Posts

Cross-platform Profiles with Profile Container and User Experience Virtualization

FSLogix Profile Container has plenty of advantages in a virtual desktop environment that show a measurable improvements to end-user experience. It’s important to understand what a container approach to roaming a user profile is as you consider adoption of Profile Container, now that you own the license.

Manage User Experience Virtualization on the Modern Desktop

On the modern Windows 10 desktop with Office 365 and Azure AD Premium, application preferences are roamed by two components - the Office 2013+ desktop applications roam settings when used with Office 365 and when enabled, Enterprise State Roaming synchronises specific settings.

Crowd Sourced Redirections.xml for FSLogix Profile Containers

Here’s a new tool that I’ve pushed to the PowerShell Gallery - ConvertTo-RedirectionsXml for generating a Redirections.Xml for use with Profile Container. This makes the task of generating a new Redirections.xml as simple as running two PowerShell commands:

A Practical Guide to FSLogix Containers Capacity Planning and Maintenance

A container approach to profiles in your virtual desktop environment means you’re going to deal with additional storage requirements that you likely haven’t had previously. Profile containers have gone mainstream with the Microsoft acquisition of FSLogix, making Profile Container and Office 365 Container available to practically everyone.

Goodbye WordPress. Hello, Jekyll!

With a hosting renewal pending I thought it past time to migrate to a new platform for stealthpuppy.com. While I’ve found WordPress to be OK with plenty of support for extensibility through plug-ins, I’m not keen on paying for a blogging platform that I don’t actively make an income from, nor do I want to deal with the hassle of a multi-tier platform using MySQL, PHP and WordPress itself.

Signing Git Commits for Sweet Verified Badges

Confession time - I’ve had a GitHub account since 2014 and haven’t signed a single commit. I’ve read various tweets and articles about signing your commits, but never committed (git it? … see what I did there…) to setting up a signature until recently.

Default Start Menu Customisation via Intune

The promise of a modern management approach to deployment and management of Windows 10 is that you no longer create and manage a custom SOE image. User experience is still important though and a large part of that experience in an enterprise environment, is the default Start menu.

Dynamic Software Update Rings in Microsoft Intune

Microsoft Intune provides management of Window 10 Update Rings to enable Windows as a Service, via the Software Updates feature. This enrols a Windows PC into Windows Update for Business to manage feature and quality updates the device receives and how quickly it updates to a new release. As you scale the number of devices managed by Microsoft Intune, the need to manage the software update or deployment rings is key to adopting Windows 10 successfully. Being able to do so dynamically and empowering end-users by involving them in the process sounds like an idea that’s just crazy enough to work. This article details an approach to achieve dynamic software update rings.

Visualising ConfigMgr, Intune and Windows 10 Releases

I recently presented a session titled ‘Modern Management Methodology Imaginarium’ at the xenappblog.com Virtual Expo September 2018 event. In this session, I discussed my thoughts and approach to modern management, primarily for Windows 10. The session provided a bit of background, some definitions for what makes up the modern desktop and a high-level approach to implementing it.

Storage Sense on Windows 10 configured with Intune

In a modern management scenario, enabling end-points to perform automatic maintenance tasks will reduce TCO by avoiding scenarios that might result in support calls. Storage Sense in Windows 10 is a great way to manage free disk space on PCs by clearing caches, temporary files, old downloads, Windows Update cleanup, previous Windows Versions, and more, but it it’s not fully enabled by default. Storage Sense can potentially remove gigabytes of data, freeing up valuable space on smaller drives.

Citrix Workspace app deployed with Microsoft Intune

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Thunderbolt end-user experience macOS vs. Windows

Thunderbolt 3 (and USB-C) are here to provide a single cable for everything, although your experience with this technology will differ depending on your choice of operating system. Here’s a quick look at the end-user experience of TB on macOS and Windows.

Thunderbolt 3 - One Cable to Rule Them All

Thunderbolt 3 and USB-C have arrived to make our life easier and more confusing all at the same time. The promise of a single cable that does everything is appealing but for the average consumer, knowing what to purchase is challenging. This article is a view into my research into Thunderbolt, USB-C and 4K monitors and what I’ve ultimately purchased.

Adobe Reader DC deployment with Microsoft Intune Part 2

In the previous article we saw how to customise the Adobe Reader DC installation and deploy it via Microsoft Intune. Now that it’s installed on Windows 10 end-points let’s look at how updates work.

Adobe Reader DC deployment with Microsoft Intune Part 1

Adobe Reader is of course one of the most common applications on Windows desktops and if you’re moving to a Modern Management approach you’re likely looking at how to deploy Adobe Reader DC to Windows 10 via Microsoft Intune.

Download, Install, Import Visual C++ Redistributables with VcRedist

Note: for a more up to date version of the content in this article, VcRedist now has documentation available here: https://docs.stealthpuppy.com/docs/vcredist

Get latest Citrix Receiver version with PowerShell

I’ve previously written about deploying Citrix Receiver to Windows 10 via Intune with PowerShell. In that article, I included a script that will detect an installed version of Receiver and update to the latest version if it is out of date. To start with, I’ve hard-coded the current Receiver for Windows version into the script; however, that’s not necessarily the best approach, because it will require updating whenever a new version is released.

Folder Redirection to OneDrive on Windows 10 with Intune

If you’re deploying Windows 10 with Modern Management (Azure AD joined, MDM managed), you’ll likely have wondered about data protection - if users aren’t intentionally saving documents to their OneDrive folder, that data is likely, not synchronised and therefore not protected against data loss.

Deploy Citrix Receiver to Windows 10 with Intune and PowerShell

If you’ve deployed Windows 10 Modern Management you’ll know that some applications present a challenge for deployment, because Windows 10 MDM supports the Win32 applications via a single MSI file only. Applications such as Citrix Receiver, that are a single EXE (that wraps multiple MSI files), can, therefore, be challenging. You can create a custom wrapper to deploy Receiver, but this requires a packaging tool and some specific knowledge on how to package applications.

Improving Ivanti Application Control Message Boxes

Ivanti Application Control (previously AppSense Application Manager) is an application whitelisting and privilege management solution; however, I think you’re likely aware of that since you’re reading this article. Application Control has a number of customisable message boxes that are displayed to the end-user for Windows application whitelisting or privilege elevation scenarios. In this article, I’ll discuss improving the end-user experience with some visual flair and text.

Melbourne CUGC IV - It's LTSR in the Spotlight!

We’ve been busy planning our next CUGC meet-up for 2017, which will be on the 24th of October at the Telstra Conference Center at 242 Exhibition St. To attend the meet-up, ensure you’ve signed up at the MyCUGC.org site: Melbourne Citrix User Group Local Meeting

Simple Country of Origin Control for NetScaler with Azure AD

Great news! Microsoft has enabled a number of available conditions and custom controls in Azure AD for use in Conditional Access making these policies even more useful. This includes a simple method to control access to Citrix NetScaler by country of origin.

Intune Company Portal for macOS Experience

Microsoft released a beta version of the Intune Company Portal for macOS just last month; however, it’s since been pulled from the Download Center. This app had been made available along with the announcement of Conditional Access supporting macOS in preview.

Setting up Windows Defender Advanced Threat Protection

Understanding what Windows Defender Advanced Threat Protection (ATP) actually is had eluded me for a while - it’s not included in something like EMS, it’s not available with a Visual Studio Enterprise subscription and you’ll need to request an evaluation from Microsoft (and hope it’s approved) to test it out. Windows Defender ATP is licensed as a component of the Windows 10 Enterprise E5 or the Secure Productive Enterprise (soon to be Microsoft 365) E5 subscriptions.

Protecting a Cloud Jump Box with Duo Free

Deploying a jump box into a cloud environment such as Azure or AWS, is a common way of providing access into said environment through a single entry point. Often access to the jump box will be restricted by source IP, but that approach isn’t completely secure for many reasons - admins don’t update the rules, source IP doesn’t identify the user etc.

Office 365 ProPlus Deployed with Intune in under 5 Minutes

Intune has simplified the process for deploying Office 365 ProPlus to Windows 10 PCs with a wizard driven process that will get you deploying the Office suite in less that 5 minutes. I’m not exaggerating either - the process is so simple, it will take you longer to make a cup of coffee.

Automatic Download and Import of Updates into MDT

A couple of months back, I sent an email to the Microsoft MVP mailing list to see if anyone knew of a JSON feed of Windows 10 updates from Microsoft. I’d found a way to grab the latest Firefox version via PowerShell and was hoping to do something similar for Windows 10. Keith Garner responded with something even better - a working script that pulls from a JSON resource on the Windows 10 and Windows Server 2016 Update History page, to return the most recent cumulative update.

Enabling Modern Authentication for Office

Enabling Azure AD and Office 365 features including multi-factor authentication and Conditional Access will impact your users because they’ll need utilise App Passwords (one time passwords used for authentication with legacy applications). Unfortunately this will only serve to confuse users and result in calls to your service desk. Modern authentication is, of course, the way to improve user experience but it’s not enabled by default.

Install-VisualCRedistributables.ps1 – Now with ConfigMgr Support!

I recently posted an article on a script I’ve written for downloading and installing the Microsoft Visual C++ Redistributables. Thanks to Cornelius Schuchardt, the script now supports creating applications for each redistributable in Configuration Manager (ConfigMgr).

Install-VisualCRedistributables.ps1 - A Visual C++ Redistributable Installer

In updating my MDT deployment shares recently, I got tired of having to do something about the Visual C++ Redistributable installers and finally decided to do something about it, so I’ve written a script that will download the installers and optionally install them - Install-VisualCRedistributables.ps1.

Integrating Citrix NetScaler with Azure AD and Conditional Access

Every so often a few of your favourite technologies intersect to create something magical and your passion for IT is renewed. That happened for me this week when configured Citrix NetScaler to authenticate to Azure Active Directory via SAML and enforce access to XenApp via Azure Multi-factor Authentication and Azure AD Conditional Access policies. The possibilities for securing remote access and the improved user experience that this configuration provides is so damn cool, everyone should know about it.

Tips for Enabling SSO with Salesforce and Azure AD

I was recently testing out the setup of single sign-on (SSO) and user provisioning with Azure Active Directory and Salesforce via the Azure Resource Manager portal and came across a couple of minor hiccups that I wanted to share. With Salesforce being as popular as it is, it’s a great target for enabling SSO in any organisation and improving the user experience.

Managing Universal Apps with Microsoft Intune

I am excited about the opportunities that managing Windows 10 devices with Azure AD Join and MDM (i.e. modern management) provides for both users and admins. In this article, I’ll cover deploying and managing modern applications (Universal apps) on a modern platform with a modern device management solution - Microsoft Intune standalone for managing Universal apps.

Setting up the Windows Store for Business

While the Universal app platform on Windows 10 isn’t going to replace legacy Win32 apps for some time, the potential of this platform to improve the way IT approaches application lifecycle management is high. Apps can be deployed, updated and removed without packaging or having to worry about application conflicts. It’s encouraging to see a number of useful enterprise applications available - the future is mobile apps, even on the desktop, so every enterprise should be looking at the Windows Store for Business.

Monitoring AV and Windows 10 Updates with Intune MDM

In a previous article, I wrote about the differences between managing Windows 10 PCs with the Intune Client vs. the Windows 10 MDM channel. Two key monitoring pieces that you lose with going to MDM instead of the Intune Client is the ability to report on Windows updates and Endpoint Protection (Windows Defender) status.

Inaugural Meeting of the Melbourne Citrix User Group

It’s been a long time coming and the time is nearly here for the inaugural meeting of the Melbourne Citrix User Group. On the 6th of December 2016, we’ll be really proud to kick off an independent Citrix User Group at the Golden Gate Hotel, South Melbourne.

Machine Creation Services Capacity Sizing on Hyper-V

To understand sizing Machine Creation Services on Hyper-V, we should first look at how XenDesktop creates virtual machines across the various deployment choices. XenDesktop 7.9 and 7.11 have introduced new features to MCS that will require additional consideration for storage requirements over previous versions.

Storage Capacity Required for Machine Creation Services

How much storage capacity do you need for Citrix Machine Creation Services? If you’re designing a XenApp or XenDesktop environment, one question you’re going to ask is “how much storage do we need?”. Let’s dig into the fundamentals of Machine Creation Services and have a look at how much capacity you’ll need to provision.

Automating the Citrix ShareFile Drive Mapper Install

Automating the installation of the Citrix ShareFile Drive Mapper requires deploying a code signing certificate to target machines before setup will complete. If you’ve installed the Drive Mapper client, you will have seen the following dialog box during setup:

Resolving Issues Starting a CA due to an Offline CRL

I recently wrote a couple of articles on setting up and Root Certification Authority and a Subordinate Certification Authority as a basic cheat sheet for setting up and Enterprise PKI. One configuration item that is less well understood and often the cause of major headaches with certificate authorities, is the Certificate Revocation List (CRL). An Offline CRL can bring down your PKI and other services that rely on it.

Deploying an Enterprise Subordinate Certificate Authority

In the last article, I documented the steps for deploying an offline Root Certificate Authority on Windows Server 2012 R2. This article will continue the process and show how to install and configure a Subordinate Certificate Authority that will be used to issue certificates to users and devices.

Deploying an Enterprise Root Certificate Authority

Setting up an Enterprise Root Certificate Authority isn’t a task that you’ll complete on a regular basis and something I think I’ve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee I’m using a different version of Windows Server each time. Please note as you read these article and the next, that whilst I have an interest in PKI, I don’t consider myself an expert. Deploying a PKI is not a simple task, so read up carefully if you’ve not done this before.

Choose Your Own Adventure with Microsoft Intune

Microsoft Intune has multiple methods for managing Windows 10 - you can choose to deploy a client or use the mobile device management capabilities built into the operating system. However, guidance from Microsoft on the comparing the capabilities of each, especially from a policy perspective, is currently unclear.

Windows Store User Experience in the Enterprise in Windows 10

Chicken Little seems to be working overtime when it comes to the Windows Store in Windows 10. I’ve read and heard many different thoughts and approaches to the Store in Windows 10, but I believe that the Store and Universal apps should be embraced. It would; however, be nice to have more control over user interaction with the Store and in-box Univeral apps.

Citrix Synergy 2016: UX and the Enterprise Desktop like Oil and Water

I had the pleasure recently to present a session at Citrix Synergy 2016 in Las Vegas with Helge Klein (of uberAgent and UPM fame) on enterprise desktop performance in a session titled: SYN239: UX and the enterprise desktop: like oil and water?. We’ve previously presented on performance related topics with folder redirection, and this year we wanted to take a wider look at performance on an enterprise desktop and how user experience is affected.

Hands On with the Citrix ShareFile Drive Mapper

Citrix recently made the ShareFile Drive Mapper tool available for mapping a drive letter into your ShareFile data available on Windows clients. This is an interesting approach to providing access to ShareFile data which changes the data access approach from sync to on-demand.

Configuring Remote Desktop Certificates for OS X Clients

Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1. When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. An environment with an enterprise certificate authority can enable certificate autoenrollment to enable trusted certificates on the RDP listener, thus removing the prompt. To get OS X clients to accept the certificate takes a little extra configuration not required on Windows clients.

Enabling App-V and UE-V in Windows 10 Enterprise 14316

Enabling the App-V client and UE-V client in Windows 10 Enterprise Build 14316 via PowerShell and viewing the behaviour of filter drivers for each client.

An Intel NUC6i5SYB for My Home Lab

I’ve recently added a new PC to my home lab - the Intel NUC6i5SYB, to replace a Lenovo laptop that I’ve been using to host VMs on Hyper-V. In this article, I’ll cover an overview of the NUC, how I’ve configured this device and some details on performance.

Managing PowerShell Scripts Across Machines & Platforms

I use several physical PCs and virtual machines. I use OS X and Windows. I (sometimes) write PowerShell scripts to perform various tasks.

Can the Apple TV 4 Make It As Our Primary Media Center?

With an App Store now on the Apple TV, is the latest Apple TV 4 the ultimate media centre? I think it comes pretty darn close and here’s why.

OS Automation Survey Results - How Often Are Master Images Updated?

Now that we’ve covered the main questions in the survey - which hypervisors are in use, the VDI solutions are run on those hypervisors, how master images are built, the automation solutions used to build images and the solutions used to deliver images to SBC and VDI environments, we’ll take a short look at how often master images are updated.

OS Automation Survey Results - What Solution is Used to Deliver Images?

In the previous article, we covered which automation solutions are in use to create (and manage) master images. In this article we’ll cover what tools or technologies are used to deliver an image to an end-point (that being a virtual machine or a physical device).

App-V 5 FAQ: Visual C++ Redistributable as local installs or allow App-V to deploy as needed?

Thamim Karim has worked across the globe assisting customers with their user experience and application deployment strategies offering both consultancy and training services. He also has made many speaker appearances at conferences including TechEd, App-V User Groups and Microsoft Ignite.

OS Automation Survey Results - How Do You Build Master Images?

Previously we’ve looked at which hypervisors are in use and the virtual desktop solutions deployed on those hypervisors, so now we’ll take a look at how organisations are building their master images.

OS Automation Survey Results - What Virtual Desktop Platforms are Deployed?

Digging further into the details of the data we’ve gathered from our OS Automation survey, let’s take a look at the virtual desktop platforms in use by those who responded. I’ll largely present this as is and leave any further analysis for later articles.

App-V 5 FAQ: How Do I Suppress UAC Prompts in Applications Delivered with App-V?

Some older applications (and perhaps even some newer applications) will prompt for elevation on Windows via User Account Control (UAC) - this might be a valid request for elevation, but in the case of many older applications it’s because they expect to run with administrative rights.

OS Automation Survey Results - What Hypervisor Do You Use?

We had an amazing response to our OS automation deployment survey with well over 700 respondents. In this series of articles to be posted here and on xenappblog.com, we’ll cover and analyse the results.

App-V 5 FAQ: How Do I Deliver Microsoft Office with App-V?

Here’s is a list of articles and resources for delivering the currently supported versions of Microsoft Office with App-V 5.

App-V 5 FAQ: Where Can I Find App-V Training?

Kevin Kaminski, a long time App-V MVP based in Calgary, Canada. He’s a long time presenter at events such as BriForum and MMS. As well as consulting on application delivery, he provides training services for App-V and application packaging._

3 Months with the Microsoft Surface 3

Here’s a review of my experiences with the Microsoft Surface 3 and some thoughts on the hardware and running Windows 10 on the device.

App-V 5 FAQ: What versions of Windows is App-V 5 supported on?

Operating system support for App-V is ultimately determined by the Microsoft Product Support Lifecycle. You can search the Product Support Lifecycle page for “Application Virtualization” to return the product lifecycle for all versions of App-V. This FAQ covers the most recent version of App-V: 5.1.

Final Days To Take Part in the OS Deployment Automation Survey

We’re into the closing days of the OS Deployment Automation Survey over at xenappblog.com and we need you to help make this a success. So far we’ve had a great response with over 600 people taking part, but with a week still left there’s still plenty of time to get involved.

I've Got 99 Problems and Folder Redirection is Every One of Them. 2015 Testing Results. Part 3.

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

I've Got 99 Problems and Folder Redirection is Every One of Them. 2015 Testing Results. Part 2.

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

I've Got 99 Problems and Folder Redirection is Every One of Them. 2015 Testing Results. Part 1.

This is a multi-part article detailing our testing results and presentations for the 2015 series on Folder Redirection:

App-V 5 FAQ: Where Can I Download App-V 5.0?

Microsoft Application Virtualization (App-V) can be downloaded in a number of locations; however you will first require access to these locations which are typically via a paid subscription or because you have paid for licenses.

App-V 5 FAQ: How Do I License Microsoft Application Virtualization 5?

This article is part of the Microsoft Application Virtualization 5 FAQ series. Last update: September 1st, 2015

App-V 5 FAQ: What is Microsoft Application Virtualization 5?

This article is part of the Microsoft Application Virtualization 5 FAQ series.

Synergy 2015 Session Replay - I've Got 99 Problems and Folder Redirection is Every One of Them

Citrix have made available the recording of our session at Synergy 2015 in Orlando - I’ve Got 99 Problems and Folder Redirection is Every One of Them. This is a standard 45-minute, level 400 session. Shawn and I will be repeating this as a 75-minute session at BriForum Denver with additional content and testing scenarios.

Replicating Our 2015 Folder Redirection Performance Tests In Your Own Lab

Helge, Shawn and myself had a great session this week at Citrix Synergy with our session SYN502: I’ve got 99 problems, and folder redirection is every one of them.

Looking forward to Citrix Synergy 2015

Citrix Synergy 2015 is just next week, so for me that means several things - attending CTP meetings (from about 8:00 am to 9:00 pm each day) on the Sunday and Monday, presenting a Geek Speak Live session on Tuesday, helping to man the Atlantis booth on the solutions expo floor, taking part in Geek Speak on Wednesday evening, meet old and new friends and generally have some fun.

Using the Citrix X1 Prototype Mouse

I received a Citrix X1 Prototype mouse a few days ago, so I’ve put together here a short video that shows paring the mouse and using it in a remote Windows 8 desktop.

File Sync Solutions as Alternatives to Folder Redirection - AppSense DataNow

I’ve previously covered the use of AppSense DataNow as an alternative to folder redirection and Offline Files. In that article I provided an approach to using DataNow to sync a copy of the user’s home drive locally instead of redirecting user folders to the network. I’ve previously used a beta version of DataNow and with the release of DataNow 3.5, I want to take an updated look at this solution.

VDI 101: Persistent vs. Non-persistent

A conversation about desktop virtualisation will invariably turn to the topic of persistent vs. non-persistent. Anyone new to VDI or Server Based Computing (SBC), may need persistent and non-persistent defined in context. This is a discussion that I have on a semi-regular basis, so for easy reference, I’d thought I would put down a discussion on this topic into an article.

Replies in Outlook for Mac

There’s a particular behaviour in Outlook for Mac, that for several years I have thought was a bug. If you reply to an email, you often only get some of the text from the original email, rather than the entire email being copied into the reply. Like this:

Webinar Replay: How Folder Redirection Impacts User Experience and Breaks Applications

Last week, thanks to xenappblog.com, Helge Klein and I presented a webinar titled: How Folder Redirection Impacts User Experience and Breaks Applications. This was a great webinar for us to present thanks to Eric. This is the first time Helge and I have presented this topic together - previously Helge and Shawn Bass presented at BriForum London and Shawn and I presented it as BriForum Boston.

Participate in the Project VRC "State of the VDI and SBC union 2015" survey

The independent R&D project ‘Virtual Reality Check’ (VRC) was started in early 2009 by Ruben Spruijt (@rspruijt) of PQR and Jeroen van de Kamp (@thejeroen) of Login Consultants, and focuses on research in the desktop and application virtualization market. Several white papers with Login VSI test results were published about the performance and best practices of different hypervisors, Microsoft Office versions, application virtualization solutions, Windows Operating Systems in server hosted desktop solutions and the impact of antivirus in VDI environments.

Measuring the Impact of Folder Redirection - User Logon

This is the forth in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass.

Visualizing the Impact of Folder Redirection - Logon and Application Launch

This is the second in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass.

Updating an MCS-based XenDesktop Machine Catalog with PowerShell

I wrote previously about automating the creation of an MCS-based machine catalog in XenDesktop with PowerShell, so in this article I’ll cover updating that machine catalog via PowerShell.

Separate to this article would be the process of creating the updated image - that could be done manually (by updating the existing master image), or by automating a new master image deployment with MDT, or any other method that you can think of.

Just as with creating the machine catalog, the PowerShell output from Studio when updating a catalog is a place to start - the code provided isn’t reusable without some effort to make it work.

Linking the Code to the UI

I’ll walk briefly through the wizards to show, in part, how the code relates to each step when updating a machine catalog via the Studio UI.

In this case, I’ve already created the machine catalog and updated my master image and created a snapshot. The hypervisor isn’t important because Citrix Studio abstracts this from the process when performing the update (I do need to be using the same infrastructure as the target catalog).

To find the snapshot to use, I’ve obtained the path to the master image and a specified snapshot via the Get-ChildItem command (on the path XDHyp:\HostingUnits<Storage Resource>). This is essentially a path/directory that I can parse - I’ve explicitly specified the master image and the snapshot to use. I need the path to the snapshot so that I can use that in the publish step for the image update.

Get-ChildItem "XDHyp:\HostingUnits\"

Selecting the master image snapshot

I can choose from a couple of rollout strategies for the image update - I can choose to update on next shutdown of the desktop, or update immediately (with a specified delay).

Rollout the image update on next reboot - Start-BrokerRebootCycle or Start-BrokerNaturalRebootCycle (still need to work this out)

Start-BrokerRebootCycle is used to control the the reboot cycle, but this is called at the end of the script to ensure the update process is completed first.

Start-BrokerRebootCycle -InputObject @(<Machine Catalog Name>) -RebootDuration 120 -WarningDuration 15 -WarningMessage <message> -WarningTitle <message>

Rollout

Publish-ProvMasterVmImage is used to publish the image. The process can then be monitored by getting updates for the process via Get-ProvTask. I’ve opted to show a progress bar while the update is on-going before initiating the desktop reboot.

Catalog update summary

There’s plenty that the wizard does to hide the complexity of setting up a catalog from the administrator. If you attempt the same via PowerShell, what goes on under the hood is laid bare.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated:

  • The code will get a specified snapshot from the target VM. I’ve done this to ensure I’m using the correct version of the image
  • Publish the image update to the catalog
  • Monitor the update process until completion
  • Start the desktop reboot cycle

At this stage, I haven’t added too much error checking, but an important step to add will be to check that the image update process was successful and rollback if it wasn’t.

#---------------------------------------------------------------------------
## Author: Aaron Parker
## Desc:   Using PowerShell to update a XenDesktop 7.x machine catalog 
## Date:   Oct 27, 2014
## Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------

## Set variables for the target infrastructure
## ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

## Hypervisor and storage resources
## These need to be configured in Studio prior to running this script
## This script is hypervisor and management agnostic - just point to the right infrastructure
$storageResource = "HV2-EVOPro" #Storage
$hostResource = "Lab vCenter" #Hypervisor management

## Master image properties
$machineCatalogName = "Windows 8 vSphere"
$masterImage ="Windows8*"
$snapshot = "VDA 7.6"

$messageDetail = "Your computer has been updated and will be automatically restarted in 15 minutes."
$messageTitle = "Help desk message"
## ----------

## Load the Citrix PowerShell modules
Write-Verbose "Loading Citrix XenDesktop modules."
Add-PSSnapin Citrix*

## Get information from the hosting environment via the XD Controller
## Get the storage resource
Write-Verbose "Gathering storage and hypervisor connections from the XenDesktop infrastructure."
$hostingUnit = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits" | Where-Object { $_.PSChildName -like $storageResource } | Select-Object PSChildName, PsPath
## Get the hypervisor management resources
$hostConnection = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\Connections" | Where-Object { $_.PSChildName -like $hostResource }

## Get the broker connection to the hypervisor management
## http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/get-brokerhypervisorconnection-xd75.html
$brokerHypConnection = Get-BrokerHypervisorConnection -AdminAddress $adminAddress -HypHypervisorConnectionUid $hostConnection.HypervisorConnectionUid

## Set a provisioning scheme for the update process
## http://support.citrix.com/proddocs/topic/citrix-machinecreation-admin-v2-xd75/set-provschememetadata-xd75.html
$ProvScheme = Set-ProvSchemeMetadata -AdminAddress $adminAddress -Name 'ImageManagementPrep_DoImagePreparation' -ProvisioningSchemeName $machineCatalogName -Value 'True'

## Get the master VM image from the same storage resource we're going to deploy to. Could pull this from another storage resource available to the host
Write-Verbose "Getting the snapshot details for the catalog: $machineCatalogName"
$VM = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits\$storageResource" | Where-Object { $_.ObjectType -eq "VM" -and $_.PSChildName -like $masterImage }
## Get the snapshot details. This code will grab a specific snapshot, although you could grab the last in the list assuming it's the latest.
$VMSnapshots = Get-ChildItem -AdminAddress $adminAddress $VM.FullPath -Recurse -Include *.snapshot
$TargetSnapshot = $VMSnapshots | Where-Object { $_.FullName -eq "$snapshot.snapshot" }

## Publish the image update to the machine catalog
## http://support.citrix.com/proddocs/topic/citrix-machinecreation-admin-v2-xd75/publish-provmastervmimage-xd75.html
$PubTask = Publish-ProvMasterVmImage -AdminAddress $adminAddress -MasterImageVM $TargetSnapshot.FullPath -ProvisioningSchemeName $machineCatalogName -RunAsynchronously
$provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $PubTask

## Track progress of the image update
Write-Verbose "Tracking progress of the machine creation task."
$totalPercent = 0
While ( $provTask.Active -eq $True ) {
    Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

    Write-Progress -Activity "Provisioning image update" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
    Sleep 15
    $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $PubTask
}

## Start the desktop reboot cycle to get the update to the actual desktops
## http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/start-brokerrebootcycle-xd75.html
Start-BrokerRebootCycle -AdminAddress $adminAddress -InputObject @($machineCatalogName) -RebootDuration 60 -WarningDuration 15 -WarningMessage $messageDetail -WarningTitle $messageTitle

Comments or feedback on bugs, better ways to do things or additional steps is welcome. the code is provided as-is, so ensure you test before using in a production environment.

Adding App-V Publishing Information to a XenDesktop Site with PowerShell

Adding Microsoft App-V publishing information to a XenDesktop or XenApp 7.x site is very easy via the Citrix Studio UI, but what if you want to automate this process? Of course, you’ll need to reach for PowerShell.

What may not be widely known is that you can add additional App-V publishing configuration to a XenDesktop site beyond what you see in the UI. This allows you to set publishing information per delivery group. Useful for complex XenDesktop sites such as multi-tenant environments.

Creating the App-V publishing information with PowerShell is a multi step process. You’ll need to create the publishing information with New-CtxAppVServer and then apply the configuration with New-BrokerMachineConfiguration.

Applying this in practice however may ultimately require testing the App-V management and publishing servers and ensuring that the configuration does not already exist before adding it.

So to do that, I’ve written a function that will take the App-V Management and Publishing servers as parameters, ensure that they test OK and check that the configuration does not already exist before importing the configuration into the site.

This function is fairly basic and while it does do some error checking, it could probably go a little further to ensure the configuration is applied successfully.

Function Set-CtxAppvConfig {
    <#
        .SYNOPSIS
            Sets new App-V publishing information in a XenDesktop site.
 
        .DESCRIPTION
            This function can be used to set or add App-V publishing information in a XenDesktop or XenApp 7.x site.
 
        .PARAMETER AdminAddress
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER AppvMgmtSvr
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER AppvPubSvr
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .PARAMETER Description
            Specifies a remote XenDesktop controller to apply the configuration against. If omitted, the local host will be used instead.
 
        .EXAMPLE
            Set-CtxAppvConfig -AdminAddress 'xd71.home.stealthpuppy.com' -AppvMgmtSvr 'http://appv1:8080' -AppvPubSvr 'http://appv1:80' -Description 'Created by PowerShell'
 
        .NOTES
 
        .LINK
    #>
    param(
        [Parameter(Mandatory = $false, Position = 0, HelpMessage = "XenDesktop Controller address.")]
        [string]$AdminAddress = 'localhost',

        [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Microsoft App-V Management Server address.")]
        [string]$AppvMgmtSvr = $(throw = "Please specify an App-V Management Server address."),

        [Parameter(Mandatory = $true, Position = 2, HelpMessage = "Microsoft App-V Publishing Server address.")]
        [string]$AppvPubSvr = $(throw = "Please specify an App-V Publishing Server address."),

        [Parameter(Mandatory = $true, Position = 2, HelpMessage = "App-V publishing configuration description.")]
        [string]$Description = $(throw = "Specify a description to apply to the App-V publishing information. Specify 'Created by Studio' to set the App-V publishing inforamtion viewed in Citrix Studio.")
    )

    Function Add-AppvConfig {
        # Add the AppV Server settings to the new specified settings
        Write-Verbose "Setting App-V Management Server to specified URI."
        #http://support.citrix.com/proddocs/topic/citrix-appv-admin-v1-xd71/new-ctxappvserver-xd71.html
        $newAppvConfig = New-CtxAppVServer -ManagementServer $AppvMgmtSvr -PublishingServer $AppvPubSvr

        # Applying configuration to the site
        Write-Verbose "Saving configuration to the site."
        #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokermachineconfiguration-xd75.html
        $machineConfig = New-BrokerMachineConfiguration -AdminAddress $AdminAddress -ConfigurationSlotUid 3 -LeafName 1 -Description "Created by Studio" -Policy $newAppvConfig -Verbose
    }

    # Obtain FQDN from Management server URL
    $urlGroups = [regex]::Match($AppvMgmtSvr, '^(?&lt;protocol&gt;(http|https))://(?&lt;fqdn&gt;([^:]*))((:(?&lt;port&gt;\d+))?)').Groups

    # Test specified Management Server.
    Write-Verbose "Testing Management Server."
    If (Test-CtxAppVServer -AppVManagementServer $urlGroups["fqdn"].Value -ErrorAction SilentlyContinue -ErrorVariable $manError) {
        Write-Verbose "Management Server tested OK."

        # Test specified Publishing Server
        Write-Verbose "Testing Publishing Server."
        If (Test-CtxAppVServer -AppVPublishingServer $AppvPubSvr -ErrorAction SilentlyContinue -ErrorVariable $pubError) {
            Write-Verbose "Publishing Server tested OK."
            # Get any existing AppV configuration from the broker
            #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd71/get-brokermachineconfiguration-xd71.html
            If ($Config) { Remove-Variable Config }
            $Config = Get-BrokerMachineConfiguration -AdminAddress $AdminAddress -Name AppV* -ErrorAction SilentlyContinue

            $cfgMatch = $False
            If ($Config) {
                ForEach ($cfg in $Config) {

                    # Grab the AppV configuration details
                    #http://support.citrix.com/proddocs/topic/citrix-appv-admin-v1-xd71/get-ctxappvserver-xd71.html
                    $appvConfig = Get-CtxAppVServer -ByteArray $cfg.Policy

                    # If the existing Management Server matches the specified Management Server
                    If (($appvConfig.ManagementServer -eq $AppvMgmtSvr) -and ($appvConfig.PublishingServer -eq $AppvPubSvr)) {
                        Write-Verbose "Specified config matches existing config."
                        $cfgMatch = $True
                    }
                }

                If (!($cfgMatch)) {
                    # Add config
                    Add-AppvConfig
                }
                Else {
                    Write-Verbose "App-V configuration already exists."
                }
            }
            Else {
                # Add config
                Add-AppvConfig
            }
        }
        Else {
            Write-Error "[Aborting] App-V Publishing Server test failed with: $pubError"
        }
    }
    Else {
        Write-Error "[Aborting] App-V Management Server test failed with: $manError"
    }
}

Please ensure that you test thoroughly before using in a production environment. Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Note - a very big thanks to David Wagner at Citrix (and team) for assisting with working out how to write the App-V publishing information that you see in the Studio UI. This is done by applying the description “Created with Studio” to the publishing configuration (presumably only the first configuration that you apply with that description).

Implementing a Workaround for issue affecting the App-V Client in KB2984972

A recent security update for the Remote Desktop Connection client in Windows 7 and Windows Server 2008 R2 has affected both the Microsoft App-V 4.6 and 5.0 client.

Does Horizon View RDS stack up against XenApp?

Is VMware Horizon View 6 RDS a viable replacement or competitor to Citrix XenApp? A competitor, most certainly. View RDS as a replacement for XenApp deserves further investigation and I recommend no assumptions be made as to the suitability of View RDS, especially if you are a current Citrix customer, or a VMware partner.

Configuring IIS Prerequisites for the App-V 5 Server with PowerShell

App-V Server 5.0 Setup with missing prerequisitesApp-V Server 5.0 Setup with missing prerequisites

View Memory Stats on a Hyper-V Server

I’ve got a very simple setup in my home lab with a couple of machine running either Hyper-V or ESXi. I typically don’t have monitoring solutions running and manage each host directly, rather than part of a cluster or with SCVMM or vCenter. For Hyper-V, I try to manage it remotely via PowerShell as much as I can and so it’s handy to be able to see memory utilisation on the remote host to understand how much capacity I’ve got before powering on a VM. I’ve written a PowerShell function to return various memory stats:

  • Total RAM available in the host - using Get-VMHost.
  • Total memory in use by running VMs - by returning the running VMs and finding the current amount of RAM assigned to each VM with Get-VM. This works with dynamic memory.
  • Available memory to run additional VMs - using Get-Counter to gather the ‘\Memory\Available Bytes’ performance counter
  • How much memory is used by the system - this is calculated by adding what’s in use by VMs, to the available memory and subtracting the results from the physical RAM in the host. This is a rough calculation, but an interesting metric to view.

The function returns an array that includes each stat. Here’s an example of what the function returns. All values are in gigabytes and multiple hosts can be specified to gather details from.

PS C:\> Get-HvMem -ComputerName hv1


Name         : hv1
HostRAMGB    : 11.904224395752
VMInUseGB    : 7.12890625
SystemUsedGB : 1.46017837524414
AvailableGB  : 3.31513977050781

Here’s the code listing for the Get-HvMem function:

Function Get-HvMem {
    <#
        .SYNOPSIS
            Return Hyper-V host RAM details.
 
        .DESCRIPTION
            This function returns the total available RAM, RAM in use by VMs and the available RAM on a Hyper-V host.
 
        .PARAMETER ComputerName
            Specifies one or more Hyper-V hosts to retrieve stats from.
 
        .EXAMPLE
            Get-HvRAM -ComputerName hyperv1

        .NOTES
 
        .LINK
            /hyperv-memory-powershell
 
    #>
    param(
        [Parameter(Mandatory=$true, Position=0,HelpMessage="Hyper-V host.")]
        [string[]]$ComputerName = $(throw = "Please specify a remote Hyper-V host to gather memory details from.")
    )

    # Create an array to return
    $allStats = @()

    ForEach ( $computer in $ComputerName ) {

        # Create an array to contain this computer's metrics
        $a = @()

        # Get details for Hyper-V host
        $vmHost = Get-VMHost -ComputerName $computer

        If ($vmHost) {

            # Get total RAM consumed by running VMs.
            $total = 0
            Get-VM -ComputerName $computer | Where-Object { $_.State -eq "Running" } | Select-Object Name, MemoryAssigned | ForEach-Object { $total = $total + $_.MemoryAssigned }

            #Get available RAM via performance counters
            $Bytes = Get-Counter -ComputerName $computer -Counter "\Memory\Available Bytes"

            # Convert values to GB
            $availGB = ($Bytes[0].CounterSamples.CookedValue / 1GB)
            $hostGB = ($vmhost.MemoryCapacity / 1GB)
            $vmInUse = ($total / 1GB)

            # Construct an array of properties to return
            $item = New-Object PSObject

            # Add host name
            $item | Add-Member -type NoteProperty -Name 'Name' -Value $vmHost.Name

            # Host RAM in GB
            $item | Add-Member -type NoteProperty -Name 'HostRAMGB' -Value $hostGB

            # In use RAM in GB
            $item | Add-Member -type NoteProperty -Name 'VMInUseGB' -Value $vmInUse

            # System used in GB
            $item | Add-Member -type NoteProperty -Name 'SystemUsedGB' -Value ($hostGB - ($vmInUse + $availGB))

            # Available RAM in GB
            $item | Add-Member -type NoteProperty -Name 'AvailableGB' -Value $availGB
            $a += $item
        }

        # Add the current machine details to the array to return
        $allStats += $a
    }
    Return $allStats
}

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Creating a XenDesktop Delivery Group with PowerShell

My last article was on creating a XenDesktop machine catalog with PowerShell - in this article I’m going to create a Delivery Group which provides access to the virtual machines that a part of that catalog.

Like the last article, I’ve taken the PowerShell generated by Citrix Studio, banged my head against the wall a few times, and improved it to create the code presented in this article.

Linking the Code to the UI

To help explain the code, I’ll first run through the Create Delivery Group wizard and show how the code relates to options in the wizard and the Delivery Group properties.

Add-BrokerMachinesToDesktopGroup assigns virtual machines from a specified Machine Catalog to the new Delivery Group.

Selecting the Machine Catalog and the number of desktops - Add-BrokerMachinesToDesktopGroup -Catalog "Windows 8 x86" -Count 5Selecting the Machine Catalog and the number of desktops - Add-BrokerMachinesToDesktopGroup -Catalog “Windows 8 x86” -Count 5

Specify the delivery type for this Delivery Group when using New-BrokerDesktopGroup.

Selecting the delivery type - New-BrokerDesktopGroup  -DeliveryType 'DesktopsOnly'Selecting the delivery type - New-BrokerDesktopGroup -DeliveryType ‘DesktopsOnly’

New-BrokerEntitlementPolicyRule is used to assign user or group accounts to the Delivery Group.

Assigning users to the Desktop Group - New-BrokerEntitlementPolicyRule -Name "Windows 8 x86_1" -IncludedUsers $brokerUsers -DesktopGroupUid 11Assigning users to the Desktop Group - New-BrokerEntitlementPolicyRule -Name “Windows 8 x86_1” -IncludedUsers “HOME\Domain Users” -DesktopGroupUid 11

Add-BrokerMachineConfiguration adds StoreFront and UPM configurations to a Delivery Group. The function just adds a machine configuration - the configuration is setup separately. To avoid selecting a StoreFront server for the Delivery Group, don’t use this function.

Selecting a StoreFront server - Add-BrokerMachineConfiguration -DesktopGroup "Windows 8 x86" -InputObject @(1005)Selecting a StoreFront server - Add-BrokerMachineConfiguration -DesktopGroup “Windows 8 x86” -InputObject @(1005)

When calling New-BrokerDesktopGroup, the Delivery Group name, display or published name and description is specified.

Group name, Display name and description - New-BrokerDesktopGroup -Name "Windows 8 x86" -PublishedName "Windows 8 x86" -Description "Windows 8 x86 with Office 2013, Pooled desktops"Group name, Display name and description - New-BrokerDesktopGroup -Name “Windows 8 x86” -PublishedName “Windows 8 x86” -Description “Windows 8 x86 with Office 2013, Pooled desktops”

The wizard does not expose all settings for the Delivery Group, so additional settings require opening the properties of the new group. These can be set during creation of the group when using PowerShell.

The same call to New-BrokerDesktopGroup is used to specify user settings including colour depth and time zone preferences.

Controlling various user settings - New-BrokerDesktopGroup -ColorDepth TwentyFourBit -TimeZone "AUS Eastern Standard Time" -SecureIcaRequired $FalseControlling various user settings - New-BrokerDesktopGroup -ColorDepth TwentyFourBit -TimeZone “AUS Eastern Standard Time” -SecureIcaRequired $False

New-BrokerDesktopGroup and New-BrokerPowerTimeScheme are both used to manage virtual machine power management settings. Setting or modifying the peak and off peak hours isn’t friendly either.

Virtual machine power management settings - New-BrokerPowerTimeScheme -DisplayName 'Weekdays' -DaysOfWeek 'Weekdays' -DesktopGroupUid 11; New-BrokerDesktopGroup -OffPeakDisconnectAction Suspend -OffPeakDisconnectTimeout 15Virtual machine power management settings - New-BrokerPowerTimeScheme -DisplayName ‘Weekdays’ -DaysOfWeek ‘Weekdays’ -DesktopGroupUid 11; New-BrokerDesktopGroup -OffPeakDisconnectAction Suspend -OffPeakDisconnectTimeout 15

New-BrokerAccessPolicyRule modifies the access policies. This is called twice - once for connections through NetScaler Gateway and once for direct connections.

Modifying access policies - New-BrokerAccessPolicyRule -Name "Windows 8 x86_AG" -AllowedConnections 'ViaAG' -AllowedProtocols @('HDX','RDP') -DesktopGroupUid 11 -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedSmartAccessTags @() -IncludedUserFilterEnabled $TrueModifying access policies - New-BrokerAccessPolicyRule -Name “Windows 8 x86_AG” -AllowedConnections ‘ViaAG’ -AllowedProtocols @(‘HDX’,’RDP’) -DesktopGroupUid 11 -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedSmartAccessTags @() -IncludedUserFilterEnabled $True

Creating the Delivery Group is relatively straight-forward; however there are some additional steps, such as creating a StoreFront server and working out how to manage peak and off peak times, that require a bit more investigation.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated into the code.

#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Using PowerShell to create a XenDesktop 7.x Delivery Group
# Date:   Aug 23, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------
# 

# Set variables for the target infrastructure
# ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

# Desktop Group properties
$desktopGroupName = "Windows 8 desktops"
$desktopGroupPublishedName = "Windows 8 desktops"
$desktopGroupDesc = "Windows 8 x86 with Office 2013, Pooled desktops"
$colorDepth = 'TwentyFourBit'
$deliveryType = 'DesktopsOnly'
$desktopKind = 'Shared'
$sessionSupport = "SingleSession" #Also: MultiSession
$functionalLevel = 'L7'
$timeZone = 'AUS Eastern Standard Time'
$offPeakBuffer = 10
$peakBuffer = 10
$assignedGroup = "HOME\Domain Users"

#Machine Catalog
$machineCatalogName = "Windows 8 x86"
# ----------

# Change to SilentlyContinue to avoid verbose output
$VerbosePreference = "Continue"

# Create the Desktop Group
# http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerdesktopgroup-xd75.html
If (!(Get-BrokerDesktopGroup -Name $desktopGroupName -ErrorAction SilentlyContinue)) {
    Write-Verbose "Creating new Desktop Group: $desktopGroupName"
    $desktopGroup = New-BrokerDesktopGroup -ErrorAction SilentlyContinue -AdminAddress $adminAddress -Name $desktopGroupName -DesktopKind $desktopKind -DeliveryType $deliveryType -Description $desktopGroupPublishedName -PublishedName $desktopGroupPublishedName  -MinimumFunctionalLevel $functionalLevel -ColorDepth $colorDepth -SessionSupport $sessionSupport -ShutdownDesktopsAfterUse $True -TimeZone $timeZone -InMaintenanceMode $False -IsRemotePC $False -OffPeakBufferSizePercent $offPeakBuffer -PeakBufferSizePercent $peakBuffer -SecureIcaRequired $False -TurnOnAddedMachine $False -OffPeakDisconnectAction Suspend -OffPeakDisconnectTimeout 15 -Scope @() 
}

# At this point, we have a Desktop Group, but no users or desktops assigned to it, no power management etc.
# Open the properties of the new Desktop Group to see what's missing.

# If creation of the desktop group was successful, continue modifying its properties
If ($desktopGroup) {

    # Add a machine configuration to the new desktop group; This line adds an existing StoreFront server to the desktop group
    # Where does Input Object 1005 come from?
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/add-brokermachineconfiguration-xd75.html
    # Write-Verbose "Adding machine configuration to the Desktop Group: $desktopGroupName"
    # Add-BrokerMachineConfiguration -AdminAddress $adminAddress -DesktopGroup $desktopGroup -InputObject @(1005)

    # Add machines to the new desktop group. Uses the number of machines available in the target machine catalog
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/add-brokermachinestodesktopgroup-xd75.html
    Write-Verbose "Getting details for the Machine Catalog: $machineCatalogName"
    $machineCatalog = Get-BrokerCatalog -AdminAddress $adminAddress -Name $machineCatalogName
    Write-Verbose "Adding $machineCatalog.UnassignedCount machines to the Desktop Group: $desktopGroupName"
    $machinesCount = Add-BrokerMachinesToDesktopGroup -AdminAddress $adminAddress -Catalog $machineCatalog -Count $machineCatalog.UnassignedCount -DesktopGroup $desktopGroup

    # Create a new broker user/group object if it doesn't already exist
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokeruser-xd75.html
    Write-Verbose "Creating user/group object in the broker for $assignedGroup"
    If (!(Get-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup -ErrorAction SilentlyContinue)) {
        $brokerUsers = New-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup
    } Else {
        $brokerUsers = Get-BrokerUser -AdminAddress $adminAddress -Name $assignedGroup
    }

    # Create an entitlement policy for the new desktop group. Assigned users to the desktop group
    # First check that we have an entitlement name available. Increment until we do.
    $Num = 1
    Do {
        # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/test-brokerentitlementpolicyrulenameavailable-xd75.html
        $Test = Test-BrokerEntitlementPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($desktopGroupName + "_" + $Num.ToString()) -ErrorAction SilentlyContinue
        If ($Test.Available -eq $False) { $Num = $Num + 1 }
    } While ($Test.Available -eq $False)
    #http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerentitlementpolicyrule-xd75.html
    Write-Verbose "Assigning $brokerUsers.Name to Desktop Catalog: $machineCatalogName"
    $EntPolicyRule = New-BrokerEntitlementPolicyRule -AdminAddress $adminAddress  -Name ($desktopGroupName + "_" + $Num.ToString()) -IncludedUsers $brokerUsers -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedUserFilterEnabled $False

    # Check whether access rules exist and then create rules for direct access and via Access Gateway
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokeraccesspolicyrule-xd75.html
    $accessPolicyRule = $desktopGroupName + "_Direct"
    If (Test-BrokerAccessPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($accessPolicyRule) -ErrorAction SilentlyContinue) {
        Write-Verbose "Allowing direct access rule to the Desktop Catalog: $machineCatalogName"
        New-BrokerAccessPolicyRule -AdminAddress $adminAddress -Name $accessPolicyRule  -IncludedUsers @($brokerUsers.Name) -AllowedConnections 'NotViaAG' -AllowedProtocols @('HDX','RDP') -AllowRestart $True -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedUserFilterEnabled $True
    } Else {
        Write-Error "Failed to add direct access rule $accessPolicyRule. It already exists."
    }
    $accessPolicyRule = $desktopGroupName + "_AG"
    If (Test-BrokerAccessPolicyRuleNameAvailable -AdminAddress $adminAddress -Name @($accessPolicyRule) -ErrorAction SilentlyContinue) {
        Write-Verbose "Allowing access via Access Gateway rule to the Desktop Catalog: $machineCatalogName"
        New-BrokerAccessPolicyRule -AdminAddress $adminAddress -Name $accessPolicyRule -IncludedUsers @($brokerUsers.Name) -AllowedConnections 'ViaAG' -AllowedProtocols @('HDX','RDP') -AllowRestart $True -DesktopGroupUid $desktopGroup.Uid -Enabled $True -IncludedSmartAccessFilterEnabled $True -IncludedSmartAccessTags @() -IncludedUserFilterEnabled $True
    } Else {
        Write-Error "Failed to add Access Gateway rule $accessPolicyRule. It already exists."
    }

    # Create weekday and weekend access rules
    # http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd75/new-brokerpowertimescheme-xd75.html
    $powerTimeScheme = "Windows 8 Pooled Desktop_Weekdays"
    If (Test-BrokerPowerTimeSchemeNameAvailable -AdminAddress $adminAddress -Name @($powerTimeScheme) -ErrorAction SilentlyContinue) {
        Write-Verbose "Adding new power scheme $powerTimeScheme"
        New-BrokerPowerTimeScheme -AdminAddress $adminAddress -DisplayName 'Weekdays' -Name $powerTimeScheme -DaysOfWeek 'Weekdays' -DesktopGroupUid $desktopGroup.Uid -PeakHours @($False,$False,$False,$False,$False,$False,$False,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$False,$False,$False,$False,$False) -PoolSize @(0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0)
    } Else {
        Write-Error "Failed to add power scheme rule $powerTimeScheme. It already exists."
    }
    $powerTimeScheme = "Windows 8 Pooled Desktop_Weekend"
    If (Test-BrokerPowerTimeSchemeNameAvailable -AdminAddress $adminAddress -Name @($powerTimeScheme) -ErrorAction SilentlyContinue) {
        Write-Verbose "Adding new power scheme $powerTimeScheme"
        New-BrokerPowerTimeScheme -AdminAddress $adminAddress -DisplayName 'Weekend' -Name $powerTimeScheme -DaysOfWeek 'Weekend' -DesktopGroupUid $desktopGroup.Uid -PeakHours @($False,$False,$False,$False,$False,$False,$False,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$True,$False,$False,$False,$False,$False) -PoolSize @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
    } Else {
        Write-Error "Failed to add power scheme rule $powerTimeScheme. It already exists."
    }

} #End If DesktopGroup

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Creating an MCS-based XenDesktop Machine Catalog with PowerShell

Driving XenDesktop with PowerShell is a challenge to say the least. While documentation for the XenDesktop PowerShell modules is OK and Citrix Studio outputs PowerShell code after you’ve completed a task in the console, there’s still plenty of work to get that code into something usable.

As part of an ongoing series of articles themed around automating virtual desktop deployment, I’ve written some PowerShell code to automate the creation of an non-persistent, MCS-based Machine Catalog based on a specific Windows image, that we’ve already automated with a solution such as MDT.

Don’t expect to copy and paste the PowerShell output in Citrix Studio and have a complete script. The code is missing a number of lines that link tasks together. I found this article on the Citrix Blogs quite useful - Using PowerShell to Create a Catalog of Machine Creations Services Machines; however I’ve taken my script a few steps further.

Linking the Code to the UI

While the Create Machine Catalog wizard doesn’t expose everything that goes on behind the scenes when a machine catalog is created, I think it’s still worth showing how specific functions relate to choices that the administrator makes in the wizard.

The screenshots below show just a snippet of the functions required to automate the catalog creation using PowerShell. These walkthrough the same environment that the full code listing at the end of this article is creating. See the image captions for example code that applies to each step.

New-BrokerCataog is used to create the machine catalog and set a number of properties. You’ll see New-BrokerCatalog across a number of these screen shots. First up is setting the broker type - in this instance, I’m deploying a Windows 8 image, so need to choose ‘Windows Desktop OS’:

Selecting the Machine Catalog type - New-BrokerCatalog SessionSupport SingleSessionSelecting the Machine Catalog type - New-BrokerCatalog -SessionSupport SingleSession

Because were using MCS, I’m going to specify that I’m using virtual machines and choose the storage on which to deploy those VMs and use the ProvisioningType parameter on New-BrokerCatalog to specify MCS. This is done in PowerShell via a number of commands - see around line 45 where we specify the hypervisor management and storage resource to use.

Selecting the provisioning type - New-BrokerCatalog -ProvisioningType $provTypeSelecting the provisioning type - New-BrokerCatalog -ProvisioningType MCS

Also on the New-BrokerCatalog, we can specify that this is a set of randomly assigned desktops.

Selecting Random or Static desktops - New-BrokerCatalog -AllocationType RandomSelecting Random or Static desktops - New-BrokerCatalog -AllocationType Random

To find the image to use, I’ve obtained the path to the master image and its snapshot via the Get-ChildItem command (on the path XDHyp:\HostingUnits<Storage Resource>) and passed that to New-ProvScheme.

Selecting the master image and snapshot to use - New-ProvScheme -ProvisioningSchemeName "Windows 8" -HostingUnitName "HV1-LocalStorage -MasterImageVM "XDHyp:\HostingUnits\HV1-LocalStorage\WIN81.vm\MasterImage.snapshot"Selecting the master image and snapshot to use - New-ProvScheme -ProvisioningSchemeName “Windows 8” -HostingUnitName “HV1-LocalStorage” -MasterImageVM “XDHyp:\HostingUnits\HV1-LocalStorage\WIN81.vm\MasterImage.snapshot”

Also with New-ProvScheme we can set the number of virtual CPUs and the amount of RAM to assign to each virtual desktop. To specify the number of desktops to create, we’re actually first specifying the number of AD machine accounts to create via New-AcctADAccount and then creating the same number of desktops to assign to those accounts.

Selecting the virtual machine configurations - New-ProvScheme -VMCpuCount 2 -VMMemoryMB 2048Selecting the virtual machine configurations - New-ProvScheme -VMCpuCount 2 -VMMemoryMB 2048

New-AcctIdentityPool is used to create an identity pool that stores the machine accounts by specifying the naming convention and where the accounts will be stored.

Setting machine account names and location - New-AcctIdentityPool -Domain 'home.stealthpuppy.com' -NamingScheme 'W8-MCS-###'-NamingSchemeType Numeric -OU 'OU=MCS Pooled,OU=Workstations,DC=home,DC=stealthpuppy,DC=com'Setting machine account names and location - New-AcctIdentityPool -Domain ‘home.stealthpuppy.com’ -NamingScheme ‘W8-MCS-###’-NamingSchemeType Numeric -OU ‘OU=MCS Pooled,OU=Workstations,DC=home,DC=stealthpuppy,DC=com’

Again we can see where New-BrokerCataog is used to specify the catalog name and description.

Setting the machine catalog name and description - New-BrokerCatalog  -Name "Windows 8 x86" -Description "Windows 8.1 x86 SP1 with Office 2013"Setting the machine catalog name and description - New-BrokerCatalog -Name “Windows 8 x86” -Description “Windows 8.1 x86 SP1 with Office 2013”

There’s plenty that the wizard does to hide the complexity of setting up a catalog from the administrator. If you attempt the same via PowerShell, what goes on under the hood is laid bare.

The Code

Below is the full code listing with comments inline that should provide some detail on the process the code follows. At this point the code provides some error checking for the most important steps. There are still some additional steps and error checking that could be integrated:

  • This code should find the last snapshot of the target master image; it would be simple enough to specify a particular snapshot if required
  • Checking whether provisioning schemes are already available or exist before attempting to create a new provisioning scheme
  • Additional checking that some tasks have completed successfully before continuing
#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Using PowerShell to create a XenDesktop 7.x machine catalog 
# Date:   Aug 19, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------

# Set variables for the target infrastructure
# ----------
$adminAddress = 'xd71.home.stealthpuppy.com' #The XD Controller we're going to execute against
$xdControllers = 'xd71.home.stealthpuppy.com'

# Hypervisor and storage resources
# These need to be configured in Studio prior to running this script
# This script is hypervisor and management agnostic - just point to the right infrastructure
$storageResource = "HV1-LocalStorage" #Storage
$hostResource = "Lab SCVMM" #Hypervisor management

# Machine catalog properties
$machineCatalogName = "Windows 8 x86"
$machineCatalogDesc = "Windows 8.1 x86 SP1 with Office 2013"
$domain = "home.stealthpuppy.com"
$orgUnit = "OU=MCS Pooled,OU=Workstations,DC=home,DC=stealthpuppy,DC=com"
$namingScheme = "W8-MCS-###" #AD machine account naming conventions
$namingSchemeType = "Numeric" #Also: Alphabetic
$allocType = "Random" #Also: Static
$persistChanges = "Discard" #Also: OnLocal, OnPvD
$provType = "MCS" #Also: Manual, PVS
$sessionSupport = "SingleSession" #Also: MultiSession
$masterImage ="WIN81*"
$vCPUs = 2
$VRAM = 2048
# ----------

# Change to SilentlyContinue to avoid verbose output
$VerbosePreference = "Continue"

# Load the Citrix PowerShell modules
Write-Verbose "Loading Citrix XenDesktop modules."
Add-PSSnapin Citrix*

# Get information from the hosting environment via the XD Controller
# Get the storage resource
Write-Verbose "Gathering storage and hypervisor connections from the XenDesktop infrastructure."
$hostingUnit = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits" | Where-Object { $_.PSChildName -like $storageResource } | Select-Object PSChildName, PsPath
# Get the hypervisor management resources
$hostConnection = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\Connections" | Where-Object { $_.PSChildName -like $hostResource }
$brokerHypConnection = Get-BrokerHypervisorConnection -AdminAddress $adminAddress -HypHypervisorConnectionUid $hostConnection.HypervisorConnectionUid
$brokerServiceGroup = Get-ConfigServiceGroup -AdminAddress $adminAddress -ServiceType 'Broker' -MaxRecordCount 2147483647

# Create a Machine Catalog. In this case a catalog with randomly assigned desktops
Write-Verbose "Creating machine catalog. Name: $machineCatalogName; Description: $machineCatalogDesc; Allocation: $allocType"
$brokerCatalog = New-BrokerCatalog -AdminAddress $adminAddress -AllocationType $allocType -Description $machineCatalogDesc -Name $machineCatalogName -PersistUserChanges $persistChanges -ProvisioningType $provType -SessionSupport $sessionSupport
# The identity pool is used to store AD machine accounts
Write-Verbose "Creating a new identity pool for machine accounts."
$identPool = New-AcctIdentityPool -AdminAddress $adminAddress -Domain $domain -IdentityPoolName $machineCatalogName -NamingScheme $namingScheme -NamingSchemeType $namingSchemeType -OU $orgUnit

# Creates/Updates metadata key-value pairs for the catalog (no idea why).
Write-Verbose "Retrieving the newly created machine catalog."
$catalogUid = Get-BrokerCatalog | Where-Object { $_.Name -eq $machineCatalogName } | Select-Object Uid
$guid = [guid]::NewGuid()
Write-Verbose "Updating metadata key-value pairs for the catalog."
Set-BrokerCatalogMetadata -AdminAddress $adminAddress -CatalogId $catalogUid.Uid -Name 'Citrix_DesktopStudio_IdentityPoolUid' -Value $guid

# Check to see whether a provisioning scheme is already available
Write-Verbose "Checking whether the provisioning scheme name is unused."
If (Test-ProvSchemeNameAvailable -AdminAddress $adminAddress -ProvisioningSchemeName @($machineCatalogName))
{
  Write-Verbose "Success."

  # Get the master VM image from the same storage resource we're going to deploy to. Could pull this from another storage resource available to the host
  Write-Verbose "Getting the master image details for the new catalog: $masterImage"
  $VM = Get-ChildItem -AdminAddress $adminAddress "XDHyp:\HostingUnits\$storageResource" | Where-Object { $_.ObjectType -eq "VM" -and $_.PSChildName -like $masterImage }
  # Get the snapshot details. This code will assume a single snapshot exists - could add additional checking to grab last snapshot or check for no snapshots.
  $VMDetails = Get-ChildItem -AdminAddress $adminAddress $VM.FullPath
  
  # Create a new provisioning scheme - the configuration of VMs to deploy. This will copy the master image to the target datastore.
  Write-Verbose "Creating new provisioning scheme using $VMDetails.FullPath"
  # Provision VMs based on the selected snapshot.
  $provTaskId = New-ProvScheme -AdminAddress $adminAddress -ProvisioningSchemeName $machineCatalogName -HostingUnitName $storageResource -MasterImageVM $VMDetails.FullPath -CleanOnBoot -IdentityPoolName $identPool.IdentityPoolName -VMCpuCount $vCPUs -VMMemoryMB $vRAM -RunAsynchronously
  $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $provTaskId

  # Track the progress of copying the master image
  Write-Verbose "Tracking progress of provisioning scheme creation task."
  $totalPercent = 0
  While ( $provTask.Active -eq $True ) {
    Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

    Write-Progress -Activity "Creating Provisioning Scheme (copying and composing master image):" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
    Sleep 15
    $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskID $provTaskId
  }

  # If provisioning task fails, there's no point in continuing further.
  If ( $provTask.WorkflowStatus -eq "Completed" )
  { 
      # Apply the provisioning scheme to the machine catalog
      Write-Verbose "Binding provisioning scheme to the new machine catalog"
      $provScheme = Get-ProvScheme | Where-Object { $_.ProvisioningSchemeName -eq $machineCatalogName }
      Set-BrokerCatalog -AdminAddress $adminAddress -Name $provScheme.ProvisioningSchemeName -ProvisioningSchemeId $provScheme.ProvisioningSchemeUid

      # Associate a specific set of controllers to the provisioning scheme. This steps appears to be optional.
      Write-Verbose "Associating controllers $xdControllers to the provisioning scheme."
      Add-ProvSchemeControllerAddress -AdminAddress $adminAddress -ControllerAddress @($xdControllers) -ProvisioningSchemeName $provScheme.ProvisioningSchemeName

      # Provisiong the actual machines and map them to AD accounts, track the progress while this is happening
      Write-Verbose "Creating the machine accounts in AD."
      $adAccounts = New-AcctADAccount -AdminAddress $adminAddress -Count 5 -IdentityPoolUid $identPool.IdentityPoolUid
      Write-Verbose "Creating the virtual machines."
      $provTaskId = New-ProvVM -AdminAddress $adminAddress -ADAccountName @($adAccounts.SuccessfulAccounts) -ProvisioningSchemeName $provScheme.ProvisioningSchemeName -RunAsynchronously
      $provTask = Get-ProvTask -AdminAddress $adminAddress -TaskId $provTaskId

      Write-Verbose "Tracking progress of the machine creation task."
      $totalPercent = 0
      While ( $provTask.Active -eq $True ) {
        Try { $totalPercent = If ( $provTask.TaskProgress ) { $provTask.TaskProgress } Else {0} } Catch { }

        Write-Progress -Activity "Creating Virtual Machines:" -Status "$totalPercent% Complete:" -percentcomplete $totalPercent
        Sleep 15
        $ProvTask = Get-ProvTask -AdminAddress $adminAddress -TaskID $provTaskId
      }

      # Assign the newly created virtual machines to the machine catalog
      $provVMs = Get-ProvVM -AdminAddress $adminAddress -ProvisioningSchemeUid $provScheme.ProvisioningSchemeUid
      Write-Verbose "Assigning the virtual machines to the new machine catalog."
      ForEach ( $provVM in $provVMs ) {
        Write-Verbose "Locking VM $provVM.ADAccountName"
        Lock-ProvVM -AdminAddress $adminAddress -ProvisioningSchemeName $provScheme.ProvisioningSchemeName -Tag 'Brokered' -VMID @($provVM.VMId)
        Write-Verbose "Adding VM $provVM.ADAccountName"
        New-BrokerMachine -AdminAddress $adminAddress -CatalogUid $catalogUid.Uid -MachineName $provVM.ADAccountName
      }
      Write-Verbose "Machine catalog creation complete."

   } Else {
    # If provisioning task fails, provide error
    # Check that the hypervisor management and storage resources do no have errors. Run 'Test Connection', 'Test Resources' in Citrix Studio
    Write-Error "Provisioning task failed with error: [$provTask.TaskState] $provTask.TerminatingError"
   }
}

Comments or feedback on bugs, better ways to do things or additional steps is welcome.

Retrieving a VM's UUID from Hyper-V

I’ve previously posted about retrieving the UUID from a virtual machine hosted on vSphere. UUIDs are useful if you want to uniquely identify a target machine for OS deployment task sequences and the like (e.g. MDT). Here’s how to obtain the UUID from a virtual machine hosted on Hyper-V.

Just like with vSphere, the UUID isn’t a property of the virtual machine that can be queried directly. We need to go via WMI to query the target virtual machine. Note that in this function, I’m using version 2 of the Root\Virtualization WMI namespace (root\virtualization\v2. This means the function as written, will only work on Windows 8 and Windows Server 2012 (and above). If you want to use this function on earlier versions of Hyper-V, remove the “\v2” from the namespace.

As an example, here’s how to retrieve the UUIDs from a set of VMs on a target Hyper-V host named hv1:

C:\> Get-HypervVMUUID -ComputerName hv1 -VM win71, file3, pvs1

Name		BIOSGUID
----		----
WIN71		E6E1A176-0713-4BB0-99E9-4570A1A3A94A 
FILE3		9E9D788A-15E2-4760-A049-9F6EB88677A9 
PVS1		74EFF5BC-A24E-48C3-85BE-12D758FE7AB6

Here’s the full function code listing. Please let me know if you find any bugs:

#---------------------------------------------------------------------------
# Author: Aaron Parker
# Desc:   Function that uses retrieves the UUID from a specified VM and
#         formats it into the right format for use with MDT/SCCM etc
# Date:   Aug 18, 2014
# Site:   http://stealthpuppy.com
#---------------------------------------------------------------------------
Function Get-HypervVMUUID {
   <#
        .SYNOPSIS
            Retrieve the UUID from a virtual machine or set of virtual machines.
 
        .DESCRIPTION
            This function will retrieve the UUID from from a virtual machine or set of virtual machines from a Hyper-V host.
 
        .PARAMETER ComputerName
            Specifies the host from which to query the virtual machine or set of virtual machines.
 
        .PARAMETER VM
            Specifies the virtual machine or set of virtual machines (a comma delimited list) from which to obtain the UUID/s.
 
         .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID -ComputerName hv1 -VM win71, win72
 
            This command retrieves the UUIDs from the virtual machines win71 and win72 from the host hv1.
 
        .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID -VM win71, win72
 
            This command retrieves the UUIDs from the virtual machines win71 and win72 from the local host.
 
        .EXAMPLE
            PS C:\&gt; Get-HypervVMUUID
 
            This command retrieves the UUIDs from the all of the virtual machines on the local host.
 
        .NOTES
            /retrieving-a-vms-uuid-from-hyperv/ for support information.
 
        .LINK
            /retrieving-a-vms-uuid-from-hyperv/
    #>
    [cmdletbinding(SupportsShouldProcess=$True)]
    param(
        [Parameter(Mandatory=$false,HelpMessage="Specifies one or more Hyper-V hosts from which virtual machine UUIDs are to be retrieved. NetBIOS names, IP addresses, and fully-qualified domain names are allowable. The default is the local computer — use ""localhost"" or a dot (""."") to specify the local computer explicitly.")]
        [string]$ComputerName,

        [Parameter(Mandatory=$false, Position=0,HelpMessage="Specifies the virtual machine from which to retrieve the UUID.")]
        [string[]]$VM
    )

    # If ComputerName parameter is not specified, set value to the local host
    If (!$ComputerName) { $ComputerName = "." }

    # If VM parameter is specified, return those VMs, else return all VMs
    If ($VM) {
        $UUIDs = Get-VM -ComputerName $ComputerName -VM $VM -ErrorAction SilentlyContinue | Select-Object Name,@{Name="BIOSGUID";Expression={(Get-WmiObject -ComputerName $_.ComputerName -Namespace "root\virtualization\v2" -Class Msvm_VirtualSystemSettingData -Property BIOSGUID -Filter ("InstanceID = 'Microsoft:{0}'" -f $_.VMId.Guid)).BIOSGUID}}
    } Else {
        $UUIDs = Get-VM -ComputerName $ComputerName -ErrorAction SilentlyContinue | Select-Object Name,@{Name="BIOSGUID";Expression={(Get-WmiObject -ComputerName $_.ComputerName -Namespace "root\virtualization\v2" -Class Msvm_VirtualSystemSettingData -Property BIOSGUID -Filter ("InstanceID = 'Microsoft:{0}'" -f $_.VMId.Guid)).BIOSGUID}}
    }

    # Remove curly brackets from the UUIDs and return the array
    ForEach ( $UID in $UUIDs ) { $UID.BIOSGUID = $UID.BIOSGUID -replace "}"; $UID.BIOSGUID = $UID.BIOSGUID -replace "{" }
    Return $UUIDs
}

BriForum 2014 - Hands Off My Gold Image! The Slides

Hands off my gold image

Performing vSphere VM RAM Overhead Lookups in Excel

Running VMs under ESXi will incur a memory overhead for each virtual machine.  You can read about this overhead here: Understanding Memory Overhead. Essentially memory overhead is:

Building a Lab Server to Run ESXi and Hyper-V

One of the great things I enjoyed about working at Kelway was the access to a pretty solid lab environment. While I do have access to a lab environment at Atlantis (3 in fact), now that I work primarily from home, I really prefer a lab environment that can provide me more flexibility. Only a local environment can do that.

Cleaning up and Reducing the Size of your Master Image

There’s typically not too much that you can do to reduce the size of your master image. You might use application virtualization or layering solutions to reduce the number of master images, but once you work out what needs to go into the core image, that’s going to dictate the size of the image.

Sequential Starting of a List of VMs

In my lab environment, I often want to start a list of virtual machines, but without taxing the system in the process by starting them all at the same time.  I could do that manually, but that’s no fun.

Here’s a short function I wrote to sequentially start a list of virtual machines - the script will start a VM and wait for that VM to boot before starting the next VM. You can optionally also wait additional time before starting the next VM to give the first one some time to finish starting it’s services etc.

This version currently supports Hyper-V only. The script does not currently return anything, but has a number of parameters:

  • ComputerName - the name of the Hyper-V host. Specify “.” for the local machine (without quotes)
  • VM - specify a comma separated list of VMs
  • Wait - the number of seconds to wait between starting a VM after the previous VM. Specify the number of VMs as a number (integer) only. This will default to 180 seconds
  • ShowProgress - Specify whether to show progress while starting the VMs. This is cosmetic only, but does give some indication as to how far through the boot process the script is.
  • Other standard parameters such as Verbose are supported.
Function Start-SequentialVMs {
    <#
        .SYNOPSIS
            Starts a list of VMs.
 
        .DESCRIPTION
            This function starts a list of VMs sequentially. It will wait until a VM is booted, optionally pause for a number of seconds, before starting the next VM.
 
        .PARAMETER ComputerName
            Specifies the Hyper-V host to start the VM on.
 
        .PARAMETER VM
            Specifies a list of VMs to start.
 
        .PARAMETER Wait
            Specifies a number of seconds to wait after the previous VM has booted successfully. Defaults to 180 seconds.

        .PARAMETER ShowProgress
            Specified whether to show progress as VMs are started.
 
        .EXAMPLE
            Start-SequentialVMs -ComputerName hyperv1 -VMList "sql1", "pvs1", "xd71" -Wait 20

        .NOTES
 
        .LINK 
    #>
    param(
        [Parameter(Mandatory=$true, Position=0,HelpMessage="Hyper-V host.")]
        [string]$ComputerName = $(throw = "Please specify a remote Hyper-V host to start VMs on."),

        [Parameter(Mandatory=$true, Position=1,HelpMessage="List of VMs to start.")]
        [string[]]$VMList = $(throw = "Please specifiy a list of VMs to start"),

        [Parameter(Mandatory=$false)]
        [int]$Wait = 180,

        [Parameter(Mandatory=$false)]
        [bool]$ShowProgress
    )

    # Connect to Hyper-V host before attempting to start VMs. Stop script if unable to connect
    Write-Verbose "Connecting to VM host."
    Get-VMHost -ComputerName $ComputerName -Verbose $False -ErrorAction Stop

    # Start progress at 0
    $Percent = 0

    # Step through list of provided VMs
    ForEach ( $vm in $VMList ) {

        # Convert current location in list of VMs to a percentage
        $Percent = ($VMList.IndexOf($vm)/$VMList.Count) * 100

        # Show progress if specified on the command line
        If ($ShowProgress -eq $True) { Write-Progress -Activity "Starting VMs." -Status "Starting VM $vm." -PercentComplete $Percent }

        # Get status for current VM
        Remove-Variable currentVM -ErrorAction SilentlyContinue
        Write-Verbose "Getting status for VM $vm..."
        $currentVM = Get-VM -ComputerName $ComputerName -Name $vm -ErrorAction SilentlyContinue

        # If the VM exists, then power it on if it is in an Off state
        If ($currentVM.Length -gt 0) {
            If ($currentVM.State -eq "Off" ) {
                Start-VM -ComputerName $ComputerName -Name $vm -Verbose
                
                # Wait for VM to boot and report a heartbeat
                Write-Verbose "Waiting for VM heartbeat."
                Do {
                    Start-Sleep -milliseconds 100
                } Until ((Get-VMIntegrationService $currentVM | ?{$_.name -eq "Heartbeat"}).PrimaryStatusDescription -eq "OK")

                # Wait the specified number of seconds before booting the next VM, unless this is the last VM in the list
                If ($Wait -gt 0 -and $VMList.IndexOf($vm) -lt ($VMList.Count-1)) {
                    Write-Verbose "Waiting for $Wait seconds before starting next VM."
                    Start-Sleep -Seconds $Wait
                }
            } Else {
                Write-Verbose "VM $vm already running."
            }
        } Else {
            Write-Error -Message "Unable to find VM $vm on host $ComputerName." -Category ObjectNotFound
        }
     }
     Write-Verbose "Started VMs."

     # Show progress if specified on the command line
     If ($ShowProgress -eq $True) { Write-Progress -Activity "Starting VMs." -Status "Started all VMs." -PercentComplete 100 }
     Start-Sleep -Seconds 1
}

Save the script as Start-SequentialVMs.ps1 and run it or add the function to your PowerShell profile so that the function is available when starting PowerShell. Use Get-Help to see the full syntax and examples from within a PowerShell window.

"There isn’t enough memory available to create a ramdisk device" booting VMs on Hyper-V

Booting a virtual machine under Windows Server 2012 R2 Hyper-V may result in the following:

Work around for getting File Transfer Manager to download from TechNet/MSDN

Update: August 8, 2015 - Microsoft have discontinued the Microsoft Download Manager as of March 2015, so the below workload will no longer work. If fact there are no workaround now, you’ll need to rely on your browser’s download manager. See this article for more info: Using Subscriber Downloads

A Better Way to Customize the Windows Default Profile

Multiple Methods

The Deployment Guys have a great article from 2009 that I recommend reading for a overview of customisation methods: Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2. This article is still applicable today and the process hasn’t changed that much between Windows versions. Here are most of the ways that you could edit the default user profile:

  • Copy a configured profile over the default profile - this is the most common way of changing the default user experience but this approach is unsupported by Microsoft and therefore I recommend against using it.
  • Using Sysprep and the CopyProfile value - this approach requires creating a reference image and using Sysprep to generalise the image. Many enterprise desktop deployments will use reference images so this isn’t too hard; however Microsoft has not documented every setting that is copied to the default user profile, so it’s a bit of pot luck.
  • Place a default profile in NETLOGON - a default profile copied to the NETLOGON share of a domain controller (and replicated) will be copied down to the local machine at first logon. The downside of this approach is that there can be only one default profile and it will be copied to all machines, regardless as to whether the profile should apply to that machine or not.
  • Commands or scripts run from the RunOnce Registry key to edit the user profile.
  • Logon scripts to edit the user profile.
  • Group Policy Preferences - GPP has become more prevalent in the past few years, so should now be available across the board.
  • Editing the default profile directly, typically during an automated deployment, but you could run the same script on any existing PC.

So there are multiple methods (of driving yourself to madness), I’d recommend experimenting with each approach and you’ll most likely implement a combination of approaches to best suit your environment.

Group Policy As A Last Resort

Group Policy is great, until it isn’t. Group Policy is pervasive and every Windows admin is familiar with it, but there a two things to consider when using it to manage the default user experience:

  1. Group Policy is is a policy - that is, if you’re using policies to manage default user settings, the user cannot then change to their own preference.
  2. Group Policy Preferences must be processed to determine whether they have been applied. Whilst GPPs can implement a preference rather than a policy, Windows must determine whether the preference has been applied by reading a flag. Whilst checking those flags isn’t a big problem, implementing GPPs should be considered in the context of whatever else is running at logon, how many preferences are implemented plus what happens to the environment over time (how many additional policies, applications, scripts etc. will be added to the environment over the life of that desktop).

I have seen many organisations over-relying on Group Policy and missing the most important component user environment management - change control and ownership. Group Policy becomes a black hole, complete with settings that no one can remember why they were implemented and settings that are no longer relevant. Group Policy Preferences are great for replacing logon scripts, but use Group Policy and GPP sparingly so as not to adversely affect the user experience.

A Better Way - Edit the Default Profile Directly

My preferred method for modifying the default user experience is to edit the default user profile directly using a script that is run during Windows deployment. This type of script can also be run on existing machines or used in combination with CopyProfile. A benefit of this approach is that you can modify the default profile with or without a reference image.

Editing the Default Profile

To edit the default profile, we’ll use the command line tool REG to mount and make changes to the default user registry hive. Additionally we can make folder and file changes to the default profile and a couple of other command line tools to perform tasks such as pin and unpin shortcuts or change the Windows 7 Libraries. As far as this article is concerned, the default profile is in its default location, usually C:\Users\Default. In a script, you could refer to this location as %SystemDrive%\Users\Default.

Finding Settings

To find the profile locations to modify there’s a couple of methods that I rely on:

  • Google (or your favourite search engine)
  • Process Monitor and Process Explorer

In most cases, someone (or even Microsoft) will have documented a registry value or profile location that is used to store a setting. More obscure or new settings will require detecting the location with Process Monitor. For example, to determine where a setting is stored in the Registry, create a filter in Process Monitor using the process name or process ID, additionally filtering on the operation such as RegSetValue, as shown below:

ProcessMonitor-Explorer-Filter.png

A trace with Process Monitor when making a preference change should result in something like this:

ProcessMonitor-Explorer.png

Regshot is also useful for comparing a before and after change to the profile for determining registry value locations.

Additionally Process Explorer can be useful for tracking down a process that might be responsible for writing a setting by viewing the command line used to launch the process. Finding settings can sometimes be a time consuming process, but once found and documented, you’ve got a detailed understanding of the default profile.

Editing the Registry

To make direct registry edits to the default user profile, the REG command line utility is used to load the default profile registry hive, change a registry value and then unload the hive, saving it back to the default profile. The following lines show a rough example of how this is done:

REG LOAD HKU\DefaultUser %SystemDrive%\Users\Default\NTUSER.DAT
REG ADD HKU\DefaultUser\Software\KeyName /v ValueName /d Data /t REG_SZ /f
REG UNLOAD HKU\DefaultUser

Note that this will need to be run with administrative privileges and in an elevated context, so that you have write access to the default profile.

Pinning and Unpinning Shortcuts

A common requirement is to modify the the pinned shortcuts on the Taskbar or Start menu. This can be automated using a script, which needs to run a first logon (either as the user, or in the profile copied over the default profile via Sysprep/CopyProfile). Unfortunately I can’t find the original source for this script; however it works quite well and allows you to pin shortcuts to and unpin shortcuts from the Taskbar and Start menu via a command line. The script is available here:

[download id="62″ format="1″]

Note that Windows 8 and above, do not expose a programatic method to pin and unpin shortcuts to the Start screen. If you’re looking to customise the Start screen, refer to this existing article: Customizing the Windows 8.1 Start Screen? Don’t follow Microsoft’s guidance.

Modifying the Windows Libraries

By default, the Libraries introduced in Windows 7, include the public folder locations. Removing these or adding locations requires editing the Libraries; however they’re stored in XML files and are created at first logon. To modify the libraries, you can use a command line tool ShLib.exe. Like pinning and unpinning shortcuts, this tool also needs to be run at first logon (and won’t work via CopyProfile). This article, Administratively Create and Modify Windows 7 Libraries, covers the use of ShLib.exe quite well.

Implementing a Script to Modify the Default Profile

Once you’ve created your script to make changes to the default registry, modify the default profile folder locations, pin and unpin shortcuts and make changes to the Libraries, you’ll need to implement the changes on the target PCs via script. Using an automation solution such as the Microsoft Deployment Toolkit (or an ESD like System Center Configuration Manager) the script can be run during a deployment task sequence. In the case of MDT, the script will be run after Windows unattended setup has completed in the local Administrator context. This way the script will have full elevation and write access to the default profile. An ESD solution will typically run the script via the local SYSTEM account. If you need to make changes to existing PCs, you’ll need a method to do so, such as an advertisement in Configuration Manager. If you take this approach, you can combine a script that makes direct changes to the default profile with the CopyProfile approach. That allows you to modify the profile for deployments from an unmodified OS as well as a custom image, keeping consistency across deployment types.

Example Scripts

Included here, along with some notation, are some example scripts for modifying the Windows 7 and Windows 8.1 default profiles. These example scripts include creation of a script at runtime that will run during first logon of any new profile. This is implemented as a batch file to keep things as simple as possible. Users will see a Command Prompt window as the script runs (but only once). The command lines includes in the script could be implemented with a UEM solution such as AppSense Environment Manager or even Group Policy to improve the user experience.

Windows 7

Here’s a sample script that will modify the default profile on a Windows 7 PC (x86 and x64). At a high level, the script will perform the following steps:

  • Load and modifies the registry of the default profile
  • Copies ExecuteVerbAction.VBS and ShLib.exe to folder under %ProgramFiles%
  • Creates a batch script that will run on first logon to edit the Libraries and pin/unpin shortcuts. Once the script runs for the user, it will delete itself.
@ECHO OFF
REM Load the default profile hive
SET HKEY=HKU\Default
REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT

REM Sound and end-application
REG ADD "%HKEY%\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f

REM Command Prompt settings
REG ADD "%HKEY%\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Command Processor" /v CompletionChar /t REG_DWORD /d 9 /f
REG ADD "%HKEY%\Software\Microsoft\Command Processor" /v PathCompletionChar /t REG_DWORD /d 9 /f
REG ADD "%HKEY%\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections" /v SaveConnections /d "no" /t REG_SZ /f

REM Language bar - only apply if using single regional settings
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f

REM Windows Explorer and Start Menu
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ServerAdminUI /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AdminToolsRoot /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_PowerButtonAction /t REG_DWORD /d 2 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowDownloads /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyGames /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuAdminTools /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuFavorites /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSizeMove /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "%HKEY%\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f

REM Set IE as default browser, prevent prompting user
REG ADD "%HKEY%\Software\Clients\StartmenuInternet" /ve /d "IEXPLORE.EXE" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice" /v Progid /d "IE.AssocFile.URL" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice" /v Progid /d "IE.AssocFile.SVG" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice" /v Progid /d "IE.AssocFile.PARTIAL" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice" /v Progid /d "IE.AssocFile.WEBSITE" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v Progid /d "IE.HTTPS" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v Progid /d "IE.FTP" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice" /v Progid /d "IE.HTTP" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\message/rfc822\UserChoice" /v Progid /d "IE.message/rfc822" /f
REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\text/html\UserChoice" /v Progid /d "IE.text/html" /f

REM Additional Internet Explorer options
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 2 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local" /v * /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\New Windows\Allow" /v *.domain.local /t REG_BINARY /d 0000 /f

REM Windows Media Player
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f

REM Help and Support
REG ADD "%HKEY%\Software\Microsoft\Assistance\Client\1.0\Settings" /v OnlineAssist /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\Assistance\Client\1.0\Settings" /v IsConnected /d 1 /t REG_DWORD /f

REM Remove localisation - Themes, Feeds, Favourites
REG DELETE "%HKEY%\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v mctadmin /f

REM Snipping Tool
REG ADD "%HKEY%\Software\Microsoft\Windows\TabletPC\Snipping Tool" /v ShowCaptureStroke /d 0 /t REG_DWORD /f

REM Unload the default profile hive
REG UNLOAD %HKEY%

REM Setup Taskbar unpin items on first login
IF NOT EXIST "%ProgramFiles%\Scripts" MD "%ProgramFiles%\Scripts"
COPY /Y ExecuteVerbAction.VBS "%ProgramFiles%\Scripts\ExecuteVerbAction.VBS"
COPY /Y ShLib.exe "%ProgramFiles%\Scripts\ShLib.exe"

MD "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ECHO @ECHO OFF &gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO cscript.exe "%ProgramFiles%\Scripts\ExecuteVerbAction.vbs" "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk" UnpinFromTaskbar &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Documents.library-ms" %PUBLIC%\Documents &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Music.library-ms" %PUBLIC%\Music &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Pictures.library-ms" %PUBLIC%\Pictures &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Videos.library-ms" %PUBLIC%\Videos &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO DEL /Q "%%APPDATA%%\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd" &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"

If you use this in a production environment, please test and confirm each setting to ensure you understand what the script will implement.

Windows 8.1

Here’s a sample script that will modify the default profile on a Windows 8.1 PC (x86 and x64). At a high level, the script will perform the following steps:

  • Load and modifies the registry of the default profile
  • Import a pre-configured Start screen
  • Copies ExecuteVerbAction.VBS and ShLib.exe to folder under %ProgramFiles%
  • Creates a batch script that will run on first logon to edit the Libraries and pin/unpin shortcuts. Once the script runs for the user, it will delete itself
@ECHO OFF
REM Load the default profile hive
SET HKEY=HKU\Default
REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT

REM Sound and end-application
REG ADD "%HKEY%\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "%HKEY%\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "%HKEY%\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f

REM Command Prompt settings
REG ADD "%HKEY%\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections" /v SaveConnections /d "no" /t REG_SZ /f

REM Language bar - only apply if using single regional settings
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f

REM Windows Explorer
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarSizeMove /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "%HKEY%\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f

REM Windows 8 navigation settings
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v OpenAtLogon /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v DesktopFirst /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MakeAllAppsDefault /t REG_DWORD /d 0 /f
REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage" /v MonitorOverride /t REG_DWORD /d 0 /f

REM Set IE as default browser, prevent prompting user
REM	REG ADD "%HKEY%\Software\Clients\StartmenuInternet" /ve /d "IEXPLORE.EXE" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v Progid /d "IE.AssocFile.HTM" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice" /v Progid /d "IE.AssocFile.URL" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice" /v Progid /d "IE.AssocFile.MHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice" /v Progid /d "IE.AssocFile.SVG" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice" /v Progid /d "IE.AssocFile.PARTIAL" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice" /v Progid /d "IE.AssocFile.WEBSITE" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice" /v Progid /d "IE.AssocFile.XHT" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v Progid /d "IE.HTTPS" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v Progid /d "IE.FTP" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice" /v Progid /d "IE.HTTP" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\message\rfc822\UserChoice" /v Progid /d "IE.message/rfc822" /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\Shell\Associations\MIMEAssociations\text\html\UserChoice" /v Progid /d "IE.text/html" /f

REM Additional Internet Explorer options
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 2 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local" /v * /t REG_DWORD /d 1 /f
REM	REG ADD "%HKEY%\Software\Microsoft\Internet Explorer\New Windows\Allow" /v *.domain.local /t REG_BINARY /d 0000 /f

REM Windows Media Player
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "%HKEY%\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f

REM Unload the default profile hive
REG UNLOAD %HKEY%

REM Configure the default Start Screen
IF NOT EXIST %SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows MD %SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows
POWERSHELL -NonInteractive -Command Import-StartLayout -LayoutPath .\CustomStartScreenLayout.bin -MountPath %SystemDrive%\

REM Setup Taskbar unpin items on first login
IF NOT EXIST "%ProgramFiles%\Scripts" MD "%ProgramFiles%\Scripts"
COPY /Y ExecuteVerbAction.VBS "%ProgramFiles%\Scripts\ExecuteVerbAction.VBS"
COPY /Y ShLib.exe "%ProgramFiles%\Scripts\ShLib.exe"

MD "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ECHO @ECHO OFF &gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
REM	ECHO cscript.exe "%ProgramFiles%\Scripts\ExecuteVerbAction.vbs" "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk" UnpinFromTaskbar &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Documents.library-ms" %PUBLIC%\Documents &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Music.library-ms" %PUBLIC%\Music &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Pictures.library-ms" %PUBLIC%\Pictures &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO "%ProgramFiles%\Scripts\shlib" remove "%%APPDATA%%\Microsoft\Windows\Libraries\Videos.library-ms" %PUBLIC%\Videos &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"
ECHO DEL /Q "%%APPDATA%%\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd" &gt;&gt; "%SystemDrive%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PinnedItemsLibraries.cmd"

If you use this in a production environment, please test and confirm each setting to ensure you understand what the script will implement.

Summing Up

There are numerous ways to edit the default profile, some more complicated and involved than others. It’s my view that the best way to modify the default profile is targeting the required settings, which does mean more work. However, this approach results in a better understanding of the user environment and with any luck a better user experience.

Each new major release of Windows results in less modifications, so your job will be easier. There are a few scripts and tools you’ll need to have in place and I’m confident the approach outlined here will result in happy users (or at least users who aren’t complaining).

In the next article on the same subject, I’ll cover customising the default profile for Remote Desktop Services Session Hosts.

Customizing the Windows 8.1 Start Screen? Don't follow Microsoft's guidance

Windows 8.1 Start screen

Testing Citrix Receiver on Android without an Android device

I have too many devices but not one of them runs Android. A good part of my job is testing, presenting and demoing, so it’s handy being able to show the user experiences across different devices. One of everything is perhaps going a bit too far, so I’d prefer to run Android as a VM.

A Quick Look at Work Folders in Windows Server 2012 R2

Microsoft announced some interesting new features in Windows Server 2012 R2 at TechEd 2013 and one of those that piqued my interest is Work Folders. I’m not the biggest fan of Redirected Folders and Offline files, but it’s essentially the only enterprise solution Microsoft provides today for taking your data offline. Microsoft needs to provide a completely new method of syncing file data - one that is designed for todays use cases and computing environment.

Automating the XenDesktop 7 Virtual Desktop Agent Installation

Citrix provides a nice wizard for installing the XenDesktop 7 VDA and some pretty good documentation on using a command line installation, but the wizard does not expose all of the available options and working out what the wizard is doing in relation to the command line takes a bit of translation. Here’s how to automate a typical VDA deployment.

Monitoring MDT Task Sequences with PowerShell

The Microsoft Deployment Toolkit provides a Lite Touch deployment model - typically a device requires an engineer to manually start the deployment task sequence. Using PowerShell to drive MDT offers the chance to provide a little more automation around OS deployments.

Hands off my gold image! A recap from Citrix Synergy 2013

Here’s an overview of my talk from Citrix Synergy 2013 - Hands off my gold image!  If you were unable to attend Synergy or missed my session, this is a short version of the talk, but hopefully it will give you an idea of what was covered.

Hands off my gold image! – Video: PowerShell, MDT, Atlantis ILIO and XenDesktop deployment

Here’s a deployment demo that I showed during my Geek Speak Live session at Citrix Synergy 2013 at Anaheim last week as well as during BriForum London 2013 when I had the opportunity to co-present a session with fellow CTP, Jim Moyle.

Hands off my gold image! – Video: Windows 8 zero-touch deployment

Here’s another demo that I showed during my Geek Speak Live session at Citrix Synergy 2013 at Anaheim yesterday.

Hands off my gold image! - Video: automated PVS image deploy and capture

Thanks to everyone who attended my Geek Speak Live session at Citrix Synergy 2013 in Anaheim yesterday. I’ll post details about the session and the slide deck next week for those who couldn’t attend.

Take part in the OS Deployment Automation Survey

At Citrix Synergy in Anaheim next month, I’ll have the opportunity to present a Geek Speak Live session - Hands Off My Gold Image! If you aren’t automating the creation of your gold images, there’s lots to learn in this session. Even if you are automating your gold images, perhaps there’s something new that I can still share with you. In this session, which will be demo heavy, I’ll show you some ways that you can deliver build automation with toolsets provided by Microsoft and Citrix.

400 App-V Recipes!

With thanks to Nicke’s latest post, the App-V Recipes and Tips list has hit 400 links!

Retrieving a Virtual Machine's UUID from vSphere

While working on a PowerShell script to drive OS deployment through MDT, I’ve needed to obtain the UUID from a target virtual machine. Unfortunately this isn’t just a property of the VM that you get through Get-VM. Instead you’ll need jump through a few hoops to retrieve the right UUID.

Sequencing Mozilla Firefox with App-V 5.x

It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little preparation. Before embarking on sequencing Firefox, please refer to this companion article - Prepare Mozilla Firefox for Enterprise Deployment and Virtualization - which covers configuring a Firefox installation for virtualizing. It’s important that Firefox is configured correctly for virtualization by disabling specific features.

App-V 5 Sequencer Template

The App-V 5 Sequencer, just like version 4.6 SP1, includes support for Sequencer Templates. These are an ideal approach for ensuring the use of the same set of Sequencer settings and exclusions across all packages.

Prepare Mozilla Firefox for Enterprise Deployment and Virtualization

I’ve previously written articles on virtualizing Mozilla Firefox, but with Firefox releases more regular these days and the release of App-V 5, it makes sense to split details on configuring Firefox for an enterprise deployment and virtualizing Firefox into separate articles.

Context based automation in Mac OS X

ControlPlane Icon

Creating App-V 5.0 Connection Groups with PowerShell

Connection Groups (or Dynamic Suite Composition v2) in App-V 5.0 are great for enabling separate App-V packages to talk to each other. Connection Groups are easy enough to deploy with the App-V Management Server or Configuration Manager 2012; however that isn’t the case for stand-alone scenarios or 3rd party ESDs.

App-V 5.0 delivers Internet Explorer Plugin Nirvana

One of the great promises of application virtualization is dynamic delivery of software to end-points; however delivering plugins or add-ons to installed (i.e. not virtualized) software has thus far been a stumbling block.

Sequencing Apple iTunes 11 with App-V 5

Two recent releases presents an opportunity to revisit the state of virtualizing Apple iTunes. iTunes 11 looks great, but is it just lipstick on a pig? Under the hood, it doesn’t appear to differ that much from previous versions, but lets see whether a combination of Apple’s latest and greatest along with App-V 5 offers a better virtualisation experience.

Prepare your Office 2013 Customizations for Better Deployments and User Experience

User settings that might impact the default Office experience or may require special consideration in your environment, are worth investing in planning time because you’ll often have only one chance to get deployment right.

Hands off my gold image - The Scripts

HandsOff

Hands off my gold image - The Task Sequence

If you’ve been following along so far you’ll have read my follow up coverage of  my (and co-host, Jonathan Eyton-Williams) Geek Speak talk at Citrix Synergy in Barcelona, with  Hands off my gold image – Automating Citrix XenApp/PVS Image Creation and Hands off my gold image – Microsoft Deployment Toolkit details. In this article I’ll cover the task sequence that deploys Windows Server, installs XenApp and captures the image into PVS.

App-V 5 PowerShell One Liners – Adding and Publishing A Folder of App-V Client Packages

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

Converting CTX114501 to a readable format

You’ll then have tackled with the product matrix that comes as a PDF instead of something more reasonable like, say, a spread sheet. There’s probably a good reason for this document to be a PDF, but it’s not the best format for reading this type of information.

App-V 5 PowerShell One Liners – Sequencing an application

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

Hands off my gold image - Microsoft Deployment Toolkit details

After the corresponding Geek Speak talk at Citrix Synergy in Barcelona, I posted an article on automating a XenApp deployment and capture into Provisioning Services via the Microsoft Deployment Toolkit (MDT): Hands off my gold image – Automating Citrix XenApp/PVS Image Creation.

App-V 5 PowerShell One Liners – Adding and Publishing App-V Client Packages

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

App-V 5 PowerShell One Liners - Adding and Publishing App-V Server Packages

App-V 5.0 is PowerShell driven, which means opportunity for automating and scripting tasks that might have to be completed manually or might have been a challenge to script previously.

Hands off my gold image - Automating Citrix XenApp/PVS Image Creation

Citrix Provisioning Services is a great solution for the rapid deployment of Windows workloads from a master image. However, rapid deployment is not a replacement for a consistent, repeatable method of creating that master image.

Adobe Reader XI Deployment

Adobe Reader XI is now available and along with this release comes some interesting tools for deployment:

Replacing Redirected Folders and Offline Files with AppSense DataNow

Note: this article covers a product that is in beta at the time of writing; therefore the specifics of the approach outlined in this article may be subject to change. This is not a recommendation to use this approach in production; rather it’s an exercise in understanding what’s possible with a new data synchronisation product.

Delivering Citrix XenApp Controllers and Workers with the Microsoft Deployment Toolkit

CitrixWindows8Desktop128

Mailbag - Pre-caching App-V 4.6 packages on Laptops using AppSense Environment Manager 8

Rory asks via Twitter - can we pre-cache App-V packages on laptop clients so that all applications are available offline, using AppSense Environment Manager?:

White Paper - The Definitive Guide to Delivering Microsoft Office with App-V

The Definitive Guide to Virtualizing Office header

Sequencing Mozilla Firefox with App-V 4.6

It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little more effort. I’ve previously shown you how to sequence Firefox 8, Firefox 7 and Firefox 5. Before embarking on sequencing Firefox, please refer to this companion article - Prepare Mozilla Firefox for Enterprise Deployment and Virtualization - which covers configuring a Firefox installation for virtualizing. It’s important that Firefox is configured correctly for virtualization by disabling specific features..

Unattended Windows deployment fails with 0x80004005 under Hyper-V

There’s one thing that I can’t get enough of when automating Windows deployments, it’s ambiguous and confusing error messages. More please, I’m a sucker for punishment.

Automated Citrix Receiver deployment hangs indefinitely

Deploying Citrix Receiver (full or Enterprise) via an unattended command-line, may result in the installer running indefinitely and not completing until you interact with the target machine.

BriForum London 2012 - Slide deck for The Definitive Guide to delivering Office with App-V

I shared a lightning round session at BriForum London 2012 with Dan Brinkmann. I rolled two lightning rounds (including Should Office Be in the Base Image?) into one with The Definitive Guide to delivering Office with App-V.

Citrix Synergy 2012 - Slide deck for Geek Speak Live 'User Environment Management smackdown 2012'

At Citrix Synergy 2012, I had the distinct pleasure of moderating a Geek Speak panel:  ”User Environment Management smackdown 2012” with Shawn Bass, Helge Klein, Harry Labana from AppSense, Bob Janssen from RES Software and Mike Larkin from Citrix on the state of User Environment Management.

App-V Books from Packt Publishing available with discounts in May

I’ve been fortunate enough to have performed technical editor duties on a couple of App-V books by Augusto AlvarezGetting Started with Microsoft Application Virtualization 4.6 and Microsoft Application Virtualization Advanced Guide.

BriForum talk - Office and App-V

Migrating packages from App-V 4.x to App-V 5.0

The App-V 5.0 Sequencer includes a couple of PowerShell modules and for converting packages is the only interface to use. Here’s how to automate the migration of packages from the old 4.x format to the new App-V 5.0 format.

Citrix Technology Professional Award

Last Friday turned out to be a pretty awesome day - my wife and I found out we’ll be having a girl in July and I’ve been selected to receive the Citrix Technology Professional award for 2012.

Configuring Hyper-V Virtual Networks with PowerShell

I’ve been configuring a Windows Server 2008 R2 Hyper-V deployment in the lab via MDT to a couple of ProLiant DL380 G5’s. I’ve been keeping the deployment as simple as possible, so there’s no SCVMM integrated at this point and as such I’ve need to configure the Hyper-V networking once the OS is deployed to the machine. Naturally, I don’t want to do that manually.

Client Side Performance Testing coming to Login VSI

Mark Plettenberg, the lead developer of Login VSI. This new module looks very interesting because it will allow us to objectively measure and analyse the performance of remoting protocols such as Teradici PCoIP, Microsoft RDP, Citrix ICA/HDX and Quest EOP.

Delivering Office with App-V – Sequencer Recommendations &#038; Best Practices

Having had to travel to Australia and the US recently, I’ve not had that much time to work on an upcoming white paper, but I have been posting some of the early versions of the chapters. So here’s another in that series while I work on getting the paper finished.

App-V White Papers

Update (28/03/2012): This list of white papers are now available on the Microsoft Download Centre: Microsoft Application Virtualization (App-V) Documentation Resources Download Page

Mailbag - Deploying multiple editions of Office 2010 with App-V

I’m not sure why I didn’t think of this earlier – I get emails from readers fairly regularly and many of them make great topics for blog posts. So here’s the first in a series of posts where I’ll cover interesting questions I get via email and where I think other readers will benefit from a public response.

Reducing Profile Size with a Profile Clean Up Script - PowerShell Edition

I recently posted a script for removing unnecessary files and pruning files based on their age, which can be used at logoff to keep profile sizes manageable - Reducing Profile Size with a Profile Clean Up Script.

Andrew Morgan (@andyjmorgan) has kindly translated my very basic VBscript to PowerShell. This can be used as a standalone script or the function (remove-itembyage) could be integrated into your own scripts and has the added benefit of in-built help and the ability to run silently.

Just like the original script, this could be executed at logoff, before the profile is saved back to the network, to perform two actions:

  1. Delete all files of a specific file type in a specified folder, including sub-folders
  2. Delete all files older than X days in a specified folder, including sub-folders

For example, you could use the script to delete all .log or temporary files below %APPDATA% that aren’t required to be roamed, or delete all Cookies older than 90 days to keep the Cookies folder to a manageable size.

Note: the script listing below has the -whatif parameter applied when calling the function, so no deletes will occur unless the parameter is removed.

function remove-itembyage {
    <#
        .SYNOPSIS
        remove items from folders recursively.

        .DESCRIPTION
        this function removes items older than a specified age from the target folder

        .PARAMETER Days
        Specifies the ammount of days since the file was last written to you wish to filter on.

        .PARAMETER Path
        Specifies the path to the folder you wish to search recursively.

        .PARAMETER Silent
        Instructs the function not to return any output.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 0 -path $recent

        This command searches the $recent directory, for any files, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 5 -path $recent

        This command searches the $recent directory, for files older than 5 days, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 10 -path $appdata -typefilter "txt,log"

        This command searches the $cookies directory, for files older than 10 days and end with txt or log extensions, then deletes them.

        .EXAMPLE
        PS C:\&gt; remove-itembyage -days 10 -path $cookies -typefilter "txt,log" -silent

        This command searches the $cookies directory, for files older than 10 days and end with txt or log extensions, then deletes them without a report.

        .NOTES
        /user-virtualization/profile-clean-up-script-powershell-edition/ for support information.

        .LINK
        /user-virtualization/profile-clean-up-script-powershell-edition/
    #>

    [cmdletbinding(SupportsShouldProcess = $True)]
    param(
        [Parameter(Mandatory = $true, Position = 0, HelpMessage = "Number of days to filter by, E.G. ""14""")]
        [int]$days,
        [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Path to files you wish to delete")]
        [string]$path,
        [string]$typefilter,
        [switch]$silent)

    #check for silent switch
    if ($silent) {$ea = "Silentlycontinue"}
    Else {$ea = "Continue"}

    #check for typefilter, creates an array if specified.
    if (!($typefilter)) {$filter = "*"}
    Else {$filter = foreach ($item in $typefilter.split(",")) {$item.insert(0, "*.")}}

    if (test-path $path) {
        $now = get-date
        $datefilter = $now.adddays( - $days)
        foreach ($file in get-childitem "$path\*" -recurse -force -include $filter | where {$_.PSIsContainer -eq $false -and $_.lastwritetime -le $datefilter -and $_.name -ne "desktop.ini"}) {
            if (!($silent)) {write-host "Deleting: $($file.fullname)"}
            remove-item -literalPath $file.fullname -force -ea $ea
        }#end for
    }#end if

    Else {
        if (!($silent)) {write-warning "the path specified does not exist! ($path)"}
    }#end else
}#end function

#Get KnownFolder Paths
$appdata = $env:appdata
$Cookies = (new-object -com shell.application).namespace(289).Self.Path
$History = (new-object -com shell.application).namespace(34).Self.Path
$recent = (new-object -com shell.application).namespace(8).Self.Path
$profile = $env:userprofile

#commands
remove-itembyage -days 0 -path $appdata -typefilter "txt,log" -silent -whatif
remove-itembyage -days 90 -path $cookies -silent -whatif
remove-itembyage -days 14 -path $recent -silent -whatif
remove-itembyage -days 21 -path $history -silent -whatif
remove-itembyage -days 14 -path "$appdata\Microsoft\office\Recent" -silent -whatif

App-V MVP renewed for 2012

I was quite relieved and grateful to receive the Microsoft MVP award again for 2012:

Reducing Profile Size with a Profile Clean Up Script

Windows profiles become larger over time - it’s an inescapable fact. This means that if you are using roaming profiles, logons (and logoff) will be longer and longer. It’s not just individual file sizes, but also the number of files stored in a profile that will make the synchronisation process slower.

One approach to reducing profile sizes is to exclude certain folders. A better solution is to ditch roaming profiles and use a third-party solution to manage roaming of the user environment.

However, there will still be folders that need to be roamed to maintain the experience that users expect when moving between devices (i.e. consistency). For those folders we can implement some maintenance to keep them at a manageable size - that is remove files that are not needed in a roaming profile (e.g. log files) or delete files older than a specific number of days.

Warning: there’s a reason that Windows doesn’t do this maintenance itself - only each application vendor will have an understanding of whether specific files are required or can be discarded (hence the roaming and local portions of AppData). However, as any experienced Windows admin knows - many vendors either don’t test for or don’t care about roaming scenarios, therefore I strongly recommend testing this approach before production deployment.

As a part of an upcoming version of this configuration, I’ve created a script that will execute at logoff, before the profile is saved back to the network, that will perform two actions:

  1. Delete all files of a specific file type in a specified folder, including sub-folders
  2. Delete all files older than X days in a specified folder, including sub-folders

So for example, you could use the script to delete all .log files below %APPDATA% or delete all Cookies older than 90 days.

The script is extremely simple on purpose and I recommend testing thoroughly before implementing - use at your own risk; however feedback is welcome.

' Profile clean up - remove unneeded or old files before logoff
' --------------------------------------------------------------
' Original scripts:
' http://www.wisesoft.co.uk/scripts/vbscript_recursive_file_delete_by_extension.aspx
' http://ss64.com/vb/syntax-profile.html
' http://csi-windows.com/toolkit/csigetspecialfolder

' Version 2.0; 27/12/2011

Option Explicit
On Error Resume Next 'Avoid file in use issues

Dim strExtensionsToDelete, strAppData, strUserProfile, objFSO, strCookies, strHistory, strRecent, objShellApp
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShellApp = CreateObject("Shell.Application")
Const CSIDL_COOKIES = "&H21"
Const CSIDL_HISTORY = "&H22"
Const CSIDL_RECENT = "&H08"
Const CSIDL_NETHOOD = "&H13"
Const CSIDL_APPDATA = "&H1A"
Const CSIDL_PROFILE = "&H28"

' Folder to delete files from (files will also be deleted from Subfolders)
strUserProfile = objShellApp.NameSpace(cint(CSIDL_PROFILE)).Self.Path
strAppData = objShellApp.NameSpace(cint(CSIDL_APPDATA)).Self.Path
strCookies = objShellApp.NameSpace(cint(CSIDL_COOKIES)).Self.Path
strHistory = objShellApp.NameSpace(cint(CSIDL_HISTORY)).Self.Path
strRecent = objShellApp.NameSpace(cint(CSIDL_RECENT)).Self.Path
strNetHood = objShellApp.NameSpace(cint(CSIDL_NETHOOD)).Self.Path

' Main
RecursiveDeleteByExtension strAppData, "tmp,log"
RecursiveDeleteOlder 90, strCookies
RecursiveDeleteOlder 14, strRecent
RecursiveDeleteOlder 21, strHistory
RecursiveDeleteOlder 21, strNetHood
RecursiveDeleteOlder 14, strAppData & "\Microsoft\Office\Recent"
'RecursiveDeleteOlder 5, strAppData & "\Sun\Java\Deployment\cache"
'RecursiveDeleteOlder 3, strAppData & "\Macromedia\Flash Player"
'RecursiveDeleteOlder 14, strUserProfile & "\Oracle Jar Cache"

Sub RecursiveDeleteByExtension(ByVal strPath,strExtensionsToDelete)
    ' Walk through strPath and sub-folders and delete files of type strExtensionsToDelete
    Dim objFolder, objSubFolder, objFile, strExt

    If objFSO.FolderExists(strPath) = True Then
        Set objFolder = objFSO.GetFolder(strPath)
        For Each objFile in objFolder.Files
            For each strExt in Split(UCase(strExtensionsToDelete),",")
                If Right(UCase(objFile.Path),Len(strExt)+1) = "." & strExt then
                    WScript.Echo "Deleting: " & objFile.Path
                    objFile.Delete(True)
                    Exit For
                End If
            Next
        Next
        For Each objSubFolder in objFolder.SubFolders
            RecursiveDeleteByExtension objSubFolder.Path,strExtensionsToDelete
        Next
    End If
End Sub

Sub RecursiveDeleteOlder(ByVal intDays,strPath)
    ' Delete files from strPath that are more than intDays old
    Dim objFolder, objFile, objSubFolder

    If objFSO.FolderExists(strPath) = True Then
        Set objFolder = objFSO.GetFolder(strPath)
        For each objFile in objFolder.files
            If DateDiff("d", objFile.DateLastModified,Now) &gt; intDays Then
                If UCase(objFile.Name) &lt;&gt; "DESKTOP.INI" Then ' Ensure we don't delete desktop.ini
                    WScript.Echo "Deleting: " & objFile.Path
                    objFile.Delete(True)
                End If
            End If
        Next
        For Each objSubFolder in objFolder.SubFolders
            RecursiveDeleteOlder intDays,objSubFolder.Path
        Next
    End If
End Sub

Don't put yourself at risk by virtualizing Adobe Reader X

Adobe released a new security advisory for Reader and Acrobat 9 and X this week to address details of an upcoming fix to these versions for a 0 day vulnerability. Exploits for this vulnerability exist for Reader and Acrobat 9 and are currently active:

Delivering Office with App-V - The Need for Profile Management

Because Office is a core application of most desktop deployments, user interaction with Office and the user experience are important factors in the deployment of Office. From an administration perspective, providing a seamless user experience requires managing the user preferences of an application, independent of the application delivery method.

An Archive and Analysis of #AppV Tweets

Several months ago, I used the The Archivist to create an archive and analysis of tweets with the #AppV hash tag. 1,740 tweets later (not all of which I’m sure are App-V related), we get an interesting picture of conversations around App-V. To view the archive visit this URL: http://bit.ly/appvarchive.

Sequencing Mozilla Firefox 8

Mozilla has just released Firefox 8, so it’s time to look at virtualizing the new version. It’s a simple task to virtualize Firefox, as it lends itself well to application virtualization; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 8.x.

Sequencing Google Chrome 15

Here’s how to successfully sequence Google Chrome 15; however the same approach should work for Chrome 13, 14 and 16 and maybe even some other versions.

The Case of the Disappearing Application during Sequencing

In the official Microsoft TechNet forums, a question had been asked about sequencing Google Chrome and the poster states that when using the Chrome Enterprise Installer (a downloadable MSI for deployment inside an organisation), Chrome installs OK during the monitoring phase, but the folder is deleted at the end of monitoring and thus isn’t captured.

One profile, or Two, or Three, or...

Surely one of the main goals of any good desktop delivery project is to remove the user’s reliance on any single device?

Comparing User Profiles Sizes for Microsoft Office Suites

I’ve been doing some work recently virtualizing various versions of Office in App-V plus managing user preferences for those Office packages. Here’s something interesting that I’ve found – the size of the profile settings for a default installation of Office 2010 is massively different in size over previous versions of Office.

Delivering Office with App-V - Error 0x80070424 installing the Office 2010 Deployment Kit

If you have issues installing the Office 2010 Deployment Kit for App-V (OffVirt.msi) to install the licensing component for a virtualized Office 2010 package, it may fail to install. A typical command line to install the licensing component look like this:

Delivering Office with App-V - The User Profile

If you follow any of the following guidance from Microsoft for sequencing Office with App-V:

Delivering Office with App-V - The Deployment Kit and Product Key issues

When attempting to install the Office 2010 Deployment Kit for App-V using a MAK activation key, via the following command-line (or similar):

Sequencing Mozilla Firefox 7

It’s easy to virtualize Firefox with App-V; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 7.x.

Reducing the size of App-V packages

If you’re looking to reduce the size of your App-V packages, you can compress them when saving them in the Sequencer; however if that content in the package doesn’t actually compress that well, you may not save as much space as you might expect. Here a quick win to reduce the size of your packages.

First Annual European App-V User Group

Great news - the first annual European App-V User Group has been announced, for Friday November 18, 2011 9:00 AM to be held at Microsoft HQ, in the Netherlands:

Is it legal to virtualize Apple iTunes?

Preface: I don’t speak legalese and this post is based on my own intepretation of the iTunes distribution agreement.

Microsoft Office Click-to-Run for Office 2010 KB articles help explain how Office runs under App-V

A number of knowledgebase articles have been updated recently that are interesting reading if you’re looking to understand how Microsoft Office works under App-V, and the limitations if you deploy Office in this method. If you’re already not aware, Office delivered by Click-to-Run is actually a modified version of App-V under the hood. There’s also an overview of Microsoft Office Click-to-Run for Office 2010 worth reading.

AppSense Environment Manager 8 Baseline Configuration

Here’s something that I’ve been looking to share with the community for some time - something to get you started when implementing AppSense Environment Manager 8.x.

Disable Hibernation before enabling Hyper-V on a laptop

If you enable Hyper-V on a laptop (or any other machine where hibernation is enabled automatically) you’ll find that you won’t be able to delete the hibernation file (hiberfil.sys).  Although hibernation is effectively disabled, the file remains in use once Windows has booted:

Sequencing Mozilla Firefox 5

It’s easy to virtualize Firefox with App-V; however getting it right takes a little more effort. Here’s how to successfully sequence Mozilla Firefox 5.x.

Sequencing Apple iTunes 10

Here’s a nut I’ve been trying to crack for some time – successfully virtualizing Apple iTunes with App-V. I think a combination of iTunes 10 and App-V 4.6 SP1 did the trick. Here’s how to do it.

Adding Shell Extensions to App-V Packages

Inspired by a post on the ThinApp blog on Adding Shell Extensions to ThinApp Packages, I’ve documented here how to add Shell Extensions to an App-V package using the Windows Installer file generated by the App-V Sequencer.

Announcing the Server App-V Recipes, Tips &#038; Tricks feed

I’ve previously written about the Desktop App-V Recipes, Tips and Tricks list that fellow App-V MVP, Nicke Källén and I have been compiling over the past year. This list has recently reached well over 220 links and highlights the fantastic efforts of many different contributors.

Sequencing Microsoft Comic Chat

How the App-V 4.6 Service Pack 1 Sequencer helps you implement best practices

The App-V 4.6 Sequencer introduces some major changes in the user interface and the sequencing workflow. These changes have been designed to assist the sequencing engineer with virtualising applications in App-V while aligning with best practices.

Just how do Exclusions in App-V packages work?

Exactly how do folder and Registry exclusions work in App-V? I had presumed that exclusions for both folder and Registry paths would carry over to package execution. This is something that I had made some assumptions about and it’s only recently that I looked into exclusions in detail to get a better understanding.

200 App-V Recipes, Tips and Tricks to keep you busy

With (far) more than a little help from another App-V MVP, Nicke Källén, we’ve been compiling a list of completed App-V recipes plus links to various places around the Internets where you’ll find assistance in getting your applications virtualised in App-V..

Sequencing the App-V Management Console

Sequencing the the App-V Management Console is reasonably straight-forward; however it wasn’t quite as simple as you would expect.

App-V FAQ: What are Providers Policies?

This is a guest post from Jurjen van Leeuwen, an App-V MVP (new for 2011) and independent consultant based in Norway. You can read more from Jurjen at his web site.

MVP in App-V for 2011

This arrived in my inbox on the 1st of Jan, which was a great way to finish off a day of snowboarding:

App-V FAQ: Can I virtualize the .NET Framework or Visual C++ Redistributables?

This is a guest post from Nicke Källén, an App-V MVP from Sweden. He posts as Znack on the TechNet Forums, and you can read more articles from Nicke at his blog here.

Virtualizing Adobe Reader X

ReaderXVirtualise

Deploying Adobe Reader X

For a Reader XI version of this document see: Adobe Reader XI Deployment

How to silently deploy RemoteApp Programs to the Start Menu

RemoteApp in Windows Server 2008 R2 Remote Desktop Services finally allows you to do what some 3rd party solutions have been doing for years – delivering published applications directly to the user’s Start Menu. The bad news is that this feature requires Windows 7 and Windows Server 2008 R2, but your migrations plans are well underway right?

App-V presentations from TechEd 2010 Australia &#038; NZ

I’ve embedded the videos here. You’ll need an HTML 5 capable browser to view them, otherwise go to the TechEd Online site links I’ve provided, to view Silverlight and download MP4 versions plus access to the slide decks.

App-V FAQ: My virtual application won't start. Where do I start troubleshooting?

If you have successfully virtualised an application, imported the package into the Management Server but you are having issues publishing the package, streaming the application or getting it to launch, the first place to start is the the App-V client log.

App-V FAQ: How do I configure my App-V clients to stream from a local source?

If you have decided on streaming your App-V packages to client machines (rather than deploying via Windows Installer or SCCM), you will most certainly need to control where clients stream packages from. This, of course, would be the source closest to the client computer.

App-V FAQ: How do I restrict access to specific applications in an App-V package?

AppV logoConsider the following scenario - I have created a Microsoft Office package with App-V that includes the base Office applications (Word, Excel, PowerPoint and Outlook). In addition to these I have also included Project and Visio. So I have a single App-V package that includes all of the Office applications – the base set of applications plus a couple of additional applications that I want to provide to a subset of users.

App-V FAQ: How do I get an application into the App-V bubble for troubleshooting?

AppV logo

App-V FAQ: What 3rd party tools are there for managing App-V?

Even in the absence of an App-V SDK, the 3rd party tools available for App-V are wide and varied. Here’s what I hope is a complete list. If I missed anything out, please let me know.

App-V FAQ: What tools does Microsoft provide for App-V?

AppV logo

App-V FAQ: Can I use Active Upgrade without RTSP(S)?

AppV logo

App-V FAQ: How do I troubleshoot the App-V Management Server?

Common scenarios for troubleshooting the Management Server (or the Streaming Server) are connectivity issues between the client and server, opening the Management Console from a remote machine and upgrading the Management Server.

App-V FAQ: Do I need to backup the App-V Management Server?

If you’ve deployed the native App-V infrastructure, you will have the following components in your environment:

Configuring an Automatic Resolution Policy for Offline Files in Windows 7

If you’ve ever had any experience implementing Offline Files for Windows laptops, you’re no doubt aware that users are required to manually resolve synchronisation conflicts. Well that’s the impression I’ve always been under until recently – there’s no documentation on TechNet on how to automatically resolve conflicts and certainly no Group Policy controls available either.

App-V FAQ: Does the delivery method change how applications are sequenced?

AppV logo

App-V FAQ: What are the deployment methods for App-V?

There are several methods that you can use to deliver App-V packages in your environment – you could even combine the methods depending on your requirements. I will summarise the methods here and give you some links to existing Microsoft articles and white papers and some excellent blog posts that discuss these options in detail:

App-V FAQ: Does App-V replace Citrix XenApp or Remote Desktop Services?

AppV logo

App-V FAQ: Can I virtualise Internet Explorer with App-V?

AppV logo

App-V FAQ: Can I run an application on Windows 7 that was sequenced on Windows XP?

As you should hopefully know by now App-V is not a compatibility solution, which means that you can’t use App-V to run applications that aren’t compatible with a specific version of Windows, you’ll need to use other means to do that.

App-V FAQ: Where can I find information on sequencing applications?

Before you even attempt your first sequence with App-V, I strongly recommend reading the Microsoft Application Virtualization 4.6 Sequencing Guide. This document lays the ground work for creating a successful sequencing environment and describes the best practices you should follow when sequencing. An older knowledgebase article exists, but it is still worth referencing: Best practices to use for sequencing in Microsoft SoftGrid.

App-V FAQ: Where do I go to find out how the App-V Client works?

AppV logo

App-V FAQ: Can I configure the App-V Client via Group Policy?

AppV logo

App-V FAQ: How do I configure the App-V Client in stand-alone mode?

Stand-alone mode in App-V is useful where you are deploying App-V applications via Group Policy or a 3rd party ESD (using the MSI file), or you have the App-V packages available on a file share and import them with the SFTMIME command.

App-V FAQ: How do I create a silent installation for the App-V Client?

TechNet has the documentation you need for creating a silent or unattended installation of the App-V client for deployment to existing workstations or during your base image build. Before embarking on customising the install, I usually recommend first understanding how to perform a manual installation of the App-V Client.

App-V FAQ: What are the dependencies of the App-V Client?

AppV logo

App-V FAQ: Does App-V allow me to run applications on Linux or Mac OS X?

AppV logo

Display corruption with Mobile Intel GM45 Chipset

I have a Dell Latitude XT2, which includes the Mobile Intel GM45 Chipset (and the Mobile Intel Graphics Media Accelerator 4500MHD). On occasion I’ve experienced display corruptions issues that make working with the laptop somewhat difficult.

App-V FAQ: Can App-V be used to run 16-bit applications on Windows x64?

AppV logo

App-V FAQ: Can I use Application Compatibility Shims with App-V?

AppV logo

Someone on the Internet is wrong about Hyper-V and I must correct them

VirtualizationAdmin.com has a new article by David Davis titled: 5 things Microsoft must do to stay in the virtualization game. I think the article has some fairly weak arguments and certainly a couple of claims that are just wrong. VirtualizationAdmin doesn’t provide a way to comment on articles, so I’ll break this down in an article of my own.

App-V FAQ: Is App-V an Application Compatibility solution?

AppV logo

App-V FAQ: What are the system requirements for App-V?

AppV logo

Windows Server 2008 R2 SP1: What’s in it for Remote Desktop Session Host?

The document Hotfixes and Security Updates included in Windows 7 and Windows Server 2008 R2 Service Pack 1 Beta has the complete list of what’s fixed in SP1. RemoteFX might steal the show, however I’m specifically interested in what fixes there are for Terminal Server or Remote Desktop Session Host as it’s now called.

App-V FAQ: What are the current versions of App-V 4.x?

There are currently several versions of App-V 4.x available for deployment, although it is highly recommended that you deploy or migrate to 4.6 SP2. For the full list of available versions and hotfixes for all App-V components see the spread sheet at the end of this post.

Specify a licensing server for Remote Desktop Virtualization Host and RemoteFX with PowerShell

If you’re configuring the Remote Desktop Virtualization Host (RDVH) and RemoteFX roles on a Hyper-V box, you may see the following message and will need to configure a license server:

App-V FAQ: Where can I download App-V?

AppV logoDepending on how you license App-V, you may need to download the ISO from different sources:

App-V FAQ: How is App-V licensed?

Microsoft App-V is available in two flavours: for desktops (this includes laptops and virtual desktops – essentially anything that will run Windows XP, Windows Vista or Windows 7) and for Remote Desktop Services (RDS).

App-V FAQ: What is Microsoft Application Virtualization

AppV-FAQ-Logo](http://www.microsoft.com/windows/enterprise/products/mdop/app-v.aspx)

App-V FAQ: What is Application Virtualisation?

<img class=”wlDisabledImage” style=”margin: 0px 0px 5px 10px; display: inline; border-width: 0px;” title=”AppV-FAQ-Logo” src=”/media/2010/06/AppVFAQLogo.png alt=”AppV-FAQ-Logo](http://en.wikipedia.org/wiki/Application_virtualization) as:

App-V Frequently Asked Question Series

AppV logo Starting tomorrow, I have a new blog post series - Microsoft App-V FAQs. There has been a SoftGrid FAQ blog on Microsoft TechNet in the past, but it’s now very  out of date. You can find official FAQs such as the App-V 4.6 on TechNet and an App-V 4.5 SP2 FAQ document, but these are a bit limited in scope.

Event ID 11708 logged when installing Application Error Reporting

When installing Microsoft Application Error Reporting, for example as a part of deploying the App-V Client, you may see an event with ID 11708 logged in the Application log. The error logged will be something along the lines of this:

Virtualising Apple Safari 5

AppV-Safari Safari 5.x with Microsoft Application Virtualization; however the same basic steps should apply to any application virtualisation product.

Virtualising Paint.NET 3.x

Virtualising Paint.NET is a simple two step process:

Customising Office 2010 before deployment

The Office 2010 planning, deployment and configuration documentation is far better than what was available for Office 2007 at launch, however it’s worth updating my Office 2007 deployment notes for the changes in Office 2007.

Managing product activation with a TechNet subscription (and MSDN too)

ComputerTick I’ve been avoiding activating Windows installations in my home test environment with the product keys from my TechNet subscription because I’ve been afraid of running out of keys. Fortunately that fear has been mostly unfounded. I won’t go into what I really think about product activation but if you’re interested in how to manage your TechNet or MSDN keys, I have discussed how I’m doing that here.

Application Virtualisation Sequencing SuperFlow available

Microsoft have made available what looks to be an excellent resource for walking through the complete sequencing process:

Setting App-V client permissions during install

However, I generally recommend configuring as many settings as you can during install so that you don’t have to rely on external tools (e.g. Group Policy) that may not apply in a timely manner.

Dynamic Suite Composition and short names

This is a guest post from Nicke Källén, an App-V MVP from Sweden. He posts as Znack on the TechNet Forums, where he’s consistently the  most active answerer in App-V topics. You can find his blog here.

Reduce logon times by excluding the bloat

Profile bloat – we’ve all seen it. Many applications, and even Windows itself, can store files in the most inappropriate places within the user profile. For example, here’s just part of what the Vodafone Mobile Connect application stores within the roaming portion of my profile:

Virtualising OpenOffice.org 3.x

This post details virtualising OpenOffice.org 3.x with Microsoft Application Virtualization; however the same basic steps should apply to any application virtualisation product.

Virtualising Firefox? Don't forget to disable Updates

If you are virtualising Mozilla Firefox, you should probably consider disabling the update functionality within the browser, to ensure consistency of the virtual package. There are several items that need to be configured or removed:

Deploy and update Adobe Reader with GFI LANguard

This post has been sitting in my drafts since June 2009 and for whatever reason I haven’t gotten around to posting it. So rather than delete it, I’m posting it as is - apologies in advance for quality of this post

Disable the EU Browser Choice screen

You’re probably aware of the Browser Choice screen coming to Windows users in the EU, the update that forced on users because of a company that can’t do something a bunch of volunteers have done quite admirably. This update will actually unpin Internet Explorer from the taskbar even if you’ve already made IE your default browser.

KB Article: Sequencing Office 2010 beta in App-V 4.6

A new knowledge-base article, released on the 22nd, is available from Microsoft for sequencing Office 2010 (32-bit and 64-bit) with App-V 4.6:

App-V 4.6 Released

Microsoft Application Virtualisation 4.6 (RTM) has been made available, which you can download from the Microsoft Download Centre, including some new and updated support tools:

RemoteApp for Windows XP and Windows Vista, the missing pieces

You may recall from my last post on RemoteApp, that we can get RemoteApp for Hyper-V works on other platforms too. While it was straight-forward publishing applications from a Windows 7 host, the client would report this error when connecting to Windows XP and Windows Vista hosts:
RemoteAppNotSupported

App-V Video Series available from Microsoft

SoftGrid Closed Box

App-V Errors 00000006 and 000D3002 When Adding Packages

I’m unsure if this is a bug or by design, but if you are using SFTMIME to add packages to an App-V client, you may receive the following error:

How I'm using FeedDemon 3.1 to make sense of the Citrix Community Blog feed

I’ve been a fan of FeedDemon for several years now and was even a paying customer of the 2.x version, so this post is a little biased – you may be able to do something similar in other feed readers.

RemoteApp for Hyper-V. Hyper what?

Microsoft posted about RemoteApp for Hyper-V yesterday, which was essentially highlighting the application publishing capabilities available in Windows XP mode and Windows Virtual PC; however this particular blog post calls out the use of RemoteApp to publish applications on Windows XP and Vista guests running under Hyper-V.

Roaming User Customisations in Office 2010

Note: for a more complete article on customising your Office 2010 deployment see this article: Customising Office 2010 before deployment

Dell owners - avoid the IDT 92HDxxx HD Audio driver

I’ve been mucking around with MDT 2010 lately, which has made it pretty simple to create an unattended install routine for my Dell Latitude XT2 (hopefully more on that soon) and to inject drivers into the build; however in doing so I’ve found a nasty bug in the IDT 92HDxxx HD Audio drivers from Dell (version 6.10.0.6217, A09).

Use a PAC file to make proxy settings dynamic

ProxySettings

Windows Server 2008 SP2: What's in it for Terminal Servers?

As you’re most likely aware, Microsoft has recently made available Windows Vista and Windows Server 2008 Service Pack 2. If you would like to know the details of every single fix and feature in the service pack, download this spreadsheet: Hotfix and Security Update List: Windows Server 2008 SP2 and Windows Vista SP2.

Windows 7 on a Dell Latitiude XT2

delllatitudext21

My Windows box has insomnia

When Windows just won’t stay in sleep mode there’s a simple fix. First you need to identify which component keeps bringing Windows out of sleep mode.

MSI Live Update disables User Account Control

I thought I’d seen just about every dumb thing that a developer could do, but this latest one from MSI is a whopper..

Some More Windows Virtual PC Screens

Of course, Windows Virtual PC has been covered in detail already, but I got a chance to play with the product and there’s some neat UI experiences that I hadn’t seen covered yet. Here’s a quick overview of interacting with Windows Virtual PC.

Did you know that App-V 4.5 CU1 is not beta?

I’m a little slow off the mark here (I’ve got my head buried in something unrelated), but I’ve just found out today that the App-V 4.5 Cumulative Update 1, although only available on Connect, is not actually a beta, it is the final code that you can start deploying.

Pismo File Mount for using ISOs in Windows 7

My old favourite Daemon Tools just hasn’t been working in Windows 7, so I’ve been on the look out for another tool for mounting ISOs. I haven’t really liked other tools like CloneDrive or PowerISO, but I’ve come across Psimo File Mount (via My Digital Life, I think) which so far has been working a treat.

Start Menu in Windows 7 7057

In addition to the new Start Menu customisation options available in build 7048, build 7057 introduces a very subtle change when using the Windows 7 Basic theme. The links on the right-hand side of the Start Menu gain a faux glass look, which gives the Start Menu a little more consistency across the Basic and Aero themes.

Remote Desktop Connection in Windows 7 7048

The Remote Desktop Connection client gets a facelift in build 7048 as well as Jump List integration, which is has been making life much simpler indeed:

Command Prompt in Windows 7 7048

I like the Command Prompt, it’s a little like those old worn out pair of shoes that you just don’t want to get rid of. I’m also a fan of the Consolas font, so when I can mix it with Command Prompt, those old shoes get a new lease on life.

Start Menu in Windows 7 7048

For those looking to fit just about every link possible on their Start Menu, Windows 7 build 7048 and above are aiming to please. In addition to the options seen in earlier builds, 7048 adds Downloads, Homegroup and the ability to edit the number of recent items in Jump Lists:

What's removable in Windows 7 7048

A little more than just Internet Explorer 8 is removable in Windows 7 build 7048. This build allow you to remove Internet Explorer 8, Windows DVD Maker, Windows Media Center, Windows Media Player (no more N editions, I presume) and even Windows Search:

ACDC vs. SoftBar – Fight!

Two great tools for managing App-V applications have appeared in the last few weeks - SoftBar and the App-V 4.5 Client Diagnostic and Configuration tool (ACDC). Thanks to the efforts of Greg Brownstein and Ment van der Plas, we have some excellent choices for improving the way we can manage and troubleshoot virtual applications on the client. 

Microsoft issues update to fix disabling Autorun

registry key from functioning as expected.

You need this - App-V Client Client Diag and Config tool

Ment van der Plas, of Login Consultants, has gone and created the most awesome App-V client tool - the App-V 4.5 Client Diagnostic and Configuration tool:

Sunday Link Love

Sunday Link Love

Flex Profiles 6 is available

A press release from Immidio landed in by inbox today - Flex Profiles, formerly by Login Consultants, has been updated to version 6. It comes as a free Express version and from what I can tell, you can pay for support.

Google Chrome on Windows 7 x64

I’ve had some issues with Google Chrome (1.0.154.48) running on Windows 7 x64, but thanks to these two links, it’s now working great.

Go Deep with AppVirt

Here’s an interesting video on the Channel 9 site about the architecture of Microsoft Application Virtualization:

User Based and Machine Based App-V deployment in SCCM 2007 R2

Ment van der Plas has a great article on virtual application deployment in SCCM 2007 R2

"Fixing" Windows Briefcase

For the 10 people who use Windows Briefcase, this one is not for you. If you’re like me and can’t stand the rough edges in Windows that have yet to be cleaned up, the Windows Briefcase icon is a bit of an eye sore because it still uses a Windows XP style icon:

Eliminate the Windows Start Navigation sound

What’s the most annoying sound in Windows? For me it’s got to be the Start Navigation sound – that click that Windows plays whenever you navigate your way around Windows Explorer or Internet Explorer.

Hiding the vmware_user account in Windows 7

Installing VMware Server or Workstation on Windows 7 will leave the __vmware_user\__ account showing on the logon screen, which does not happen in earlier versions of Windows.

No App-V on Windows 7 (for now)

I was testing this myself yesterday without luck, but it looks like App-V does not currently run on Windows 7.

Santa Claus is watching you

It’s been a busy December, so it’s been a bit quiet around here and by the time you read this I’ll be on the slopes somewhere around Arinsal, so here’s my final post for the year. Merry Christmas, Happy Hanukkah, Saturnalia or Yule or whatever it is you do or don’t celebrate at this time of year.

App-V Sequencer fails to install

Attempting to install the App-V Sequencer may not be successful and result the message “The wizard was interrupted before Microsoft Application Virtualization Sequencer could be completely installed”. Of course the message in the dialog isn’t particularly helpful, so what’s going on?

Adobe CS3, App-V 4.5 and 0xc0150002

If you are deploying any of the Adobe CS3 application (such as Photoshop, Illustrator or InDesign) suite in App-V 4.5, this knowledgebase article may come in handy: When launching applications from the Adobe CS3 suite using Application Virtualization 4.5 clients, you may encounter an error: 0xc0150002

Sometimes it pays to RTFM..

A reader e-mailed me the other day about the KEEPCURRENTSETTINGS property of the App-V 4.5 client setup and how when used on the command line, other properties are ignored. I hadn’t seen this behaviour – or so I thought until I found that my client install script was not setting the right virtual driver letter or enabling streaming from file.

Workaround for crashing App-V Management Console

If you are managing a large number of applications with App-V you may experience a crash in the Microsoft Management Console when drilling down into the Application node.

Unable to set security descriptor on global package files on App-V client upgrade

If you are deploying the App-V ADM Template to manage your App-V 4.5 clients you may need to consider the timing of deploying of Group Policy settings versus deployment of the client. The App-V ADM Template whitepaper recommends deploying the template after you have deployed the client.

Learning to live in harmony with the SCCM and App-V Clients

Ment van der Plas posted yesterday at the SoftGridBlog about what happens when the SCCM and the App-V client co-exist. Given that the SoftGridBlog doesn’t accept comments, here’s an extended reply to Ment’s post.

CLI09-IS: Microsoft Application Virtualization discussion

TechEd EMEA 2008 Wrap-up

Well TechEd EMEA 2008 is done and I still have some notes to post from a few more noteworthy sessions, so until then here’s a few more observations about the conference:

CLI02-PD: New features in App-V 4.5

This was a session to demo the new features in App-V 4.5, mainly aimed at those people already familiar with App-V. It was presented by Gene Ferioli, a senior program manager on the App-V team. Gene worked with the SCCM team on the App-V integration for SCCM 2007 R2.

SVR203: Windows Server 2008 R2: Work Anywhere Infrastructure

</p>

TechEd EMEA 2008 - First Impressions

teched-2008-logoAfter experiencing some initial troubles with Internet access from my hotel room, I might be able to start posting some pieces from Tech∙Ed here in Barcelona. Some of these might be out of chronological order, but first up here’s a general odds and ends from my first few days here:

Issues Sequencing Adobe Reader 7 or 8 in App-V 4.5

Microsoft posted a knowledgebase article yesterday titled: With Microsoft Application Virtualization 4.5 you are unable to Sequence Adobe Reader 7.x or 8.x due to NETOP FEAD Installer error. Essentially the NETOP FEAD installer is not compatible with the 4.5 Sequencer (or perhaps that’s the other way around).

App-V Resource Kit Tools Available

A number of useful App-V (resource kit) tools have been released which look very useful:

Juggling Sun Java Runtimes in App-V

<img class=”alignleft size-medium wp-image-775” style=”border: 0px;” title=”softgridcube-java” src=”/media/2008/10/softgridcube-java.png” border=”0” alt=” before, but it’s not because I like Java… So before I get into a tirade about it, here’s yet another post on the subject..

Flash Player 10 Available, Still No x64 Support

Adobe have made Flash Player 10 available, but unfortunately there’s still no support for 64-bit browsers, but then Silverlight 2 doesn’t have 64-bit support either.

Troubleshooting an Extraneous UAC Prompt

Even though I log onto my domain machine with a standard user account, I’ve been prompted by UAC to elevate when running Registry Editor. After putting up with it for a couple of months, I finally got around to doing something to fix it today.

Tomorrow: Developing and Running As Non-Admin

At the next Vista Squad meeting tomorrow night (Wednesday 15th October), along with Ray Booysen, I’ll be presenting on User Account Control and developing & running as non-admin. There’s a few things we’ll cover, including:

App-V Management Pack for OpsMgr 2007

Now this looks good: Microsoft Application Virtualization Management Pack for Systems Center Operations Manager 2007. If you’re deploying applications via any virtualisation/streaming solution, monitoring is essential.

Windows Vista Application Compatibility Downloadable List

Here’s a download that’s quite timely as I’m looking at application compatibility as a component of my Windows Vista deployment project: Windows Vista Application Compatibility Downloadable List for IT Professionals

TechEd EMEA 2008

<img style=”display: inline; margin-left: 0px; margin-right: 0px” title=”TechEd” src=”/media/2008/10/teched.png” border=”0” alt=”TechEd](http://emea.msteched.com/itpro/sessionpreferencesurvey.aspx) has been posted (you’ll have to be attending to see it). There’s plenty of excellent sessions to choose from and for me it’s going to be lots of App-V and Windows Vista content.

Information about Windows Server 2008 SP2 and Windows Vista SP2

Well actually, there’s none at the moment, but a there is a knowledgebase article available on SP2 as a place holder for future information:

Microsoft Application Virtualization 4.5 Security Configuration Roles

Security configuration roles for Application Virtualisation 4.5, which makes the Security Configuration Wizard in Windows Server 2003 and Windows Server 2008 App-V aware, have been released to the Downloads Centre.

Microsoft Application Virtualization Best Practices Analyzer

This came out of the blue (or perhaps I haven’t been paying attention). Here’s the Microsoft Application Virtualization Best Practices Analyzer:

Keeping The Windows Vista User Folder Clean

Because I’m a stickler for clean UI, I want to ensure users don’t see extra files or folders in their User folder on Windows Vista. I’m trying to avoid something similar to what you can see in the screenshot below, which looks a little out of place:

Application Virtualization 4.5 Podcast

A podcast that gives you can overview of Microsoft Application Virtualisation 4.5 has been posted that is worth checking out if you’re new to App-V or want to find out what version 4.5 is all about: Windows Springboard Series: AppV™ Application Virtualization

App-V and SCCM 2007 R2: Are Virtualised Applications Delivered The Same Way?

This was a great question, at this evenings talk,  about deploying virtualised applications via ConfigMgr 2007 R2 - are virtualised applications delivered to clients in the same manner as installed applications?

App-V Talk Slide Deck

The WMUG meeting was well attended tonight and my talk went better than expected considering that most of what I plan to say goes out the window as soon as I stand at the front of the room (I’m still new to this speaking malarkey).

App-V Talk At WMUG This Thursday

I’m going to be presenting a session on Microsoft Application Virtualisation 4.5 at the Windows Management User Group this coming Thursday (11th of September) at Microsoft’s offices in Victoria here in London:

Get Ready Now To Deploy Internet Explorer 8

Unless you’re hell bent on deploying Firefox in your corporate environment (and managing it with Group Policy), here are some reasons why you should plan for Internet Explorer 8 now and deploy it when the final version is released:

My Product Code Is Bigger Than Yours..

I thought 25 character product keys where a pain in the proverbial, but this one takes the cake. I won’t tell you which application this authorisation code is for, but it’s a whopping 93 characters long..

WSUS Update for Server Manager in Windows 2008

Microsoft have made available an update for Windows Server 2008 that integrates the WSUS 3.0 console into Server Manager.

Managing Control Panel in Windows Vista

At some point in your migration from Windows XP to Windows Vista you’ll no doubt be looking to manage which Control Panel applets are available to users. Controlling access to applets is no different than earlier version of Windows, but given that there are approximately 48 default applets in Windows Vista compared to 29 in Windows XP, more consideration will need to be given to those which you make available.

Disable Office User Interface Elements

Group Policy allows you to disable certain UI elements within Office applications, which you might want to do in the case of the Information Rights Management feature built into Office 2003 and 2007.

Adobe Customisation Wizard 9 Available

Adobe have made the Adobe Customisation Wizard 9 available for download for use with deploying Acrobat and Reader 9 applications.

What happened here today was a miracle

“and I want you to f**king acknowledge it!”

Free MSI Editor: InstEd

I haven’t used Orca to edit MSI files since I found Camwood appEditor around November last year. Since then though, appEditor has become has become InstEd and it’s even better than its’ predecessor.

Customise the Windows Vista Default User Profile

There are numerous ways to customise the default user profile in earlier versions of Windows, including:

WAIK Documentation Updates

An update to the documentation included in the Windows Automated Installation Kit are available:

Windows Update 80092026 plus Certificate Crypto Operation Failed

Ok, two separate issues but here, but fixed the same way. First up is Windows Update reporting:

Better Screen Shots For Documentation And Blogging

There are three tools that I use for creating and managing screen shots for documentation and posting here on my blog:

Deploying Adobe Reader 9 for Windows

First Impressions

App-V 4.5 Putting It's Best Face Forward

What’s the best new feature of Microsoft Application Virtualisation 4.5? There’s plenty to pick from, but I’m digging the new Vista style icons:

Remote Desktop Connection 6.1 for Windows XP SP2

Want the Remote Desktop Connection 6.1 client for Windows XP but can’t update to Service Pack 3 or Windows Vista? No need to hack files from SP3, just grab the update from here:

Fixing Windows Explorer security warning prompts

Last week I wrote about avoiding Explorer’s Security Warning prompts, this time around I want to document a related fix that I’ve had to implement because Explorer’s expected behaviour was not just not working.

Avoiding Explorer&rsquo;s Security Warning Prompts

Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 made some changes to the way Windows handles specific file types opened or downloaded from certain locations, which results in Open File – Security Warning prompts like these:

Sun JRE Install Script Update

I’ve updated my Sun Java Runtime Environment 1.6 Update X script, again. Updating this script seems to be a never ending task, usually because I find mistakes but this time around I’ve made a couple of changes including Windows x64 support. The script will now supports installing the 32-bit version of the JRE on x86 and x64 Windows and configures the environment accordingly.

Intel vPro and Network Access Protection

Here’s something I found interesting about Intel’s vPro management tool - Network Access Protection interaction is supported in hardware - even before the operating system has loaded. This isn’t mean to replace the agent in the OS, but it great stuff from a management perspective. Here’s the details:

Update On Running Adobe CS3 Applications In SoftGrid

I have previously detailed some efforts on sequencing some of the Adobe CS3 applications (Photoshop, Illustrator and InDesign) and some challenges related to the FLEXnet licensing component that comes with each application. It’s only recently that we’ve been able to do some user acceptance testing and we’ve found that the applications have failed.

Setting Visio Viewer As Default

Got both Visio Viewer 2007 and Visio 2007 on the same machine but want to set Visio Viewer as the default for some users? Here’s what you’ll need to do.

Disk Usage Display Improvement In Windows Vista

I’ve stumbled across a nice usability improvement in Windows Vista that had escaped me until today - the display of free disk space. Of course this feature has been in Windows Explorer since Windows 95, but the improvement in Windows Vista and Windows Server 2008 is the reporting of disk space when a drive is mapped to a remote share with disk quotas enabled.

Update To Fix Flash Handling on Presentation Server

Yay, great news - Citrix has released an update to fix the handling of Adobe Flash versions for Presentation Server 4.0. This has currently been released as part of the latest hotfix rollup for Presentation Server 4.0.

Citrix Enters The Profile Management Space

As you’re probably aware, because all the major blogs have covered it already, Citrix has purchased sepagoProfile from sepago with an agreement for sepago to continue development over the next 18 months. The product will become Citrix User Profile Manager.

Troubleshooting Windows Vista Performance KBs

To get the best out of Windows requires the wipe and load approach when confronted with a slow performing OEM install. I’m working on a post to that effect and Ed Bott has some great articles on Windows Vista performance lately (not that I think I’m in Ed Bott’s league).

No Redirected Folders? Just Wait Longer

No, Ace Ventura hasn’t started writing knowledgebase articles, it’s the advice given about an issue with redirected folders in Windows Vista and Windows Server 2008. I haven’t seen this myself, but fortunately there’s a better workaround than waiting 12 minutes.

CutePDF: F A I L

This:

Citrix Drops The Icon Ball

Instead of waiting for Citrix to support Windows Vista icon sizes in their new beta client, I’ve updated it myself. I’ll bet the Mac OS X client gets a full size icon (Leopard supports 512 x 512 pixels). Why does Vista have to be a second class citizen?

Free Microsoft Visio Resources

I’ve seen some Visio resources popup around the place recently and though that these were worth sharing.

SoftGrid Applications Keep Coming Back

I’m currently seeing this in my own lab environment - SoftGrid application shortcuts are created even though the application has been disabled, deleted or the user account has been removed from the application group.

May User Group Presentations

SoftGridPresentation I’ve got two user group presentations coming up next month where I’ll be presenting on Microsoft SoftGrid and why I think application virtualisation is great stuff. Hopefully I’ll be able to fit in a bit about some other appvirt products in there too.

Comparing eSATA To USB For External Drives

I’ve just purchased a new SATA-based external hard drive to use with demos and I thought I would share some details about the performance gain over my older ATA-based hard disk.

Getting Rid Of That Unblock Button

I actually don’t mind UAC at all, but this button is really annoying:

Delay On Windows Vista With Redirected Desktop

If you are redirecting the Desktop folder for users on Windows Vista laptops, a knowledgebase article just been published that might be useful to you. Here’s details of what this article addresses:

PowerShell on Server Core

PowerShell running on Server Core

Providing Redirected Start Menus To Laptops

Sounds like a great blog post (and it gives my an excuse to avoid my eight other draft posts), so here’s my answer:

Building Dynamic Start Menus With Access-Based Enumeration

I hinted at creating dynamic Start Menus using Access-Based Enumeration (ABE) in Windows Server 2003 SP1 and above. I have read an article on this subject previously on the Internets, but the tubes must be clogged up as I can’t find it anymore. If anyone has a link please let me know, because I would like to link to it.

Access-Based Enumeration in Windows Server

You remember Access Based Enumeration right? I’m often surprised by people who didn’t know this features exists, so here’s refresher.

Changes To DACL Settings In Windows Vista

A new knowledge base article was published a couple of days ago, that details the NTFS DACL changes in Windows Vista (and Windows Server 2008): Changes to the default NTFS Discretionary Access Control List (DACL) settings in Windows Vista

In Defence Of The Windows Server 2008 Step-by-Step Guides

and I’m left scratching my head. His beef with the guides is that they haven’t yet been updated for RTM and still include some older terminology:

Remote Server Administration Tools Available

The wait is finally over - the Microsoft Remote Server Administration Tools are available. The RSAT also includes a the command line version of the tools as well. There is a knowledge base article, KB941314, but it’s not yet available.

Blog Plug: Vista Vitals

Gordon Martin from Canada writes a great blog on his experiences deploying Windows Vista. It’s a good read and there’s a fair number of little gems in there. I’ve been meaning to post some links to his site for some time, but I’ve just been slack and haven’t gotten around to it. Who is Gordon? Here’s what he says:

Application Compatibility And The Benefits Of Virtualisation

SoftGridAppCompatIf there’s ever a great example of the benefits of application virtualisation it can often be found in the little things.

Placing The SoftGrid User Data Directory

SoftGridUserData If you’re in the process of rolling out SoftGrid Application Virtualisation, you’ve most likely considered placement of the User Data Directory. The User Data Directory (or user cache) holds application configuration that would normally be stored in the user profile.

Windows Command Line Reference Documentation

for Windows Server 2003, Windows Vista and Windows Server 2008, which curiously doesn’t include every command line tool in Windows.

The Short NAP: Thursday March 13 2008

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

IIS 7.0 Manager Released, RSAT Soon Too?

IISManager128

Export Your Product Keys Before Your TechNet Subscription Expires

With Windows Vista and Windows Server 2008 requiring activation for all versions, the days of grabbing the corporate key for home use have gone. 

New Java Runtime Coming. Set Phasers To Yawn

for release later this year and there’s a couple of changes to this version that have some bearing on deployment. I can’t imagine there is an enterprise out there that doesn’t have to deal with Java applications.

Group Policy Preference Client Side Extensions Available

Microsoft have made available the Group Policy Preferences Client Side Extensions for download and deployment. You’ll need Windows Server 2008 or Windows Vista SP1 with the Remote Server Administration Tools (not yet available) to manage these. You do not need to upgrade to a Windows Server 2008 domain to use Group Policy Extensions which is fantastic.

SoftGrid Tip: What's On That Q: Drive?

Here’s a nice SoftGrid tip from one of the guys in the team here.

Planning and Deploying Group Policy? This Is For You

servertools.pngHere’s a great document from the Microsoft writing team on planning and deploying Group Policy for Windows Server 2008. Many of the details in this document do apply to Windows Server 2003 and Windows 2000 Server as well. This document is the place to start for anyone dealing with Group Policy, no matter what your experience is.

The Short NAP: Tuesday February 19 2008

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

Server Manager's Power Is In The Command Line

Like most IT Pros deploying and managing Windows Server, I’ve avoided the wizard interfaces, like Manage Your Server, in previous versions of Windows. However with Windows Server 2008, Microsoft have actually succeeded in creating a tool that I think people will find indispensable.

Update Adobe Reader Now, PDF Exploits In The Wild

![updateadobereader]/media/2008/02/updateadobereader.png)

Citrix Hotfix Turns Oracle JInitiator Pink

A workaround has been posted in the forums. Run the following command to exclude Internet Explorer from the multiple montior hooks that Presentation Server provides:

REG ADD "HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Multiple Monitor Hook" /v Exclude /d "iexplore.exe" /t REG_SZ /f

The Short NAP: Thursday February 7 2008

Network Access Protection is a great new feature of Windows Server 2008 that will help you understand the health of your client machines (Windows Vista and Windows XP Service Pack 3) and increase the trust in your network.

Virtualising Apple QuickTime 7.x

Here’s how to create a custom Apple QuickTime 7.x installation for virtualisation. This post specifically deals with virtualising QuickTime with Microsoft App-V, but the general process should be similar for any application virtualisation product.

Download: Microsoft Consulting Services Sequencing Guide

Microsoft have posted a guide from Microsoft Consulting Services that details their best practises when sequencing applications.

Book: Windows Server 2008 Networking and Network Access Protection

MSPress has turned up from Amazon today. This is a hefty book - at 816 pages it weighs a ton but there’s plenty of detail.

Bypass Windows Live Installer With Direct Install Downloads

windowslive.pngLooking to bypass the Windows Live Installer and want direct access to the Live suite application installers? Here’s where to find them. Credits go to the Vistax64 forums and Snakodus.

Disable Adobe Updater When Sequencing CS3 Apps

Like all of the current Adobe applications, the CS3 suite comes bundled with Adobe Updater 5. When you are sequencing any of these applications you should ensure that Updater is disabled or not installed.

Addressing Apple Bonjour With Adobe CS3 Apps On SoftGrid

bonjour-softgridbox.pngThe Adobe CS3 products include the Apple Bonjour service for use with the Adobe Version Cue server. You can view information on this implementation here: Adobe Creative Suite 3 and Creative Suite 3 components install Bonjour (Windows)

Addressing Licensing Issues With Adobe CS3 Apps On SoftGrid

Adobe uses Macrovision FLEXnet to enforce licensing for their applications. This is a service that is installed when you install any of the CS3 applications and will start when you launch a CS3 application. This licensing tool is installed even if you are using volume license media.

Updating Flash On Presentation Server? Consider SpeedFlash First

adobeflash.pngLike any good IT pro you’re probably keeping an eye on the latest software releases and updating to keep on top of security updates. When it comes to Adobe Flash under Citrix Presentation Server, you’ll want to ensure that the latest update is supported by SpeedFlash/SpeedScreen.

Should We Need To Inform The User They're Running With Limited Rights?

Expecting an application to execute correctly when run with limited user privileges should be something that we take for granted. Alas in the real world this is not the case, but things are getting better, if slowly.

Windows Server 2003 SP2 Administration Tools Pack Available

The Service Pack 2 Administration Tools pack has been released as a stand alone package. I’m fairly certain this is new - I don’t recall seeing this download before and the knowledgebase article was updated just yesterday.

SoftGrid, Presentation Server And Internet Explorer As A Help System

internetexplorer-softgridbox If you’re deploying applications on Citrix Presentation Server via Application Virtualisation/SoftGrid, you may run into issues with applications that utilise a local HTML based help system. These applications will generally launch Internet Explorer as the viewer and in our case, we’ve found that IE is launched outside of the protected environment and thus never sees the help content located inside the environment.

The Short NAP: Thursday January 10 2008

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Thursday the 10th of January 2008:

Loading Local AppVirt/SoftGrid Packages on Windows Vista

windowsvista-softgridbox.pngTesting applications inside the Microsoft Application Virtualisation (SoftGrid) bubble, from local packages (i.e. not streamed from the server) on Windows Vista requires a configuration change due to User Account Control. If you attempt to load an application from a local OSD file, you will receive the following error:

Remote Access Makes Users Happy

HP and the Chief Happiness Officer have teamed up to make the UK happy at work. It’s all about giving users choice and remote access looks to be a big part of that. 800 employees across different companies were ‘experimented’ on and the results speak for themselves:

Tip Of The Day - Ain't Got No Tips

It’s been a while since an entrant in the Hall of Shame, so today I’m pleased to bring you a bit of a chuckle courtesy of ACDSee Standard 5.0. It seems that the Tips dialog in this old version, doesn’t like it if you’ve installed the application to a non-default location (think sequencing in SoftGrid). Perhaps this dialog has a case of what my wife would call “Man eyes” - very similar to inattentional blindness.

Set Default Formats for New Office Documents from Windows Explorer

If you’re deploying Office 2007 and haven’t yet standardised on the new file formats, you’re probably already aware of how to set the default file formats via Group Policy, or using the Office Customization Tool to set the defaults before installing Office.

MSI Utility for Microsoft Application Virtualization Available

No official word from the SoftGrid/Application Virtualisation blog yet, but Microsoft have released the MSI Utility for Microsoft Application Virtualization for converting your sequenced application to MSI installs.

Windows Vista SP1 - Streamlining UAC Interaction

Here’s a great example of the improvements to interaction with User Account Control in Windows Vista Service Pack -creating folders in system locations (e.g. the Start Menu, Program Files etc.). This is probably the most ‘in your face’ UAC interaction, and beyond this I’ve personally found UAC to be quite usable.

The Short NAP: Monday December 17 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Monday the 17th of December 2007:

Running the latest Oracle JInitiator

Here’s a really simple method for using running the latest version of the Oracle JInitiator even though your application may require a specific version. DISCLAIMER: This is most likely unsupported by Oracle but it thus far it’s worked for me. If you’re worried about your applications breaking don’t implement this hack.

Sequencing Adobe InDesign CS3

indesign-softgridbox.pngAdobe InDesign should be the last of the Adobe CS3 applications that I’ll have to sequence and like Illustrator, Photoshop and Acrobat, I had the same issues with sequencing and running the application on the client. So I don’t have to repeat myself, check out those posts first and here are the basics for sequencing InDesign CS3.

Sequencing Adobe Illustrator CS3

illustrator-softgridbox.pngAs with my earlier posts on sequencing Adobe Acrobat 8 and Adobe Photoshop CS3, I’ve struck the same manifest issues with Illustrator CS3. Here’s a quick breakdown on what I needed to do to get this application working:

Sequencing Adobe Photoshop CS3

photoshop-softgridbox.pngDeploying Adobe applications with SoftGrid/Microsoft Application Virtualisation certainly takes a lot of patience, because like Adobe Acrobat, Photoshop took quite a long time to sequence and troubleshoot. Sequencing the application alone will take around 6 hours, but your mileage may vary.

More on SoftGrid and Adobe Acrobat

adobeacrobat-softgridbox.pngAfter working on sequencing Adobe Acrobat 8 Professional for the better part of four days, I’ve come to the conclusion that this application is just not going to work well from within SoftGrid. Here’s my reasoning:

SoftGrid: Sequencing Adobe Acrobat 8 - The Story So Far

adobeacrobat-softgridbox.pngI’m not completely convinced that Adobe Acrobat (not Reader) is the best candidate for deploying via application virtualisation techniques, but if you’re looking to do it you’re in for a bit of a ride.

The Short NAP: Friday November 22 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Friday the 22nd of November 2007:

SoftGrid Infrastructure Planning and Design documents available

Microsoft have just made available a new series of Infrastructure Planning and Design (IPD) documents. The IPD documents are essentially the new version of the Windows Server System Reference Architecture:

Enable Streaming from File in SoftGrid 4.5

The default behaviour of the SoftGrid Application Virtualisation 4.5 client is to not allow applications to be streamed from a file, i.e. streaming an application from a local OSD file rather than from the server. If you attempt to load from a local package, you may see an error similar to this:

SoftGrid Client Error: 411136-0E80A704-00001213

If you’ve ever added regsitry entries to your SoftGrid OSD file, you may receive an error like this, even though the entries are completely valid:

New Group Policy White Papers Up For Grabs

Here’s a couple of new Group Policy white papers released to the Microsoft Download Centre. They detail some great Group Policy additions coming with Windows Server 2008 and the Microsoft Desktop Optimisation Pack. The Advanced Group Policy Management tool came out of what was DesktopStandard GPOVault and Group Policy Preferences is what used to be PolicyMaker.

SoftGrid: Launch Windows Explorer inside the bubble

If you’ve attempted to launch Windows Explorer as a component of your SoftGrid sequenced applications, you may find that you are not able to view folders within the SoftGrid protected environment (i.e. inside the bubble). When you attempt to view a folder that lies within the bubble or your SoftGrid drive letter, you will receive an ‘Access Denied’ error. The reason for this is that the Explorer process is not running within the bubble and thus you won’t have access to those folder locations.

Windows Vista components available for Windows XP

Here’s a list of components developed for Windows Vista or during the same development time frame and included in Windows Vista, that have also been made available for installation on Windows XP:

Microsoft Deployment Available on Download Centre

Microsoft Deployment looks to have made it’s way to version 1.0 and is available on Microsoft’s Download Centre. There’s no real confirmation that this is the RTM/RTW release but it’s just been posted so I can only assume.

Sun Java 6 Update 3 Deployment Script

I’ve just updated my Java Runtime Environment install script for Sun Java 6 Update 3. Apart from supporting the latest JRE update, this version of the script fixes some registry changes that I hadn’t got quite right previously. If you’ve not seen this script before here’s a breakdown of what it does:

CD/DVD Writing via Script with IMAPIv2

Looking to write to CD or DVD media via a script? Did you know that Windows includes an API to do just that? Version 2.0 of this API that is included in Windows Vista has also been made available for Windows XP and Windows Server 2003: Image Mastering API v2.0

My Samsung P2 Review: great device with room for improvement

Any review of a touch screen digital audio player or phone is going to inevitably compare to the iPhone/iPod touch, but touch interfaces are the way forward because they just make sense. So here’s my quick and dirty review of the Samsung P2 which turned up this morning.

Hey Look! A Developer Who Gets It!

Well they came close, really close, but full marks goes to Axialis for first making the command line options for their installer and then making them nice and easy to see too. I got a nice surprise when installing the latest version of Axialis IconWorkshop, which has a link to the command line options right on the setup wizard. Now if only the setup programme was based on Windows Installer I’d be even more impressed.

Adobe Reader 8.1.1 Available

This is a about a week old (I’ve been away in Italy so I’m a bit behind), but Adobe have released Reader 8.1.1. Currently only available in English with quite a few languages still only receiving 8.0. You can download the full installer here and find what’s been updated here. Good news is that my deployment instructions and transform for 8.1 are still valid for this version.

One Click Citrix Access Management Console Uninstall

Citrix provide a nice installer for the Access Management Console that you can automate to script the installation of the AMC. However, if you’ve ever needed to remove the AMC you’ll find that you need to remove each component one at a time. Because there are 9 components, this can become a little tedious.

"Page Cannot Be Displayed" in McAfee ePO?

Don’t get me started on the ridiculousness of wrapping an MMC console around a web application served by Apache Tomcat to administer McAfee’s ePolicy Orchestrator (surely one or the other, not both), but you may see this error after you log into the console instead of seeing the expected settings window:

Prevent Terminal Server Help From Displaying At Logon

terminalserverhelp.png

The Short NAP: Friday September 28 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are the links for Friday the 28th of September 2007:

Adobe Flash and Shockware Players direct download links

Flash logo

The Short NAP: Wednesday September 12 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. This one is a little too semi-regular, so this is almost three months worth of links. Here are the links for Wednesday the 12th of September 2007:

ISA Server 2006 Supportability Update

Don’t call it a service pack, but what’s a service pack by any other name? Seems it’s a “Supportability Update”. Microsoft have released an update for ISA Server 2006 that brings the features that ISA Server 2004 got with Service Pack 3. Here’s the breakdown of what’s included:

Script: Update Published Application Icons

In a previous post I detailed updating your Citrix Presentation Server 4.5 environment to support true/high colour icons for published applications. One of the steps mentioned in the post is that you need to delete and re-publish each of your published applications to get a high colour icon, which detailed in the release notes for PSE450W2K3R01.

Unattended Citrix Access Management Console

If you’re looking at deploying the updated Access Management Console you might be interested in how to perform an unattended install. There are really two ways to do this:

Group Policy Diagnostic Best Practice Analyzer

Here’s an interesting tool that Microsoft have just released - the Group Policy Diagnostic Best Practice Analyzer:

High Colour icons for Citrix Presentation Server applications

Citrix have released (and even re-released) whole slew of updates in the past few weeks that finally get’s a feature of Presentation Server working that’s close to my heart - high colour icons. Yes, high colour icons - the single most important feature that Citrix could add to Presentation Server! Forget application streaming, the new killer feautre is high colour icons!

Creating Custom MetaFrame Admins with VBscript: Part 2

Creating the Administrator
Now that we can read the privileges from an existing administrator object we can determine which privileges to write to a new administrator. In this post I have listed a script that you can use to create the custom administrator account.

Creating Custom MetaFrame Admins with VBscript: Part 1

Overview
Setting privileges on a custom administrator account in Presentation Server is not quite as simple as I thought when I set out to create a script to do so - there’s not much information on the CDN forums, so this was a bit of trial and error.

Windows Script 5.7 Available for Download

We all know that PowerShell is the future, but Microsoft have released an updated version of Windows Script for Windows 2000/XP and 2003 (to match the version included with Windows Vista). You can read the release notes here.

Quering Domino via LDAP with VBscript

I don’t really want to admit to interacting with Lotus Notes but that’s a part of what I’m doing currently. More specificially I’m attempting to query Domino via LDAP with a VBS script. It turns out that this is a fairly simple process and you can use the Active Directory Provider built into Windows.

NAP Component Diagram

Following on from the Windows Server 2008 Component Posters, I’ve made a nice PNG of just the NAP component. This does a great job at giving you an overview of how the NAP components work, much easier than trawling though a document. Click on the picture below for a larger view and enjoy:

Windows Server 2008 Component Posters

( Via Aaron Tiensivu and Bink, this might be old news)

The Short NAP: Thursday July 12 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 12th of July 2007:

Malware Removal Starter Kit

Here’s something that’s caught my eye up on the Microsoft Download Centre which I thought might be useful to someone:

The Short NAP: Thursday June 14 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 14th of June 2007:

Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

Adobe Reader 8.1 Direct Download Links

For anyone deploying Adobe Reader, the direct download links for Adobe Reader are far more useful than the standard download that attempts sell you on how great Adobe Photoshop Album Starter Edition and the Google Toolbar are.

Deploying Adobe Reader 8

Deployment of Adobe Reader in an enterprise environment has been much simplified since version 6, however there is still some important preparation before you think about deploying version 8. Adobe have compiled information on enterprise deployment which are available on the following pages - I prefer the developer page over the page aimed at IT professionals because it has more information and is a little easier to read:

Adobe Reader 8.1 Released

Adobe have released version 8.1 of Reader that includes updates for Office 2007 and Windows Vista, including preview in Outlook 2007. I’ll update my Adobe Reader deployment tools as soon as I can, however I don’t see any reason why ~~[my existing transform files](/deployment/disable-adobe-updater-with-adobe-customization-wizard-8) won’t work with this version~~ my existing transform files won’t work with this version, so expect updates soon. If you are looking to download the latest version here is the direct download link:

Diary of an Exchange 2007 Upgrade: Part 5

Dear Diary,

The Short NAP: Thursday May 31 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Thursday the 31st of May 2007:

How to Move a Storage Group in a Cluster Continuous Replication Environment

TechNet has an article on moving the database and log file paths for a Storage Group in an Exchange cluster running in a Cluster Continuous Replication environment, however it’s missing a couple of steps which are fairly important to the process.

Diary of an Exchange 2007 Upgrade: Part 4

Dear Diary,

Diary of an Exchange 2007 Upgrade: Part 3

Dear Diary,

The Short NAP: Wednesday May 23 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Wednesday the 23rd of May 2007:

Diary of an Exchange 2007 Upgrade: Part 2

Dear Diary,

Diary of an Exchange 2007 Upgrade: Part 1

Dear Diary,

Service Pack integration issues? It's probably something simple

I was having some issues integrating Windows Server 2003 Service Pack 2 into a copy of Windows Server 2003 Enterprise R2 x64. The updater would keep reporting this error and bomb out:

Repost: Microsoft Australia TechNet Updates, June

Via the Microsoft IT Professional Blog Downunder, some very technical presentations are heading our way. These look great, if you’ve got the time and are local I recommend checking these out. You can register at the Australian TechNet site.

VMware ESX Server and Security Update MS07-22

We’ve had some issues with 32bit Windows on VMware ESX 3.0 which has been causing servers that have been patched with the MS07-22 security update to freeze on boot. The severity rating for this patch is Important and it fixes a vulnerability in the Windows kernel, you can read more information about this patch here:

Exchange Server 2007 and Public Folder Replicas

During a migration from Exchange Server 2003 to Exchange Server 2007 you need to add the Exchange 2007 server to replicas for each of the Public Folders (as you would need with any Exchange server migration) and this includes the System folders as well.

Access Gateway Advanced and Outlook Web Access 2007

If you are looking at implementing remote access to Outlook Web Access 2007 through Citrix Access Gateway Advanced you’ll find that things aren’t going to work as expect and currently this configuration is not supported by Citrix.

The Short NAP: Monday May 7 2007

The Short NAP is a (semi-regular) quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Monday the 7th of May 2007:

Installing Office 2007 on Terminal Server

When install Office 2007 on your Terminal Servers there are a few things you’ll need to be aware of. The first of which is that you will need an Enterprise or Volume License key, i.e. those keys that use Volume Activation 1.0 and do not require activation. There is also some configuration and installation options that I recommend you set before and after installation.

Deploying Office 2007 with Group Policy Startup Scripts

In a previous post I discussed what you need to do to start deploying Office 2007. In that post I referenced a page that Microsoft linked to, but have not actually posted (Use Group Policy to Assign Startup Scripts for 2007 Office Deployment). So in this article I’ll go through a couple of ways you can use Group Policy startup scripts to deploy Office.

Group Policy Application Deployment Done Right

In this article I’ve outlined what I recommend for best utilising Group Policy to deploy applications. Deploying applications via Group Policy is a fairly straight-forward process, if a little limiting, however if you don’t do it right you could be setting yourself up for some pain down the track.

ISA Server 2004 Service Pack 3

Microsoft have released ISA Server 2004 Service Pack 3, which includes support for Exchange Server 2007 and updated log viewer functionality:

Firefox on Vista doesn't have to be so ugly

Because non-native UI sucks, here’s a couple of extensions that help to make Firefox look much better on Windows Vista. These extensions mimic the Internet Explorer 7 interface, including the Windows Vista menus, making Firefox feel far more at home.

The Short NAP: Wednesday 25th April 2007

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Wednesday the 25th of April 2007:

Unattended VMware Tools

Here’s how to create an unattended installation of VMware Tools which I’ve aimed specifically at Terminal Servers, however you can apply the same concepts for any Windows server installed under any of the VMware virtualisation products.

Files Not Moved to the Recycle Bin?

On our internal Terminal Servers the CEO has been having an issue whereby files or folders are not sent to the Recycle Bin, rather they are immediately deleted. If you logon with administrative rights on the machine, you can send files to the Recycle Bin. To date, he’d been told that this would be fixed once we move to some new boxes (which I did last week). Unfortunately the problem also exists on the new Terminal Servers which I only found out after the CEO pointed the problem out to me (luckily he’s a pretty understanding guy).

The Short NAP: Sunday 22nd April 2007

The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation related links from around the web. Here are links for Sunday the 22nd of April 2007:

Unattended Presentation Server 4.5

While things haven’t changed much since Presentation Server 4.0, I’ve put together what you’ll need to create an unattended install for Presentation Server 4.5. First up I’ve made a copy of the installation files from the CD and added them to a single folder. This includes a copy of the administration tools in the same folder:

PolicyMaker and Internet Explorer 7

If you are working with PolicyMaker Registry Extension, or any of the other PolicyMaker products, you will find the Microsoft Management Console will crash when you select the User Settings / Registry node when editing the Group Policy on machine that also has Internet Explorer 7 installed. If you look at the crash details you will see that the fault is with MSHTML.DLL.

Error with OUTLK12.ADM

The ADM/ADMX templates have been updated and include the fix for the Outlook template. See the download link below to update your templates.

Changing Icons and Labels for Mapped Drives

I had a need on a Terminal Server project last year to change the icon and label for client-mapped drives in use by Citrix Presentation Server clients. This proved to be quite easy to implement and actually worked well for users as they could more easily identify the drive mapped to their local C: drive.

An Exchange 2007 Upgrade Is Like a Poke in the Eye

I’ve upgraded our internal Exchange organisation over the last week and I’ve got to say Exchange 2007 is a completely different ball game. Now for seasoned Exchange architects and administrators a lot of the Exchange 2007 upgrade process is probably not new, but for those of us who don’t look after Exchange full time it’s a steep learning curve. The biggest challenges for me have been around the new Exchange Management Shell. I think the implementation of PowerShell as the basis for all Exchange management is a good thing - there’s nothing like being able to paste the exact command line into your change log. However there’s been a couple of issue that I’ve got with Exchange 2007:

Office 2007 Deployment via Group Policy

If you are looking at deploying Office 2007 via Group Policy you may have noticed that Microsoft have changed the game. Office 2007 is no longer deployed using transform files; it now uses Windows Installer patches (.MSP) or CONFIG.XML to customise the Office installation.

Windows 2003 R2 and Integrated Service Pack 2

I recently ran into a spot of trouble with integrating Windows Server 2003 Service Pack 2 into Windows Server 2003 R2. After successfully installing Windows Server 2003 with integrated Service Pack 2 on a server I ran the R2 installer (SETUP2.EXE) and was greeted with this message:

A Quick Look at the Windows Vista MMC Consoles

There’s got to be a quicker way of getting to the management tools in Windows right? Well here’s a quick look at the MMC files included in the base install of Windows Vista. I’ve put together a list of those files and whether you need to elevate to run them. If you do need to elevate you will have to do so by running them from an elevated command prompt. Note that you can run these without having to add the .MSC extension. The exception to this is SERVICES.MSC.

The Joy of a New Laptop

A couple of months back my old Toshiba TE2100 laptop that my wife has been using packed it in and it was time to look at a new one. I settled on a Dell and took delivery of a Dell XPS M1210 laptop last week. So far I’m pretty impressed. Here’s a breakdown of the features that I picked up for AU $2840:

The Short NAP: Wednesday 4th April 2007

The Short NAP is a quick list of NAP and Server/Domain Isolation links from around the web. Here are links for Wednesday the 4th of April 2007:

Group Policy Scripts can fail due to UAC

If you are starting to deploy Windows Vista you may have noticed that any user who has administrative access to their workstation will not receive mapped drives or printers. This is due to the new privilege model introduced in Windows Vista with User Account Control.

Adventures in Access Gateway 4.5 Upgrade

Upgrading our Access Gateway last night proved to be a bit of a challenge where perhaps it should not have been. The problem was not with the product, more due to the time between installs. Access Gateway is generally requires little administration after deployment and it’s certainly not a product I get to work with every day. So what problems did I run into? Well, things that should have been quite obvious from the start, so here’s how I got there and fixed them and how I won’t make the same mistakes twice.

Why Are You Still Writing ADM Templates?

Microsoft have pulled the PolicyMaker Regsitry Extension download. This product is part of what is now known as Group Policy Preferences, a new feature of Windows Server 2008 and 2008 R2.

Citrix Access Gateway and Scans for Domain Membership

The Endpoint Analysis feature of Citrix Access Gateway Advanced allows you to scan the client machine for specific criteria before the user is allowed access to internal network resources. One of these scans is machine membership of your internal domain. When configuring this scan you specify the NetBIOS name of your domain and apply this scan to a logon point or filter.

Recent Documents Sidebar Gadget

I came across a Windows Sidebar gadget the other day which is actually proving to be useful - the Microsoft Office 2007 Recently Used Documents gadget. It’s quite handy having a list of your recent documents available without having to go through the Start Menu. I recommend checking this one out.

Unattended Citrix Advanced Access Control Part 1

I’ve spent some time in the past couple of days working out how to do an unattended install of Web Interface and Advanced Access Control and certainly been a challenge. Whilst I haven’t worked everything out, I thought that I would outline what I’ve found out thus far. Why would we want to automate the installation of AAC? Just like your Terminal Servers, the servers running AAC should be stateless, so an unattended installation will provide a method for replicating servers and for disaster recovery.

The Short NAP: Tuesday March 20th 2007

I’ve been speedlinking some interesting Network Access Protection links in the past (which you can find here, here, here and here) and as speedlinking is so very 2006, I thought that I would rebrand these types of posts to ‘The Short NAP’. So here’s The Short NAP for Tuesday 20 March 2007.

Customising the Presentation Server Client Installation Part 2

In my previous article on customising the Presentation Server Client, I outlined the steps required to make a custom package for deployment to your client machines. That just article covers creating the custom package using the packager, but there a few other customisations you might be interested in:

Crash the ISA Server Firewall Service - Open All Inbound Ports

Here’s an easy way to crash the Microsoft Firewall service in ISA Server - create a server publishing rule that allows all high ports inbound to an internal NATed IP address.

Windows Server 2003 SP2: What's in it for Terminal Servers?

Now that Service Pack 2 for Windows Server 2003 has been released, I thought that I would take a brief look at what’s new for Terminal Servers:

Uninstalling Adobe Reader

If for whatever reason you are looking to remove Adobe Reader from your computers, here’s how to remove these applications via a script or some other unattended means. I have tested this with Adobe Reader 6.0.1, 7.0.9 and 8.0 which are all readily available from the Adobe web site and all use Windows Installer. I was also able to test Adobe Reader 5.1 which utilises a standard setup application from InstallShield.

Presentation Server Client 10 still uses Windows Help

Gee, I expected a little more than this from Citrix - the new Presentation Server Client version 10 is still using the old 16-bit Windows Help format (.HLP). What’s the problem with this you say? Well, Windows Help is no longer included with Windows Vista and Microsoft have been discouraging its’ use for some time now. Yes you can now download a version of Windows Help for Vista from Microsoft, but it’s not guaranteed to work with all .HLP files.

Customising the Presentation Server Client Installation Part 1

The Citrix Presentation Server Client provides the ability to customise the client before you deploy it to your workstations. Customisation of the client is an important step to ensure the best possible experience for your users and it is yet very simple to achieve:

TweakVI encourages users to turn off UAC

TweakVI is a tweaking and “optimisation” application from Totalidea that is essentially a front end for a large number of registry settings that you can enable or disable to change the behaviour of features in Windows Vista. The application is mainly aimed at power users but I would assume that some slightly less power users would be interested in this application as well.

Safely Remove Hardware, gets a facelift, almost

There are quite a few design choices in Windows Vista that have me baffled, especially where an interface change to me seems quite logical but Microsoft have not implemented one. The Safely Remove Hardware feature is one such change.

Windows Vista Previous Versions, System Restore and Disk Space

While checking out where my disk space was being consumed on my Windows Vista machines, I found that System Restore was the main culprit. So to reclaim my lost space I disabled it. Here you can see the before and after impact on the system drive of my desktop - close to 3GB was freed:

Print Migrator utility included in Windows Vista/Longhorn Server

Microsoft’s Windows Server 2003 Print Migrator 3.1 has now been rolled into the operating system with Windows Vista and Longhorn Server in the form of the Printer Migration Wizard. This new version is very simplified and comes as a UI, as you can see in the screenshot below, and a command line version.

SafeWord RemoteAccess Keeps You Waiting

If you are ever installing SafeWord RemoteAccess, don’t be in a hurry. Be prepared to wait while the Setup application downloads the application updates from the SafeWord site, you could be there a while. It’s clocked just over an hour now and it’s not my end:

The Short NAP: Friday 2nd March 2007

Here’s a few interesting NAP links from the past several weeks:

Configure Vista KMS on Windows Server 2003

Unfortunately life with Windows Vista means living with Microsoft’s Volume Activation 2.0. For complete information on Volume Activation 2.0 see this TechNet page:

Install the Windows Deployment Services Console on Vista

Installing the Windows Deployment Services MMC on Windows Vista is a simple process:

Citrix Client and Hotfix Updates

Citrix have released version 10 of the Presentation Server Client and the new Citrix Streaming Client as well as Hotfix Rollup 3 for Presentation Server 4.0:

Support Tips for Administrators

Being a project engineer for an outsourcing company, much of my time is spent working with system administrators rather than users but like users system administrators, need help from time to time. So here are a couple of tips related to support that I think are worth sharing (or re-sharing for those already in the know):

Intel Graphics and the Dynamically Generated DLL

I’ve recently noticed a DLL file from Intel that keep reappearing on my system drive and I’ve tracked this down to the display software on my laptop - I’ve recently moved to a Dell laptop that has an Intel 945GM display adapter. Here’s the DLL in question:

Changing the Citrix Web Interface Font Face

I’ve never previously had to change the font face in Web Interface, but I’ve had to it today for the first time ever. Now one would think that this would be in a custom style sheet, but the CSS is actually inline in the Web Interface web pages.

You cannot share the Normal.dot file among multiple users in Word

On a semi-regular basis I see an issue on customer networks whereby users receive errors in Microsoft Word similar to the following:

Tech Support in the Middle Ages

UPDATE: Unfortunately the video has been pulled. Hopefully someone can track down another link.

Software Quality? What's that?

I’ve seen some dumb software in my travels and Mercury Quality Center is no exception; however this one has got me scratching my head.

Fatal Error during Windows Setup

I received the following error (in a dialog box) from Windows Setup on a Terminal Server running Windows Server 2003 not long after GUI-mode setup started:

Link: Microsoft Cluster Configuration Validation Wizard

Microsoft have release a new tool, ClusPrep, for testing your servers readiness before you create a cluster to run things like Exchange and SQL:

Sophos Anti-Virus: Hide the Tray Icon

During my quest to disable as many tray icons as I possibly can, I’ve had to track down how to disable the tray icon for Sophos Anti-Virus in a Terminal Server environment. This one is pretty easy, it’s just a single DWORD registry value:

Objective 7 Error Logging: Access Denied

Objective is an Enterprise Content Management system from Objective that uses a Win32 client that plugs into Office and can also be used as a stand-alone application for access to documents. I’m not a user of the application so I don’t really have an opinion on its effectiveness but organisations buy it so it must do the job.

The Short NAP: Saturday 3rd February 2007

Lot’s of NAP in the news over the past week or two, now if only I had the time and resources at the moment to do some more NAP testing.

Installing Microsoft Update Standalone Packages Silently

I can find very little information on the Update Standalone Packages on the Microsoft site, with this knowledgebase article being it. What I do know about them is that they use a .MSU file extenstion and they display a dialog box similar to the Windows Update install dialog when installing.

PowerShell 1.0 released for Windows Vista

Yay! (it is so very geeky to get excited over a scripting tool isn’t it?) Microsoft have released PowerShell 1.0 for Windows Vista today. It comes as a Microsoft Update Standalone Package.

Unattended Windows Vista tech. on Windows XP/2003

UPDATE (09/12/2007): Updated with the list of applications and components listed here: Windows Vista components available for Windows XP.

Bomberman Evolved

This tickled my fancy too much so I had to post it: Bomberman Evolved

Shameless Self Promotion: Unattended Install Scripts

In case you were’nt aware, I have a number of install scripts for various applications that might be helpful for you if you are involved in any aspect of application deployment. A couple of these I have modified from an original script gleamed from AppDeploy.com. Hopefully you may find these useful:

The Short NAP: Tuesday 23rd January 2007

Here’s a few NAP links worth checking out:

Adobe Reader/Acrobat 8, Citrix Presentation Server and Seamless Windows

During testing of Adobe Reader 8 on a new Presentation Server 4.0 farm, I tested Adobe Reader 8 as a published application in a seamless window, using the ICA Client 9.230.50211. When using the toolbars in the published application (right clicking on the toolbars or clicking any of the drop down items) the application would exit completely without any errors logged on the server.

TS Logon Issues? It's Not What You Think

Every six to eight months or so, I have an issue logging onto a Terminal Server and then have to research the issue each time from scratch because I can’t remember how I fixed it. Here’s how it starts - after logging onto a Terminal Server I receive the following helpful error message:

Disabling "Check for WinZip Update"

Some bright spark over at WinZip thought that it would be a great idea to build in an auto-update utility into WinZip so that users would be prompted to download the lastest version of WinZip as they are released. Unfortunately, this updater prompts users when they first run WinZip even if they don’t have administrative access to their machine (I think the guy from WinZip and the guy from Adobe must know each other). Here’s the dialog that users see when they first run WinZip, not ideal in a corporate environment:

Link: Access Gateway 4.5.1 Hotfix

Last week Citrix released a hotfix for the Access Gateway 4.5. This hotfix fixes a number of issues, two of which are very interesting to me:

Link: Update for Publishing Exchange Server 2007 for ISA Server 2006

Microsoft have released an update for ISA Server 2006 to support publishing Exchange Server 2007. You will also need to install this patch on any machines running the ISA Server 2006 management console:

Link: Using ISA Server to Extend Server and Domain Isolation Interoperability

Microsoft have posted a whitepaper on utilising ISA Server as an IPSec gateway/proxy in a domain or server isolation environment to extend IPSSec protecttion to machines that do not support IPSec. This essentially involves ISA Server terminating the IPSec connection and passing traffic into a NAT’d network. It’s a 23 page document and applies to both ISA Server 2004 and 2006:

Disable Adobe Updater with Adobe Customization Wizard 8

Adobe have released the Adobe Customization Wizard 8 to provide a method for customising the deployment of version 8 of the Acrobat products. This tool allows you to disable all of the most useless features included in the new release including Digital Editions, Adobe Online Services and even Adobe Updater 5. This means that you can get rid of the Updater5 folder that keeps appearing in your Documents folder.

The Short NAP: Friday 5th Janurary 2007

Microsoft have posted some updated NAP documents on microsoft.com/downloads today:

Link: An Introduction to Network Access Protection

WindowsNetworking.com has posted an article about Network Access Protection: An Introduction to Network Access Protection (Part 1) by Brien Posey.This is a good overview and introduction to NAP. The next article will go into configuration details.

DELPROF: What The?

We all know that Windows is not case sensitive when it comes to the command line. Someone forgot to tell DELPROF though - you can use DELPROF in a script to automatically and silently delete user profiles. However it seems that you need to run the command in lower case, if you use upper case it just ignores the silent switch completely and prompts you to delete profiles. Check it out in this screenshot - What The?:

Windows PE 2.0 and VMware Workstation

I’m working on a Presentation Server deployment project at the moment, and am deploying the servers with Windows PE 2.0 via Windows Deployment Services (WDS). I need to launch Windows Setup via WINNT32.EXE because the servers have two RAID sets and the client wants the user profiles on the second disk set. So before deploying the unattended setup to hardware, I’m testing the deployment in VMware Workstation. Unfortunately Windows PE 2.0 does not recognise the VMware network card out of the box, so I’ve had to create a custom WinPE image with the drivers in it. This is the first time I’ve done this with Windows PE 2.0 so there was a little trial and error. Here are the steps I completed to create my custom image:

Link: Introduction to Server &#038; Domain Isolation with Windows

Microsoft has posted what appears to be an updated document (version 1.1) from August 2005, Introduction to Server and Domain Isolation with Microsoft Windows. Server and Domain Isolation using IPSec is a great method for creating isolated networks to protect those networks from unwanted traffic. Domain isolation solves the problem where access to domain resources should only be from domain member computers. If you are considering implementing NAP with Windows Server “Longhorn”, you should be planning your domain isolation strategies now.

Deploying WinZip 11.0

Did you know that WinZip have an MSI installer available for WinZip 10.0 and 11.0? Neither did I until I was reading through their FAQ pages today. What I don’t get though is it’s not the default download you get for the product, you have to go looking for it on this FAQ page: Download WinZip with 64-bit Shell Extension Support. I’d like to welcome WinZip to the 21st century - Windows Installer’s only been around since 1999..

Web Interface for Resource Manager 2.1 Available

Jason Conger has released Web Interface for Resource Manager 2.1. This couldn’t be more timely for me as I’m in the middle of a Presentation Server 4.0 implementation using Oracle 10g to host the data store and Resource Manager databases. Here’s what’s new in this release:

World of Network Access Protection Chat Transcript Available

The November 13, World of NAP chat transcript is finally available on the TechNet site. Unfortunately I’m usually asleep when these chats and webcasts are live, so I missed out on taking part, but here are some highlight questions from the chat (edited slightly for readability):

SafeWord RemoteAccess vs. Security Configuration Wizard

If you implement SafeWord RemoteAccess with the agent software on a machine running Citrix Web Interface and use the Security Configuration Wizard (SCW) to lockdown the operating system, you may run into authentication issues.

Access Gateway vs. Secure Gateway Part 2: It's In The Details

In part 1 I discussed how I believe that proving identity should be your most important consideration when deciding to implement the Citrix Access Gateway or Secure Gateway for remote access. In this second part I want to discuss some of the features of both the Access Gateway (CAG) and the Secure Gateway (CSG) and how they compare.

Citrix Presentation Server Client Package 9.230 Released

Citrix have updated the Win32 Presentation Server Client Package to version 9.230. Here’s what I can find new or fixed specific to this version:

Deploying Adobe Reader 8.0

For an Adobe Reader 9 version of this post, go here. For an Adobe Reader 8.x version of this post, go here.

Publishing Outlook Web Access on an Alternate Port

We recently had client with a requirement to provide Outlook Web Access and Exchange over the Internet/Outlook Anywhere (RPC over HTTPS) access using a single IP address on ISA Server. The problem with making both of these services available on a single IP address is that both utilise HTTPS which by default is TCP 443. RPC over HTTPS with Outlook can’t use an alternate port - if you attempt to specify and alternate port Outlook UI you receive the following error:

HP and VMware team to reinvent the wheel

I’m a bit slow, it’s about a month old now, but I spotted this article in CRN Australia magazine about how HP and VMware are teaming to bring VDI to the masses. Here’s an intro from the article:

NAP podcast with The Converging Network

Mitchell Ashley over at The Converging Network, has a podcast with a discussion with Amith Krishnan from Microsoft about NAP:

Swivel PINsafe and Citrix Access Gateway Installation Notes

The good guys over at Swivel have let me post a document that Graham Field (from Swivel) has created for integrating Swivel PINsafe into Access Gateway Advanced Edition 4.5. The document covers everything you’ll need to get PINsafe authentication working with Advanced Access Control, including setting up Turing or Single Channel authentication (use to stop bots not humans). You get a copy of the document in Word format here and the LOGIN.ASCX with the code for setting up the Turing authentication here.

Windows Vista Product Guide

Microsoft have posted the Windows Vista Product Guide on their Downloads Centre. At 61Mb and 316 pages this document is huge, but it’s go some great detail about what Windows Vista is all about. If you’re one of those people who thinks that Windows Vista is Windows XP Service Pack 3, then this document is for you, if you’re not, then this document is still for you too. This is the document to give to your sales team (you may have to read it to them - could take a while and you might need a little bell handy to let them know when to turn the page..). Here’s a break down of what the document covers:

No Preview For You!

I think that the attachment preview feature (see number 10) of Outlook 2007 is one of its best new features, however I’ve noticed that Outlook can’t preview calendar appointments sent as an attachment. So essentially, Outlook can’t preview it’s own files, do’h! Check out the screenshot:

Windows XP, Internet Explorer 7 and SharePoint

Internally we have deployed SharePoint Portal Server 2003 as our intranet. To ensure that the Citrix Web Interface for SharePoint (WISP) web part works correctly, we need to ensure that there is only authenticated access to SharePoint (WISP fails if anonymous access is enabled). What I have found on Windows XP machines that have been upgraded to IE7, is that users are prompted for authentication when accessing SharePoint (IE presents the standard Windows authentication dialog) instead of the browser passing authentication through to IIS as it should.

Hotfix 5 for Advanced Access Control 4.2

Hotfix 5 (AAC420W005) is available for Advanced Access Control 4.2. The fix list is quite large - 50 fixes are listed in the readme file. One of the most important updates that you will need to be aware of, are changes to the Endpoint Analysis scans. This means that scans that you have installed into AAC will require updating to work with the new hotfix. From the Citrix readme:

Daemon Tools: You must reboot after a previous operation

Daemon Tools was giving me some grief after upgrading to Windows Vista RTM and I had to update to version 4.08 which includes an updated SPTD driver for the virtual CDROM drive. When running the 4.08 installer for the first time, I had to uninstall the old version and reboot. After the reboot, I ran the installer again and the following error message would be displayed: “You must reboot after a previous operation”

Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab

No, I haven’t written a step by step guide, but Microsoft has and they have released a document detailing 802.1X NAP enforcement for demonstration purposes. This is a very detailed resource that will require some time and effort to setup, but if you are interested in NAP and 801.2X then this document is for you. Here’s a view of the test lab configuration to give you an idea of what’s involved:

Access Gateway and HTTP Error 500

We are testing a private hotfix from Citrix that addresses a HTTP Error 500 on the Access Gateway Advanced Edition 4.2. You may have seen this error in your Access Gateway implementations where access to a Logon Point on the Access Gateway produces the error and a reboot of the appliance temporarily fixes the issue. The hotfix brings the Access Gateway version to Access Gateway 4.2.3 Build 81.31; Build Date: 2006-11-03. I’m unsure if this hotfix is generally available, but if you are experiencing the issue give the good looking guys at Citrix Support a call to obtain a copy of the fix, or wait until a general hotfix is available from the Citrix support web site.

Forefront Client Security Beta Available

Microsoft has made available a general beta for the Forefront Client Security product. Here’s a quote from the download to give you an idea of what Client Security is about:

The Short NAP: November 14th 2006

Here’s a quick list of interesting NAP and Domain/Server Isolation related links for November:

ISA Server 2006 and LDAP Authentication

ISAServer.org has an excellent four part tutorial on using LDAP to pre-authenticate Outlook Web Access. You can find them here:

Now That's Not What I Expected

I’ve been checking out the excellent UltraMon on Windows Vista, which provides some cool hacks for multiple displays under Windows. One of the excellent hacks is the ability to assign a hotkey that moves an application between screens - when you hit the hotkey the application or window appears on the next screen, very handy. However, this appears to work on the Start Menu too. I’m not sure if this happens on Windows XP but here’s what you get with the Start Menu open and then hit the hotkey:

Access Gateway vs. Secure Gateway Part 1: A Case of Mistaken Identity

Before I go into what I actually want to talk about, here’s a high level overview of the differences (and similarities) between the Access Gateway and Secure Gateway:

Better Together: Networking Scenarios with Vista and Longhorn Server

Ian Hameroff has put together a great webcast on the networking features of Windows Vista and Longhorn Server, and as you might expect from the title, how they work when the Longhorn client and server versions are teamed together. The webcast includes an overview of Network Access Protection and Windows Firewall with Advanced Security as well as Server and Domain Isolation and IPSec. The whole webcast is worth watching, however if you’re only interested in NAP and the Windows Firewall skip to about the 19 minute mark.

Access Gateway 4.5 / Access Gateway Advanced 4.5 Released

According to Sam Johnston, Access Gateway and Access Gateway Advanced Edition (Access Gateway with Advanced Access Control) 4.5 have been released as of last Friday 13th October. Check out Sam's post for an excellent description of what to expect of the new version.

Access Gateway Hangs When Changes Made to AAC Logon Point

Citrix have a private hotfix to address issues with the Access Gateway 4.2.3 experiencing a hang when changes are made to a Logon Point in Advanced Access Control. If you are experiencing the issue, give the good looking guys at Citrix Support a call. You will have to give them information about your setup and they should be able to give you the hotfix to test out. If you are experiencing the issue, why not share your experiences over at the Brian Madden forums.

Podcasting with Citrix France

Three months before Jay Tomlin started blogging and well before Citrite.org and CitrixCommunity.com popped up, Citrix France has been podcasting and blogging over at http://podcast.citrix.fr. It appears to be very much a marketing exercise rather than employees blogging about Citrix technologies and their experiences, but it’s interesting none the less. If you are like me and your French is limited to “Parlez-vous anglais?” you can view a Google translated version here.

Webcast: Enabling Trusted Communications and Health Policy Enforcement with NAP

Gene Ferioli, a Program Manager with the Customer Connection Team at Microsoft did a webcast back in September on NAP, which is available for download. I’ve just gotten around watching this webcast and it weighs in at 1h 8m. Here’s my rough notes on what it covers:

Windows and Exchange TechNet Sessions Australia

Microsoft Australia are hosting a TechNet session on Windows Server “Longhorn” and Exchange Server 2007 in Melbourne, Canberra, Brisbane and Sydney. The second part of the session is all about Network Access Protection:

AAC 4.2 and Swivel PINsafe

If you are looking to integrate the Swivel PINsafe one time password (OTP) authentication system into Advanced Access Control 4.2 you’ll find that it’s not going to work out of the box. You will see the following authentication packet sequence once you have configured PINsafe as a RADIUS profile within AAC and attempt to authenticate:

Windows Vista 101: Multiple Local Group Policy

Here’s an interesting new feature of Windows Vista that will be a help to shared computing environments such as public libraries or those still inflicted with Windows NT 4.0 domains - Multiple Local Group Policy.

Network Access Protection TechNet Forum

In case you weren’t aware, Microsoft have a web forum for support and discussion around NAP. It’s a little sparse at the moment with only 13 topics but once Longhorn Server is released this forum should become more widely used.

NAP MVP Webcast Available To All

Jeff Sigman, the NAP Release Manager at Microsoft, has posted a link to a webcast he did recently for MVPs, which is now available for general viewing. This is quite a long webcast (1h 40m) but it goes into detail about NAP and demonstrates using DHCP or IPSec as an enforcement tool for NAP. It’s well worth checking out if you have the time, but if you don’t, here’s my (really) rough notes to give you an overview of the content:

NAP to be removed from Windows Vista?

Via Steve Riley and from the Today Tonight school of journalism comes NAP to be ‘kicked out’ of Vista. Here’s a couple of snippets:

Strengthening OWA Authentication with ISA 2006 and RSA SecurID

Now that Microsoft have released ISA Server 2006, we have more authentication options available to us. This includes the ability to add two-factor authentication solutions to the existing forms based authentication, traditionally used to authentication against Active Directory only. I have a previous post on how to protect Outlook Web Access with RSA SecurID, which discusses using the RSA Web Agent with IIS and RSA SecurID authentication with ISA Server 2004, however both of those options are a little clunky. Now with ISA Server 2006, we have a more elegant solution that allows us to integrate RSA SecurID directly into the forms authentication method. Assuming ISA Server is a domain member, here’s how to do it.

How To: Add Office 2007 HTML Rendering Support in AAC

With the release of Office 2007 not that far away, the new Open XML file formats should be starting to make an appearance in enterprises. By installing the Microsoft Office applications on your Advanced Access Control server you can provide HTML rendering of Word, Excel and PowerPoint documents to your users (You can also provide access to Visio documents too, but I won’t cover that here). At this stage, this will only cover the current .DOC, .XLS and .PPT file types. By installing the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats you can provide users with access to the new .DOCX, .XLSX and .PPTX. This is a simple process, here’s how to do it:

ISA Server 2004 to 2006 Upgrade

I upgraded our firewall a couple of days ago from ISA Server 2004 to ISA Server 2006, which went fairly smoothly with the actual setup routine only taking about 5 minutes to complete. However, after the upgrade there were a couple of items required some configuration changes:

0xc0040357: The Server referenced by Array SERVERNAME does not exist

Just in the process of upgrading our firewall from ISA Server 2004 to ISA Server 2006. Before I did this, though, I wanted to grab an export of my current config. However toward the end of the export, the management console would report this error:

Windows Vista Tips

Here’s a couple of nifty tips for Windows Vista that I’ve learnt this week and wanted to share:

The Short NAP: September 25th 2006

Here’s a quick list of interesting NAP and Domain/Server Isolation related links from Microsoft for September:

Windows Vista and Font Inconsistency

I’m not alone in my frustration with Windows Vista (or Windows XP) and the inconsistency in font usage. Fonts are definitely in your face and consistent font usage helps the user distinguish between a UI element and content. David Vronay, Research Manager for Windows User Experience Compliance, has posted a response to a thread that I started on font inconsistency at shell: revealed. Here’s what he had to say on the topic:

IIS6, .ICA and 404 Not Found

I’m sure the use of adding .ICA files to web servers to launch published applications from Presentation Server doesn’t happen as often as it used to, but it’s still useful for adding a link to an application on an intranet site. After adding a .ICA file to IIS6, however, users may receive a file not found error:

Blogging with Word 2007

Having issues getting Word 2007 to register your blog provider? You may receive the following error message when attempting to add a blog account to Word:

Access Gateway Traffic Flow Diagram

I’ve put together a diagram detailing the flow of IP traffic between the different components of an Access Gateway with Advanced Access Control implementation. This is designed to give everyone involved in implementation of the Access Gateway an understanding of each component and the communication required between each host. This diagram details these components:

Windows Vista 101: How to leave UAC on

This one is in reply to Long’s post, but to be fair I know he’s all for UAC. Windows Vista finally introduces some real security improvements to the Windows operating system that have been long overdue. The product is still in beta, however people are already up in arms about how ‘intrusive’ UAC is. Why is it that Linux and MacOS users understand why it’s not a good idea to run with administrative privileges and Windows users don’t? *

Cisco and Microsoft Unveil Joint Architecture for NAC-NAP Interoperability

Microsoft and Cisco annouced some time ago that they were working on NAP and NAC interoperability. They’ve demonstrated this recently at the Security Standard conference in Boston (all the cool stuff seems to happen in Boston). You can view the Microsoft PressPass update here and the Cisco press release here (they’re the same thing, no need to read both). Cisco and Microsoft have cross-licensed their protocols to make this interoperability work. You can view a white-paper on this architecture here:

Turning Off AutoComplete on a Logon Point

I went looking for this last week and just couldn’t find it. Well Sam Johnston has let us know how it’s done. If you want to stop the browser from offering to save your username and password when logging into the Access Gateway, follow these steps on your Advanced Access Control servers:

Laptop Battery Life Reaches 76 hours and 56 minutes

Check out the battery life on my IBM ThinkPad T41p. There’s way too much FUD out there about Windows Vista shortening battery life, this is almost two working weeks from a single charge..

Download: Protecting a Network from Unmanaged Clients

I promise this won’t become yet another blog just reposting links to other sites (more original posts to come), but here a link to a new document on the Microsoft Download site that’s worth mentioning. This document goes into the various methods that can be used to protect your network from unmanaged clients. This includes:

Outlook 2007 Icon Already in Vista

Ah, the things you find when you’re looking for something else. I was extracting some icons from Window Vista with the excellent Axialis IconWorkshop and stumbled across MSSVP.DLL in the SYSTEM32 folder. It looks to be a part of Windows Seach. Well, this file has a number of Outlook icons in it and I don’t even have Office 2007 installed on that particular installation of Vista. What a strange behemoth Microsoft is. Here’s a look at the file properties and icons contained within:

Access Gateway and Certificate Revocation Lists

Citrite Sam Johnston has posted about Certificate Revocation List retrieval by the Access Gateway. I’ve not had this issue myself, but I’ll have to keep an eye out for it.

Citrix Starts Blogging

Citrix (other than Jay Tomlin) have finally got their act together and started blogging. You can view the blogs at http://citrite.org/blogs/.

Customise Logon Point Source Files

Customising Logon points in Advanced Access Control is a fairly easy process. Customisation allows you to add a corporate look and feel to the user interface. However, removing and redeploying the Logon Point will remove all customisations - the Logon Point is just a bunch of HTML and graphic files. Here’s how to customise the source files so that redeployed and new Logon Points will already have your customisations.

Access Gateway CITRIX_ADMIN_MONITOR.EXE and Proxy Servers

If you run CITRIX_ADMIN_MONITOR.EXE and after you enter the username and password the Access Gateway does not display, this could be related to proxy settings in Internet Explorer. Even adding the address of the Access Gateway to the proxy bypass list does not solve the issue. Disable proxy settings in Internet Explorer and the Access Gateway desktop displays immediately. In our case we have ISA Server 2004 as our firewall. ISA Server does not allow protocols other than HTTP to be tunnelled over SSL by default and if you check the log files you will see the connection being denied. So the solution here is to either, disable proxy settings when using CITRIX_ADMIN_MONITOR or enable port 9001 to be tunnelled over SSL.

Download: System Center Configuration Manager (SMS) Network Access Protection Process Flow

System Center Configuration Manager (SMS4) will be able to act as a remediation server in a NAP environment, which we would expect of course. Given that, with 3rd party agents, SMS can support operating systems other than Windows, all you need is a NAP system health agent (SHA) for your OS of choice and you can support that OS in your NAP/SMS environment.

Access Gateway Advanced Edition Session Viewer

Advanced Access Control 4.5 includes a session viewer to enable the administrator to view logged in sessions, either directly to Advanced Access Control or view the Acces Gateway (existing versions require you to connect to the Access Gateway desktop to view sessions). Click the link for a full view, note the copy button, this allows you to copy the details of the session to the clipboard.

Scheduling Reboots for the Access Gateway

Martijn Kools has very kindly let me repost his instructions for enabling SSH on the Access Gateway and scheduling a reboot. WARNING: This is a totally unsupported method for enabling SSH. Be sure to have a backup of the config of the AG and access to the Access Gatway CD to be able to perform a reinstall if required.

Esker Tun PLUS Requires Administrative Access

Today’s entrant into the Hall of Shame is Esker Tun PLUS which can be used to provide an ActiveX based terminal emulator via the web. This product downloads no less than 11 ActiveX controls and then wants the user to run an application named TRUST.EXE from a page that has the following text:

The Ten Commandments of Exchange Server

After performing two Exchange disaster recoveries in as many months, I’ve come up with a list of Fifteen Ten Commandments for Exchange Server 😉

Profile Changes in Windows Vista and Windows Server 2008 and beyond

Windows Vista and Windows Server 2008 introduce a number of new user profile paths and environment variables that differ from earlier versions of Windows and these changes may have an impact on scripts such as logon scripts and application install scripts. Most scripts should work correctly - VBScript scripts that use system functions to find folder paths should work as expected, however batch scripts that use environment variables or hard codes scripts will require modifications. Here’s a short run down of the changes.

WSUS Build Numbers

I’ve recently updated a few WSUS servers with WSUS SP1. The admin tool shows build numbers but does not state if the version is RTM or SP1. For reference these build numbers are:

Adventures with SAP GUI, SAPLPD and Terminal Server

Like all ridiculously expensive software we love to hate, the SAP GUI does not use standard Windows print queues to send print jobs, but implementes a printing method they call SAPLPD instead. This is launched by a process that looks to be external to the SAP GUI component and does not respect the working directory key in each users registry. This process will attempt to write a file named LPRINT.NUM to the working directory of it’s parent process, the SAP GUI. If user does not have rights to write to this location the SAP GUI will exit completely without warning.

UI consistency and Microsoft Sans Serif

When Microsoft released Windows 2000, the new default UI font was changed to Tahoma from Microsoft Sans Serif. Unfortunately, not every team involved in developing Windows got the memo detailing this change. (There€™s a whole team for the Display properties applet right?). I think it was also the same teams that then forgot to change the font in various dialogs in Windows XP. It still haunts us in various locations in Windows Vista as of build 5456 for which the new UI font is Segoe UI. Well if you€™re picky like me and just want to see the same font across all UI elements, you can get most of the way there with a couple of registry edits. Navigate to:

The Windows Network Status Icon is Evil

I’ve always thought that turning the little icon that displays network traffic on is dumb. From remote RDP or ICA sessions, it creates and endless loop of traffic. Here’s a quote from the “Advanced Concepts Guide: Citrix Presentation Server for Windows Version 4.0”

Windows Vista, Windows Update and 0x8024402C

After adding my laptop running Windows Vista to our AD domain, Windows Update was unable to synchronise and would produce the following errors:

Slow Program Neighbourhood Agent?

If the Citrix Program Neighbourhood Agent is slow to connect to the PNAgent web service and then takes time to display a list of applications, it’s probably related to folder redirection of the Application Data folder. Program Neighbourhood Agent, by default, stores cache information in the following folder:

Protecting Outlook Web Access with RSA authentication

Outlook Web Access can be protected with an extra layer of authentication via RSA SecurID. This can be implemented in one of two ways:

Windows Clustering in VMware Workstation 5

Truly geeky people will appreciate the ability to run their mailbox on their very own Exchange cluster running on their laptop. Not quite high availability but high on a list of silly things to do. Here’s how to create a cluser in VMware Workstation:

Juggling Java VMs

I’ve just spent yesterday and today working on a site where the client had a need to run both the Microsoft Java VM and the Sun Java VM on their Terminal Servers. (The Microsoft Java VM is used for one site only, yes developers strike again). I was pretty happy when I was able to use Presentation Server 4.0 and Application Isolation Environments to get these to work on the same server, in Internet Explorer, at the same time. Here’s how:

Windows Firewall Technet Resources

Back in June, Microsoft created a resource section on TechNet for the Windows Firewall, check it out here. There is also a link to an article from way back in May 2004 about how Windows determines if the computer is on the domain network or another network and thus when to apply the Domain Windows Firewall profile or the Standard Windows Firewall profile settings pushed out via Group Policy. Using Group Policy to deliver a Domain and a Standard firewall policy to your workstations, allows you to place a less restrictive firewall policy when inside the coporate network and place a tight firewall policy (read deny all inbound) when a machine is away from the corporate network. Check out the article here:

Download: Introduction to Network Access Protection

For an overview of what NAP is and how it works check out the following document from Microsoft:

Access Gateway 4.2.3 Includes Network Speed Setting

The Access Gateway 4.2.3 hotfix includes the ability to set the speed of the network connection, a feature that is not mentioned in the readme. For the last AG installation I did the customer wanted to hard set speed and duplex settings, well now they can.

Citrix Access Gateway 4.5 Beta

We’ve been accepted into the Citrix Access Gateway 4.5, Standard and Advanced Editions Beta Program. No word on a NDA yet, but hopefully I might get a chance to post some details.

Checklist: Access Gateway with Advanced Access Control

After doing a few implementations of the Citrix Access Gateway with Advanced Access Control solution for remote access, I’ve found that successful implementations require some coordination to be implemented within a reasonable timeframe. This is especially challenging in large environment where things tend to move slowly. A checklist with prerequisites goes a long way to help, so here€™s one I prepared earlier in PDF format:

Migrate a certificate from Secure Gateway to Access Gateway

This is listed in the Access Gateway Administrators document, but it’s buried deep, so here’s my own version.

Download: Introduction to Windows Firewall with Advanced Security

Microsoft have posted a document detailing Windows Firewall with Advanced Security in Windows Vista and Longhorn Server. Many organisations have wanted to apply outbound rules to traffic from their Windows boxes, which they will be able to do if they upgrade to Windows Vista or Longhorn, it’s going to be quite a challenge to implement on a large scale basis. It still suprises me though, how many organistations just turn the firewall off completely - in today’s networks, hosts need to actively protect themselves. Treat your internal network as hostile (more on that to come).

Vista: Restarting with Applications Open

When a user reboots Windows XP or 2000 etc. with a program open the user is presented with all sorts of dialog boxes that are a little jaring and the whole experience has got to be confusing to users with only a basic understanding of Windows. Here’s how Windows Vista does it, quite nice I think. Click the thumbnail for more detail.

Windows Aero over RDP / WPF Remoting(?)

I’ve been checking out a recent build of Windows Vista today and took the chance to look at connecting to a remote Windows Vista machine from Windows Vista over RDP. The result was impressive to say the least. The remote session has full support for Aero Glass including all the minimise/maximise effects as well as Flip 3D. Now this would require that the Aero Glass is drawn on the screen locally rather than sent directly via RDP, which is what WPF Remoting is all about. Brian Madden has more on this here and here. Once this is teamed with seamless window support in Windows Longhorn Server the line between a local and remote application will be further blurred - users should almost never notice the difference. This is exciting stuff, as I am really into the user experience. In the Terminal Server world we are always battling what users perceive to be performance related issues. Once we can say good-bye to the current screen scraping type technologies in RDP and ICA I think users will be much happier. Of course we just need to get the applications to use WPF. Developers are you listening?

Raymond Chen on Profile Folders

The latest TechNet Magazine has an article by Raymon Chen on the “Program Files” and “Documents and Settings” folders, including changes to the profiles folder in Windows Vista. It gives some clarification to the changes in Vista and I thought that it applies to my previous post.

WSUS Build Numbers

I’ve recently updated a few WSUS servers with WSUS SP1. The admin tool shows build numbers but does not state if the version is RTM or SP1. For reference these build numbers are:

Symantec Gateway Security 1600 and Sun Java

More fun with consoles developed in Java. Check out the administration tool for Symantecs’ Gateway Security 1600 appliance - 100% CPU usage just to display the logon dialog then 100Mb of RAM just after opening the console:

Citrix AAC and Microsoft's NAP

One of the great features of Citrix Advanced Access Control is the ability to control access to internal resources from trusted machines with End Point Analysis. Citrix have implemented their own client and server components to perform end-point analysis and ensure that client machines are safe for access.

Die Microsoft Sans Serif, Die

When Microsoft released Windows 2000, the new default UI font was changed to Tahoma from Microsoft Sans Serif. Unfortunately, not every team involved in developing Windows got the memo detailing this change. (There’s a whole team for the Display properties applet right?). I think it was also the same teams that then forgot to change the font in various dialogs in Windows XP. It still haunts us in various locations in Windows Vista as of build 5456 for which the new UI font is Segoe UI. Well if you’re picky like me and just want to see the same font across all UI elements, you can get most of the way there with a couple of registry edits. Navigate to:

Applications, Vendors and Citrix Presentation Server

I have a discussion topic that comes up again and again - client A has an application from vendor X that has only just been certified to run on Citrix Presentation Server version Y. This discussion topic is driving me nuts, driving me up the wall, round the bend, I think I’m gonna have an aneurism. Why is the concept of Presentation Server so hard to understand? Presentation Server does not do anything to applications, it’s Terminal Services that is doing the work. Write the applications properly in the first place so we can run it anywhere, run it as a limited user, run it on the latest Service Pack and run on Terminal Server. It’s not that hard, start here: http://msdn.microsoft.com.

Citrix release virtualised ICA client

Citrix have added a new ICA client to their download site. This client is very interesting as it uses application virtualisation from Thinstall that allows the user to run the ICA client without installing it. This is great for users who travel and may want to access applications from their corporate network, but end up in an Internet cafe where the computers don’t have the Citrix ICA Client installed.This client runs from a single compressed executable and evidently requires no change to the host PC. You can read more about the client here.

Installing Office 2007 Beta 2 over Office 2003

If you currently have Office 2003 (or any Office 2003 component such as Visio or Publisher) installed you’ll run into some problems if you upgrade to Office 2007 Beta 2*. The Office 2003 components will not be completely removed and you may have issues such as returning shortcuts or Outlook add-ins trying to reinstall eventually bringing Office 2007 to a grinding halt. If this happens, check out the “Windows Installer CleanUp Utility” for removing all vestiges of Office 2003. You may then have to perform a repair of the Office 2007 applications. See KB290301 for more information. Probalby best to remove an ealier version of Office before installing Office 2007.

Microsoft Systems Manager SoftGrid 4

Now that Microsoft intends to expand their virtualisation strategy with the purchase of Softricity, I expect that we will see a few things with SoftGrid:

Sizing Terminal Servers and the 4GB memory limit

Always an interesting discussion around the traps is that of how much memory to install in Terminal Servers. Due to the nature of Terminal Server and limitations of the 32bit architecture, kernel address space will be exhausted before a Terminal Server will run out of RAM (depending on the number of users, of course). Brian Madden has an excellent article discussing this limitation.

We Don't Need No Stinking Anti-Virus

I’ve recently had conversations about running anti-virus software on some specialised servers. Specifically Windows Servers running ISA Server 2004 or VMware Server (or Virtual Server). The argument for installing anti-virus software on these servers is to ensure they are protected against viruses and worms. I’ve been arguing against installing anti-virus software to ensure maximum performance. The reasons I have argued against are the following:

UPHClean 2.x Beta

The User Profile Hive Cleanup Service is a tool that I’ve even been installing on desktops. A beta for version 2.x is underway and Thomas Koetzing has an impressive writeup of the tool on his site here, where you can also sign-up for the beta. Version 2.x sounds great and I hope that all of the features in this new version make it into Vista which a a similar service built in.

My new favourite Firefox extension

Check out this great Firefox extension that allows you to view pages with the Internet Explorer engine inside Firefox: ietab

Applying the Principle of Least Privilege to User Accounts on Windows XP

Here’s an excellent document I’ve added to my list of articles to give to clients:

Support Site Woes

Over the past week, I’ve been creating an internal Exchange best practice/check list document so that we can standardise on how we configure Exchange servers for our clients. This document includes a number of items including information on configuring AV scanners to exclude certain Exchange folders. I thought it best to provide the reader of this document direct links to knowledgebase articles on various AV products. I attempted to cover the following vendors:

Event Search

Has Microsoft realised the power of EventID.Net? They’ve added an ‘Events and Errors Message Center’ page @ TechNet.

Troubleshooting Applications

I spend alot of time troubleshooting applications on Windows XP and Windows Terminal Server. The challenge, especially in Terminal Server environments is to get applications running and still keep the environment secure. This means spending time with the Sysinternals tools and various others. Brian Madden has started posting videos and presentations from this years BriForum. The first video and slide deck are a great resource for those of us who deploy and manage applications. Definitely worth a watch:

Lessons from the field - Backup Active Directory

Backup the system state on your domain controllers. “Like duh!” you say, well that’s what I said too. I spent Friday a client’s site where a domain controller had gone down and they were experiencing issues with logons and Exchange. The client has/has four domain controllers, one at each of their four sites and all were marked as Global Catalog(ue)s. However once this single DC went down, due to hardware failure, AD essentially went bye-bye. Backups were no good and all the usual diagnostic tools would only show the downed DC as the lone GC. We could not seize the Schema Master and after spending about 6 hours on the phone with PSS, the decision was made to start again with a new domain, DC and Exchange server. Lots of fun that could have been avoided with products like Microsoft Operations Manager or NetIQ AppManager. I still don’t understand why these types of products are generally a hard sell.

Lessons from the field: Presentation Server

I’ll file this under “Stupid Things I Didn’t Know”. Citrix Presentation Server relies on the PATH variable for core components to run. I was adding to the PATH variable, in a scripted build after the CPS install and before a reboot, with a command like this:

Citrix Application Isolation Environment launch delays

In a previous topic, I used the Application Isolation Environment feature in Citrix Presentation Server 4.0 to solve an issue where sites require different versions on the Java VM. A side effect of this was, however, that the application would take around 60 seconds to launch. Turns out the issue pops up on Windows Server 2003 Service Pack 1 and has to do with certificate autoenrollment. Essentially a 60 second delay is implemented to speed things up… Hmm, let ponder that for a second, accept it and move on. To relieve my application launch delay issue, I created the following registry key, the planets aligned, and all worked well.

IIS and Site Identifiers

Having previously having issues installing an applications on IIS where the Default Web Site (i.e. the site with an identifier of 1) no longer exists, I was hesitant to edit the METABASE.XML. So I bit the bullet, stopped IIS, opened METABASE.XML in Notepad and changed all instances of the existing identifier to 1, saved and restarted IIS, and away she went. Bowl me over with a feather, by jove she works!

Presentation Server and the Sun Java VM

If I could live in a world without Java, I’d be happy…

Active Directory Migration Tool v3.0

The Active Directory Migration Tool v3.0 has just been released. I’ll have to add this to my list of things to check out.

Troubleshooting Woes

Last night I attempted to install Citrix Web Interface for Presentation Server 4.0 on a Windows box and received the following error:

Lessons from the field - Virtual PC

Today’s lesson is: Virtual PC and shared folders are slow. I mean really, really slow. Try install Exchange Server 2003 Service Pack 1 into a VM with the source files in a shared folder (Virtual PC shared folders), I almost slit my wrists waiting for that to install. It ended up taking well over an hour. My work around: ROBOCOPY the sources files onto the VM’s hard drive and install from there.

Didn't we just have an ad?

There are 3 reasons why I use Firefox:

ISA Client Spy

Found this via Stanislas Quastana’s blog: ISA Client Spy. Free tools for ISA Server are great and this one, should be an excellent troubleshooting tool.

Secure access to Exchange

Placing an Exchange Front-end server in the DMZ does nothing to increase security.

Securing the network using Microsoft ISA Server 2004

This is a great article discussing the features of ISA Server as a layer 7 firewall (without the usual zealous bubble from Dr T. Shinder)

subscribe via RSS