South Melbourne.

To understand sizing Machine Creation Services on Hyper-V, we should first look at how XenDesktop creates virtual machines across the various deployment choices. XenDesktop 7.9 and 7.11 have introduced new features to MCS that will require additional consideration for storage requirements over previous versions.

How much storage capacity do you need for Citrix Machine Creation Services? If you’re designing a XenApp or XenDesktop environment, one question you’re going to ask is “how much storage do we need?”. Let’s dig into the fundamentals of Machine Creation Services and have a look at how much capacity you’ll need to provision.

Automating the installation of the Citrix ShareFile Drive Mapper requires deploying a code signing certificate to target machines before setup will complete. If you’ve installed the Drive Mapper client, you will have seen the following dialog box during setup:

I recently wrote a couple of articles on setting up and Root Certification Authority and a Subordinate Certification Authority as a basic cheat sheet for setting up and Enterprise PKI. One configuration item that is less well understood and often the cause of major headaches with certificate authorities, is the Certificate Revocation List (CRL). An Offline CRL can bring down your PKI and other services that rely on it.

In the last article, I documented the steps for deploying an offline Root Certificate Authority on Windows Server 2012 R2. This article will continue the process and show how to install and configure a Subordinate Certificate Authority that will be used to issue certificates to users and devices.

Setting up an Enterprise Root Certificate Authority isn’t a task that you’ll complete on a regular basis and something I think I’ve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee I’m using a different version of Windows Server each time. Please note as you read these article and the next, that whilst I have an interest in PKI, I don’t consider myself an expert. Deploying a PKI is not a simple task, so read up carefully if you’ve not done this before.

Microsoft Intune has multiple methods for managing Windows 10 - you can choose to deploy a client or use the mobile device management capabilities built into the operating system. However, guidance from Microsoft on the comparing the capabilities of each, especially from a policy perspective, is currently unclear.

Chicken Little seems to be working overtime when it comes to the Windows Store in Windows 10. I’ve read and heard many different thoughts and approaches to the Store in Windows 10, but I believe that the Store and Universal apps should be embraced. It would; however, be nice to have more control over user interaction with the Store and in-box Univeral apps.

I had the pleasure recently to present a session at Citrix Synergy 2016 in Las Vegas with Helge Klein (of uberAgent and UPM fame) on enterprise desktop performance in a session titled: SYN239: UX and the enterprise desktop: like oil and water?. We’ve previously presented on performance related topics with folder redirection, and this year we wanted to take a wider look at performance on an enterprise desktop and how user experience is affected.

Citrix recently made the ShareFile Drive Mapper tool available for mapping a drive letter into your ShareFile data available on Windows clients. This is an interesting approach to providing access to ShareFile data which changes the data access approach from sync to on-demand.

Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1. When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. An environment with an enterprise certificate authority can enable certificate autoenrollment to enable trusted certificates on the RDP listener, thus removing the prompt. To get OS X clients to accept the certificate takes a little extra configuration not required on Windows clients.

Enabling the App-V client and UE-V client in Windows 10 Enterprise Build 14316 via PowerShell and viewing the behaviour of filter drivers for each client.

I’ve recently added a new PC to my home lab - the Intel NUC6i5SYB, to replace a Lenovo laptop that I’ve been using to host VMs on Hyper-V. In this article, I’ll cover an overview of the NUC, how I’ve configured this device and some details on performance.

I use several physical PCs and virtual machines. I use OS X and Windows. I (sometimes) write PowerShell scripts to perform various tasks.

With an App Store now on the Apple TV, is the latest Apple TV 4 the ultimate media centre? I think it comes pretty darn close and here’s why.

Now that we’ve covered the main questions in the survey - which hypervisors are in use, the VDI solutions are run on those hypervisors, how master images are built, the automation solutions used to build images and the solutions used to deliver images to SBC and VDI environments, we’ll take a short look at how often master images are updated.

In the previous article, we covered which automation solutions are in use to create (and manage) master images. In this article we’ll cover what tools or technologies are used to deliver an image to an end-point (that being a virtual machine or a physical device).

Thamim Karim has worked across the globe assisting customers with their user experience and application deployment strategies offering both consultancy and training services. He also has made many speaker appearances at conferences including TechEd, App-V User Groups and Microsoft Ignite.

Previously we’ve looked at which hypervisors are in use and the virtual desktop solutions deployed on those hypervisors, so now we’ll take a look at how organisations are building their master images.

Digging further into the details of the data we’ve gathered from our OS Automation survey, let’s take a look at the virtual desktop platforms in use by those who responded. I’ll largely present this as is and leave any further analysis for later articles.

Some older applications (and perhaps even some newer applications) will prompt for elevation on Windows via User Account Control (UAC) - this might be a valid request for elevation, but in the case of many older applications it’s because they expect to run with administrative rights.

We had an amazing response to our OS automation deployment survey with well over 700 respondents. In this series of articles to be posted here and on xenappblog.com, we’ll cover and analyse the results.

Here’s is a list of articles and resources for delivering the currently supported versions of Microsoft Office with App-V 5.

Kevin Kaminski, a long time App-V MVP based in Calgary, Canada. He’s a long time presenter at events such as BriForum and MMS. As well as consulting on application delivery, he provides training services for App-V and application packaging._

Here’s a review of my experiences with the Microsoft Surface 3 and some thoughts on the hardware and running Windows 10 on the device.

Operating system support for App-V is ultimately determined by the Microsoft Product Support Lifecycle. You can search the Product Support Lifecycle page for “Application Virtualization” to return the product lifecycle for all versions of App-V. This FAQ covers the most recent version of App-V: 5.1.

We’re into the closing days of the OS Deployment Automation Survey over at xenappblog.com and we need you to help make this a success. So far we’ve had a great response with over 600 people taking part, but with a week still left there’s still plenty of time to get involved.

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

Microsoft Application Virtualization (App-V) can be downloaded in a number of locations; however you will first require access to these locations which are typically via a paid subscription or because you have paid for licenses.

This article is part of the Microsoft Application Virtualization 5 FAQ series. Last update: September 1st, 2015

This article is part of the Microsoft Application Virtualization 5 FAQ series.

Citrix have made available the recording of our session at Synergy 2015 in Orlando - I’ve Got 99 Problems and Folder Redirection is Every One of Them. This is a standard 45-minute, level 400 session. Shawn and I will be repeating this as a 75-minute session at BriForum Denver with additional content and testing scenarios.

Helge, Shawn and myself had a great session this week at Citrix Synergy with our session SYN502: I’ve got 99 problems, and folder redirection is every one of them.

Citrix Synergy 2015 is just next week, so for me that means several things - attending CTP meetings (from about 8:00 am to 9:00 pm each day) on the Sunday and Monday, presenting a Geek Speak Live session on Tuesday, helping to man the Atlantis booth on the solutions expo floor, taking part in Geek Speak on Wednesday evening, meet old and new friends and generally have some fun.

I received a Citrix X1 Prototype mouse a few days ago, so I’ve put together here a short video that shows paring the mouse and using it in a remote Windows 8 desktop.

I’ve previously covered the use of AppSense DataNow as an alternative to folder redirection and Offline Files. In that article I provided an approach to using DataNow to sync a copy of the user’s home drive locally instead of redirecting user folders to the network. I’ve previously used a beta version of DataNow and with the release of DataNow 3.5, I want to take an updated look at this solution.

A conversation about desktop virtualisation will invariably turn to the topic of persistent vs. non-persistent. Anyone new to VDI or Server Based Computing (SBC), may need persistent and non-persistent defined in context. This is a discussion that I have on a semi-regular basis, so for easy reference, I’d thought I would put down a discussion on this topic into an article.

There’s a particular behaviour in Outlook for Mac, that for several years I have thought was a bug. If you reply to an email, you often only get some of the text from the original email, rather than the entire email being copied into the reply. Like this:

Last week, thanks to xenappblog.com, Helge Klein and I presented a webinar titled: How Folder Redirection Impacts User Experience and Breaks Applications. This was a great webinar for us to present thanks to Eric. This is the first time Helge and I have presented this topic together - previously Helge and Shawn Bass presented at BriForum London and Shawn and I presented it as BriForum Boston.

The independent R&D project ‘Virtual Reality Check’ (VRC) was started in early 2009 by Ruben Spruijt (@rspruijt) of PQR and Jeroen van de Kamp (@thejeroen) of Login Consultants, and focuses on research in the desktop and application virtualization market. Several white papers with Login VSI test results were published about the performance and best practices of different hypervisors, Microsoft Office versions, application virtualization solutions, Windows Operating Systems in server hosted desktop solutions and the impact of antivirus in VDI environments.

This is the forth in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass.

This is the second in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass.

I wrote previously about automating the creation of an MCS-based machine catalog in XenDesktop with PowerShell, so in this article I’ll cover updating that machine catalog via PowerShell.

Separate to this article would be the process of creating the updated image - that could be done manually (by updating the existing master image), or by automating a new master image deployment with MDT, or any other method that you can think of.

Just as with creating the machine catalog, the PowerShell output from Studio when updating a catalog is a place to start - the code provided isn’t reusable without some effort to make it work.

Linking the Code to the UI

I’ll walk briefly through the wizards to show, in part, how the code relates to each step when updating a machine catalog via the Studio UI.

In this case, I’ve already created the machine catalog and updated my master image and created a snapshot. The hypervisor isn’t important because Citrix Studio abstracts this from the process when performing the update (I do need to be using the same infrastructure as the target catalog).

To find the snapshot to use, I’ve obtained the path to the master image and a specified snapshot via the Get-ChildItem command (on the path XDHyp:\HostingUnits<Storage Resource>). This is essentially a path/directory that I can parse - I’ve explicitly specified the master image and the snapshot to use. I need the path to the snapshot so that I can use that in the publish step for the image update.

Get-ChildItem "XDHyp:\HostingUnits\"

I can choose from a couple of rollout strategies for the image update - I can choose to update on next shutdown of the desktop, or update immediately (with a specified delay).

Start-BrokerRebootCycle is used to control the the reboot cycle, but this is called at the end of the script to ensure the update process is completed first.

Start-BrokerRebootCycle -InputObject @(<Machine Catalog Name>) -RebootDuration 120 -WarningDuration 15 -WarningMessage <message> -WarningTitle <message>

Publish-ProvMasterVmImage is used to publish the image. The process can then be monitored by getting updates for the process via Get-ProvTask. I’ve opted to show a progress bar while the update is on-going before initiating the desktop reboot.

There’s plenty that the wizard does to hide the complexity of setting up a catalog from the administrator. If you attempt the same via PowerShell, what goes on under the hood is laid bare.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated:

• The code will get a specified snapshot from the target VM. I’ve done this to ensure I’m using the correct version of the image
• Publish the image update to the catalog
• Monitor the update process until completion
• Start the desktop reboot cycle

At this stage, I haven’t added too much error checking, but an important step to add will be to check that the image update process was successful and rollback if it wasn’t.

#---------------------------------------------------------------------------
## Author: Aaron Parker
## Desc:   Using PowerShell to update a XenDesktop 7.x machine catalog 
## Date:   Oct 27, 2014
## Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------

## Set variables for the target infrastructure
## ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

## Hypervisor and storage resources
## These need to be configured in Studio prior to running this script
## This script is hypervisor and management agnostic - just point to the right infrastructure
$storageResource = "HV2-EVOPro" #Storage
$hostResource = "Lab vCenter" #Hypervisor management

## Master image properties
$machineCatalogName = "Windows 8 vSphere"
$masterImage ="Windows8*"
$snapshot = "VDA 7.6"

$messageDetail = "Your computer has been updated and will be automatically restarted in 15 minutes."
$messageTitle = "Help desk message"
## ----------

## Load the Citrix PowerShell modules
Write-Verbose "Loading Citrix XenDesktop modules."
Add-PSSnapin Citrix*

## Get information from the hosting environment via the XD Controller
## Get the storage resource
Write-Verbose "Gathering storage and hypervisor connections from the XenDesktop infrastructure."
$hostingUnit = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits" | Where-Object { $_.PSChildName -like $storageResource } | Select-Object PSChildName, PsPath
## Get the hypervisor management resources
$hostConnection = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\Connections" | Where-Object { $_.PSChildName -like $hostResource }

## Get the broker connection to the hypervisor management
## http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/get-brokerhypervisorconnection-xd75.html
$brokerHypConnection = Get-BrokerHypervisorConnection -AdminAddress $adminAddress -HypHypervisorConnectionUid $hostConnection.HypervisorConnectionUid

## Set a provisioning scheme for the update process
## http://support.citrix.com/proddocs/topic/citrix-machinecreation-admin-v2-xd75/set-provschememetadata-xd75.html
$ProvScheme = Set-ProvSchemeMetadata -AdminAddress $adminAddress -Name 'ImageManagementPrep_DoImagePreparation' -ProvisioningSchemeName $machineCatalogName -Value 'True'

## Get the master VM image from the same storage resource we're going to deploy to. Could pull this from another storage resource available to the host
Write-Verbose "Getting the snapshot details for the catalog: $machineCatalogName"
$VM = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits\$storageResource" | Where-Object { $_.ObjectType -eq "VM" -and $_.PSChildName -like $masterImage }
## Get the snapshot details. This code will grab a specific snapshot, although you could grab the last in the list assuming it's the latest.
$VMSnapshots = Get-ChildItem -AdminAddress $adminAddress $VM.FullPath -Recurse -Include *.snapshot
$TargetSnapshot = $VMSnapshots | Where-Object { $_.FullName -eq "$snapshot.snapshot" }

## Publish the image update to the machine catalog
## http://support.citrix.com/proddocs/topic/citrix-machinecreation-admin-v2-xd75/publish-provmastervmimage-xd75.html
$PubTask = Publish-ProvMasterVmImage -AdminAddress $adminAddress -MasterImageVM $TargetSnapshot.FullPath -ProvisioningSchemeName $machineCatalogName -RunAsynchronously
$provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $PubTask

## Track progress of the image update
Write-Verbose "Tracking progress of the machine creation task."
$totalPercent = 0
While ( $provTask.Active -eq $True ) {
    Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

    Write-Progress -Activity "Provisioning image update" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
    Sleep 15
    $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $PubTask
}

## Start the desktop reboot cycle to get the update to the actual desktops
## http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/start-brokerrebootcycle-xd75.html
Start-BrokerRebootCycle -AdminAddress $adminAddress -InputObject @($machineCatalogName) -RebootDuration 60 -WarningDuration 15 -WarningMessage $messageDetail -WarningTitle $messageTitle

Comments or feedback on bugs, better ways to do things or additional steps is welcome. the code is provided as-is, so ensure you test before using in a production environment.

Adding Microsoft App-V publishing information to a XenDesktop or XenApp 7.x site is very easy via the Citrix Studio UI, but what if you want to automate this process? Of course, you’ll need to reach for PowerShell.

What may not be widely known is that you can add additional App-V publishing configuration to a XenDesktop site beyond what you see in the UI. This allows you to set publishing information per delivery group. Useful for complex XenDesktop sites such as multi-tenant environments.

Creating the App-V publishing information with PowerShell is a multi step process. You’ll need to create the publishing information with New-CtxAppVServer and then apply the configuration with New-BrokerMachineConfiguration.

Applying this in practice however may ultimately require testing the App-V management and publishing servers and ensuring that the configuration does not already exist before adding it.

So to do that, I’ve written a function that will take the App-V Management and Publishing servers as parameters, ensure that they test OK and check that the configuration does not already exist before importing the configuration into the site.

This function is fairly basic and while it does do some error checking, it could probably go a little further to ensure the configuration is applied successfully.

Function Set-CtxAppvConfig {
    <#
        .SYNOPSIS
            Sets new App-V publishing information in a XenDesktop site.
 
        .DESCRIPTION
            This function can be used to set or add App-V publishing information in a XenDesktop or XenApp 7.x site.
 
        .PARAMETER AdminAddress
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER AppvMgmtSvr
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER AppvPubSvr
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER Description
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .EXAMPLE
            Set-CtxAppvConfig -AdminAddress 'xd71.home.stealthpuppy.com' -AppvMgmtSvr 'http://appv1:8080' -AppvPubSvr 'http://appv1:80' -Description 'Created by PowerShell'
 
        .NOTES
 
        .LINK
    #>
    param(
        [Parameter(Mandatory = $false, Position = 0, HelpMessage = "XenDesktop Controller address.")]
        [string]$AdminAddress = 'localhost',

        [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Microsoft App-V Management Server address.")]
        [string]$AppvMgmtSvr = $(throw = "Please specify an App-V Management Server address."),

        [Parameter(Mandatory = $true, Position = 2, HelpMessage = "Microsoft App-V Publishing Server address.")]
        [string]$AppvPubSvr = $(throw = "Please specify an App-V Publishing Server address."),

        [Parameter(Mandatory = $true, Position = 2, HelpMessage = "App-V publishing configuration description.")]
        [string]$Description = $(throw = "Specify a description to apply to the App-V publishing information. Specify 'Created by Studio' to set the App-V publishing inforamtion viewed in Citrix Studio.")
    )

    Function Add-AppvConfig {
        # Add the AppV Server settings to the new specified settings
        Write-Verbose "Setting App-V Management Server to specified URI."
        #http://support.citrix.com/proddocs/topic/citrix-appv-admin-v1-xd71/new-ctxappvserver-xd71.html
        $newAppvConfig = New-CtxAppVServer -ManagementServer $AppvMgmtSvr -PublishingServer $AppvPubSvr

        # Applying configuration to the site
        Write-Verbose "Saving configuration to the site."
        #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokermachineconfiguration-xd75.html
        $machineConfig = New-BrokerMachineConfiguration -AdminAddress $AdminAddress -ConfigurationSlotUid 3 -LeafName 1 -Description "Created by Studio" -Policy $newAppvConfig -Verbose
    }

    # Obtain FQDN from Management server URL
    $urlGroups = [regex]::Match($AppvMgmtSvr, '^(?&lt;protocol&gt;(http|https))://(?&lt;fqdn&gt;([^:]*))((:(?&lt;port&gt;\d+))?)').Groups

    # Test specified Management Server.
    Write-Verbose "Testing Management Server."
    If (Test-CtxAppVServer -AppVManagementServer $urlGroups["fqdn"].Value -ErrorAction SilentlyContinue -ErrorVariable $manError) {
        Write-Verbose "Management Server tested OK."

        # Test specified Publishing Server
        Write-Verbose "Testing Publishing Server."
        If (Test-CtxAppVServer -AppVPublishingServer $AppvPubSvr -ErrorAction SilentlyContinue -ErrorVariable $pubError) {
            Write-Verbose "Publishing Server tested OK."
            # Get any existing AppV configuration from the broker
            #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd71/get-brokermachineconfiguration-xd71.html
            If ($Config) { Remove-Variable Config }
            $Config = Get-BrokerMachineConfiguration -AdminAddress $AdminAddress -Name AppV* -ErrorAction SilentlyContinue

            $cfgMatch = $False
            If ($Config) {
                ForEach ($cfg in $Config) {

                    # Grab the AppV configuration details
                    #http://support.citrix.com/proddocs/topic/citrix-appv-admin-v1-xd71/get-ctxappvserver-xd71.html
                    $appvConfig = Get-CtxAppVServer -ByteArray $cfg.Policy

                    # If the existing Management Server matches the specified Management Server
                    If (($appvConfig.ManagementServer -eq $AppvMgmtSvr) -and ($appvConfig.PublishingServer -eq $AppvPubSvr)) {
                        Write-Verbose "Specified config matches existing config."
                        $cfgMatch = $True
                    }
                }

                If (!($cfgMatch)) {
                    # Add config
                    Add-AppvConfig
                }
                Else {
                    Write-Verbose "App-V configuration already exists."
                }
            }
            Else {
                # Add config
                Add-AppvConfig
            }
        }
        Else {
            Write-Error "[Aborting] App-V Publishing Server test failed with: $pubError"
        }
    }
    Else {
        Write-Error "[Aborting] App-V Management Server test failed with: $manError"
    }
}

Please ensure that you test thoroughly before using in a production environment. Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Note - a very big thanks to David Wagner at Citrix (and team) for assisting with working out how to write the App-V publishing information that you see in the Studio UI. This is done by applying the description “Created with Studio” to the publishing configuration (presumably only the first configuration that you apply with that description).

A recent security update for the Remote Desktop Connection client in Windows 7 and Windows Server 2008 R2 has affected both the Microsoft App-V 4.6 and 5.0 client.

Is VMware Horizon View 6 RDS a viable replacement or competitor to Citrix XenApp? A competitor, most certainly. View RDS as a replacement for XenApp deserves further investigation and I recommend no assumptions be made as to the suitability of View RDS, especially if you are a current Citrix customer, or a VMware partner.

App-V Server 5.0 Setup with missing prerequisites

I’ve got a very simple setup in my home lab with a couple of machine running either Hyper-V or ESXi. I typically don’t have monitoring solutions running and manage each host directly, rather than part of a cluster or with SCVMM or vCenter. For Hyper-V, I try to manage it remotely via PowerShell as much as I can and so it’s handy to be able to see memory utilisation on the remote host to understand how much capacity I’ve got before powering on a VM. I’ve written a PowerShell function to return various memory stats:

• Total RAM available in the host - using Get-VMHost.
• Total memory in use by running VMs - by returning the running VMs and finding the current amount of RAM assigned to each VM with Get-VM. This works with dynamic memory.
• Available memory to run additional VMs - using Get-Counter to gather the ‘\Memory\Available Bytes’ performance counter
• How much memory is used by the system - this is calculated by adding what’s in use by VMs, to the available memory and subtracting the results from the physical RAM in the host. This is a rough calculation, but an interesting metric to view.

The function returns an array that includes each stat. Here’s an example of what the function returns. All values are in gigabytes and multiple hosts can be specified to gather details from.

PS C:\> Get-HvMem -ComputerName hv1


Name         : hv1
HostRAMGB    : 11.904224395752
VMInUseGB    : 7.12890625
SystemUsedGB : 1.46017837524414
AvailableGB  : 3.31513977050781

Here’s the code listing for the Get-HvMem function:

Function Get-HvMem {
    <#
        .SYNOPSIS
            Return Hyper-V host RAM details.
 
        .DESCRIPTION
            This function returns the total available RAM, RAM in use by VMs and the available RAM on a Hyper-V host.
 
        .PARAMETER ComputerName
            Specifies one or more Hyper-V hosts to retrieve stats from.
 
        .EXAMPLE
            Get-HvRAM -ComputerName hyperv1

        .NOTES
 
        .LINK
            /hyperv-memory-powershell
 
    #>
    param(
        [Parameter(Mandatory=$true, Position=0,HelpMessage="Hyper-V host.")]
        [string[]]$ComputerName = $(throw = "Please specify a remote Hyper-V host to gather memory details from.")
    )

    # Create an array to return
    $allStats = @()

    ForEach ( $computer in $ComputerName ) {

        # Create an array to contain this computer's metrics
        $a = @()

        # Get details for Hyper-V host
        $vmHost = Get-VMHost -ComputerName $computer

        If ($vmHost) {

            # Get total RAM consumed by running VMs.
            $total = 0
            Get-VM -ComputerName $computer | Where-Object { $_.State -eq "Running" } | Select-Object Name, MemoryAssigned | ForEach-Object { $total = $total + $_.MemoryAssigned }

            #Get available RAM via performance counters
            $Bytes = Get-Counter -ComputerName $computer -Counter "\Memory\Available Bytes"

            # Convert values to GB
            $availGB = ($Bytes[0].CounterSamples.CookedValue / 1GB)
            $hostGB = ($vmhost.MemoryCapacity / 1GB)
            $vmInUse = ($total / 1GB)

            # Construct an array of properties to return
            $item = New-Object PSObject

            # Add host name
            $item | Add-Member -type NoteProperty -Name 'Name' -Value $vmHost.Name

            # Host RAM in GB
            $item | Add-Member -type NoteProperty -Name 'HostRAMGB' -Value $hostGB

            # In use RAM in GB
            $item | Add-Member -type NoteProperty -Name 'VMInUseGB' -Value $vmInUse

            # System used in GB
            $item | Add-Member -type NoteProperty -Name 'SystemUsedGB' -Value ($hostGB - ($vmInUse + $availGB))

            # Available RAM in GB
            $item | Add-Member -type NoteProperty -Name 'AvailableGB' -Value $availGB
            $a += $item
        }

        # Add the current machine details to the array to return
        $allStats += $a
    }
    Return $allStats
}

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

My last article was on creating a XenDesktop machine catalog with PowerShell - in this article I’m going to create a Delivery Group which provides access to the virtual machines that a part of that catalog.

Like the last article, I’ve taken the PowerShell generated by Citrix Studio, banged my head against the wall a few times, and improved it to create the code presented in this article.

Linking the Code to the UI

To help explain the code, I’ll first run through the Create Delivery Group wizard and show how the code relates to options in the wizard and the Delivery Group properties.

Add-BrokerMachinesToDesktopGroup assigns virtual machines from a specified Machine Catalog to the new Delivery Group.

Selecting the Machine Catalog and the number of desktops - Add-BrokerMachinesToDesktopGroup -Catalog “Windows 8 x86” -Count 5

Specify the delivery type for this Delivery Group when using New-BrokerDesktopGroup.

Selecting the delivery type - New-BrokerDesktopGroup -DeliveryType ‘DesktopsOnly’

New-BrokerEntitlementPolicyRule is used to assign user or group accounts to the Delivery Group.

Assigning users to the Desktop Group - New-BrokerEntitlementPolicyRule -Name “Windows 8 x86_1” -IncludedUsers “HOME\Domain Users” -DesktopGroupUid 11

Add-BrokerMachineConfiguration adds StoreFront and UPM configurations to a Delivery Group. The function just adds a machine configuration - the configuration is setup separately. To avoid selecting a StoreFront server for the Delivery Group, don’t use this function.

Selecting a StoreFront server - Add-BrokerMachineConfiguration -DesktopGroup “Windows 8 x86” -InputObject @(1005)

When calling New-BrokerDesktopGroup, the Delivery Group name, display or published name and description is specified.

Group name, Display name and description - New-BrokerDesktopGroup -Name “Windows 8 x86” -PublishedName “Windows 8 x86” -Description “Windows 8 x86 with Office 2013, Pooled desktops”

The wizard does not expose all settings for the Delivery Group, so additional settings require opening the properties of the new group. These can be set during creation of the group when using PowerShell.

The same call to New-BrokerDesktopGroup is used to specify user settings including colour depth and time zone preferences.

Controlling various user settings - New-BrokerDesktopGroup -ColorDepth TwentyFourBit -TimeZone “AUS Eastern Standard Time” -SecureIcaRequired $False

New-BrokerDesktopGroup and New-BrokerPowerTimeScheme are both used to manage virtual machine power management settings. Setting or modifying the peak and off peak hours isn’t friendly either.

Virtual machine power management settings - New-BrokerPowerTimeScheme -DisplayName ‘Weekdays’ -DaysOfWeek ‘Weekdays’ -DesktopGroupUid 11; New-BrokerDesktopGroup -OffPeakDisconnectAction Suspend -OffPeakDisconnectTimeout 15

New-BrokerAccessPolicyRule modifies the access policies. This is called twice - once for connections through NetScaler Gateway and once for direct connections.

Modifying access policies - New-BrokerAccessPolicyRule -Name “Windows 8 x86_AG” -AllowedConnections ‘ViaAG’ -AllowedProtocols @(‘HDX’,’RDP’) -DesktopGroupUid 11 -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedSmartAccessTags @() -IncludedUserFilterEnabled $True

Creating the Delivery Group is relatively straight-forward; however there are some additional steps, such as creating a StoreFront server and working out how to manage peak and off peak times, that require a bit more investigation.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated into the code.

#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Using PowerShell to create a XenDesktop 7.x Delivery Group
# Date:   Aug 23, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------
# 

# Set variables for the target infrastructure
# ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

# Desktop Group properties
$desktopGroupName = "Windows 8 desktops"
$desktopGroupPublishedName = "Windows 8 desktops"
$desktopGroupDesc = "Windows 8 x86 with Office 2013, Pooled desktops"
$colorDepth = 'TwentyFourBit'
$deliveryType = 'DesktopsOnly'
$desktopKind = 'Shared'
$sessionSupport = "SingleSession" #Also: MultiSession
$functionalLevel = 'L7'
$timeZone = 'AUS Eastern Standard Time'
$offPeakBuffer = 10
$peakBuffer = 10
$assignedGroup = "HOME\Domain Users"

#Machine Catalog
$machineCatalogName = "Windows 8 x86"
# ----------

# Change to SilentlyContinue to avoid verbose output
$VerbosePreference = "Continue"

# Create the Desktop Group
# http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerdesktopgroup-xd75.html
If (!(Get-BrokerDesktopGroup -Name $desktopGroupName -ErrorAction SilentlyContinue)) {
    Write-Verbose "Creating new Desktop Group: $desktopGroupName"
    $desktopGroup = New-BrokerDesktopGroup -ErrorAction SilentlyContinue -AdminAddress $adminAddress -Name $desktopGroupName -DesktopKind $desktopKind -DeliveryType $deliveryType -Description $desktopGroupPublishedName -PublishedName $desktopGroupPublishedName  -MinimumFunctionalLevel $functionalLevel -ColorDepth $colorDepth -SessionSupport $sessionSupport -ShutdownDesktopsAfterUse $True -TimeZone $timeZone -InMaintenanceMode $False -IsRemotePC $False -OffPeakBufferSizePercent $offPeakBuffer -PeakBufferSizePercent $peakBuffer -SecureIcaRequired $False -TurnOnAddedMachine $False -OffPeakDisconnectAction Suspend -OffPeakDisconnectTimeout 15 -Scope @() 
}

# At this point, we have a Desktop Group, but no users or desktops assigned to it, no power management etc.
# Open the properties of the new Desktop Group to see what's missing.

# If creation of the desktop group was successful, continue modifying its properties
If ($desktopGroup) {

    # Add a machine configuration to the new desktop group; This line adds an existing StoreFront server to the desktop group
    # Where does Input Object 1005 come from?
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/add-brokermachineconfiguration-xd75.html
    # Write-Verbose "Adding machine configuration to the Desktop Group: $desktopGroupName"
    # Add-BrokerMachineConfiguration -AdminAddress $adminAddress -DesktopGroup $desktopGroup -InputObject @(1005)

    # Add machines to the new desktop group. Uses the number of machines available in the target machine catalog
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/add-brokermachinestodesktopgroup-xd75.html
    Write-Verbose "Getting details for the Machine Catalog: $machineCatalogName"
    $machineCatalog = Get-BrokerCatalog -AdminAddress $adminAddress -Name $machineCatalogName
    Write-Verbose "Adding $machineCatalog.UnassignedCount machines to the Desktop Group: $desktopGroupName"
    $machinesCount = Add-BrokerMachinesToDesktopGroup -AdminAddress $adminAddress -Catalog $machineCatalog -Count $machineCatalog.UnassignedCount -DesktopGroup $desktopGroup

    # Create a new broker user/group object if it doesn't already exist
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokeruser-xd75.html
    Write-Verbose "Creating user/group object in the broker for $assignedGroup"
    If (!(Get-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup -ErrorAction SilentlyContinue)) {
        $brokerUsers = New-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup
    } Else {
        $brokerUsers = Get-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup
    }

    # Create an entitlement policy for the new desktop group. Assigned users to the desktop group
    # First check that we have an entitlement name available. Increment until we do.
    $Num = 1
    Do {
        # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/test-brokerentitlementpolicyrulenameavailable-xd75.html
        $Test = Test-BrokerEntitlementPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($desktopGroupName + "_" + $Num.ToString()) -ErrorAction SilentlyContinue
        If ($Test.Available -eq $False) { $Num = $Num + 1 }
    } While ($Test.Available -eq $False)
    #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerentitlementpolicyrule-xd75.html
    Write-Verbose "Assigning $brokerUsers.Name to Desktop Catalog: $machineCatalogName"
    $EntPolicyRule = New-BrokerEntitlementPolicyRule -AdminAddress $adminAddress  -Name ($desktopGroupName + "_" + $Num.ToString()) -IncludedUsers $brokerUsers -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedUserFilterEnabled $False

    # Check whether access rules exist and then create rules for direct access and via Access Gateway
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokeraccesspolicyrule-xd75.html
    $accessPolicyRule = $desktopGroupName + "_Direct"
    If (Test-BrokerAccessPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($accessPolicyRule) -ErrorAction SilentlyContinue) {
        Write-Verbose "Allowing direct access rule to the Desktop Catalog: $machineCatalogName"
        New-BrokerAccessPolicyRule -AdminAddress $adminAddress -Name $accessPolicyRule  -IncludedUsers @($brokerUsers.Name) -AllowedConnections 'NotViaAG' -AllowedProtocols @('HDX','RDP') -AllowRestart $True -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedUserFilterEnabled $True
    } Else {
        Write-Error "Failed to add direct access rule $accessPolicyRule. It already exists."
    }
    $accessPolicyRule = $desktopGroupName + "_AG"
    If (Test-BrokerAccessPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($accessPolicyRule) -ErrorAction SilentlyContinue) {
        Write-Verbose "Allowing access via Access Gateway rule to the Desktop Catalog: $machineCatalogName"
        New-BrokerAccessPolicyRule -AdminAddress $adminAddress -Name $accessPolicyRule -IncludedUsers @($brokerUsers.Name) -AllowedConnections 'ViaAG' -AllowedProtocols @('HDX','RDP') -AllowRestart $True -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedSmartAccessTags @() -IncludedUserFilterEnabled $True
    } Else {
        Write-Error "Failed to add Access Gateway rule $accessPolicyRule. It already exists."
    }

    # Create weekday and weekend access rules
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerpowertimescheme-xd75.html
    $powerTimeScheme = "Windows 8 Pooled Desktop_Weekdays"
    If (Test-BrokerPowerTimeSchemeNameAvailable -AdminAddress $adminAddress -Name @($powerTimeScheme) -ErrorAction SilentlyContinue) {
        Write-Verbose "Adding new power scheme $powerTimeScheme"
        New-BrokerPowerTimeScheme -AdminAddress $adminAddress -DisplayName 'Weekdays' -Name $powerTimeScheme -DaysOfWeek 'Weekdays' -DesktopGroupUid $desktopGroup.Uid -PeakHours @($False,$False,$False,$False,$False,$False,$False,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$False,$False,$False,$False,$False) -PoolSize @(0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0)
    } Else {
        Write-Error "Failed to add power scheme rule $powerTimeScheme. It already exists."
    }
    $powerTimeScheme = "Windows 8 Pooled Desktop_Weekend"
    If (Test-BrokerPowerTimeSchemeNameAvailable -AdminAddress $adminAddress -Name @($powerTimeScheme) -ErrorAction SilentlyContinue) {
        Write-Verbose "Adding new power scheme $powerTimeScheme"
        New-BrokerPowerTimeScheme -AdminAddress $adminAddress -DisplayName 'Weekend' -Name $powerTimeScheme -DaysOfWeek 'Weekend' -DesktopGroupUid $desktopGroup.Uid -PeakHours @($False,$False,$False,$False,$False,$False,$False,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$False,$False,$False,$False,$False) -PoolSize @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
    } Else {
        Write-Error "Failed to add power scheme rule $powerTimeScheme. It already exists."
    }

} #End If DesktopGroup

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Driving XenDesktop with PowerShell is a challenge to say the least. While documentation for the XenDesktop PowerShell modules is OK and Citrix Studio outputs PowerShell code after you’ve completed a task in the console, there’s still plenty of work to get that code into something usable.

As part of an ongoing series of articles themed around automating virtual desktop deployment, I’ve written some PowerShell code to automate the creation of an non-persistent, MCS-based Machine Catalog based on a specific Windows image, that we’ve already automated with a solution such as MDT.

Don’t expect to copy and paste the PowerShell output in Citrix Studio and have a complete script. The code is missing a number of lines that link tasks together. I found this article on the Citrix Blogs quite useful - Using PowerShell to Create a Catalog of Machine Creations Services Machines; however I’ve taken my script a few steps further.

Linking the Code to the UI

While the Create Machine Catalog wizard doesn’t expose everything that goes on behind the scenes when a machine catalog is created, I think it’s still worth showing how specific functions relate to choices that the administrator makes in the wizard.

The screenshots below show just a snippet of the functions required to automate the catalog creation using PowerShell. These walkthrough the same environment that the full code listing at the end of this article is creating. See the image captions for example code that applies to each step.

New-BrokerCataog is used to create the machine catalog and set a number of properties. You’ll see New-BrokerCatalog across a number of these screen shots. First up is setting the broker type - in this instance, I’m deploying a Windows 8 image, so need to choose ‘Windows Desktop OS’:

Selecting the Machine Catalog type - New-BrokerCatalog -SessionSupport SingleSession

Because were using MCS, I’m going to specify that I’m using virtual machines and choose the storage on which to deploy those VMs and use the ProvisioningType parameter on New-BrokerCatalog to specify MCS. This is done in PowerShell via a number of commands - see around line 45 where we specify the hypervisor management and storage resource to use.

Selecting the provisioning type - New-BrokerCatalog -ProvisioningType MCS

Also on the New-BrokerCatalog, we can specify that this is a set of randomly assigned desktops.

Selecting Random or Static desktops - New-BrokerCatalog -AllocationType Random

To find the image to use, I’ve obtained the path to the master image and its snapshot via the Get-ChildItem command (on the path XDHyp:\HostingUnits<Storage Resource>) and passed that to New-ProvScheme.

Selecting the master image and snapshot to use - New-ProvScheme -ProvisioningSchemeName “Windows 8” -HostingUnitName “HV1-LocalStorage” -MasterImageVM “XDHyp:\HostingUnits\HV1-LocalStorage\WIN81.vm\MasterImage.snapshot”

Also with New-ProvScheme we can set the number of virtual CPUs and the amount of RAM to assign to each virtual desktop. To specify the number of desktops to create, we’re actually first specifying the number of AD machine accounts to create via New-AcctADAccount and then creating the same number of desktops to assign to those accounts.

Selecting the virtual machine configurations - New-ProvScheme -VMCpuCount 2 -VMMemoryMB 2048

New-AcctIdentityPool is used to create an identity pool that stores the machine accounts by specifying the naming convention and where the accounts will be stored.

Setting machine account names and location - New-AcctIdentityPool -Domain ‘home.stealthpuppy.com’ -NamingScheme ‘W8-MCS-###’-NamingSchemeType Numeric -OU ‘OU=MCS Pooled,OU=Workstations,DC=home,DC=stealthpuppy,DC=com’

Again we can see where New-BrokerCataog is used to specify the catalog name and description.

Setting the machine catalog name and description - New-BrokerCatalog -Name “Windows 8 x86” -Description “Windows 8.1 x86 SP1 with Office 2013”

There’s plenty that the wizard does to hide the complexity of setting up a catalog from the administrator. If you attempt the same via PowerShell, what goes on under the hood is laid bare.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated:

• This code should find the last snapshot of the target master image; it would be simple enough to specify a particular snapshot if required
• Checking whether provisioning schemes are already available or exist before attempting to create a new provisioning scheme
• Additional checking that some tasks have completed successfully before continuing

#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Using PowerShell to create a XenDesktop 7.x machine catalog 
# Date:   Aug 19, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------

# Set variables for the target infrastructure
# ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

# Hypervisor and storage resources
# These need to be configured in Studio prior to running this script
# This script is hypervisor and management agnostic - just point to the right infrastructure
$storageResource = "HV1-LocalStorage" #Storage
$hostResource = "Lab SCVMM" #Hypervisor management

# Machine catalog properties
$machineCatalogName = "Windows 8 x86"
$machineCatalogDesc = "Windows 8.1 x86 SP1 with Office 2013"
$domain = "home.stealthpuppy.com"
$orgUnit = "OU=MCS Pooled,OU=Workstations,DC=home,DC=stealthpuppy,DC=com"
$namingScheme = "W8-MCS-###" #AD machine account naming conventions
$namingSchemeType = "Numeric" #Also: Alphabetic
$allocType = "Random" #Also: Static
$persistChanges = "Discard" #Also: OnLocal, OnPvD
$provType = "MCS" #Also: Manual, PVS
$sessionSupport = "SingleSession" #Also: MultiSession
$masterImage ="WIN81*"
$vCPUs = 2
$VRAM = 2048
# ----------

# Change to SilentlyContinue to avoid verbose output
$VerbosePreference = "Continue"

# Load the Citrix PowerShell modules
Write-Verbose "Loading Citrix XenDesktop modules."
Add-PSSnapin Citrix*

# Get information from the hosting environment via the XD Controller
# Get the storage resource
Write-Verbose "Gathering storage and hypervisor connections from the XenDesktop infrastructure."
$hostingUnit = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits" | Where-Object { $_.PSChildName -like $storageResource } | Select-Object PSChildName, PsPath
# Get the hypervisor management resources
$hostConnection = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\Connections" | Where-Object { $_.PSChildName -like $hostResource }
$brokerHypConnection = Get-BrokerHypervisorConnection -AdminAddress $adminAddress -HypHypervisorConnectionUid $hostConnection.HypervisorConnectionUid
$brokerServiceGroup = Get-ConfigServiceGroup -AdminAddress $adminAddress -ServiceType 'Broker' -MaxRecordCount 2147483647

# Create a Machine Catalog. In this case a catalog with randomly assigned desktops
Write-Verbose "Creating machine catalog. Name: $machineCatalogName; Description: $machineCatalogDesc; Allocation: $allocType"
$brokerCatalog = New-BrokerCatalog -AdminAddress $adminAddress -AllocationType $allocType -Description $machineCatalogDesc -Name $machineCatalogName -PersistUserChanges $persistChanges -ProvisioningType $provType -SessionSupport $sessionSupport
# The identity pool is used to store AD machine accounts
Write-Verbose "Creating a new identity pool for machine accounts."
$identPool = New-AcctIdentityPool -AdminAddress $adminAddress -Domain $domain -IdentityPoolName $machineCatalogName -NamingScheme $namingScheme -NamingSchemeType $namingSchemeType -OU $orgUnit

# Creates/Updates metadata key-value pairs for the catalog (no idea why).
Write-Verbose "Retrieving the newly created machine catalog."
$catalogUid = Get-BrokerCatalog | Where-Object { $_.Name -eq $machineCatalogName } | Select-Object Uid
$guid = [guid]::NewGuid()
Write-Verbose "Updating metadata key-value pairs for the catalog."
Set-BrokerCatalogMetadata -AdminAddress $adminAddress -CatalogId $catalogUid.Uid -Name 'Citrix_DesktopStudio_IdentityPoolUid' -Value $guid

# Check to see whether a provisioning scheme is already available
Write-Verbose "Checking whether the provisioning scheme name is unused."
If (Test-ProvSchemeNameAvailable -AdminAddress $adminAddress -ProvisioningSchemeName @($machineCatalogName))
{
  Write-Verbose "Success."

  # Get the master VM image from the same storage resource we're going to deploy to. Could pull this from another storage resource available to the host
  Write-Verbose "Getting the master image details for the new catalog: $masterImage"
  $VM = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits\$storageResource" | Where-Object { $_.ObjectType -eq "VM" -and $_.PSChildName -like $masterImage }
  # Get the snapshot details. This code will assume a single snapshot exists - could add additional checking to grab last snapshot or check for no snapshots.
  $VMDetails = Get-ChildItem -AdminAddress $adminAddress $VM.FullPath
  
  # Create a new provisioning scheme - the configuration of VMs to deploy. This will copy the master image to the target datastore.
  Write-Verbose "Creating new provisioning scheme using $VMDetails.FullPath"
  # Provision VMs based on the selected snapshot.
  $provTaskId = New-ProvScheme -AdminAddress $adminAddress -ProvisioningSchemeName $machineCatalogName -HostingUnitName $storageResource -MasterImageVM $VMDetails.FullPath -CleanOnBoot -IdentityPoolName $identPool.IdentityPoolName -VMCpuCount $vCPUs -VMMemoryMB $vRAM -RunAsynchronously
  $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $provTaskId

  # Track the progress of copying the master image
  Write-Verbose "Tracking progress of provisioning scheme creation task."
  $totalPercent = 0
  While ( $provTask.Active -eq $True ) {
    Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

    Write-Progress -Activity "Creating Provisioning Scheme (copying and composing master image):" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
    Sleep 15
    $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskID $provTaskId
  }

  # If provisioning task fails, there's no point in continuing further.
  If ( $provTask.WorkflowStatus -eq "Completed" )
  { 
      # Apply the provisioning scheme to the machine catalog
      Write-Verbose "Binding provisioning scheme to the new machine catalog"
      $provScheme = Get-ProvScheme | Where-Object { $_.ProvisioningSchemeName -eq $machineCatalogName }
      Set-BrokerCatalog -AdminAddress $adminAddress -Name $provScheme.ProvisioningSchemeName -ProvisioningSchemeId $provScheme.ProvisioningSchemeUid

      # Associate a specific set of controllers to the provisioning scheme. This steps appears to be optional.
      Write-Verbose "Associating controllers $xdControllers to the provisioning scheme."
      Add-ProvSchemeControllerAddress -AdminAddress $adminAddress -ControllerAddress @($xdControllers) -ProvisioningSchemeName $provScheme.ProvisioningSchemeName

      # Provisiong the actual machines and map them to AD accounts, track the progress while this is happening
      Write-Verbose "Creating the machine accounts in AD."
      $adAccounts = New-AcctADAccount -AdminAddress $adminAddress -Count 5 -IdentityPoolUid $identPool.IdentityPoolUid
      Write-Verbose "Creating the virtual machines."
      $provTaskId = New-ProvVM -AdminAddress $adminAddress -ADAccountName @($adAccounts.SuccessfulAccounts) -ProvisioningSchemeName $provScheme.ProvisioningSchemeName -RunAsynchronously
      $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $provTaskId

      Write-Verbose "Tracking progress of the machine creation task."
      $totalPercent = 0
      While ( $provTask.Active -eq $True ) {
        Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

        Write-Progress -Activity "Creating Virtual Machines:" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
        Sleep 15
        $ProvTask = Get-ProvTask -AdminAddress $adminAddress -TaskID $provTaskId
      }

      # Assign the newly created virtual machines to the machine catalog
      $provVMs = Get-ProvVM -AdminAddress $adminAddress -ProvisioningSchemeUid $provScheme.ProvisioningSchemeUid
      Write-Verbose "Assigning the virtual machines to the new machine catalog."
      ForEach ( $provVM in $provVMs ) {
        Write-Verbose "Locking VM $provVM.ADAccountName"
        Lock-ProvVM -AdminAddress $adminAddress -ProvisioningSchemeName $provScheme.ProvisioningSchemeName -Tag 'Brokered' -VMID @($provVM.VMId)
        Write-Verbose "Adding VM $provVM.ADAccountName"
        New-BrokerMachine -AdminAddress $adminAddress -CatalogUid $catalogUid.Uid -MachineName $provVM.ADAccountName
      }
      Write-Verbose "Machine catalog creation complete."

   } Else {
    # If provisioning task fails, provide error
    # Check that the hypervisor management and storage resources do no have errors. Run 'Test Connection', 'Test Resources' in Citrix Studio
    Write-Error "Provisioning task failed with error: [$provTask.TaskState] $provTask.TerminatingError"
   }
}

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

I’ve previously posted about retrieving the UUID from a virtual machine hosted on vSphere. UUIDs are useful if you want to uniquely identify a target machine for OS deployment task sequences and the like (e.g. MDT). Here’s how to obtain the UUID from a virtual machine hosted on Hyper-V.

Just like with vSphere, the UUID isn’t a property of the virtual machine that can be queried directly. We need to go via WMI to query the target virtual machine. Note that in this function, I’m using version 2 of the Root\Virtualization WMI namespace (root\virtualization\v2. This means the function as written, will only work on Windows 8 and Windows Server 2012 (and above). If you want to use this function on earlier versions of Hyper-V, remove the “\v2” from the namespace.

As an example, here’s how to retrieve the UUIDs from a set of VMs on a target Hyper-V host named hv1:

C:\> Get-HypervVMUUID -ComputerName hv1 -VM win71, file3, pvs1

Name		BIOSGUID
----		----
WIN71		E6E1A176-0713-4BB0-99E9-4570A1A3A94A 
FILE3		9E9D788A-15E2-4760-A049-9F6EB88677A9 
PVS1		74EFF5BC-A24E-48C3-85BE-12D758FE7AB6

Here’s the full function code listing. Please let me know if you find any bugs:

#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Function that uses retrieves the UUID from a specified VM and
#         formats it into the right format for use with MDT/SCCM etc
# Date:   Aug 18, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------
Function Get-HypervVMUUID {
   <#
        .SYNOPSIS
            Retrieve the UUID from a virtual machine or set of virtual machines.
 
        .DESCRIPTION
            This function will retrieve the UUID from from a virtual machine or set of virtual machines from a Hyper-V host.
 
        .PARAMETER ComputerName
            Specifies the host from which to query the virtual machine or set of virtual machines.
 
        .PARAMETER VM
            Specifies the virtual machine or set of virtual machines (a comma delimited list) from which to obtain the UUID/s.
 
         .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID -ComputerName hv1 -VM win71, win72
 
            This command retrieves the UUIDs from the virtual machines win71 and win72 from the host hv1.
 
        .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID -VM win71, win72
 
            This command retrieves the UUIDs from the virtual machines win71 and win72 from the local host.
 
        .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID
 
            This command retrieves the UUIDs from the all of the virtual machines on the local host.
 
        .NOTES
            /retrieving-a-vms-uuid-from-hyperv/ for support information.
 
        .LINK
            /retrieving-a-vms-uuid-from-hyperv/
    #>
    [cmdletbinding(SupportsShouldProcess=$True)]
    param(
        [Parameter(Mandatory=$false,HelpMessage="Specifies one or more Hyper-V hosts from which virtual machine UUIDs are to be retrieved. NetBIOS names, IP addresses, and fully-qualified domain names are allowable. The default is the local computer — use ""localhost"" or a dot (""."") to specify the local computer explicitly.")]
        [string]$ComputerName,

        [Parameter(Mandatory=$false, Position=0,HelpMessage="Specifies the virtual machine from which to retrieve the UUID.")]
        [string[]]$VM
    )

    # If ComputerName parameter is not specified, set value to the local host
    If (!$ComputerName) { $ComputerName = "." }

    # If VM parameter is specified, return those VMs, else return all VMs
    If ($VM) {
        $UUIDs = Get-VM -ComputerName $ComputerName -VM $VM -ErrorAction SilentlyContinue | Select-Object Name,@{Name="BIOSGUID";Expression={(Get-WmiObject -ComputerName $_.ComputerName -Namespace "root\virtualization\v2" -Class Msvm_VirtualSystemSettingData -Property BIOSGUID -Filter ("InstanceID = 'Microsoft:{0}'" -f $_.VMId.Guid)).BIOSGUID}}
    } Else {
        $UUIDs = Get-VM -ComputerName $ComputerName -ErrorAction SilentlyContinue | Select-Object Name,@{Name="BIOSGUID";Expression={(Get-WmiObject -ComputerName $_.ComputerName -Namespace "root\virtualization\v2" -Class Msvm_VirtualSystemSettingData -Property BIOSGUID -Filter ("InstanceID = 'Microsoft:{0}'" -f $_.VMId.Guid)).BIOSGUID}}
    }

    # Remove curly brackets from the UUIDs and return the array
    ForEach ( $UID in $UUIDs ) { $UID.BIOSGUID = $UID.BIOSGUID -replace "}"; $UID.BIOSGUID = $UID.BIOSGUID -replace "{" }
    Return $UUIDs
}

Running VMs under ESXi will incur a memory overhead for each virtual machine.  You can read about this overhead here: Understanding Memory Overhead. Essentially memory overhead is:

One of the great things I enjoyed about working at Kelway was the access to a pretty solid lab environment. While I do have access to a lab environment at Atlantis (3 in fact), now that I work primarily from home, I really prefer a lab environment that can provide me more flexibility. Only a local environment can do that.

There’s typically not too much that you can do to reduce the size of your master image. You might use application virtualization or layering solutions to reduce the number of master images, but once you work out what needs to go into the core image, that’s going to dictate the size of the image.

In my lab environment, I often want to start a list of virtual machines, but without taxing the system in the process by starting them all at the same time.  I could do that manually, but that’s no fun.

Here’s a short function I wrote to sequentially start a list of virtual machines - the script will start a VM and wait for that VM to boot before starting the next VM. You can optionally also wait additional time before starting the next VM to give the first one some time to finish starting it’s services etc.

This version currently supports Hyper-V only. The script does not currently return anything, but has a number of parameters:

• ComputerName - the name of the Hyper-V host. Specify “.” for the local machine (without quotes)
• VM - specify a comma separated list of VMs
• Wait - the number of seconds to wait between starting a VM after the previous VM. Specify the number of VMs as a number (integer) only. This will default to 180 seconds
• ShowProgress - Specify whether to show progress while starting the VMs. This is cosmetic only, but does give some indication as to how far through the boot process the script is.
• Other standard parameters such as Verbose are supported.

Function Start-SequentialVMs {
    <#
        .SYNOPSIS
            Starts a list of VMs.
 
        .DESCRIPTION
            This function starts a list of VMs sequentially. It will wait until a VM is booted, optionally pause for a number of seconds, before starting the next VM.
 
        .PARAMETER ComputerName
            Specifies the Hyper-V host to start the VM on.
 
        .PARAMETER VM
            Specifies a list of VMs to start.
 
        .PARAMETER Wait
            Specifies a number of seconds to wait after the previous VM has booted successfully. Defaults to 180 seconds.

        .PARAMETER ShowProgress
            Specified whether to show progress as VMs are started.
 
        .EXAMPLE
            Start-SequentialVMs -ComputerName hyperv1 -VMList "sql1", "pvs1", "xd71" -Wait 20

        .NOTES
 
        .LINK 
    #>
    param(
        [Parameter(Mandatory=$true, Position=0,HelpMessage="Hyper-V host.")]
        [string]$ComputerName = $(throw = "Please specify a remote Hyper-V host to start VMs on."),

        [Parameter(Mandatory=$true, Position=1,HelpMessage="List of VMs to start.")]
        [string[]]$VMList = $(throw = "Please specifiy a list of VMs to start"),

        [Parameter(Mandatory=$false)]
        [int]$Wait = 180,

        [Parameter(Mandatory=$false)]
        [bool]$ShowProgress
    )

    # Connect to Hyper-V host before attempting to start VMs. Stop script if unable to connect
    Write-Verbose "Connecting to VM host."
    Get-VMHost -ComputerName $ComputerName -Verbose $False -ErrorAction Stop

    # Start progress at 0
    $Percent = 0

    # Step through list of provided VMs
    ForEach ( $vm in $VMList ) {

        # Convert current location in list of VMs to a percentage
        $Percent = ($VMList.IndexOf($vm)/$VMList.Count) * 100

        # Show progress if specified on the command line
        If ($ShowProgress -eq $True) { Write-Progress -Activity "Starting VMs." -Status "Starting VM $vm." -PercentComplete $Percent }

        # Get status for current VM
        Remove-Variable currentVM -ErrorAction SilentlyContinue
        Write-Verbose "Getting status for VM $vm..."
        $currentVM = Get-VM -ComputerName $ComputerName -Name $vm -ErrorAction SilentlyContinue

        # If the VM exists, then power it on if it is in an Off state
        If ($currentVM.Length -gt 0) {
            If ($currentVM.State -eq "Off" ) {
                Start-VM -ComputerName $ComputerName -Name $vm -Verbose
                
                # Wait for VM to boot and report a heartbeat
                Write-Verbose "Waiting for VM heartbeat."
                Do {
                    Start-Sleep -milliseconds 100
                } Until ((Get-VMIntegrationService $currentVM | ?{$_.name -eq "Heartbeat"}).PrimaryStatusDescription -eq "OK")

                # Wait the specified number of seconds before booting the next VM, unless this is the last VM in the list
                If ($Wait -gt 0 -and $VMList.IndexOf($vm) -lt ($VMList.Count-1)) {
                    Write-Verbose "Waiting for $Wait seconds before starting next VM."
                    Start-Sleep -Seconds $Wait
                }
            } Else {
                Write-Verbose "VM $vm already running."
            }
        } Else {
            Write-Error -Message "Unable to find VM $vm on host $ComputerName." -Category ObjectNotFound
        }
     }
     Write-Verbose "Started VMs."

     # Show progress if specified on the command line
     If ($ShowProgress -eq $True) { Write-Progress -Activity "Starting VMs." -Status "Started all VMs." -PercentComplete 100 }
     Start-Sleep -Seconds 1
}

Save the script as Start-SequentialVMs.ps1 and run it or add the function to your PowerShell profile so that the function is available when starting PowerShell. Use Get-Help to see the full syntax and examples from within a PowerShell window.

Booting a virtual machine under Windows Server 2012 R2 Hyper-V may result in the following:

Update: August 8, 2015 - Microsoft have discontinued the Microsoft Download Manager as of March 2015, so the below workload will no longer work. If fact there are no workaround now, you’ll need to rely on your browser’s download manager. See this article for more info: Using Subscriber Downloads

Multiple Methods

The Deployment Guys have a great article from 2009 that I recommend reading for a overview of customisation methods: Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2. This article is still applicable today and the process hasn’t changed that much between Windows versions. Here are most of the ways that you could edit the default user profile:

• Copy a configured profile over the default profile - this is the most common way of changing the default user experience but this approach is unsupported by Microsoft and therefore I recommend against using it.
• Using Sysprep and the CopyProfile value - this approach requires creating a reference image and using Sysprep to generalise the image. Many enterprise desktop deployments will use reference images so this isn’t too hard; however Microsoft has not documented every setting that is copied to the default user profile, so it’s a bit of pot luck.
• Place a default profile in NETLOGON - a default profile copied to the NETLOGON share of a domain controller (and replicated) will be copied down to the local machine at first logon. The downside of this approach is that there can be only one default profile and it will be copied to all machines, regardless as to whether the profile should apply to that machine or not.
• Commands or scripts run from the RunOnce Registry key to edit the user profile.
• Logon scripts to edit the user profile.
• Group Policy Preferences - GPP has become more prevalent in the past few years, so should now be available across the board.
• Editing the default profile directly, typically during an automated deployment, but you could run the same script on any existing PC.

So there are multiple methods (of driving yourself to madness), I’d recommend experimenting with each approach and you’ll most likely implement a combination of approaches to best suit your environment.

Group Policy As A Last Resort

Group Policy is great, until it isn’t. Group Policy is pervasive and every Windows admin is familiar with it, but there a two things to consider when using it to manage the default user experience:

1. Group Policy is is a policy - that is, if you’re using policies to manage default user settings, the user cannot then change to their own preference.
2. Group Policy Preferences must be processed to determine whether they have been applied. Whilst GPPs can implement a preference rather than a policy, Windows must determine whether the preference has been applied by reading a flag. Whilst checking those flags isn’t a big problem, implementing GPPs should be considered in the context of whatever else is running at logon, how many preferences are implemented plus what happens to the environment over time (how many additional policies, applications, scripts etc. will be added to the environment over the life of that desktop).

I have seen many organisations over-relying on Group Policy and missing the most important component user environment management - change control and ownership. Group Policy becomes a black hole, complete with settings that no one can remember why they were implemented and settings that are no longer relevant. Group Policy Preferences are great for replacing logon scripts, but use Group Policy and GPP sparingly so as not to adversely affect the user experience.

A Better Way - Edit the Default Profile Directly

My preferred method for modifying the default user experience is to edit the default user profile directly using a script that is run during Windows deployment. This type of script can also be run on existing machines or used in combination with CopyProfile. A benefit of this approach is that you can modify the default profile with or without a reference image.

Editing the Default Profile

To edit the default profile, we’ll use the command line tool REG to mount and make changes to the default user registry hive. Additionally we can make folder and file changes to the default profile and a couple of other command line tools to perform tasks such as pin and unpin shortcuts or change the Windows 7 Libraries. As far as this article is concerned, the default profile is in its default location, usually C:\Users\Default. In a script, you could refer to this location as %SystemDrive%\Users\Default.

Finding Settings

To find the profile locations to modify there’s a couple of methods that I rely on:

• Google (or your favourite search engine)
• Process Monitor and Process Explorer

In most cases, someone (or even Microsoft) will have documented a registry value or profile location that is used to store a setting. More obscure or new settings will require detecting the location with Process Monitor. For example, to determine where a setting is stored in the Registry, create a filter in Process Monitor using the process name or process ID, additionally filtering on the operation such as RegSetValue, as shown below:

A trace with Process Monitor when making a preference change should result in something like this:

Regshot is also useful for comparing a before and after change to the profile for determining registry value locations.

Additionally Process Explorer can be useful for tracking down a process that might be responsible for writing a setting by viewing the command line used to launch the process. Finding settings can sometimes be a time consuming process, but once found and documented, you’ve got a detailed understanding of the default profile.

Editing the Registry

To make direct registry edits to the default user profile, the REG command line utility is used to load the default profile registry hive, change a registry value and then unload the hive, saving it back to the default profile. The following lines show a rough example of how this is done:

REG LOAD HKU\DefaultUser %SystemDrive%\Users\Default\NTUSER.DAT
REG ADD HKU\DefaultUser\Software\KeyName /v ValueName /d Data /t REG_SZ /f
REG UNLOAD HKU\DefaultUser

Note that this will need to be run with administrative privileges and in an elevated context, so that you have write access to the default profile.

Pinning and Unpinning Shortcuts

A common requirement is to modify the the pinned shortcuts on the Taskbar or Start menu. This can be automated using a script, which needs to run a first logon (either as the user, or in the profile copied over the default profile via Sysprep/CopyProfile). Unfortunately I can’t find the original source for this script; however it works quite well and allows you to pin shortcuts to and unpin shortcuts from the Taskbar and Start menu via a command line. The script is available here:

[download id="62″ format="1″]

Note that Windows 8 and above, do not expose a programatic method to pin and unpin shortcuts to the Start screen. If you’re looking to customise the Start screen, refer to this existing article: Customizing the Windows 8.1 Start Screen? Don’t follow Microsoft’s guidance.

Modifying the Windows Libraries

By default, the Libraries introduced in Windows 7, include the public folder locations. Removing these or adding locations requires editing the Libraries; however they’re stored in XML files and are created at first logon. To modify the libraries, you can use a command line tool ShLib.exe. Like pinning and unpinning shortcuts, this tool also needs to be run at first logon (and won’t work via CopyProfile). This article, Administratively Create and Modify Windows 7 Libraries, covers the use of ShLib.exe quite well.

Implementing a Script to Modify the Default Profile

Once you’ve created your script to make changes to the default registry, modify the default profile folder locations, pin and unpin shortcuts and make changes to the Libraries, you’ll need to implement the changes on the target PCs via script. Using an automation solution such as the Microsoft Deployment Toolkit (or an ESD like System Center Configuration Manager) the script can be run during a deployment task sequence. In the case of MDT, the script will be run after Windows unattended setup has completed in the local Administrator context. This way the script will have full elevation and write access to the default profile. An ESD solution will typically run the script via the local SYSTEM account. If you need to make changes to existing PCs, you’ll need a method to do so, such as an advertisement in Configuration Manager. If you take this approach, you can combine a script that makes direct changes to the default profile with the CopyProfile approach. That allows you to modify the profile for deployments from an unmodified OS as well as a custom image, keeping consistency across deployment types.

Example Scripts

Included here, along with some notation, are some example scripts for modifying the Windows 7 and Windows 8.1 default profiles. These example scripts include creation of a script at runtime that will run during first logon of any new profile. This is implemented as a batch file to keep things as simple as possible. Users will see a Command Prompt window as the script runs (but only once). The command lines includes in the script could be implemented with a UEM solution such as AppSense Environment Manager or even Group Policy to improve the user experience.

Windows 7

Here’s a sample script that will modify the default profile on a Windows 7 PC (x86 and x64). At a high level, the script will perform the following steps:

• Load and modifies the registry of the default profile
• Copies ExecuteVerbAction.VBS and ShLib.exe to folder under %ProgramFiles%
• Creates a batch script that will run on first logon to edit the Libraries and pin/unpin shortcuts. Once the script runs for the user, it will delete itself.

@ECHO OFF
REM Load the default profile hive
SET HKEY=HKU\Default
REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT

REM Sound and end-application
REG ADD "%HKEY%\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f

REM Command Prompt settings
REG ADD "%HKEY%\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Command Processor" /v CompletionChar /t REG_DWORD /d 9 /f
REG ADD "%HKEY%\Software\Microsoft\Command Processor" /v PathCompletionChar /t REG_DWORD /d 9 /f
REG ADD "%HKEY%\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections" /v SaveConnections /d "no" /t REG_SZ /f

REM Language bar - only apply if using single regional settings
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f

REM Windows Explorer and Start Menu
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ServerAdminUI /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AdminToolsRoot /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_PowerButtonAction /t REG_DWORD /d 2 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowDownloads /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyGames /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuAdminTools /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuFavorites /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSizeMove /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "%HKEY%\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f

REM Set IE as default browser, prevent prompting user
REG ADD "%HKEY%\Software\Clients\StartmenuInternet" /ve /d "IEXPLORE.EXE" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice" /v Progid /d "IE.AssocFile.URL" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice" /v Progid /d "IE.AssocFile.SVG" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice" /v Progid /d "IE.AssocFile.PARTIAL" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice" /v Progid /d "IE.AssocFile.WEBSITE" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v Progid /d "IE.HTTPS" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v Progid /d "IE.FTP" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice" /v Progid /d "IE.HTTP" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\message/rfc822\UserChoice" /v Progid /d "IE.message/rfc822" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\text/html\UserChoice" /v Progid /d "IE.text/html" /f

REM Additional Internet Explorer options
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 2 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local" /v * /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\New Windows\Allow" /v *.domain.local /t REG_BINARY /d 0000 /f

REM Windows Media Player
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f

REM Help and Support
REG ADD "%HKEY%\Software\Microsoft\Assistance\Client\1.0\Settings" /v OnlineAssist /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\Assistance\Client\1.0\Settings" /v IsConnected /d 1 /t REG_DWORD /f

REM Remove localisation - Themes, Feeds, Favourites
REG DELETE "%HKEY%\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v mctadmin /f

REM Snipping Tool
REG ADD "%HKEY%\Software\Microsoft\Windows\TabletPC\Snipping Tool" /v ShowCaptureStroke /d 0 /t REG_DWORD /f

REM Unload the default profile hive
REG UNLOAD %HKEY%

REM Setup Taskbar unpin items on first login
IF NOT EXIST "%ProgramFiles%\Scripts" MD "%ProgramFiles%\Scripts"
COPY /Y ExecuteVerbAction.VBS "%ProgramFiles%\Scripts\ExecuteVerbAction.VBS"
COPY /Y ShLib.exe "%ProgramFiles%\Scripts\ShLib.exe"

MD "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ECHO @ECHO OFF > "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO cscript.exe "%ProgramFiles%\Scripts\ExecuteVerbAction.vbs" "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk" UnpinFromTaskbar >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Documents.library-ms" %PUBLIC%\Documents >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Music.library-ms" %PUBLIC%\Music >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Pictures.library-ms" %PUBLIC%\Pictures >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Videos.library-ms" %PUBLIC%\Videos >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO DEL /Q "%%APPDATA%%\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd" >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"

If you use this in a production environment, please test and confirm each setting to ensure you understand what the script will implement.

Windows 8.1

Here’s a sample script that will modify the default profile on a Windows 8.1 PC (x86 and x64). At a high level, the script will perform the following steps:

• Load and modifies the registry of the default profile
• Import a pre-configured Start screen
• Copies ExecuteVerbAction.VBS and ShLib.exe to folder under %ProgramFiles%
• Creates a batch script that will run on first logon to edit the Libraries and pin/unpin shortcuts. Once the script runs for the user, it will delete itself

@ECHO OFF
REM Load the default profile hive
SET HKEY=HKU\Default
REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT

REM Sound and end-application
REG ADD "%HKEY%\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f

REM Command Prompt settings
REG ADD "%HKEY%\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections" /v SaveConnections /d "no" /t REG_SZ /f

REM Language bar - only apply if using single regional settings
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f

REM Windows Explorer
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSizeMove /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "%HKEY%\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f

REM Windows 8 navigation settings
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v OpenAtLogon /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v DesktopFirst /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MakeAllAppsDefault /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MonitorOverride /t REG_DWORD /d 0 /f

REM Set IE as default browser, prevent prompting user
REM	REG ADD "%HKEY%\Software\Clients\StartmenuInternet" /ve /d "IEXPLORE.EXE" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice" /v Progid /d "IE.AssocFile.URL" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice" /v Progid /d "IE.AssocFile.SVG" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice" /v Progid /d "IE.AssocFile.PARTIAL" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice" /v Progid /d "IE.AssocFile.WEBSITE" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v Progid /d "IE.HTTPS" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v Progid /d "IE.FTP" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice" /v Progid /d "IE.HTTP" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\message\rfc822\UserChoice" /v Progid /d "IE.message/rfc822" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\text\html\UserChoice" /v Progid /d "IE.text/html" /f

REM Additional Internet Explorer options
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 2 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local" /v * /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\New Windows\Allow" /v *.domain.local /t REG_BINARY /d 0000 /f

REM Windows Media Player
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f

REM Unload the default profile hive
REG UNLOAD %HKEY%

REM Configure the default Start Screen
IF NOT EXIST %SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows MD %SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows
POWERSHELL -NonInteractive -Command Import-StartLayout -LayoutPath .\CustomStartScreenLayout.bin -MountPath %SystemDrive%\

REM Setup Taskbar unpin items on first login
IF NOT EXIST "%ProgramFiles%\Scripts" MD "%ProgramFiles%\Scripts"
COPY /Y ExecuteVerbAction.VBS "%ProgramFiles%\Scripts\ExecuteVerbAction.VBS"
COPY /Y ShLib.exe "%ProgramFiles%\Scripts\ShLib.exe"

MD "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ECHO @ECHO OFF > "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
REM	ECHO cscript.exe "%ProgramFiles%\Scripts\ExecuteVerbAction.vbs" "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk" UnpinFromTaskbar >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Documents.library-ms" %PUBLIC%\Documents >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Music.library-ms" %PUBLIC%\Music >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Pictures.library-ms" %PUBLIC%\Pictures >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Videos.library-ms" %PUBLIC%\Videos >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO DEL /Q "%%APPDATA%%\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd" >> "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"

If you use this in a production environment, please test and confirm each setting to ensure you understand what the script will implement.

Summing Up

There are numerous ways to edit the default profile, some more complicated and involved than others. It’s my view that the best way to modify the default profile is targeting the required settings, which does mean more work. However, this approach results in a better understanding of the user environment and with any luck a better user experience.

Each new major release of Windows results in less modifications, so your job will be easier. There are a few scripts and tools you’ll need to have in place and I’m confident the approach outlined here will result in happy users (or at least users who aren’t complaining).

In the next article on the same subject, I’ll cover customising the default profile for Remote Desktop Services Session Hosts.

I have too many devices but not one of them runs Android. A good part of my job is testing, presenting and demoing, so it’s handy being able to show the user experiences across different devices. One of everything is perhaps going a bit too far, so I’d prefer to run Android as a VM.

Microsoft announced some interesting new features in Windows Server 2012 R2 at TechEd 2013 and one of those that piqued my interest is Work Folders. I’m not the biggest fan of Redirected Folders and Offline files, but it’s essentially the only enterprise solution Microsoft provides today for taking your data offline. Microsoft needs to provide a completely new method of syncing file data - one that is designed for todays use cases and computing environment.

Citrix provides a nice wizard for installing the XenDesktop 7 VDA and some pretty good documentation on using a command line installation, but the wizard does not expose all of the available options and working out what the wizard is doing in relation to the command line takes a bit of translation. Here’s how to automate a typical VDA deployment.

The Microsoft Deployment Toolkit provides a Lite Touch deployment model - typically a device requires an engineer to manually start the deployment task sequence. Using PowerShell to drive MDT offers the chance to provide a little more automation around OS deployments.

Here’s an overview of my talk from Citrix Synergy 2013 - Hands off my gold image!  If you were unable to attend Synergy or missed my session, this is a short version of the talk, but hopefully it will give you an idea of what was covered.

Here’s a deployment demo that I showed during my Geek Speak Live session at Citrix Synergy 2013 at Anaheim last week as well as during BriForum London 2013 when I had the opportunity to co-present a session with fellow CTP, Jim Moyle.

Here’s another demo that I showed during my Geek Speak Live session at Citrix Synergy 2013 at Anaheim yesterday.

Thanks to everyone who attended my Geek Speak Live session at Citrix Synergy 2013 in Anaheim yesterday. I’ll post details about the session and the slide deck next week for those who couldn’t attend.

At Citrix Synergy in Anaheim next month, I’ll have the opportunity to present a Geek Speak Live session - Hands Off My Gold Image! If you aren’t automating the creation of your gold images, there’s lots to learn in this session. Even if you are automating your gold images, perhaps there’s something new that I can still share with you. In this session, which will be demo heavy, I’ll show you some ways that you can deliver build automation with toolsets provided by Microsoft and Citrix.

With thanks to Nicke’s latest post, the App-V Recipes and Tips list has hit 400 links!

While working on a PowerShell script to drive OS deployment through MDT, I’ve needed to obtain the UUID from a target virtual machine. Unfortunately this isn’t just a property of the VM that you get through Get-VM. Instead you’ll need jump through a few hoops to retrieve the right UUID.

It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little preparation. Before embarking on sequencing Firefox, please refer to this companion article - Prepare Mozilla Firefox for Enterprise Deployment and Virtualization - which covers configuring a Firefox installation for virtualizing. It’s important that Firefox is configured correctly for virtualization by disabling specific features.

The App-V 5 Sequencer, just like version 4.6 SP1, includes support for Sequencer Templates. These are an ideal approach for ensuring the use of the same set of Sequencer settings and exclusions across all packages.

I’ve previously written articles on virtualizing Mozilla Firefox, but with Firefox releases more regular these days and the release of App-V 5, it makes sense to split details on configuring Firefox for an enterprise deployment and virtualizing Firefox into separate articles.

Connection Groups (or Dynamic Suite Composition v2) in App-V 5.0 are great for enabling separate App-V packages to talk to each other. Connection Groups are easy enough to deploy with the App-V Management Server or Configuration Manager 2012; however that isn’t the case for stand-alone scenarios or 3rd party ESDs.

One of the great promises of application virtualization is dynamic delivery of software to end-points; however delivering plugins or add-ons to installed (i.e. not virtualized) software has thus far been a stumbling block.

Two recent releases presents an opportunity to revisit the state of virtualizing Apple iTunes. iTunes 11 looks great, but is it just lipstick on a pig? Under the hood, it doesn’t appear to differ that much from previous versions, but lets see whether a combination of Apple’s latest and greatest along with App-V 5 offers a better virtualisation experience.

User settings that might impact the default Office experience or may require special consideration in your environment, are worth investing in planning time because you’ll often have only one chance to get deployment right.

If you’ve been following along so far you’ll have read my follow up coverage of  my (and co-host, Jonathan Eyton-Williams) Geek Speak talk at Citrix Synergy in Barcelona, with  Hands off my gold image – Automating Citrix XenApp/PVS Image Creation and Hands off my gold image – Microsoft Deployment Toolkit details. In this article I’ll cover the task sequence that deploys Windows Server, installs XenApp and captures the image into PVS.

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

You’ll then have tackled with the product matrix that comes as a PDF instead of something more reasonable like, say, a spread sheet. There’s probably a good reason for this document to be a PDF, but it’s not the best format for reading this type of information.

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

After the corresponding Geek Speak talk at Citrix Synergy in Barcelona, I posted an article on automating a XenApp deployment and capture into Provisioning Services via the Microsoft Deployment Toolkit (MDT): Hands off my gold image – Automating Citrix XenApp/PVS Image Creation.

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

Citrix Provisioning Services is a great solution for the rapid deployment of Windows workloads from a master image. However, rapid deployment is not a replacement for a consistent, repeatable method of creating that master image.

Adobe Reader XI is now available and along with this release comes some interesting tools for deployment:

Note: this article covers a product that is in beta at the time of writing; therefore the specifics of the approach outlined in this article may be subject to change. This is not a recommendation to use this approach in production; rather it’s an exercise in understanding what’s possible with a new data synchronisation product.

Rory asks via Twitter - can we pre-cache App-V packages on laptop clients so that all applications are available offline, using AppSense Environment Manager?:

It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little more effort. I’ve previously shown you how to sequence Firefox 8, Firefox 7 and Firefox 5. Before embarking on sequencing Firefox, please refer to this companion article - Prepare Mozilla Firefox for Enterprise Deployment and Virtualization - which covers configuring a Firefox installation for virtualizing. It’s important that Firefox is configured correctly for virtualization by disabling specific features..

There’s one thing that I can’t get enough of when automating Windows deployments, it’s ambiguous and confusing error messages. More please, I’m a sucker for punishment.

Deploying Citrix Receiver (full or Enterprise) via an unattended command-line, may result in the installer running indefinitely and not completing until you interact with the target machine.

I shared a lightning round session at BriForum London 2012 with Dan Brinkmann. I rolled two lightning rounds (including Should Office Be in the Base Image?) into one with The Definitive Guide to delivering Office with App-V.

At Citrix Synergy 2012, I had the distinct pleasure of moderating a Geek Speak panel:  ”User Environment Management smackdown 2012” with Shawn Bass, Helge Klein, Harry Labana from AppSense, Bob Janssen from RES Software and Mike Larkin from Citrix on the state of User Environment Management.

I’ve been fortunate enough to have performed technical editor duties on a couple of App-V books by Augusto Alvarez - Getting Started with Microsoft Application Virtualization 4.6 and Microsoft Application Virtualization Advanced Guide.

The App-V 5.0 Sequencer includes a couple of PowerShell modules and for converting packages is the only interface to use. Here’s how to automate the migration of packages from the old 4.x format to the new App-V 5.0 format.

Last Friday turned out to be a pretty awesome day - my wife and I found out we’ll be having a girl in July and I’ve been selected to receive the Citrix Technology Professional award for 2012.

I’ve been configuring a Windows Server 2008 R2 Hyper-V deployment in the lab via MDT to a couple of ProLiant DL380 G5’s. I’ve been keeping the deployment as simple as possible, so there’s no SCVMM integrated at this point and as such I’ve need to configure the Hyper-V networking once the OS is deployed to the machine. Naturally, I don’t want to do that manually.

Mark Plettenberg, the lead developer of Login VSI. This new module looks very interesting because it will allow us to objectively measure and analyse the performance of remoting protocols such as Teradici PCoIP, Microsoft RDP, Citrix ICA/HDX and Quest EOP.

Having had to travel to Australia and the US recently, I’ve not had that much time to work on an upcoming white paper, but I have been posting some of the early versions of the chapters. So here’s another in that series while I work on getting the paper finished.

Update (28/03/2012): This list of white papers are now available on the Microsoft Download Centre: Microsoft Application Virtualization (App-V) Documentation Resources Download Page

I’m not sure why I didn’t think of this earlier – I get emails from readers fairly regularly and many of them make great topics for blog posts. So here’s the first in a series of posts where I’ll cover interesting questions I get via email and where I think other readers will benefit from a public response.

I recently posted a script for removing unnecessary files and pruning files based on their age, which can be used at logoff to keep profile sizes manageable - Reducing Profile Size with a Profile Clean Up Script.

Andrew Morgan (@andyjmorgan) has kindly translated my very basic VBscript to PowerShell. This can be used as a standalone script or the function (remove-itembyage) could be integrated into your own scripts and has the added benefit of in-built help and the ability to run silently.

Just like the original script, this could be executed at logoff, before the profile is saved back to the network, to perform two actions:

1. Delete all files of a specific file type in a specified folder, including sub-folders
2. Delete all files older than X days in a specified folder, including sub-folders

For example, you could use the script to delete all .log or temporary files below %APPDATA% that aren’t required to be roamed, or delete all Cookies older than 90 days to keep the Cookies folder to a manageable size.

Note: the script listing below has the -whatif parameter applied when calling the function, so no deletes will occur unless the parameter is removed.

function remove-itembyage {
    <#
        .SYNOPSIS
        remove items from folders recursively.

        .DESCRIPTION
        this function removes items older than a specified age from the target folder

        .PARAMETER Days
        Specifies the ammount of days since the file was last written to you wish to filter on.

        .PARAMETER Path
        Specifies the path to the folder you wish to search recursively.

        .PARAMETER Silent
        Instructs the function not to return any output.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 0 -path $recent

        This command searches the $recent directory, for any files, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 5 -path $recent

        This command searches the $recent directory, for files older than 5 days, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 10 -path $appdata -typefilter "txt,log"

        This command searches the $cookies directory, for files older than 10 days and end with txt or log extensions, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 10 -path $cookies -typefilter "txt,log" -silent

        This command searches the $cookies directory, for files older than 10 days and end with txt or log extensions, then deletes them without a report.

        .NOTES
        /user-virtualization/profile-clean-up-script-powershell-edition/ for support information.

        .LINK
        /user-virtualization/profile-clean-up-script-powershell-edition/
    #>

    [cmdletbinding(SupportsShouldProcess = $True)]
    param(
        [Parameter(Mandatory = $true, Position = 0, HelpMessage = "Number of days to filter by, E.G. ""14""")]
        [int]$days,
        [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Path to files you wish to delete")]
        [string]$path,
        [string]$typefilter,
        [switch]$silent)

    #check for silent switch
    if ($silent) {$ea = "Silentlycontinue"}
    Else {$ea = "Continue"}

    #check for typefilter, creates an array if specified.
    if (!($typefilter)) {$filter = "*"}
    Else {$filter = foreach ($item in $typefilter.split(",")) {$item.insert(0, "*.")}}

    if (test-path $path) {
        $now = get-date
        $datefilter = $now.adddays( - $days)
        foreach ($file in get-childitem "$path\*" -recurse -force -include $filter | where {$_.PSIsContainer -eq $false -and $_.lastwritetime -le $datefilter -and $_.name -ne "desktop.ini"}) {
            if (!($silent)) {write-host "Deleting: $($file.fullname)"}
            remove-item -literalPath $file.fullname -force -ea $ea
        }#end for
    }#end if

    Else {
        if (!($silent)) {write-warning "the path specified does not exist! ($path)"}
    }#end else
}#end function

#Get KnownFolder Paths
$appdata = $env:appdata
$Cookies = (new-object -com shell.application).namespace(289).Self.Path
$History = (new-object -com shell.application).namespace(34).Self.Path
$recent = (new-object -com shell.application).namespace(8).Self.Path
$profile = $env:userprofile

#commands
remove-itembyage -days 0 -path $appdata -typefilter "txt,log" -silent -whatif
remove-itembyage -days 90 -path $cookies -silent -whatif
remove-itembyage -days 14 -path $recent -silent -whatif
remove-itembyage -days 21 -path $history -silent -whatif
remove-itembyage -days 14 -path "$appdata\Microsoft\office\Recent" -silent -whatif

I was quite relieved and grateful to receive the Microsoft MVP award again for 2012:

Windows profiles become larger over time - it’s an inescapable fact. This means that if you are using roaming profiles, logons (and logoff) will be longer and longer. It’s not just individual file sizes, but also the number of files stored in a profile that will make the synchronisation process slower.

One approach to reducing profile sizes is to exclude certain folders. A better solution is to ditch roaming profiles and use a third-party solution to manage roaming of the user environment.

However, there will still be folders that need to be roamed to maintain the experience that users expect when moving between devices (i.e. consistency). For those folders we can implement some maintenance to keep them at a manageable size - that is remove files that are not needed in a roaming profile (e.g. log files) or delete files older than a specific number of days.

Warning: there’s a reason that Windows doesn’t do this maintenance itself - only each application vendor will have an understanding of whether specific files are required or can be discarded (hence the roaming and local portions of AppData). However, as any experienced Windows admin knows - many vendors either don’t test for or don’t care about roaming scenarios, therefore I strongly recommend testing this approach before production deployment.

As a part of an upcoming version of this configuration, I’ve created a script that will execute at logoff, before the profile is saved back to the network, that will perform two actions:

1. Delete all files of a specific file type in a specified folder, including sub-folders
2. Delete all files older than X days in a specified folder, including sub-folders

So for example, you could use the script to delete all .log files below %APPDATA% or delete all Cookies older than 90 days.

The script is extremely simple on purpose and I recommend testing thoroughly before implementing - use at your own risk; however feedback is welcome.

' Profile clean up - remove unneeded or old files before logoff
' --------------------------------------------------------------
' Original scripts:
' http://www.wisesoft.co.uk/scripts/vbscript_recursive_file_delete_by_extension.aspx
' http://ss64.com/vb/syntax-profile.html
' http://csi-windows.com/toolkit/csigetspecialfolder

' Version 2.0; 27/12/2011

Option Explicit
On Error Resume Next 'Avoid file in use issues

Dim strExtensionsToDelete, strAppData, strUserProfile, objFSO, strCookies, strHistory, strRecent, objShellApp
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShellApp = CreateObject("Shell.Application")
Const CSIDL_COOKIES = "&H21"
Const CSIDL_HISTORY = "&H22"
Const CSIDL_RECENT = "&H08"
Const CSIDL_NETHOOD = "&H13"
Const CSIDL_APPDATA = "&H1A"
Const CSIDL_PROFILE = "&H28"

' Folder to delete files from (files will also be deleted from Subfolders)
strUserProfile = objShellApp.NameSpace(cint(CSIDL_PROFILE)).Self.Path
strAppData = objShellApp.NameSpace(cint(CSIDL_APPDATA)).Self.Path
strCookies = objShellApp.NameSpace(cint(CSIDL_COOKIES)).Self.Path
strHistory = objShellApp.NameSpace(cint(CSIDL_HISTORY)).Self.Path
strRecent = objShellApp.NameSpace(cint(CSIDL_RECENT)).Self.Path
strNetHood = objShellApp.NameSpace(cint(CSIDL_NETHOOD)).Self.Path

' Main
RecursiveDeleteByExtension strAppData, "tmp,log"
RecursiveDeleteOlder 90, strCookies
RecursiveDeleteOlder 14, strRecent
RecursiveDeleteOlder 21, strHistory
RecursiveDeleteOlder 21, strNetHood
RecursiveDeleteOlder 14, strAppData & "\Microsoft\Office\Recent"
'RecursiveDeleteOlder 5, strAppData & "\Sun\Java\Deployment\cache"
'RecursiveDeleteOlder 3, strAppData & "\Macromedia\Flash Player"
'RecursiveDeleteOlder 14, strUserProfile & "\Oracle Jar Cache"

Sub RecursiveDeleteByExtension(ByVal strPath,strExtensionsToDelete)
    ' Walk through strPath and sub-folders and delete files of type strExtensionsToDelete
    Dim objFolder, objSubFolder, objFile, strExt

    If objFSO.FolderExists(strPath) = True Then
        Set objFolder = objFSO.GetFolder(strPath)
        For Each objFile in objFolder.Files
            For each strExt in Split(UCase(strExtensionsToDelete),",")
                If Right(UCase(objFile.Path),Len(strExt)+1) = "." & strExt then
                    WScript.Echo "Deleting: " & objFile.Path
                    objFile.Delete(True)
                    Exit For
                End If
            Next
        Next
        For Each objSubFolder in objFolder.SubFolders
            RecursiveDeleteByExtension objSubFolder.Path,strExtensionsToDelete
        Next
    End If
End Sub

Sub RecursiveDeleteOlder(ByVal intDays,strPath)
    ' Delete files from strPath that are more than intDays old
    Dim objFolder, objFile, objSubFolder

    If objFSO.FolderExists(strPath) = True Then
        Set objFolder = objFSO.GetFolder(strPath)
        For each objFile in objFolder.files
            If DateDiff("d", objFile.DateLastModified,Now) > intDays Then
                If UCase(objFile.Name) <> "DESKTOP.INI" Then ' Ensure we don't delete desktop.ini
                    WScript.Echo "Deleting: " & objFile.Path
                    objFile.Delete(True)
                End If
            End If
        Next
        For Each objSubFolder in objFolder.SubFolders
            RecursiveDeleteOlder intDays,objSubFolder.Path
        Next
    End If
End Sub

Adobe released a new security advisory for Reader and Acrobat 9 and X this week to address details of an upcoming fix to these versions for a 0 day vulnerability. Exploits for this vulnerability exist for Reader and Acrobat 9 and are currently active:

Because Office is a core application of most desktop deployments, user interaction with Office and the user experience are important factors in the deployment of Office. From an administration perspective, providing a seamless user experience requires managing the user preferences of an application, independent of the application delivery method.

Several months ago, I used the The Archivist to create an archive and analysis of tweets with the #AppV hash tag. 1,740 tweets later (not all of which I’m sure are App-V related), we get an interesting picture of conversations around App-V. To view the archive visit this URL: http://bit.ly/appvarchive.

Mozilla has just released Firefox 8, so it’s time to look at virtualizing the new version. It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 8.x.

Here’s how to successfully sequence Google Chrome 15; however the same approach should work for Chrome 13, 14 and 16 and maybe even some other versions.

In the official Microsoft TechNet forums, a question had been asked about sequencing Google Chrome and the poster states that when using the Chrome Enterprise Installer (a downloadable MSI for deployment inside an organisation), Chrome installs OK during the monitoring phase, but the folder is deleted at the end of monitoring and thus isn’t captured.

Surely one of the main goals of any good desktop delivery project is to remove the user’s reliance on any single device?

I’ve been doing some work recently virtualizing various versions of Office in App-V plus managing user preferences for those Office packages. Here’s something interesting that I’ve found – the size of the profile settings for a default installation of Office 2010 is massively different in size over previous versions of Office.

If you have issues installing the Office 2010 Deployment Kit for App-V (OffVirt.msi) to install the licensing component for a virtualized Office 2010 package, it may fail to install. A typical command line to install the licensing component look like this:

If you follow any of the following guidance from Microsoft for sequencing Office with App-V:

When attempting to install the Office 2010 Deployment Kit for App-V using a MAK activation key, via the following command-line (or similar):

It’s easy to virtualize Firefox with App-V; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 7.x.

If you’re looking to reduce the size of your App-V packages, you can compress them when saving them in the Sequencer; however if that content in the package doesn’t actually compress that well, you may not save as much space as you might expect. Here a quick win to reduce the size of your packages.

Great news - the first annual European App-V User Group has been announced, for Friday November 18, 2011 9:00 AM to be held at Microsoft HQ, in the Netherlands:

Preface: I don’t speak legalese and this post is based on my own intepretation of the iTunes distribution agreement.

A number of knowledgebase articles have been updated recently that are interesting reading if you’re looking to understand how Microsoft Office works under App-V, and the limitations if you deploy Office in this method. If you’re already not aware, Office delivered by Click-to-Run is actually a modified version of App-V under the hood. There’s also an overview of Microsoft Office Click-to-Run for Office 2010 worth reading.

Here’s something that I’ve been looking to share with the community for some time - something to get you started when implementing AppSense Environment Manager 8.x.

If you enable Hyper-V on a laptop (or any other machine where hibernation is enabled automatically) you’ll find that you won’t be able to delete the hibernation file (hiberfil.sys).  Although hibernation is effectively disabled, the file remains in use once Windows has booted:

It’s easy to virtualize Firefox with App-V; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 5.x.

Here’s a nut I’ve been trying to crack for some time – successfully virtualizing Apple iTunes with App-V. I think a combination of iTunes 10 and App-V 4.6 SP1 did the trick. Here’s how to do it.

Inspired by a post on the ThinApp blog on Adding Shell Extensions to ThinApp Packages, I’ve documented here how to add Shell Extensions to an App-V package using the Windows Installer file generated by the App-V Sequencer.

I’ve previously written about the Desktop App-V Recipes, Tips and Tricks list that fellow App-V MVP, Nicke Källén and I have been compiling over the past year. This list has recently reached well over 220 links and highlights the fantastic efforts of many different contributors.

The App-V 4.6 Sequencer introduces some major changes in the user interface and the sequencing workflow. These changes have been designed to assist the sequencing engineer with virtualising applications in App-V while aligning with best practices.

Exactly how do folder and Registry exclusions work in App-V? I had presumed that exclusions for both folder and Registry paths would carry over to package execution. This is something that I had made some assumptions about and it’s only recently that I looked into exclusions in detail to get a better understanding.

With (far) more than a little help from another App-V MVP, Nicke Källén, we’ve been compiling a list of completed App-V recipes plus links to various places around the Internets where you’ll find assistance in getting your applications virtualised in App-V..

Sequencing the the App-V Management Console is reasonably straight-forward; however it wasn’t quite as simple as you would expect.

This is a guest post from Jurjen van Leeuwen, an App-V MVP (new for 2011) and independent consultant based in Norway. You can read more from Jurjen at his web site.

This arrived in my inbox on the 1st of Jan, which was a great way to finish off a day of snowboarding:

This is a guest post from Nicke Källén, an App-V MVP from Sweden. He posts as Znack on the TechNet Forums, and you can read more articles from Nicke at his blog here.

For a Reader XI version of this document see: Adobe Reader XI Deployment

RemoteApp in Windows Server 2008 R2 Remote Desktop Services finally allows you to do what some 3rd party solutions have been doing for years – delivering published applications directly to the user’s Start Menu. The bad news is that this feature requires Windows 7 and Windows Server 2008 R2, but your migrations plans are well underway right?

I’ve embedded the videos here. You’ll need an HTML 5 capable browser to view them, otherwise go to the TechEd Online site links I’ve provided, to view Silverlight and download MP4 versions plus access to the slide decks.

If you have successfully virtualised an application, imported the package into the Management Server but you are having issues publishing the package, streaming the application or getting it to launch, the first place to start is the the App-V client log.

If you have decided on streaming your App-V packages to client machines (rather than deploying via Windows Installer or SCCM), you will most certainly need to control where clients stream packages from. This, of course, would be the source closest to the client computer.

Consider the following scenario - I have created a Microsoft Office package with App-V that includes the base Office applications (Word, Excel, PowerPoint and Outlook). In addition to these I have also included Project and Visio. So I have a single App-V package that includes all of the Office applications – the base set of applications plus a couple of additional applications that I want to provide to a subset of users.

Even in the absence of an App-V SDK, the 3rd party tools available for App-V are wide and varied. Here’s what I hope is a complete list. If I missed anything out, please let me know.

Common scenarios for troubleshooting the Management Server (or the Streaming Server) are connectivity issues between the client and server, opening the Management Console from a remote machine and upgrading the Management Server.

If you’ve deployed the native App-V infrastructure, you will have the following components in your environment:

If you’ve ever had any experience implementing Offline Files for Windows laptops, you’re no doubt aware that users are required to manually resolve synchronisation conflicts. Well that’s the impression I’ve always been under until recently – there’s no documentation on TechNet on how to automatically resolve conflicts and certainly no Group Policy controls available either.

There are several methods that you can use to deliver App-V packages in your environment – you could even combine the methods depending on your requirements. I will summarise the methods here and give you some links to existing Microsoft articles and white papers and some excellent blog posts that discuss these options in detail:

As you should hopefully know by now App-V is not a compatibility solution, which means that you can’t use App-V to run applications that aren’t compatible with a specific version of Windows, you’ll need to use other means to do that.

Before you even attempt your first sequence with App-V, I strongly recommend reading the Microsoft Application Virtualization 4.6 Sequencing Guide. This document lays the ground work for creating a successful sequencing environment and describes the best practices you should follow when sequencing. An older knowledgebase article exists, but it is still worth referencing: Best practices to use for sequencing in Microsoft SoftGrid.

Stand-alone mode in App-V is useful where you are deploying App-V applications via Group Policy or a 3rd party ESD (using the MSI file), or you have the App-V packages available on a file share and import them with the SFTMIME command.

TechNet has the documentation you need for creating a silent or unattended installation of the App-V client for deployment to existing workstations or during your base image build. Before embarking on customising the install, I usually recommend first understanding how to perform a manual installation of the App-V Client.

I have a Dell Latitude XT2, which includes the Mobile Intel GM45 Chipset (and the Mobile Intel Graphics Media Accelerator 4500MHD). On occasion I’ve experienced display corruptions issues that make working with the laptop somewhat difficult.

VirtualizationAdmin.com has a new article by David Davis titled: 5 things Microsoft must do to stay in the virtualization game. I think the article has some fairly weak arguments and certainly a couple of claims that are just wrong. VirtualizationAdmin doesn’t provide a way to comment on articles, so I’ll break this down in an article of my own.

The document Hotfixes and Security Updates included in Windows 7 and Windows Server 2008 R2 Service Pack 1 Beta has the complete list of what’s fixed in SP1. RemoteFX might steal the show, however I’m specifically interested in what fixes there are for Terminal Server or Remote Desktop Session Host as it’s now called.

There are currently several versions of App-V 4.x available for deployment, although it is highly recommended that you deploy or migrate to 4.6 SP2. For the full list of available versions and hotfixes for all App-V components see the spread sheet at the end of this post.

If you’re configuring the Remote Desktop Virtualization Host (RDVH) and RemoteFX roles on a Hyper-V box, you may see the following message and will need to configure a license server:

Depending on how you license App-V, you may need to download the ISO from different sources:

Microsoft App-V is available in two flavours: for desktops (this includes laptops and virtual desktops – essentially anything that will run Windows XP, Windows Vista or Windows 7) and for Remote Desktop Services (RDS).

](http://www.microsoft.com/windows/enterprise/products/mdop/app-v.aspx)

<img class=”wlDisabledImage” style=”margin: 0px 0px 5px 10px; display: inline; border-width: 0px;” title=”AppV-FAQ-Logo” src=”/media/2010/06/AppVFAQLogo.png alt=”AppV-FAQ-Logo](http://en.wikipedia.org/wiki/Application_virtualization) as:

Starting tomorrow, I have a new blog post series - Microsoft App-V FAQs. There has been a SoftGrid FAQ blog on Microsoft TechNet in the past, but it’s now very  out of date. You can find official FAQs such as the App-V 4.6 on TechNet and an App-V 4.5 SP2 FAQ document, but these are a bit limited in scope.

When installing Microsoft Application Error Reporting, for example as a part of deploying the App-V Client, you may see an event with ID 11708 logged in the Application log. The error logged will be something along the lines of this:

Safari 5.x with Microsoft Application Virtualization; however the same basic steps should apply to any application virtualisation product.

Virtualising Paint.NET is a simple two step process:

The Office 2010 planning, deployment and configuration documentation is far better than what was available for Office 2007 at launch, however it’s worth updating my Office 2007 deployment notes for the changes in Office 2007.

I’ve been avoiding activating Windows installations in my home test environment with the product keys from my TechNet subscription because I’ve been afraid of running out of keys. Fortunately that fear has been mostly unfounded. I won’t go into what I really think about product activation but if you’re interested in how to manage your TechNet or MSDN keys, I have discussed how I’m doing that here.

Microsoft have made available what looks to be an excellent resource for walking through the complete sequencing process:

However, I generally recommend configuring as many settings as you can during install so that you don’t have to rely on external tools (e.g. Group Policy) that may not apply in a timely manner.

This is a guest post from Nicke Källén, an App-V MVP from Sweden. He posts as Znack on the TechNet Forums, where he’s consistently the  most active answerer in App-V topics. You can find his blog here.

Profile bloat – we’ve all seen it. Many applications, and even Windows itself, can store files in the most inappropriate places within the user profile. For example, here’s just part of what the Vodafone Mobile Connect application stores within the roaming portion of my profile:

This post details virtualising OpenOffice.org 3.x with Microsoft Application Virtualization; however the same basic steps should apply to any application virtualisation product.

If you are virtualising Mozilla Firefox, you should probably consider disabling the update functionality within the browser, to ensure consistency of the virtual package. There are several items that need to be configured or removed:

This post has been sitting in my drafts since June 2009 and for whatever reason I haven’t gotten around to posting it. So rather than delete it, I’m posting it as is - apologies in advance for quality of this post

You’re probably aware of the Browser Choice screen coming to Windows users in the EU, the update that forced on users because of a company that can’t do something a bunch of volunteers have done quite admirably. This update will actually unpin Internet Explorer from the taskbar even if you’ve already made IE your default browser.

A new knowledge-base article, released on the 22nd, is available from Microsoft for sequencing Office 2010 (32-bit and 64-bit) with App-V 4.6:

Microsoft Application Virtualisation 4.6 (RTM) has been made available, which you can download from the Microsoft Download Centre, including some new and updated support tools:

You may recall from my last post on RemoteApp, that we can get RemoteApp for Hyper-V works on other platforms too. While it was straight-forward publishing applications from a Windows 7 host, the client would report this error when connecting to Windows XP and Windows Vista hosts:

I’m unsure if this is a bug or by design, but if you are using SFTMIME to add packages to an App-V client, you may receive the following error:

I’ve been a fan of FeedDemon for several years now and was even a paying customer of the 2.x version, so this post is a little biased – you may be able to do something similar in other feed readers.

Microsoft posted about RemoteApp for Hyper-V yesterday, which was essentially highlighting the application publishing capabilities available in Windows XP mode and Windows Virtual PC; however this particular blog post calls out the use of RemoteApp to publish applications on Windows XP and Vista guests running under Hyper-V.

Note: for a more complete article on customising your Office 2010 deployment see this article: Customising Office 2010 before deployment

I’ve been mucking around with MDT 2010 lately, which has made it pretty simple to create an unattended install routine for my Dell Latitude XT2 (hopefully more on that soon) and to inject drivers into the build; however in doing so I’ve found a nasty bug in the IDT 92HDxxx HD Audio drivers from Dell (version 6.10.0.6217, A09).

As you’re most likely aware, Microsoft has recently made available Windows Vista and Windows Server 2008 Service Pack 2. If you would like to know the details of every single fix and feature in the service pack, download this spreadsheet: Hotfix and Security Update List: Windows Server 2008 SP2 and Windows Vista SP2.

When Windows just won’t stay in sleep mode there’s a simple fix. First you need to identify which component keeps bringing Windows out of sleep mode.

I thought I’d seen just about every dumb thing that a developer could do, but this latest one from MSI is a whopper..

Of course, Windows Virtual PC has been covered in detail already, but I got a chance to play with the product and there’s some neat UI experiences that I hadn’t seen covered yet. Here’s a quick overview of interacting with Windows Virtual PC.

I’m a little slow off the mark here (I’ve got my head buried in something unrelated), but I’ve just found out today that the App-V 4.5 Cumulative Update 1, although only available on Connect, is not actually a beta, it is the final code that you can start deploying.

My old favourite Daemon Tools just hasn’t been working in Windows 7, so I’ve been on the look out for another tool for mounting ISOs. I haven’t really liked other tools like CloneDrive or PowerISO, but I’ve come across Psimo File Mount (via My Digital Life, I think) which so far has been working a treat.

In addition to the new Start Menu customisation options available in build 7048, build 7057 introduces a very subtle change when using the Windows 7 Basic theme. The links on the right-hand side of the Start Menu gain a faux glass look, which gives the Start Menu a little more consistency across the Basic and Aero themes.

The Remote Desktop Connection client gets a facelift in build 7048 as well as Jump List integration, which is has been making life much simpler indeed:

I like the Command Prompt, it’s a little like those old worn out pair of shoes that you just don’t want to get rid of. I’m also a fan of the Consolas font, so when I can mix it with Command Prompt, those old shoes get a new lease on life.

For those looking to fit just about every link possible on their Start Menu, Windows 7 build 7048 and above are aiming to please. In addition to the options seen in earlier builds, 7048 adds Downloads, Homegroup and the ability to edit the number of recent items in Jump Lists:

A little more than just Internet Explorer 8 is removable in Windows 7 build 7048. This build allow you to remove Internet Explorer 8, Windows DVD Maker, Windows Media Center, Windows Media Player (no more N editions, I presume) and even Windows Search:

Two great tools for managing App-V applications have appeared in the last few weeks - SoftBar and the App-V 4.5 Client Diagnostic and Configuration tool (ACDC). Thanks to the efforts of Greg Brownstein and Ment van der Plas, we have some excellent choices for improving the way we can manage and troubleshoot virtual applications on the client. 

registry key from functioning as expected.

Ment van der Plas, of Login Consultants, has gone and created the most awesome App-V client tool - the App-V 4.5 Client Diagnostic and Configuration tool:

A press release from Immidio landed in by inbox today - Flex Profiles, formerly by Login Consultants, has been updated to version 6. It comes as a free Express version and from what I can tell, you can pay for support.

I’ve had some issues with Google Chrome (1.0.154.48) running on Windows 7 x64, but thanks to these two links, it’s now working great.

Here’s an interesting video on the Channel 9 site about the architecture of Microsoft Application Virtualization:

Ment van der Plas has a great article on virtual application deployment in SCCM 2007 R2

For the 10 people who use Windows Briefcase, this one is not for you. If you’re like me and can’t stand the rough edges in Windows that have yet to be cleaned up, the Windows Briefcase icon is a bit of an eye sore because it still uses a Windows XP style icon:

What’s the most annoying sound in Windows? For me it’s got to be the Start Navigation sound – that click that Windows plays whenever you navigate your way around Windows Explorer or Internet Explorer.

Installing VMware Server or Workstation on Windows 7 will leave the __vmware_user\__ account showing on the logon screen, which does not happen in earlier versions of Windows.

I was testing this myself yesterday without luck, but it looks like App-V does not currently run on Windows 7.

It’s been a busy December, so it’s been a bit quiet around here and by the time you read this I’ll be on the slopes somewhere around Arinsal, so here’s my final post for the year. Merry Christmas, Happy Hanukkah, Saturnalia or Yule or whatever it is you do or don’t celebrate at this time of year.

Attempting to install the App-V Sequencer may not be successful and result the message “The wizard was interrupted before Microsoft Application Virtualization Sequencer could be completely installed”. Of course the message in the dialog isn’t particularly helpful, so what’s going on?

If you are deploying any of the Adobe CS3 application (such as Photoshop, Illustrator or InDesign) suite in App-V 4.5, this knowledgebase article may come in handy: When launching applications from the Adobe CS3 suite using Application Virtualization 4.5 clients, you may encounter an error: 0xc0150002

A reader e-mailed me the other day about the KEEPCURRENTSETTINGS property of the App-V 4.5 client setup and how when used on the command line, other properties are ignored. I hadn’t seen this behaviour – or so I thought until I found that my client install script was not setting the right virtual driver letter or enabling streaming from file.

If you are managing a large number of applications with App-V you may experience a crash in the Microsoft Management Console when drilling down into the Application node.

If you are deploying the App-V ADM Template to manage your App-V 4.5 clients you may need to consider the timing of deploying of Group Policy settings versus deployment of the client. The App-V ADM Template whitepaper recommends deploying the template after you have deployed the client.

Ment van der Plas posted yesterday at the SoftGridBlog about what happens when the SCCM and the App-V client co-exist. Given that the SoftGridBlog doesn’t accept comments, here’s an extended reply to Ment’s post.

Well TechEd EMEA 2008 is done and I still have some notes to post from a few more noteworthy sessions, so until then here’s a few more observations about the conference:

This was a session to demo the new features in App-V 4.5, mainly aimed at those people already familiar with App-V. It was presented by Gene Ferioli, a senior program manager on the App-V team. Gene worked with the SCCM team on the App-V integration for SCCM 2007 R2.

</p>

After experiencing some initial troubles with Internet access from my hotel room, I might be able to start posting some pieces from Tech∙Ed here in Barcelona. Some of these might be out of chronological order, but first up here’s a general odds and ends from my first few days here:

Microsoft posted a knowledgebase article yesterday titled: With Microsoft Application Virtualization 4.5 you are unable to Sequence Adobe Reader 7.x or 8.x due to NETOP FEAD Installer error. Essentially the NETOP FEAD installer is not compatible with the 4.5 Sequencer (or perhaps that’s the other way around).

A number of useful App-V (resource kit) tools have been released which look very useful:

<img class=”alignleft size-medium wp-image-775” style=”border: 0px;” title=”softgridcube-java” src=”/media/2008/10/softgridcube-java.png” border=”0” alt=” before, but it’s not because I like Java… So before I get into a tirade about it, here’s yet another post on the subject..

Adobe have made Flash Player 10 available, but unfortunately there’s still no support for 64-bit browsers, but then Silverlight 2 doesn’t have 64-bit support either.

Even though I log onto my domain machine with a standard user account, I’ve been prompted by UAC to elevate when running Registry Editor. After putting up with it for a couple of months, I finally got around to doing something to fix it today.

At the next Vista Squad meeting tomorrow night (Wednesday 15th October), along with Ray Booysen, I’ll be presenting on User Account Control and developing & running as non-admin. There’s a few things we’ll cover, including:

Now this looks good: Microsoft Application Virtualization Management Pack for Systems Center Operations Manager 2007. If you’re deploying applications via any virtualisation/streaming solution, monitoring is essential.

Here’s a download that’s quite timely as I’m looking at application compatibility as a component of my Windows Vista deployment project: Windows Vista Application Compatibility Downloadable List for IT Professionals

<img style=”display: inline; margin-left: 0px; margin-right: 0px” title=”TechEd” src=”/media/2008/10/teched.png” border=”0” alt=”TechEd](http://emea.msteched.com/itpro/sessionpreferencesurvey.aspx) has been posted (you’ll have to be attending to see it). There’s plenty of excellent sessions to choose from and for me it’s going to be lots of App-V and Windows Vista content.

Well actually, there’s none at the moment, but a there is a knowledgebase article available on SP2 as a place holder for future information:

Security configuration roles for Application Virtualisation 4.5, which makes the Security Configuration Wizard in Windows Server 2003 and Windows Server 2008 App-V aware, have been released to the Downloads Centre.

This came out of the blue (or perhaps I haven’t been paying attention). Here’s the Microsoft Application Virtualization Best Practices Analyzer:

Because I’m a stickler for clean UI, I want to ensure users don’t see extra files or folders in their User folder on Windows Vista. I’m trying to avoid something similar to what you can see in the screenshot below, which looks a little out of place:

A podcast that gives you can overview of Microsoft Application Virtualisation 4.5 has been posted that is worth checking out if you’re new to App-V or want to find out what version 4.5 is all about: Windows Springboard Series: AppV™ Application Virtualization

This was a great question, at this evenings talk,  about deploying virtualised applications via ConfigMgr 2007 R2 - are virtualised applications delivered to clients in the same manner as installed applications?

The WMUG meeting was well attended tonight and my talk went better than expected considering that most of what I plan to say goes out the window as soon as I stand at the front of the room (I’m still new to this speaking malarkey).

I’m going to be presenting a session on Microsoft Application Virtualisation 4.5 at the Windows Management User Group this coming Thursday (11th of September) at Microsoft’s offices in Victoria here in London:

Unless you’re hell bent on deploying Firefox in your corporate environment (and managing it with Group Policy), here are some reasons why you should plan for Internet Explorer 8 now and deploy it when the final version is released:

I thought 25 character product keys where a pain in the proverbial, but this one takes the cake. I won’t tell you which application this authorisation code is for, but it’s a whopping 93 characters long..

Microsoft have made available an update for Windows Server 2008 that integrates the WSUS 3.0 console into Server Manager.

At some point in your migration from Windows XP to Windows Vista you’ll no doubt be looking to manage which Control Panel applets are available to users. Controlling access to applets is no different than earlier version of Windows, but given that there are approximately 48 default applets in Windows Vista compared to 29 in Windows XP, more consideration will need to be given to those which you make available.

Group Policy allows you to disable certain UI elements within Office applications, which you might want to do in the case of the Information Rights Management feature built into Office 2003 and 2007.

Adobe have made the Adobe Customisation Wizard 9 available for download for use with deploying Acrobat and Reader 9 applications.

“and I want you to f**king acknowledge it!”

I haven’t used Orca to edit MSI files since I found Camwood appEditor around November last year. Since then though, appEditor has become has become InstEd and it’s even better than its’ predecessor.

There are numerous ways to customise the default user profile in earlier versions of Windows, including:

An update to the documentation included in the Windows Automated Installation Kit are available:

Ok, two separate issues but here, but fixed the same way. First up is Windows Update reporting:

There are three tools that I use for creating and managing screen shots for documentation and posting here on my blog:

First Impressions

What’s the best new feature of Microsoft Application Virtualisation 4.5? There’s plenty to pick from, but I’m digging the new Vista style icons:

Want the Remote Desktop Connection 6.1 client for Windows XP but can’t update to Service Pack 3 or Windows Vista? No need to hack files from SP3, just grab the update from here:

Last week I wrote about avoiding Explorer’s Security Warning prompts, this time around I want to document a related fix that I’ve had to implement because Explorer’s expected behaviour was not just not working.

Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 made some changes to the way Windows handles specific file types opened or downloaded from certain locations, which results in Open File – Security Warning prompts like these:

I’ve updated my Sun Java Runtime Environment 1.6 Update X script, again. Updating this script seems to be a never ending task, usually because I find mistakes but this time around I’ve made a couple of changes including Windows x64 support. The script will now supports installing the 32-bit version of the JRE on x86 and x64 Windows and configures the environment accordingly.

Here’s something I found interesting about Intel’s vPro management tool - Network Access Protection interaction is supported in hardware - even before the operating system has loaded. This isn’t mean to replace the agent in the OS, but it great stuff from a management perspective. Here’s the details:

I have previously detailed some efforts on sequencing some of the Adobe CS3 applications (Photoshop, Illustrator and InDesign) and some challenges related to the FLEXnet licensing component that comes with each application. It’s only recently that we’ve been able to do some user acceptance testing and we’ve found that the applications have failed.

Got both Visio Viewer 2007 and Visio 2007 on the same machine but want to set Visio Viewer as the default for some users? Here’s what you’ll need to do.

I’ve stumbled across a nice usability improvement in Windows Vista that had escaped me until today - the display of free disk space. Of course this feature has been in Windows Explorer since Windows 95, but the improvement in Windows Vista and Windows Server 2008 is the reporting of disk space when a drive is mapped to a remote share with disk quotas enabled.

Yay, great news - Citrix has released an update to fix the handling of Adobe Flash versions for Presentation Server 4.0. This has currently been released as part of the latest hotfix rollup for Presentation Server 4.0.

As you’re probably aware, because all the major blogs have covered it already, Citrix has purchased sepagoProfile from sepago with an agreement for sepago to continue development over the next 18 months. The product will become Citrix User Profile Manager.

To get the best out of Windows requires the wipe and load approach when confronted with a slow performing OEM install. I’m working on a post to that effect and Ed Bott has some great articles on Windows Vista performance lately (not that I think I’m in Ed Bott’s league).

No, Ace Ventura hasn’t started writing knowledgebase articles, it’s the advice given about an issue with redirected folders in Windows Vista and Windows Server 2008. I haven’t seen this myself, but fortunately there’s a better workaround than waiting 12 minutes.

This:

Instead of waiting for Citrix to support Windows Vista icon sizes in their new beta client, I’ve updated it myself. I’ll bet the Mac OS X client gets a full size icon (Leopard supports 512 x 512 pixels). Why does Vista have to be a second class citizen?

I’ve seen some Visio resources popup around the place recently and though that these were worth sharing.

I’m currently seeing this in my own lab environment - SoftGrid application shortcuts are created even though the application has been disabled, deleted or the user account has been removed from the application group.

I’ve got two user group presentations coming up next month where I’ll be presenting on Microsoft SoftGrid and why I think application virtualisation is great stuff. Hopefully I’ll be able to fit in a bit about some other appvirt products in there too.

I’ve just purchased a new SATA-based external hard drive to use with demos and I thought I would share some details about the performance gain over my older ATA-based hard disk.

I actually don’t mind UAC at all, but this button is really annoying:

If you are redirecting the Desktop folder for users on Windows Vista laptops, a knowledgebase article just been published that might be useful to you. Here’s details of what this article addresses:

Sounds like a great blog post (and it gives my an excuse to avoid my eight other draft posts), so here’s my answer:

I hinted at creating dynamic Start Menus using Access-Based Enumeration (ABE) in Windows Server 2003 SP1 and above. I have read an article on this subject previously on the Internets, but the tubes must be clogged up as I can’t find it anymore. If anyone has a link please let me know, because I would like to link to it.

You remember Access Based Enumeration right? I’m often surprised by people who didn’t know this features exists, so here’s refresher.

A new knowledge base article was published a couple of days ago, that details the NTFS DACL changes in Windows Vista (and Windows Server 2008): Changes to the default NTFS Discretionary Access Control List (DACL) settings in Windows Vista

and I’m left scratching my head. His beef with the guides is that they haven’t yet been updated for RTM and still include some older terminology:

The wait is finally over - the Microsoft Remote Server Administration Tools are available. The RSAT also includes a the command line version of the tools as well. There is a knowledge base article, KB941314, but it’s not yet available.

Gordon Martin from Canada writes a great blog on his experiences deploying Windows Vista. It’s a good read and there’s a fair number of little gems in there. I’ve been meaning to post some links to his site for some time, but I’ve just been slack and haven’t gotten around to it. Who is Gordon? Here’s what he says:

If there’s ever a great example of the benefits of application virtualisation it can often be found in the little things.

If you’re in the process of rolling out SoftGrid Application Virtualisation, you’ve most likely considered placement of the User Data Directory. The User Data Directory (or user cache) holds application configuration that would normally be stored in the user profile.

for Windows Server 2003, Windows Vista and Windows Server 2008, which curiously doesn’t include every command line tool in Windows.

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

With Windows Vista and Windows Server 2008 requiring activation for all versions, the days of grabbing the corporate key for home use have gone. 

for release later this year and there’s a couple of changes to this version that have some bearing on deployment. I can’t imagine there is an enterprise out there that doesn’t have to deal with Java applications.

Microsoft have made available the Group Policy Preferences Client Side Extensions for download and deployment. You’ll need Windows Server 2008 or Windows Vista SP1 with the Remote Server Administration Tools (not yet available) to manage these. You do not need to upgrade to a Windows Server 2008 domain to use Group Policy Extensions which is fantastic.

Here’s a nice SoftGrid tip from one of the guys in the team here.

Here’s a great document from the Microsoft writing team on planning and deploying Group Policy for Windows Server 2008. Many of the details in this document do apply to Windows Server 2003 and Windows 2000 Server as well. This document is the place to start for anyone dealing with Group Policy, no matter what your experience is.

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

Like most IT Pros deploying and managing Windows Server, I’ve avoided the wizard interfaces, like Manage Your Server, in previous versions of Windows. However with Windows Server 2008, Microsoft have actually succeeded in creating a tool that I think people will find indispensable.

![updateadobereader]/media/2008/02/updateadobereader.png)

A workaround has been posted in the forums. Run the following command to exclude Internet Explorer from the multiple montior hooks that Presentation Server provides:

REG ADD "HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Multiple Monitor Hook" /v Exclude /d "iexplore.exe" /t REG_SZ /f

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

Here’s how to create a custom Apple QuickTime 7.x installation for virtualisation. This post specifically deals with virtualising QuickTime with Microsoft App-V, but the general process should be similar for any application virtualisation product.

Microsoft have posted a guide from Microsoft Consulting Services that details their best practises when sequencing applications.

has turned up from Amazon today. This is a hefty book - at 816 pages it weighs a ton but there’s plenty of detail.

Looking to bypass the Windows Live Installer and want direct access to the Live suite application installers? Here’s where to find them. Credits go to the Vistax64 forums and Snakodus.

Like all of the current Adobe applications, the CS3 suite comes bundled with Adobe Updater 5. When you are sequencing any of these applications you should ensure that Updater is disabled or not installed.

The Adobe CS3 products include the Apple Bonjour service for use with the Adobe Version Cue server. You can view information on this implementation here: Adobe Creative Suite 3 and Creative Suite 3 components install Bonjour (Windows)

Adobe uses Macrovision FLEXnet to enforce licensing for their applications. This is a service that is installed when you install any of the CS3 applications and will start when you launch a CS3 application. This licensing tool is installed even if you are using volume license media.

Like any good IT pro you’re probably keeping an eye on the latest software releases and updating to keep on top of security updates. When it comes to Adobe Flash under Citrix Presentation Server, you’ll want to ensure that the latest update is supported by SpeedFlash/SpeedScreen.

Expecting an application to execute correctly when run with limited user privileges should be something that we take for granted. Alas in the real world this is not the case, but things are getting better, if slowly.

The Service Pack 2 Administration Tools pack has been released as a stand alone package. I’m fairly certain this is new - I don’t recall seeing this download before and the knowledgebase article was updated just yesterday.

If you’re deploying applications on Citrix Presentation Server via Application Virtualisation/SoftGrid, you may run into issues with applications that utilise a local HTML based help system. These applications will generally launch Internet Explorer as the viewer and in our case, we’ve found that IE is launched outside of the protected environment and thus never sees the help content located inside the environment.

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Thursday the 10^th of January 2008:

Testing applications inside the Microsoft Application Virtualisation (SoftGrid) bubble, from local packages (i.e. not streamed from the server) on Windows Vista requires a configuration change due to User Account Control. If you attempt to load an application from a local OSD file, you will receive the following error:

HP and the Chief Happiness Officer have teamed up to make the UK happy at work. It’s all about giving users choice and remote access looks to be a big part of that. 800 employees across different companies were ‘experimented’ on and the results speak for themselves:

It’s been a while since an entrant in the Hall of Shame, so today I’m pleased to bring you a bit of a chuckle courtesy of ACDSee Standard 5.0. It seems that the Tips dialog in this old version, doesn’t like it if you’ve installed the application to a non-default location (think sequencing in SoftGrid). Perhaps this dialog has a case of what my wife would call “Man eyes” - very similar to inattentional blindness.

If you’re deploying Office 2007 and haven’t yet standardised on the new file formats, you’re probably already aware of how to set the default file formats via Group Policy, or using the Office Customization Tool to set the defaults before installing Office.

No official word from the SoftGrid/Application Virtualisation blog yet, but Microsoft have released the MSI Utility for Microsoft Application Virtualization for converting your sequenced application to MSI installs.

Here’s a great example of the improvements to interaction with User Account Control in Windows Vista Service Pack -creating folders in system locations (e.g. the Start Menu, Program Files etc.). This is probably the most ‘in your face’ UAC interaction, and beyond this I’ve personally found UAC to be quite usable.

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Monday the 17th of December 2007:

Here’s a really simple method for using running the latest version of the Oracle JInitiator even though your application may require a specific version. DISCLAIMER: This is most likely unsupported by Oracle but it thus far it’s worked for me. If you’re worried about your applications breaking don’t implement this hack.

Adobe InDesign should be the last of the Adobe CS3 applications that I’ll have to sequence and like Illustrator, Photoshop and Acrobat, I had the same issues with sequencing and running the application on the client. So I don’t have to repeat myself, check out those posts first and here are the basics for sequencing InDesign CS3.

As with my earlier posts on sequencing Adobe Acrobat 8 and Adobe Photoshop CS3, I’ve struck the same manifest issues with Illustrator CS3. Here’s a quick breakdown on what I needed to do to get this application working:

Deploying Adobe applications with SoftGrid/Microsoft Application Virtualisation certainly takes a lot of patience, because like Adobe Acrobat, Photoshop took quite a long time to sequence and troubleshoot. Sequencing the application alone will take around 6 hours, but your mileage may vary.

After working on sequencing Adobe Acrobat 8 Professional for the better part of four days, I’ve come to the conclusion that this application is just not going to work well from within SoftGrid. Here’s my reasoning:

I’m not completely convinced that Adobe Acrobat (not Reader) is the best candidate for deploying via application virtualisation techniques, but if you’re looking to do it you’re in for a bit of a ride.

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Friday the 22nd of November 2007:

Microsoft have just made available a new series of Infrastructure Planning and Design (IPD) documents. The IPD documents are essentially the new version of the Windows Server System Reference Architecture:

The default behaviour of the SoftGrid Application Virtualisation 4.5 client is to not allow applications to be streamed from a file, i.e. streaming an application from a local OSD file rather than from the server. If you attempt to load from a local package, you may see an error similar to this:

If you’ve ever added regsitry entries to your SoftGrid OSD file, you may receive an error like this, even though the entries are completely valid:

Here’s a couple of new Group Policy white papers released to the Microsoft Download Centre. They detail some great Group Policy additions coming with Windows Server 2008 and the Microsoft Desktop Optimisation Pack. The Advanced Group Policy Management tool came out of what was DesktopStandard GPOVault and Group Policy Preferences is what used to be PolicyMaker.

If you’ve attempted to launch Windows Explorer as a component of your SoftGrid sequenced applications, you may find that you are not able to view folders within the SoftGrid protected environment (i.e. inside the bubble). When you attempt to view a folder that lies within the bubble or your SoftGrid drive letter, you will receive an ‘Access Denied’ error. The reason for this is that the Explorer process is not running within the bubble and thus you won’t have access to those folder locations.

Here’s a list of components developed for Windows Vista or during the same development time frame and included in Windows Vista, that have also been made available for installation on Windows XP:

Microsoft Deployment looks to have made it’s way to version 1.0 and is available on Microsoft’s Download Centre. There’s no real confirmation that this is the RTM/RTW release but it’s just been posted so I can only assume.

I’ve just updated my Java Runtime Environment install script for Sun Java 6 Update 3. Apart from supporting the latest JRE update, this version of the script fixes some registry changes that I hadn’t got quite right previously. If you’ve not seen this script before here’s a breakdown of what it does:

Looking to write to CD or DVD media via a script? Did you know that Windows includes an API to do just that? Version 2.0 of this API that is included in Windows Vista has also been made available for Windows XP and Windows Server 2003: Image Mastering API v2.0

Any review of a touch screen digital audio player or phone is going to inevitably compare to the iPhone/iPod touch, but touch interfaces are the way forward because they just make sense. So here’s my quick and dirty review of the Samsung P2 which turned up this morning.

Well they came close, really close, but full marks goes to Axialis for first making the command line options for their installer and then making them nice and easy to see too. I got a nice surprise when installing the latest version of Axialis IconWorkshop, which has a link to the command line options right on the setup wizard. Now if only the setup programme was based on Windows Installer I’d be even more impressed.

This is a about a week old (I’ve been away in Italy so I’m a bit behind), but Adobe have released Reader 8.1.1. Currently only available in English with quite a few languages still only receiving 8.0. You can download the full installer here and find what’s been updated here. Good news is that my deployment instructions and transform for 8.1 are still valid for this version.

Citrix provide a nice installer for the Access Management Console that you can automate to script the installation of the AMC. However, if you’ve ever needed to remove the AMC you’ll find that you need to remove each component one at a time. Because there are 9 components, this can become a little tedious.

Don’t get me started on the ridiculousness of wrapping an MMC console around a web application served by Apache Tomcat to administer McAfee’s ePolicy Orchestrator (surely one or the other, not both), but you may see this error after you log into the console instead of seeing the expected settings window:

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Friday the 28th of September 2007:

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. This one is a little too semi-regular, so this is almost three months worth of links. Here are the links for Wednesday the 12th of September 2007:

Don’t call it a service pack, but what’s a service pack by any other name? Seems it’s a “Supportability Update”. Microsoft have released an update for ISA Server 2006 that brings the features that ISA Server 2004 got with Service Pack 3. Here’s the breakdown of what’s included:

In a previous post I detailed updating your Citrix Presentation Server 4.5 environment to support true/high colour icons for published applications. One of the steps mentioned in the post is that you need to delete and re-publish each of your published applications to get a high colour icon, which detailed in the release notes for PSE450W2K3R01.

If you’re looking at deploying the updated Access Management Console you might be interested in how to perform an unattended install. There are really two ways to do this:

Here’s an interesting tool that Microsoft have just released - the Group Policy Diagnostic Best Practice Analyzer:

Citrix have released (and even re-released) whole slew of updates in the past few weeks that finally get’s a feature of Presentation Server working that’s close to my heart - high colour icons. Yes, high colour icons - the single most important feature that Citrix could add to Presentation Server! Forget application streaming, the new killer feautre is high colour icons!

Creating the Administrator
Now that we can read the privileges from an existing administrator object we can determine which privileges to write to a new administrator. In this post I have listed a script that you can use to create the custom administrator account.

Overview
Setting privileges on a custom administrator account in Presentation Server is not quite as simple as I thought when I set out to create a script to do so - there’s not much information on the CDN forums, so this was a bit of trial and error.

We all know that PowerShell is the future, but Microsoft have released an updated version of Windows Script for Windows 2000/XP and 2003 (to match the version included with Windows Vista). You can read the release notes here.

I don’t really want to admit to interacting with Lotus Notes but that’s a part of what I’m doing currently. More specificially I’m attempting to query Domino via LDAP with a VBS script. It turns out that this is a fairly simple process and you can use the Active Directory Provider built into Windows.

Following on from the Windows Server 2008 Component Posters, I’ve made a nice PNG of just the NAP component. This does a great job at giving you an overview of how the NAP components work, much easier than trawling though a document. Click on the picture below for a larger view and enjoy:

( Via Aaron Tiensivu and Bink, this might be old news)

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 12th of July 2007:

Here’s something that’s caught my eye up on the Microsoft Download Centre which I thought might be useful to someone:

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 14th of June 2007:

Dear Diary,

For anyone deploying Adobe Reader, the direct download links for Adobe Reader are far more useful than the standard download that attempts sell you on how great Adobe Photoshop Album Starter Edition and the Google Toolbar are.

Deployment of Adobe Reader in an enterprise environment has been much simplified since version 6, however there is still some important preparation before you think about deploying version 8. Adobe have compiled information on enterprise deployment which are available on the following pages - I prefer the developer page over the page aimed at IT professionals because it has more information and is a little easier to read:

Adobe have released version 8.1 of Reader that includes updates for Office 2007 and Windows Vista, including preview in Outlook 2007. I’ll update my Adobe Reader deployment tools as soon as I can, however I don’t see any reason why ~~[my existing transform files](/deployment/disable-adobe-updater-with-adobe-customization-wizard-8) won’t work with this version~~ my existing transform files won’t work with this version, so expect updates soon. If you are looking to download the latest version here is the direct download link:

Dear Diary,

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 31st of May 2007:

TechNet has an article on moving the database and log file paths for a Storage Group in an Exchange cluster running in a Cluster Continuous Replication environment, however it’s missing a couple of steps which are fairly important to the process.

Dear Diary,

Dear Diary,

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Wednesday the 23rd of May 2007:

Dear Diary,

Dear Diary,

I was having some issues integrating Windows Server 2003 Service Pack 2 into a copy of Windows Server 2003 Enterprise R2 x64. The updater would keep reporting this error and bomb out:

Via the Microsoft IT Professional Blog Downunder, some very technical presentations are heading our way. These look great, if you’ve got the time and are local I recommend checking these out. You can register at the Australian TechNet site.

We’ve had some issues with 32bit Windows on VMware ESX 3.0 which has been causing servers that have been patched with the MS07-22 security update to freeze on boot. The severity rating for this patch is Important and it fixes a vulnerability in the Windows kernel, you can read more information about this patch here:

During a migration from Exchange Server 2003 to Exchange Server 2007 you need to add the Exchange 2007 server to replicas for each of the Public Folders (as you would need with any Exchange server migration) and this includes the System folders as well.

If you are looking at implementing remote access to Outlook Web Access 2007 through Citrix Access Gateway Advanced you’ll find that things aren’t going to work as expect and currently this configuration is not supported by Citrix.

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Monday the 7th of May 2007:

When install Office 2007 on your Terminal Servers there are a few things you’ll need to be aware of. The first of which is that you will need an Enterprise or Volume License key, i.e. those keys that use Volume Activation 1.0 and do not require activation. There is also some configuration and installation options that I recommend you set before and after installation.

In a previous post I discussed what you need to do to start deploying Office 2007. In that post I referenced a page that Microsoft linked to, but have not actually posted (Use Group Policy to Assign Startup Scripts for 2007 Office Deployment). So in this article I’ll go through a couple of ways you can use Group Policy startup scripts to deploy Office.

In this article I’ve outlined what I recommend for best utilising Group Policy to deploy applications. Deploying applications via Group Policy is a fairly straight-forward process, if a little limiting, however if you don’t do it right you could be setting yourself up for some pain down the track.

Microsoft have released ISA Server 2004 Service Pack 3, which includes support for Exchange Server 2007 and updated log viewer functionality:

Because non-native UI sucks, here’s a couple of extensions that help to make Firefox look much better on Windows Vista. These extensions mimic the Internet Explorer 7 interface, including the Windows Vista menus, making Firefox feel far more at home.

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Wednesday the 25th of April 2007:

Here’s how to create an unattended installation of VMware Tools which I’ve aimed specifically at Terminal Servers, however you can apply the same concepts for any Windows server installed under any of the VMware virtualisation products.

On our internal Terminal Servers the CEO has been having an issue whereby files or folders are not sent to the Recycle Bin, rather they are immediately deleted. If you logon with administrative rights on the machine, you can send files to the Recycle Bin. To date, he’d been told that this would be fixed once we move to some new boxes (which I did last week). Unfortunately the problem also exists on the new Terminal Servers which I only found out after the CEO pointed the problem out to me (luckily he’s a pretty understanding guy).

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Sunday the 22nd of April 2007:

While things haven’t changed much since Presentation Server 4.0, I’ve put together what you’ll need to create an unattended install for Presentation Server 4.5. First up I’ve made a copy of the installation files from the CD and added them to a single folder. This includes a copy of the administration tools in the same folder:

If you are working with PolicyMaker Registry Extension, or any of the other PolicyMaker products, you will find the Microsoft Management Console will crash when you select the User Settings / Registry node when editing the Group Policy on machine that also has Internet Explorer 7 installed. If you look at the crash details you will see that the fault is with MSHTML.DLL.

The ADM/ADMX templates have been updated and include the fix for the Outlook template. See the download link below to update your templates.

I had a need on a Terminal Server project last year to change the icon and label for client-mapped drives in use by Citrix Presentation Server clients. This proved to be quite easy to implement and actually worked well for users as they could more easily identify the drive mapped to their local C: drive.

I’ve upgraded our internal Exchange organisation over the last week and I’ve got to say Exchange 2007 is a completely different ball game. Now for seasoned Exchange architects and administrators a lot of the Exchange 2007 upgrade process is probably not new, but for those of us who don’t look after Exchange full time it’s a steep learning curve. The biggest challenges for me have been around the new Exchange Management Shell. I think the implementation of PowerShell as the basis for all Exchange management is a good thing - there’s nothing like being able to paste the exact command line into your change log. However there’s been a couple of issue that I’ve got with Exchange 2007:

If you are looking at deploying Office 2007 via Group Policy you may have noticed that Microsoft have changed the game. Office 2007 is no longer deployed using transform files; it now uses Windows Installer patches (.MSP) or CONFIG.XML to customise the Office installation.

I recently ran into a spot of trouble with integrating Windows Server 2003 Service Pack 2 into Windows Server 2003 R2. After successfully installing Windows Server 2003 with integrated Service Pack 2 on a server I ran the R2 installer (SETUP2.EXE) and was greeted with this message:

There’s got to be a quicker way of getting to the management tools in Windows right? Well here’s a quick look at the MMC files included in the base install of Windows Vista. I’ve put together a list of those files and whether you need to elevate to run them. If you do need to elevate you will have to do so by running them from an elevated command prompt. Note that you can run these without having to add the .MSC extension. The exception to this is SERVICES.MSC.

A couple of months back my old Toshiba TE2100 laptop that my wife has been using packed it in and it was time to look at a new one. I settled on a Dell and took delivery of a Dell XPS M1210 laptop last week. So far I’m pretty impressed. Here’s a breakdown of the features that I picked up for AU $2840:

The Short NAP is a quick list of NAP and Server/Domain Isolation links from around the web. Here are links for Wednesday the 4th of April 2007:

If you are starting to deploy Windows Vista you may have noticed that any user who has administrative access to their workstation will not receive mapped drives or printers. This is due to the new privilege model introduced in Windows Vista with User Account Control.

Upgrading our Access Gateway last night proved to be a bit of a challenge where perhaps it should not have been. The problem was not with the product, more due to the time between installs. Access Gateway is generally requires little administration after deployment and it’s certainly not a product I get to work with every day. So what problems did I run into? Well, things that should have been quite obvious from the start, so here’s how I got there and fixed them and how I won’t make the same mistakes twice.

Microsoft have pulled the PolicyMaker Regsitry Extension download. This product is part of what is now known as Group Policy Preferences, a new feature of Windows Server 2008 and 2008 R2.

The Endpoint Analysis feature of Citrix Access Gateway Advanced allows you to scan the client machine for specific criteria before the user is allowed access to internal network resources. One of these scans is machine membership of your internal domain. When configuring this scan you specify the NetBIOS name of your domain and apply this scan to a logon point or filter.

I came across a Windows Sidebar gadget the other day which is actually proving to be useful - the Microsoft Office 2007 Recently Used Documents gadget. It’s quite handy having a list of your recent documents available without having to go through the Start Menu. I recommend checking this one out.

I’ve spent some time in the past couple of days working out how to do an unattended install of Web Interface and Advanced Access Control and certainly been a challenge. Whilst I haven’t worked everything out, I thought that I would outline what I’ve found out thus far. Why would we want to automate the installation of AAC? Just like your Terminal Servers, the servers running AAC should be stateless, so an unattended installation will provide a method for replicating servers and for disaster recovery.

I’ve been speedlinking some interesting Network Access Protection links in the past (which you can find here, here, here and here) and as speedlinking is so very 2006, I thought that I would rebrand these types of posts to ‘The Short NAP’. So here’s The Short NAP for Tuesday 20 March 2007.

In my previous article on customising the Presentation Server Client, I outlined the steps required to make a custom package for deployment to your client machines. That just article covers creating the custom package using the packager, but there a few other customisations you might be interested in:

Here’s an easy way to crash the Microsoft Firewall service in ISA Server - create a server publishing rule that allows all high ports inbound to an internal NATed IP address.

Now that Service Pack 2 for Windows Server 2003 has been released, I thought that I would take a brief look at what’s new for Terminal Servers:

If for whatever reason you are looking to remove Adobe Reader from your computers, here’s how to remove these applications via a script or some other unattended means. I have tested this with Adobe Reader 6.0.1, 7.0.9 and 8.0 which are all readily available from the Adobe web site and all use Windows Installer. I was also able to test Adobe Reader 5.1 which utilises a standard setup application from InstallShield.

Gee, I expected a little more than this from Citrix - the new Presentation Server Client version 10 is still using the old 16-bit Windows Help format (.HLP). What’s the problem with this you say? Well, Windows Help is no longer included with Windows Vista and Microsoft have been discouraging its’ use for some time now. Yes you can now download a version of Windows Help for Vista from Microsoft, but it’s not guaranteed to work with all .HLP files.

The Citrix Presentation Server Client provides the ability to customise the client before you deploy it to your workstations. Customisation of the client is an important step to ensure the best possible experience for your users and it is yet very simple to achieve:

TweakVI is a tweaking and “optimisation” application from Totalidea that is essentially a front end for a large number of registry settings that you can enable or disable to change the behaviour of features in Windows Vista. The application is mainly aimed at power users but I would assume that some slightly less power users would be interested in this application as well.

There are quite a few design choices in Windows Vista that have me baffled, especially where an interface change to me seems quite logical but Microsoft have not implemented one. The Safely Remove Hardware feature is one such change.

While checking out where my disk space was being consumed on my Windows Vista machines, I found that System Restore was the main culprit. So to reclaim my lost space I disabled it. Here you can see the before and after impact on the system drive of my desktop - close to 3GB was freed:

Microsoft’s Windows Server 2003 Print Migrator 3.1 has now been rolled into the operating system with Windows Vista and Longhorn Server in the form of the Printer Migration Wizard. This new version is very simplified and comes as a UI, as you can see in the screenshot below, and a command line version.

If you are ever installing SafeWord RemoteAccess, don’t be in a hurry. Be prepared to wait while the Setup application downloads the application updates from the SafeWord site, you could be there a while. It’s clocked just over an hour now and it’s not my end:

Here’s a few interesting NAP links from the past several weeks:

Unfortunately life with Windows Vista means living with Microsoft’s Volume Activation 2.0. For complete information on Volume Activation 2.0 see this TechNet page:

Installing the Windows Deployment Services MMC on Windows Vista is a simple process:

Citrix have released version 10 of the Presentation Server Client and the new Citrix Streaming Client as well as Hotfix Rollup 3 for Presentation Server 4.0:

Being a project engineer for an outsourcing company, much of my time is spent working with system administrators rather than users but like users system administrators, need help from time to time. So here are a couple of tips related to support that I think are worth sharing (or re-sharing for those already in the know):

I’ve recently noticed a DLL file from Intel that keep reappearing on my system drive and I’ve tracked this down to the display software on my laptop - I’ve recently moved to a Dell laptop that has an Intel 945GM display adapter. Here’s the DLL in question:

I’ve never previously had to change the font face in Web Interface, but I’ve had to it today for the first time ever. Now one would think that this would be in a custom style sheet, but the CSS is actually inline in the Web Interface web pages.

On a semi-regular basis I see an issue on customer networks whereby users receive errors in Microsoft Word similar to the following:

UPDATE: Unfortunately the video has been pulled. Hopefully someone can track down another link.

I’ve seen some dumb software in my travels and Mercury Quality Center is no exception; however this one has got me scratching my head.

I received the following error (in a dialog box) from Windows Setup on a Terminal Server running Windows Server 2003 not long after GUI-mode setup started:

Microsoft have release a new tool, ClusPrep, for testing your servers readiness before you create a cluster to run things like Exchange and SQL:

During my quest to disable as many tray icons as I possibly can, I’ve had to track down how to disable the tray icon for Sophos Anti-Virus in a Terminal Server environment. This one is pretty easy, it’s just a single DWORD registry value:

Objective is an Enterprise Content Management system from Objective that uses a Win32 client that plugs into Office and can also be used as a stand-alone application for access to documents. I’m not a user of the application so I don’t really have an opinion on its effectiveness but organisations buy it so it must do the job.

Lot’s of NAP in the news over the past week or two, now if only I had the time and resources at the moment to do some more NAP testing.

I can find very little information on the Update Standalone Packages on the Microsoft site, with this knowledgebase article being it. What I do know about them is that they use a .MSU file extenstion and they display a dialog box similar to the Windows Update install dialog when installing.

Yay! (it is so very geeky to get excited over a scripting tool isn’t it?) Microsoft have released PowerShell 1.0 for Windows Vista today. It comes as a Microsoft Update Standalone Package.

UPDATE (09/12/2007): Updated with the list of applications and components listed here: Windows Vista components available for Windows XP.

This tickled my fancy too much so I had to post it: Bomberman Evolved

In case you were’nt aware, I have a number of install scripts for various applications that might be helpful for you if you are involved in any aspect of application deployment. A couple of these I have modified from an original script gleamed from AppDeploy.com. Hopefully you may find these useful:

Here’s a few NAP links worth checking out:

During testing of Adobe Reader 8 on a new Presentation Server 4.0 farm, I tested Adobe Reader 8 as a published application in a seamless window, using the ICA Client 9.230.50211. When using the toolbars in the published application (right clicking on the toolbars or clicking any of the drop down items) the application would exit completely without any errors logged on the server.

Every six to eight months or so, I have an issue logging onto a Terminal Server and then have to research the issue each time from scratch because I can’t remember how I fixed it. Here’s how it starts - after logging onto a Terminal Server I receive the following helpful error message:

Some bright spark over at WinZip thought that it would be a great idea to build in an auto-update utility into WinZip so that users would be prompted to download the lastest version of WinZip as they are released. Unfortunately, this updater prompts users when they first run WinZip even if they don’t have administrative access to their machine (I think the guy from WinZip and the guy from Adobe must know each other). Here’s the dialog that users see when they first run WinZip, not ideal in a corporate environment:

Last week Citrix released a hotfix for the Access Gateway 4.5. This hotfix fixes a number of issues, two of which are very interesting to me:

Microsoft have released an update for ISA Server 2006 to support publishing Exchange Server 2007. You will also need to install this patch on any machines running the ISA Server 2006 management console:

Microsoft have posted a whitepaper on utilising ISA Server as an IPSec gateway/proxy in a domain or server isolation environment to extend IPSSec protecttion to machines that do not support IPSec. This essentially involves ISA Server terminating the IPSec connection and passing traffic into a NAT’d network. It’s a 23 page document and applies to both ISA Server 2004 and 2006:

Adobe have released the Adobe Customization Wizard 8 to provide a method for customising the deployment of version 8 of the Acrobat products. This tool allows you to disable all of the most useless features included in the new release including Digital Editions, Adobe Online Services and even Adobe Updater 5. This means that you can get rid of the Updater5 folder that keeps appearing in your Documents folder.

Microsoft have posted some updated NAP documents on microsoft.com/downloads today:

WindowsNetworking.com has posted an article about Network Access Protection: An Introduction to Network Access Protection (Part 1) by Brien Posey.This is a good overview and introduction to NAP. The next article will go into configuration details.

We all know that Windows is not case sensitive when it comes to the command line. Someone forgot to tell DELPROF though - you can use DELPROF in a script to automatically and silently delete user profiles. However it seems that you need to run the command in lower case, if you use upper case it just ignores the silent switch completely and prompts you to delete profiles. Check it out in this screenshot - What The?:

I’m working on a Presentation Server deployment project at the moment, and am deploying the servers with Windows PE 2.0 via Windows Deployment Services (WDS). I need to launch Windows Setup via WINNT32.EXE because the servers have two RAID sets and the client wants the user profiles on the second disk set. So before deploying the unattended setup to hardware, I’m testing the deployment in VMware Workstation. Unfortunately Windows PE 2.0 does not recognise the VMware network card out of the box, so I’ve had to create a custom WinPE image with the drivers in it. This is the first time I’ve done this with Windows PE 2.0 so there was a little trial and error. Here are the steps I completed to create my custom image:

Microsoft has posted what appears to be an updated document (version 1.1) from August 2005, Introduction to Server and Domain Isolation with Microsoft Windows. Server and Domain Isolation using IPSec is a great method for creating isolated networks to protect those networks from unwanted traffic. Domain isolation solves the problem where access to domain resources should only be from domain member computers. If you are considering implementing NAP with Windows Server “Longhorn”, you should be planning your domain isolation strategies now.

Did you know that WinZip have an MSI installer available for WinZip 10.0 and 11.0? Neither did I until I was reading through their FAQ pages today. What I don’t get though is it’s not the default download you get for the product, you have to go looking for it on this FAQ page: Download WinZip with 64-bit Shell Extension Support. I’d like to welcome WinZip to the 21^st century - Windows Installer’s only been around since 1999..

Jason Conger has released Web Interface for Resource Manager 2.1. This couldn’t be more timely for me as I’m in the middle of a Presentation Server 4.0 implementation using Oracle 10g to host the data store and Resource Manager databases. Here’s what’s new in this release:

The November 13, World of NAP chat transcript is finally available on the TechNet site. Unfortunately I’m usually asleep when these chats and webcasts are live, so I missed out on taking part, but here are some highlight questions from the chat (edited slightly for readability):

If you implement SafeWord RemoteAccess with the agent software on a machine running Citrix Web Interface and use the Security Configuration Wizard (SCW) to lockdown the operating system, you may run into authentication issues.

In part 1 I discussed how I believe that proving identity should be your most important consideration when deciding to implement the Citrix Access Gateway or Secure Gateway for remote access. In this second part I want to discuss some of the features of both the Access Gateway (CAG) and the Secure Gateway (CSG) and how they compare.

Citrix have updated the Win32 Presentation Server Client Package to version 9.230. Here’s what I can find new or fixed specific to this version:

For an Adobe Reader 9 version of this post, go here. For an Adobe Reader 8.x version of this post, go here.

We recently had client with a requirement to provide Outlook Web Access and Exchange over the Internet/Outlook Anywhere (RPC over HTTPS) access using a single IP address on ISA Server. The problem with making both of these services available on a single IP address is that both utilise HTTPS which by default is TCP 443. RPC over HTTPS with Outlook can’t use an alternate port - if you attempt to specify and alternate port Outlook UI you receive the following error:

I’m a bit slow, it’s about a month old now, but I spotted this article in CRN Australia magazine about how HP and VMware are teaming to bring VDI to the masses. Here’s an intro from the article:

Mitchell Ashley over at The Converging Network, has a podcast with a discussion with Amith Krishnan from Microsoft about NAP:

The good guys over at Swivel have let me post a document that Graham Field (from Swivel) has created for integrating Swivel PINsafe into Access Gateway Advanced Edition 4.5. The document covers everything you’ll need to get PINsafe authentication working with Advanced Access Control, including setting up Turing or Single Channel authentication (use to stop bots not humans). You get a copy of the document in Word format here and the LOGIN.ASCX with the code for setting up the Turing authentication here.

Microsoft have posted the Windows Vista Product Guide on their Downloads Centre. At 61Mb and 316 pages this document is huge, but it’s go some great detail about what Windows Vista is all about. If you’re one of those people who thinks that Windows Vista is Windows XP Service Pack 3, then this document is for you, if you’re not, then this document is still for you too. This is the document to give to your sales team (you may have to read it to them - could take a while and you might need a little bell handy to let them know when to turn the page..). Here’s a break down of what the document covers:

I think that the attachment preview feature (see number 10) of Outlook 2007 is one of its best new features, however I’ve noticed that Outlook can’t preview calendar appointments sent as an attachment. So essentially, Outlook can’t preview it’s own files, do’h! Check out the screenshot:

Internally we have deployed SharePoint Portal Server 2003 as our intranet. To ensure that the Citrix Web Interface for SharePoint (WISP) web part works correctly, we need to ensure that there is only authenticated access to SharePoint (WISP fails if anonymous access is enabled). What I have found on Windows XP machines that have been upgraded to IE7, is that users are prompted for authentication when accessing SharePoint (IE presents the standard Windows authentication dialog) instead of the browser passing authentication through to IIS as it should.

Hotfix 5 (AAC420W005) is available for Advanced Access Control 4.2. The fix list is quite large - 50 fixes are listed in the readme file. One of the most important updates that you will need to be aware of, are changes to the Endpoint Analysis scans. This means that scans that you have installed into AAC will require updating to work with the new hotfix. From the Citrix readme:

Daemon Tools was giving me some grief after upgrading to Windows Vista RTM and I had to update to version 4.08 which includes an updated SPTD driver for the virtual CDROM drive. When running the 4.08 installer for the first time, I had to uninstall the old version and reboot. After the reboot, I ran the installer again and the following error message would be displayed: “You must reboot after a previous operation”

No, I haven’t written a step by step guide, but Microsoft has and they have released a document detailing 802.1X NAP enforcement for demonstration purposes. This is a very detailed resource that will require some time and effort to setup, but if you are interested in NAP and 801.2X then this document is for you. Here’s a view of the test lab configuration to give you an idea of what’s involved:

We are testing a private hotfix from Citrix that addresses a HTTP Error 500 on the Access Gateway Advanced Edition 4.2. You may have seen this error in your Access Gateway implementations where access to a Logon Point on the Access Gateway produces the error and a reboot of the appliance temporarily fixes the issue. The hotfix brings the Access Gateway version to Access Gateway 4.2.3 Build 81.31; Build Date: 2006-11-03. I’m unsure if this hotfix is generally available, but if you are experiencing the issue give the good looking guys at Citrix Support a call to obtain a copy of the fix, or wait until a general hotfix is available from the Citrix support web site.

Microsoft has made available a general beta for the Forefront Client Security product. Here’s a quote from the download to give you an idea of what Client Security is about:

Here’s a quick list of interesting NAP and Domain/Server Isolation related links for November:

ISAServer.org has an excellent four part tutorial on using LDAP to pre-authenticate Outlook Web Access. You can find them here:

I’ve been checking out the excellent UltraMon on Windows Vista, which provides some cool hacks for multiple displays under Windows. One of the excellent hacks is the ability to assign a hotkey that moves an application between screens - when you hit the hotkey the application or window appears on the next screen, very handy. However, this appears to work on the Start Menu too. I’m not sure if this happens on Windows XP but here’s what you get with the Start Menu open and then hit the hotkey:

Before I go into what I actually want to talk about, here’s a high level overview of the differences (and similarities) between the Access Gateway and Secure Gateway:

Ian Hameroff has put together a great webcast on the networking features of Windows Vista and Longhorn Server, and as you might expect from the title, how they work when the Longhorn client and server versions are teamed together. The webcast includes an overview of Network Access Protection and Windows Firewall with Advanced Security as well as Server and Domain Isolation and IPSec. The whole webcast is worth watching, however if you’re only interested in NAP and the Windows Firewall skip to about the 19 minute mark.

According to Sam Johnston, Access Gateway and Access Gateway Advanced Edition (Access Gateway with Advanced Access Control) 4.5 have been released as of last Friday 13^th October. Check out Sam's post for an excellent description of what to expect of the new version.

Citrix have a private hotfix to address issues with the Access Gateway 4.2.3 experiencing a hang when changes are made to a Logon Point in Advanced Access Control. If you are experiencing the issue, give the good looking guys at Citrix Support a call. You will have to give them information about your setup and they should be able to give you the hotfix to test out. If you are experiencing the issue, why not share your experiences over at the Brian Madden forums.

Three months before Jay Tomlin started blogging and well before Citrite.org and CitrixCommunity.com popped up, Citrix France has been podcasting and blogging over at http://podcast.citrix.fr. It appears to be very much a marketing exercise rather than employees blogging about Citrix technologies and their experiences, but it’s interesting none the less. If you are like me and your French is limited to “Parlez-vous anglais?” you can view a Google translated version here.

Gene Ferioli, a Program Manager with the Customer Connection Team at Microsoft did a webcast back in September on NAP, which is available for download. I’ve just gotten around watching this webcast and it weighs in at 1h 8m. Here’s my rough notes on what it covers:

Microsoft Australia are hosting a TechNet session on Windows Server “Longhorn” and Exchange Server 2007 in Melbourne, Canberra, Brisbane and Sydney. The second part of the session is all about Network Access Protection:

If you are looking to integrate the Swivel PINsafe one time password (OTP) authentication system into Advanced Access Control 4.2 you’ll find that it’s not going to work out of the box. You will see the following authentication packet sequence once you have configured PINsafe as a RADIUS profile within AAC and attempt to authenticate:

Here’s an interesting new feature of Windows Vista that will be a help to shared computing environments such as public libraries or those still inflicted with Windows NT 4.0 domains - Multiple Local Group Policy.

In case you weren’t aware, Microsoft have a web forum for support and discussion around NAP. It’s a little sparse at the moment with only 13 topics but once Longhorn Server is released this forum should become more widely used.

Jeff Sigman, the NAP Release Manager at Microsoft, has posted a link to a webcast he did recently for MVPs, which is now available for general viewing. This is quite a long webcast (1h 40m) but it goes into detail about NAP and demonstrates using DHCP or IPSec as an enforcement tool for NAP. It’s well worth checking out if you have the time, but if you don’t, here’s my (really) rough notes to give you an overview of the content:

Via Steve Riley and from the Today Tonight school of journalism comes NAP to be ‘kicked out’ of Vista. Here’s a couple of snippets:

Now that Microsoft have released ISA Server 2006, we have more authentication options available to us. This includes the ability to add two-factor authentication solutions to the existing forms based authentication, traditionally used to authentication against Active Directory only. I have a previous post on how to protect Outlook Web Access with RSA SecurID, which discusses using the RSA Web Agent with IIS and RSA SecurID authentication with ISA Server 2004, however both of those options are a little clunky. Now with ISA Server 2006, we have a more elegant solution that allows us to integrate RSA SecurID directly into the forms authentication method. Assuming ISA Server is a domain member, here’s how to do it.

With the release of Office 2007 not that far away, the new Open XML file formats should be starting to make an appearance in enterprises. By installing the Microsoft Office applications on your Advanced Access Control server you can provide HTML rendering of Word, Excel and PowerPoint documents to your users (You can also provide access to Visio documents too, but I won’t cover that here). At this stage, this will only cover the current .DOC, .XLS and .PPT file types. By installing the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats you can provide users with access to the new .DOCX, .XLSX and .PPTX. This is a simple process, here’s how to do it:

I upgraded our firewall a couple of days ago from ISA Server 2004 to ISA Server 2006, which went fairly smoothly with the actual setup routine only taking about 5 minutes to complete. However, after the upgrade there were a couple of items required some configuration changes:

Just in the process of upgrading our firewall from ISA Server 2004 to ISA Server 2006. Before I did this, though, I wanted to grab an export of my current config. However toward the end of the export, the management console would report this error:

Here’s a couple of nifty tips for Windows Vista that I’ve learnt this week and wanted to share:

Here’s a quick list of interesting NAP and Domain/Server Isolation related links from Microsoft for September:

I’m not alone in my frustration with Windows Vista (or Windows XP) and the inconsistency in font usage. Fonts are definitely in your face and consistent font usage helps the user distinguish between a UI element and content. David Vronay, Research Manager for Windows User Experience Compliance, has posted a response to a thread that I started on font inconsistency at shell: revealed. Here’s what he had to say on the topic:

I’m sure the use of adding .ICA files to web servers to launch published applications from Presentation Server doesn’t happen as often as it used to, but it’s still useful for adding a link to an application on an intranet site. After adding a .ICA file to IIS6, however, users may receive a file not found error:

Having issues getting Word 2007 to register your blog provider? You may receive the following error message when attempting to add a blog account to Word:

I’ve put together a diagram detailing the flow of IP traffic between the different components of an Access Gateway with Advanced Access Control implementation. This is designed to give everyone involved in implementation of the Access Gateway an understanding of each component and the communication required between each host. This diagram details these components:

This one is in reply to Long’s post, but to be fair I know he’s all for UAC. Windows Vista finally introduces some real security improvements to the Windows operating system that have been long overdue. The product is still in beta, however people are already up in arms about how ‘intrusive’ UAC is. Why is it that Linux and MacOS users understand why it’s not a good idea to run with administrative privileges and Windows users don’t? *

Microsoft and Cisco annouced some time ago that they were working on NAP and NAC interoperability. They’ve demonstrated this recently at the Security Standard conference in Boston (all the cool stuff seems to happen in Boston). You can view the Microsoft PressPass update here and the Cisco press release here (they’re the same thing, no need to read both). Cisco and Microsoft have cross-licensed their protocols to make this interoperability work. You can view a white-paper on this architecture here:

I went looking for this last week and just couldn’t find it. Well Sam Johnston has let us know how it’s done. If you want to stop the browser from offering to save your username and password when logging into the Access Gateway, follow these steps on your Advanced Access Control servers:

Check out the battery life on my IBM ThinkPad T41p. There’s way too much FUD out there about Windows Vista shortening battery life, this is almost two working weeks from a single charge..

I promise this won’t become yet another blog just reposting links to other sites (more original posts to come), but here a link to a new document on the Microsoft Download site that’s worth mentioning. This document goes into the various methods that can be used to protect your network from unmanaged clients. This includes:

Ah, the things you find when you’re looking for something else. I was extracting some icons from Window Vista with the excellent Axialis IconWorkshop and stumbled across MSSVP.DLL in the SYSTEM32 folder. It looks to be a part of Windows Seach. Well, this file has a number of Outlook icons in it and I don’t even have Office 2007 installed on that particular installation of Vista. What a strange behemoth Microsoft is. Here’s a look at the file properties and icons contained within:

Citrite Sam Johnston has posted about Certificate Revocation List retrieval by the Access Gateway. I’ve not had this issue myself, but I’ll have to keep an eye out for it.

Citrix (other than Jay Tomlin) have finally got their act together and started blogging. You can view the blogs at http://citrite.org/blogs/.

Customising Logon points in Advanced Access Control is a fairly easy process. Customisation allows you to add a corporate look and feel to the user interface. However, removing and redeploying the Logon Point will remove all customisations - the Logon Point is just a bunch of HTML and graphic files. Here’s how to customise the source files so that redeployed and new Logon Points will already have your customisations.

If you run CITRIX_ADMIN_MONITOR.EXE and after you enter the username and password the Access Gateway does not display, this could be related to proxy settings in Internet Explorer. Even adding the address of the Access Gateway to the proxy bypass list does not solve the issue. Disable proxy settings in Internet Explorer and the Access Gateway desktop displays immediately. In our case we have ISA Server 2004 as our firewall. ISA Server does not allow protocols other than HTTP to be tunnelled over SSL by default and if you check the log files you will see the connection being denied. So the solution here is to either, disable proxy settings when using CITRIX_ADMIN_MONITOR or enable port 9001 to be tunnelled over SSL.

System Center Configuration Manager (SMS4) will be able to act as a remediation server in a NAP environment, which we would expect of course. Given that, with 3rd party agents, SMS can support operating systems other than Windows, all you need is a NAP system health agent (SHA) for your OS of choice and you can support that OS in your NAP/SMS environment.

Advanced Access Control 4.5 includes a session viewer to enable the administrator to view logged in sessions, either directly to Advanced Access Control or view the Acces Gateway (existing versions require you to connect to the Access Gateway desktop to view sessions). Click the link for a full view, note the copy button, this allows you to copy the details of the session to the clipboard.

Martijn Kools has very kindly let me repost his instructions for enabling SSH on the Access Gateway and scheduling a reboot. WARNING: This is a totally unsupported method for enabling SSH. Be sure to have a backup of the config of the AG and access to the Access Gatway CD to be able to perform a reinstall if required.

Today’s entrant into the Hall of Shame is Esker Tun PLUS which can be used to provide an ActiveX based terminal emulator via the web. This product downloads no less than 11 ActiveX controls and then wants the user to run an application named TRUST.EXE from a page that has the following text:

After performing two Exchange disaster recoveries in as many months, I’ve come up with a list of Fifteen Ten Commandments for Exchange Server 😉

Windows Vista and Windows Server 2008 introduce a number of new user profile paths and environment variables that differ from earlier versions of Windows and these changes may have an impact on scripts such as logon scripts and application install scripts. Most scripts should work correctly - VBScript scripts that use system functions to find folder paths should work as expected, however batch scripts that use environment variables or hard codes scripts will require modifications. Here’s a short run down of the changes.

I’ve recently updated a few WSUS servers with WSUS SP1. The admin tool shows build numbers but does not state if the version is RTM or SP1. For reference these build numbers are:

Like all ridiculously expensive software we love to hate, the SAP GUI does not use standard Windows print queues to send print jobs, but implementes a printing method they call SAPLPD instead. This is launched by a process that looks to be external to the SAP GUI component and does not respect the working directory key in each users registry. This process will attempt to write a file named LPRINT.NUM to the working directory of it’s parent process, the SAP GUI. If user does not have rights to write to this location the SAP GUI will exit completely without warning.

When Microsoft released Windows 2000, the new default UI font was changed to Tahoma from Microsoft Sans Serif. Unfortunately, not every team involved in developing Windows got the memo detailing this change. (There€™s a whole team for the Display properties applet right?). I think it was also the same teams that then forgot to change the font in various dialogs in Windows XP. It still haunts us in various locations in Windows Vista as of build 5456 for which the new UI font is Segoe UI. Well if you€™re picky like me and just want to see the same font across all UI elements, you can get most of the way there with a couple of registry edits. Navigate to:

I’ve always thought that turning the little icon that displays network traffic on is dumb. From remote RDP or ICA sessions, it creates and endless loop of traffic. Here’s a quote from the “Advanced Concepts Guide: Citrix Presentation Server for Windows Version 4.0”

After adding my laptop running Windows Vista to our AD domain, Windows Update was unable to synchronise and would produce the following errors:

If the Citrix Program Neighbourhood Agent is slow to connect to the PNAgent web service and then takes time to display a list of applications, it’s probably related to folder redirection of the Application Data folder. Program Neighbourhood Agent, by default, stores cache information in the following folder:

Outlook Web Access can be protected with an extra layer of authentication via RSA SecurID. This can be implemented in one of two ways:

Truly geeky people will appreciate the ability to run their mailbox on their very own Exchange cluster running on their laptop. Not quite high availability but high on a list of silly things to do. Here’s how to create a cluser in VMware Workstation:

I’ve just spent yesterday and today working on a site where the client had a need to run both the Microsoft Java VM and the Sun Java VM on their Terminal Servers. (The Microsoft Java VM is used for one site only, yes developers strike again). I was pretty happy when I was able to use Presentation Server 4.0 and Application Isolation Environments to get these to work on the same server, in Internet Explorer, at the same time. Here’s how:

Back in June, Microsoft created a resource section on TechNet for the Windows Firewall, check it out here. There is also a link to an article from way back in May 2004 about how Windows determines if the computer is on the domain network or another network and thus when to apply the Domain Windows Firewall profile or the Standard Windows Firewall profile settings pushed out via Group Policy. Using Group Policy to deliver a Domain and a Standard firewall policy to your workstations, allows you to place a less restrictive firewall policy when inside the coporate network and place a tight firewall policy (read deny all inbound) when a machine is away from the corporate network. Check out the article here:

For an overview of what NAP is and how it works check out the following document from Microsoft:

The Access Gateway 4.2.3 hotfix includes the ability to set the speed of the network connection, a feature that is not mentioned in the readme. For the last AG installation I did the customer wanted to hard set speed and duplex settings, well now they can.

We’ve been accepted into the Citrix Access Gateway 4.5, Standard and Advanced Editions Beta Program. No word on a NDA yet, but hopefully I might get a chance to post some details.

After doing a few implementations of the Citrix Access Gateway with Advanced Access Control solution for remote access, I’ve found that successful implementations require some coordination to be implemented within a reasonable timeframe. This is especially challenging in large environment where things tend to move slowly. A checklist with prerequisites goes a long way to help, so here€™s one I prepared earlier in PDF format:

This is listed in the Access Gateway Administrators document, but it’s buried deep, so here’s my own version.

Microsoft have posted a document detailing Windows Firewall with Advanced Security in Windows Vista and Longhorn Server. Many organisations have wanted to apply outbound rules to traffic from their Windows boxes, which they will be able to do if they upgrade to Windows Vista or Longhorn, it’s going to be quite a challenge to implement on a large scale basis. It still suprises me though, how many organistations just turn the firewall off completely - in today’s networks, hosts need to actively protect themselves. Treat your internal network as hostile (more on that to come).

When a user reboots Windows XP or 2000 etc. with a program open the user is presented with all sorts of dialog boxes that are a little jaring and the whole experience has got to be confusing to users with only a basic understanding of Windows. Here’s how Windows Vista does it, quite nice I think. Click the thumbnail for more detail.

I’ve been checking out a recent build of Windows Vista today and took the chance to look at connecting to a remote Windows Vista machine from Windows Vista over RDP. The result was impressive to say the least. The remote session has full support for Aero Glass including all the minimise/maximise effects as well as Flip 3D. Now this would require that the Aero Glass is drawn on the screen locally rather than sent directly via RDP, which is what WPF Remoting is all about. Brian Madden has more on this here and here. Once this is teamed with seamless window support in Windows Longhorn Server the line between a local and remote application will be further blurred - users should almost never notice the difference. This is exciting stuff, as I am really into the user experience. In the Terminal Server world we are always battling what users perceive to be performance related issues. Once we can say good-bye to the current screen scraping type technologies in RDP and ICA I think users will be much happier. Of course we just need to get the applications to use WPF. Developers are you listening?

The latest TechNet Magazine has an article by Raymon Chen on the “Program Files” and “Documents and Settings” folders, including changes to the profiles folder in Windows Vista. It gives some clarification to the changes in Vista and I thought that it applies to my previous post.

I’ve recently updated a few WSUS servers with WSUS SP1. The admin tool shows build numbers but does not state if the version is RTM or SP1. For reference these build numbers are:

More fun with consoles developed in Java. Check out the administration tool for Symantecs’ Gateway Security 1600 appliance - 100% CPU usage just to display the logon dialog then 100Mb of RAM just after opening the console:

One of the great features of Citrix Advanced Access Control is the ability to control access to internal resources from trusted machines with End Point Analysis. Citrix have implemented their own client and server components to perform end-point analysis and ensure that client machines are safe for access.

When Microsoft released Windows 2000, the new default UI font was changed to Tahoma from Microsoft Sans Serif. Unfortunately, not every team involved in developing Windows got the memo detailing this change. (There’s a whole team for the Display properties applet right?). I think it was also the same teams that then forgot to change the font in various dialogs in Windows XP. It still haunts us in various locations in Windows Vista as of build 5456 for which the new UI font is Segoe UI. Well if you’re picky like me and just want to see the same font across all UI elements, you can get most of the way there with a couple of registry edits. Navigate to:

I have a discussion topic that comes up again and again - client A has an application from vendor X that has only just been certified to run on Citrix Presentation Server version Y. This discussion topic is driving me nuts, driving me up the wall, round the bend, I think I’m gonna have an aneurism. Why is the concept of Presentation Server so hard to understand? Presentation Server does not do anything to applications, it’s Terminal Services that is doing the work. Write the applications properly in the first place so we can run it anywhere, run it as a limited user, run it on the latest Service Pack and run on Terminal Server. It’s not that hard, start here: http://msdn.microsoft.com.

Citrix have added a new ICA client to their download site. This client is very interesting as it uses application virtualisation from Thinstall that allows the user to run the ICA client without installing it. This is great for users who travel and may want to access applications from their corporate network, but end up in an Internet cafe where the computers don’t have the Citrix ICA Client installed.This client runs from a single compressed executable and evidently requires no change to the host PC. You can read more about the client here.

If you currently have Office 2003 (or any Office 2003 component such as Visio or Publisher) installed you’ll run into some problems if you upgrade to Office 2007 Beta 2*. The Office 2003 components will not be completely removed and you may have issues such as returning shortcuts or Outlook add-ins trying to reinstall eventually bringing Office 2007 to a grinding halt. If this happens, check out the “Windows Installer CleanUp Utility” for removing all vestiges of Office 2003. You may then have to perform a repair of the Office 2007 applications. See KB290301 for more information. Probalby best to remove an ealier version of Office before installing Office 2007.

Now that Microsoft intends to expand their virtualisation strategy with the purchase of Softricity, I expect that we will see a few things with SoftGrid:

Always an interesting discussion around the traps is that of how much memory to install in Terminal Servers. Due to the nature of Terminal Server and limitations of the 32bit architecture, kernel address space will be exhausted before a Terminal Server will run out of RAM (depending on the number of users, of course). Brian Madden has an excellent article discussing this limitation.

I’ve recently had conversations about running anti-virus software on some specialised servers. Specifically Windows Servers running ISA Server 2004 or VMware Server (or Virtual Server). The argument for installing anti-virus software on these servers is to ensure they are protected against viruses and worms. I’ve been arguing against installing anti-virus software to ensure maximum performance. The reasons I have argued against are the following:

The User Profile Hive Cleanup Service is a tool that I’ve even been installing on desktops. A beta for version 2.x is underway and Thomas Koetzing has an impressive writeup of the tool on his site here, where you can also sign-up for the beta. Version 2.x sounds great and I hope that all of the features in this new version make it into Vista which a a similar service built in.

Check out this great Firefox extension that allows you to view pages with the Internet Explorer engine inside Firefox: ietab

Here’s an excellent document I’ve added to my list of articles to give to clients:

Over the past week, I’ve been creating an internal Exchange best practice/check list document so that we can standardise on how we configure Exchange servers for our clients. This document includes a number of items including information on configuring AV scanners to exclude certain Exchange folders. I thought it best to provide the reader of this document direct links to knowledgebase articles on various AV products. I attempted to cover the following vendors:

Has Microsoft realised the power of EventID.Net? They’ve added an ‘Events and Errors Message Center’ page @ TechNet.

I spend alot of time troubleshooting applications on Windows XP and Windows Terminal Server. The challenge, especially in Terminal Server environments is to get applications running and still keep the environment secure. This means spending time with the Sysinternals tools and various others. Brian Madden has started posting videos and presentations from this years BriForum. The first video and slide deck are a great resource for those of us who deploy and manage applications. Definitely worth a watch:

Backup the system state on your domain controllers. “Like duh!” you say, well that’s what I said too. I spent Friday a client’s site where a domain controller had gone down and they were experiencing issues with logons and Exchange. The client has/has four domain controllers, one at each of their four sites and all were marked as Global Catalog(ue)s. However once this single DC went down, due to hardware failure, AD essentially went bye-bye. Backups were no good and all the usual diagnostic tools would only show the downed DC as the lone GC. We could not seize the Schema Master and after spending about 6 hours on the phone with PSS, the decision was made to start again with a new domain, DC and Exchange server. Lots of fun that could have been avoided with products like Microsoft Operations Manager or NetIQ AppManager. I still don’t understand why these types of products are generally a hard sell.

I’ll file this under “Stupid Things I Didn’t Know”. Citrix Presentation Server relies on the PATH variable for core components to run. I was adding to the PATH variable, in a scripted build after the CPS install and before a reboot, with a command like this:

In a previous topic, I used the Application Isolation Environment feature in Citrix Presentation Server 4.0 to solve an issue where sites require different versions on the Java VM. A side effect of this was, however, that the application would take around 60 seconds to launch. Turns out the issue pops up on Windows Server 2003 Service Pack 1 and has to do with certificate autoenrollment. Essentially a 60 second delay is implemented to speed things up… Hmm, let ponder that for a second, accept it and move on. To relieve my application launch delay issue, I created the following registry key, the planets aligned, and all worked well.

Having previously having issues installing an applications on IIS where the Default Web Site (i.e. the site with an identifier of 1) no longer exists, I was hesitant to edit the METABASE.XML. So I bit the bullet, stopped IIS, opened METABASE.XML in Notepad and changed all instances of the existing identifier to 1, saved and restarted IIS, and away she went. Bowl me over with a feather, by jove she works!

If I could live in a world without Java, I’d be happy…

The Active Directory Migration Tool v3.0 has just been released. I’ll have to add this to my list of things to check out.

Last night I attempted to install Citrix Web Interface for Presentation Server 4.0 on a Windows box and received the following error:

Today’s lesson is: Virtual PC and shared folders are slow. I mean really, really slow. Try install Exchange Server 2003 Service Pack 1 into a VM with the source files in a shared folder (Virtual PC shared folders), I almost slit my wrists waiting for that to install. It ended up taking well over an hour. My work around: ROBOCOPY the sources files onto the VM’s hard drive and install from there.

There are 3 reasons why I use Firefox:

Found this via Stanislas Quastana’s blog: ISA Client Spy. Free tools for ISA Server are great and this one, should be an excellent troubleshooting tool.

Placing an Exchange Front-end server in the DMZ does nothing to increase security.

This is a great article discussing the features of ISA Server as a layer 7 firewall (without the usual zealous bubble from Dr T. Shinder)