Citrix Profile Management and Folder re-direction Configuration


  1. Folder Re-Direction Group Policy
  2. Exclude Policy
  3. Citrix UPM Install and Configuration
    1. Sync “AppData\Local\Microsoft\Windows\UsrClass.dat”



HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)


[Screenshot: Tripwire SecureCheq]

It doesn’t matter what size your organisation is or which compliance posture it must adhere to: every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world, and it was the only company that had proper Windows operating system hardening and security compliance management. I also worked for a very large bank whose security team of 50+ people just didn’t understand how to develop a proper baseline for security compliance and copied and pasted information from another IT vendor! What I am trying to say is that there are different levels of security expertise.

So here is a basic overview of how to create a secure Windows 2012 R2 SOE. The method can be applied to any supported OS.
First, understand your security posture requirements. I have listed a few here:

It is also important to understand the SANS Critical Controls and Defeating Kill Chains.

This course is also a good starting point: SEC505: Securing Windows with the Critical Security Controls.

Understand the Critical Security Controls –

Security Standards

These are the core security standards and vital information for Windows hardening.

The websites and tools above can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager (SCM) is the starting point for this process: use it to understand all the settings, then export them into a Group Policy that can be applied to harden the operating system. Once you have a policy set up, you need to maintain that posture using desired state management and continuous monitoring.

Desired State
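
Added example (not from the original post, and not Microsoft’s SCM export): a PowerShell Desired State Configuration that declares a few baseline settings and then checks the node for drift. The Registry and Service resources are the built-in PSDesiredStateConfiguration resources on Server 2012 R2; the three settings chosen here are assumptions for illustration rather than the author’s baseline.

```powershell
# Added example, not part of the original post. The three resources below are
# illustrative assumptions; a real SCM export carries hundreds of settings.
Configuration SoeBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Keep Security Center running so AV and firewall state is reported.
        Service SecurityCenter {
            Name        = 'wscsvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Legacy Computer Browser service off (hardening baselines disable it).
        Service ComputerBrowser {
            Name        = 'Browser'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }

        # UAC elevation prompts stay on the secure desktop (1 = enabled).
        Registry UacSecureDesktop {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'PromptOnSecureDesktop'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# Compile the MOF into .\SoeBaseline and push it to the local node.
SoeBaseline -OutputPath .\SoeBaseline | Out-Null
Start-DscConfiguration -Path .\SoeBaseline -Wait -Verbose

# Continuous monitoring: schedule this check. $false means the node has drifted
# from the configuration it was given, so re-apply it and raise an alert.
if (-not (Test-DscConfiguration)) {
    Write-Warning 'Node has drifted from the SOE baseline; re-applying'
    Start-DscConfiguration -Path .\SoeBaseline -Wait
}
```

Test-DscConfiguration reports whether the node still matches the last configuration it was given; running it on a schedule, in addition to the Local Configuration Manager’s own consistency check (every 15 minutes by default), is the continuous-monitoring half of the process.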

Security Scanners

Once you have the base policy using the methods above, you need to run two types of scanners against your base OS. The first is a security scanner against your OS; make adjustments as required. The second, which I recommend, is a tool that checks and updates all the software on the base OS image. The key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid, secure SOE. All three are NIST Security Content Automation Protocol (SCAP 1.2) validated tools.

** You cannot create a securely hardened OS without a security scanner.

Implement OS Encryption

Implement BitLocker


Install Microsoft Enhanced Mitigation Experience Toolkit
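
Added example (not from the original post): enabling BitLocker on the OS volume from PowerShell with a TPM protector and a recovery password escrowed to AD DS. It assumes Server 2012 R2 with the BitLocker feature installed, a ready TPM, and the Group Policy that permits storing recovery information in AD DS; the function name Enable-SoeBitLocker is mine.

```powershell
# Added example, not part of the original post. Assumes the BitLocker feature,
# a ready TPM and the AD DS recovery-escrow policy are already in place.
function Enable-SoeBitLocker {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    Import-Module BitLocker

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -eq 'On') {
        Write-Verbose "$MountPoint is already protected"
        return $volume
    }

    # Refuse to continue without a ready TPM rather than silently falling back
    # to a weaker password-only protector.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        throw 'TPM is not present or not ready; initialise it before enabling BitLocker.'
    }

    # Add the recovery password first so it can be escrowed before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($protector in $recovery) {
        # Requires the "Store BitLocker recovery information in AD DS" policy.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    }

    # Full-volume AES-256 with the TPM sealing the volume master key.
    # -SkipHardwareTest avoids the extra reboot-and-verify cycle on a build image.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest

    Get-BitLockerVolume -MountPoint $MountPoint
}

Enable-SoeBitLocker -MountPoint 'C:' -Verbose
```

Escrowing the recovery password before encryption starts means a volume can never exist in an encrypted state without a key that the help desk can retrieve from AD.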

Here is a link to my own SOE settings –

HowTo: SCCM 2012 R2 Endpoint Protection Comprehensive Virus Scan Exclusions List


Here is a full list of all virus scan exclusions. It is best to exclude only what is required on each server, so treat this as a reference.

  • Excluded files and folders
  • Excluded file types
  • Excluded processes

Here is the full configuration file for SCCM 2012 R2 antimalware policies. Just create an .XML file and import it – AllServerExclusionsSCCM


[Screenshot: System Center 2012 R2 Configuration Manager console]


Windows 8 and Server 2012 Optimisation Guide for Citrix VDI


' Title: Windows 8 and Server 2012 VDI Optimization Script
' Author: Pablo Legorreta
' Modifications: Steven Krueger & William Elvington
' Special thanks to Jonathan Bennett (AutoITScript)
' for creating a wonderful optimizer tool and to Jeff Stokes (MSFT)
' for creating the original baseline script for Windows 7

' Purpose: The following script will prepare a Windows 8 or Server 2012
' static image for VDI deployment based on MSFT and Citrix recommendations.

' Requirements: Administrative Privileges, Registry backup - Just in case 😉

' // ==============
' // Variables
' // ============== 

' Constants
Const ForReading = 1
Const Disable_Aero = False
Const Disable_BranchCache = False
Const Disable_EFS = False
Const Disable_iSCSI = False
Const Disable_MachPass = False
Const Disable_Search = False

Const Install_NetFX3 = False
Const NetFX3_Source = "D:\Sources\SxS"

' Common objects
 Set oShell = WScript.CreateObject ("WScript.Shell")
 Set oFSO = CreateObject("Scripting.FileSystemObject")
 Set oEnv = oShell.Environment("User")

' Command Line Arguments for Some Settings
' Each switch defaults to the constant above and can be overridden on the
' command line, e.g. cscript optimize.vbs /Aero:True /Search:False
Set colNamedArguments = WScript.Arguments.Named

Function ArgFlag(sName, bDefault)
 ' Returns True/False for a named argument, or bDefault when it was not given.
 ArgFlag = bDefault
 If colNamedArguments.Exists(sName) Then
  Select Case LCase(colNamedArguments.Item(sName))
   Case "", "true", "1", "yes"
    ArgFlag = True
   Case Else
    ArgFlag = False
  End Select
 End If
End Function

strAero = ArgFlag("Aero", Disable_Aero)
strBranchCache = ArgFlag("BranchCache", Disable_BranchCache)
strEFS = ArgFlag("EFS", Disable_EFS)
striSCSI = ArgFlag("iSCSI", Disable_iSCSI)
strMachPass = ArgFlag("MachPass", Disable_MachPass)
strSearch = ArgFlag("Search", Disable_Search)
strNetFX3 = ArgFlag("NetFX3", Install_NetFX3)

' Enable RDP Connections
RunWait "WMIC rdtoggle where AllowTSConnections=0 call SetAllowTSConnections 1,1"
RunWait "netsh advfirewall firewall set rule group=" & Chr(34) & "remote desktop" & Chr(34) & " new enable=Yes"

' // ==================
' // Service Settings
' // ==================

' Disable Application Layer Gateway Service
RunWait "sc config ALG start= disabled"

' Disable Background Intelligent Transfer Service
RunWait "sc config BITS start= disabled"

' Disable Bitlocker Drive Encryption Service
RunWait "sc config BDESVC start= disabled"

' Disable Block Level Backup Engine Service
RunWait "sc config wbengine start= disabled"

' Disable Bluetooth Support Service
RunWait "sc config bthserv start= disabled"

If strBranchCache = True Then
 ' Disable BranchCache Service
 RunWait "sc config PeerDistSvc start= disabled"
 End If

' Disable Computer Browser Service
RunWait "sc config Browser start= disabled"

' Disable Device Association Service
RunWait "sc config DeviceAssociationService start= disabled"

' Disable Device Setup Manager Service
RunWait "sc config DsmSvc start= disabled"

' Disable Diagnostic Policy Services
RunWait "sc config DPS start= disabled"
RunWait "sc config WdiServiceHost start= disabled"
RunWait "sc config WdiSystemHost start= disabled"

' Disable Distributed Link Tracking Client Service
RunWait "sc stop TrkWks"
RunWait "sc config TrkWks start= disabled"

If strEFS = True Then
 ' Disable Encrypting File System Service
 RunWait "sc config EFS start= disabled"
 End If

' Disable Family Safety Service
RunWait "sc config WPCSvc start= disabled"

' Disable Fax Service
RunWait "sc config Fax start= disabled"

' Disable Function Discovery Resource Publication Service
RunWait "sc config FDResPub start= disabled"

' Disable HomeGroup Listener Service
RunWait "sc config HomeGroupListener start= disabled"

' Disable HomeGroup Provider Service
RunWait "sc config HomeGroupProvider start= disabled"

If striSCSI = True Then
 ' Disable Microsoft iSCSI Initiator Service
 RunWait "sc config msiscsi start= disabled"
 End If

' Disable Microsoft Software Shadow Copy Provider Service
RunWait "sc config swprv start= disabled"

' Set Network List Service to Auto
RunWait "sc config netprofm start= auto"

' Disable Offline Files
RunWait "sc config CscService start= disabled"

' Disable Optimize Drives Service
RunWait "schtasks /change /tn ""microsoft\windows\defrag\ScheduledDefrag"" /disable"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\Enable", "N", "REG_SZ"
RunWait "sc config defragsvc start= disabled"

' Disable Secure Socket Tunneling Protocol Service
RunWait "sc config SstpSvc start= disabled"

' Disable Security Center
RunWait "sc config wscsvc start= disabled"

' Disable Sensor Monitoring Service
RunWait "sc config SensrSvc start= disabled"

' Disable Shell Hardware Detection Service
RunWait "sc config ShellHWDetection start= disabled"

' Disable SNMP Trap Service
RunWait "sc config SNMPTRAP start= disabled"

' Disable SSDP Discovery Service
RunWait "sc stop SSDPSRV"
RunWait "sc config SSDPSRV start= disabled"

' Disable SuperFetch
RunWait "sc config SysMain start= disabled"

' Disable Telephony Service
RunWait "sc config TapiSrv start= disabled"

If strAero = True Then
 ' Disable Themes Service
 RunWait "sc config Themes start= disabled"
 End If

' Disable UPnP Device Host Service
RunWait "sc config upnphost start= disabled"

' Disable Volume Shadow Copy Service
RunWait "sc config VSS start= disabled"

' Disable Windows Backup Service
RunWait "sc config SDRSVC start= disabled"

' Disable Windows Color System Service
RunWait "sc config WcsPlugInService start= disabled"

' Disable Windows Connect Now - Config Registrar Service
RunWait "sc config wcncsvc start= disabled"

' Disable Windows Defender Service
RunWait "sc config WinDefend start= disabled"

' Disable Windows Error Reporting Service
RunWait "sc config WerSvc start= disabled"

' Disable Windows Media Player Network Sharing Service
RunWait "sc config WMPNetworkSvc start= disabled"

' Break out Windows Management Instrumentation Service into its own svchost
RunWait "winmgmt /standalonehost"
RunWait "sc config winmgmt group= ""COM Infrastructure"""

' Disable Windows Search Service
 If strSearch = True Then
 RunWait "sc stop WSearch"
 RunWait "sc config WSearch start= disabled"
 End If

' Disable Windows Updates
RunWait "sc config wuauserv start= disabled"

' Disable WLAN AutoConfig Service
RunWait "sc config Wlansvc start= disabled"

' Disable WWAN AutoConfig Service
RunWait "sc config WwanSvc start= disabled"

' // ================
' // Computer Settings
' // ================

' Disable Hard disk timeouts
RunWait "POWERCFG /SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0"
RunWait "POWERCFG /SETDCVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0"

 ' Disable Action Center
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", &H00000001, "REG_DWORD"

 ' Optimize Processor Resource Scheduling
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation", &H00000026, "REG_DWORD"

 ' Disable TCP/IP / Large Send Offload
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload", &H00000001, "REG_DWORD"

 ' Disable hibernate
RunWait "powercfg -h off"

 ' Disable NTFS Last Access Timestamps
RunWait "FSUTIL behavior set disablelastaccess 1"

 If strMachPass = True Then
 ' Disable Machine Account Password Changes
 oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange", &H00000001, "REG_DWORD"
 End If

 ' Disable memory dumps
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\LogEvent", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\SendAlert", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot", &H00000001, "REG_DWORD"

 ' Disable default system screensaver (ScreenSaveActive is a REG_SZ value)
oShell.RegWrite "HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"

 ' Increase service startup timeouts
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServicesPipeTimeout", &H0002bf20, "REG_DWORD"

 ' Increase Disk I/O Timeout to 200 seconds.
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue", &H000000C8, "REG_DWORD"

 ' Disable Other Scheduled Tasks
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\AitAgent"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\ProgramDataUpdater"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\StartupAppTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Autochk\Proxy"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Bluetooth\UninstallDeviceTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\BthSQM"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\Consolidator"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\KernelCeipTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\Uploader"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\UsbCeip"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Diagnosis\Scheduled"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Maintenance\WinSAT"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\MobilePC\HotStart"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Power Efficiency Diagnostic\AnalyzeSystem"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\RAC\RacTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Ras\MobilityManager"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Registry\RegIdleBackup"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Shell\FamilySafetyMonitor"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Shell\FamilySafetyRefresh"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\AutoWake"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\GadgetManager"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\SessionAgent"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\SystemDataProviders"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\UPnP\UPnPHostConfig"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\WDI\ResolutionHost"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Windows Filtering Platform\BfeOnServiceStartTypeChange"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Windows Media Sharing\UpdateLibrary"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\WindowsBackup\ConfigNotification"" /disable"

 ' Configure Event Logs to 1028KB (Minimum size under Vista/7) and set retention to "overwrite"
 ' OverWriteOutdated = 0 is the writable property that gives "overwrite as needed";
 ' OverWritePolicy is read-only and reflects it.
 Set oEventLogs = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!//./root/cimv2").InstancesOf("Win32_NTEventLogFile")
 For Each e in oEventLogs
  e.MaxFileSize = 1052672
  e.OverWriteOutdated = 0
  e.Put_   ' commit the change, otherwise it is discarded
 Next

oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Application\Retention", 0, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Security\Retention", 0, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\System\Retention", 0, "REG_DWORD"

 ' Set PopUp Error Mode to "Neither"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ErrorMode", 2, "REG_DWORD"

 ' Disable bootlog and boot animation
RunWait "bcdedit /set {default} bootlog no"
RunWait "bcdedit /set {default} quietboot yes"

 ' Disable UAC secure desktop prompt
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop", &H00000000, "REG_DWORD"

 ' Disable New Network dialog
RunWait "reg add HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff"

 ' Disable AutoUpdate of drivers from WU
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\searchorderConfig", 0, "REG_DWORD"

 ' Turn off Windows SideShow and install NetFX3
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow\Disabled", 1, "REG_DWORD"
 If strNetFX3 = True Then
 RunWait "dism /online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:" & NetFX3_Source & " /NoRestart"
 End If

' Disable IE First Run Wizard and RSS Feeds
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize", 1, "REG_DWORD"

 ' Disable the ability to clear the paging file during shutdown
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown", 0, "REG_DWORD"

' Disable Internet Explorer Enhanced Security Configuration (administrators and users)
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled", 0, "REG_DWORD"
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled", 0, "REG_DWORD"

' Disables Background Layout Service
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\EnabledAutoLayout", 0, "REG_DWORD"

' Disables CIFS Change Notifications
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteRecursiveEvents", &H00000001, "REG_DWORD"

 ' Disable Data Execution Prevention
 ' NOTE: this removes an exploit mitigation for every process and conflicts with a
 ' hardened SOE. Leave the default DEP policy unless an application is proven to need this.
RunWait "bcdedit /set nx AlwaysOff"

 ' Set Power Saving Scheme to High Performance
RunWait "powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" 

 ' Set Recovery Dump to Small (3 = small memory dump)
RunWait "wmic recoveros set DebugInfoType=3"

 ' Perform a disk cleanup
 ' Automate by creating the reg checks corresponding to "cleanmgr /sageset:100" so we can use "sagerun:100"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Active Setup Temp Folders\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Memory Dump Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Offline Pages Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Old ChkDsk Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations\StateFlags0100", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Setup Log Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error memory dump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error minidump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Upgrade Discarded Files\StateFlags0100", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Upgrade Log Files\StateFlags0100", &H00000002, "REG_DWORD"
RunWait "cleanmgr.exe /sagerun:100"

' // =============
' // User Settings
' // =============

' Reduce menu show delay
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay", "0", "REG_SZ"

 ' Disable cursor blink
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate", "-1", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DisableCursorBlink", &H00000001, "REG_DWORD"

 ' Force off-screen composition in IE
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Force Offscreen Composition", &H00000001, "REG_DWORD"

 ' Disable screensavers
oShell.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"

 ' Don't show window contents when dragging
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DragFullWindows", "0", "REG_SZ"

 ' Don't show window minimize/maximize animations
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\MinAnimate", "0", "REG_SZ"

 ' Disable font smoothing
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\FontSmoothing", "0", "REG_SZ"

 ' Disable most other visual effects
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\VisualFXSetting", &H00000003, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarAnimations", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow", &H00000000, "REG_DWORD"
RegBinWrite "HKEY_CURRENT_USER\Control Panel\Desktop", "UserPreferencesMask", "90,12,01,80"

 ' Disable Action Center
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", &H00000001, "REG_DWORD"

 ' Disable IE Persistent Cache
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent", 0, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Feeds\SyncStatus", 0, "REG_DWORD"

 ' Done

' // ================
' // Functions
' // ================

Function Run(sFile)
 Run = oShell.Run(sFile, 1, False)
 End Function

 Function RunWait(sFile)
 RunWait = oShell.Run(sFile, 1, True)
 End Function

 Function RunWaitHidden(sFile)
 RunWaitHidden = oShell.Run(sFile, 0, True)
 End Function

 Function IsServer()
 IsServer = False
 On Error Resume Next
 For Each objOS in GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem")
  ' ProductType: 1 = workstation, 2 = domain controller, 3 = server
  If objOS.ProductType = 1 Then IsServer = False
  If objOS.ProductType = 2 Or objOS.ProductType = 3 Then IsServer = True
 Next
 End Function

 Sub RegBinWrite (key, value, data)
 ' Writes a multi-byte REG_BINARY value by importing a .reg file, because
 ' WshShell.RegWrite only accepts a single integer for REG_BINARY.
 key = "[" & key & "]"

 If value <> "@" then
  value = chr(34) & value & chr(34)
 End if

 valString = value & "=" & "hex:" & data

 tempFile = GetTempDir() & "\regbinaryimport.reg"
 Set txtStream = oFSO.CreateTextFile(tempFile,true)
 txtStream.WriteLine("Windows Registry Editor Version 5.00")
 txtStream.WriteLine("")
 txtStream.WriteLine(key)
 txtStream.WriteLine(valString)
 txtStream.Close

 oShell.Run "regedit.exe /s """ & tempFile & """", 1, true

 oFSO.DeleteFile tempFile
 End Sub

 Function GetTEMPDir()
 GetTEMPDir = oEnv("TEMP")
 If InStr(GetTEMPDir, "%") Then
 GetTEMPDir = oShell.ExpandEnvironmentStrings(GetTEMPDir)
 End If
 End Function 
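
Added example, not part of the optimisation script above: a read-only PowerShell audit that lists the settings the script changes which a hardened SOE would normally keep on (Windows Defender, Security Center, Windows Update, EFS, the UAC secure desktop, machine account password rotation, DEP), so they can be reconciled with the security baseline before the image is sealed. The service and registry names are the ones the script writes; the function name Get-VdiSecurityTradeoffs is mine.

```powershell
# Added example, not part of the optimisation script. Read-only: it reports
# which of the script's security-relevant changes are in effect on this image.
function Get-VdiSecurityTradeoffs {
    $findings = @()

    # Services the script sets to start= disabled that a hardening baseline expects on.
    $services = @{
        'WinDefend' = 'Windows Defender (AV) disabled'
        'wscsvc'    = 'Security Center disabled; AV/firewall state is no longer reported'
        'wuauserv'  = 'Windows Update disabled; patching must come from SCCM/WSUS'
        'EFS'       = 'Encrypting File System disabled'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            $findings += [pscustomobject]@{ Item = $name; Finding = $services[$name] }
        }
    }

    # PromptOnSecureDesktop = 0 lets other windows overlay the elevation prompt.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($uac -and $uac.PromptOnSecureDesktop -eq 0) {
        $findings += [pscustomobject]@{ Item = 'PromptOnSecureDesktop'; Finding = 'UAC prompts no longer isolated on the secure desktop' }
    }

    # DisablePasswordChange = 1 leaves a static machine credential on every clone.
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    if ($netlogon -and $netlogon.DisablePasswordChange -eq 1) {
        $findings += [pscustomobject]@{ Item = 'DisablePasswordChange'; Finding = 'Machine account password rotation disabled' }
    }

    # bcdedit prints an "nx  AlwaysOff" line when DEP has been turned off for all processes.
    $nxLine = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+' }
    if ($nxLine -and $nxLine -match 'AlwaysOff') {
        $findings += [pscustomobject]@{ Item = 'DEP (nx)'; Finding = 'Data Execution Prevention disabled system-wide' }
    }

    return $findings
}

Get-VdiSecurityTradeoffs | Format-Table -AutoSize
```

Each line in the output is a conscious trade-off to record in the SOE design: either the baseline documents why the VDI image deviates, or the setting is put back before the image is captured.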



  • Superfetch
  • Themes
  • Windows Audio
  • Windows Audio Endpoint Builder
  • Google Update Service
  • Windows Search
  • Internet Connection Sharing
  • Media Center Extender Service
  • Routing and Remote Access
  • Adobe Flash Player Update Service
  • Fax

Complexity of Application Presentation/Streaming and Distribution


I wanted to highlight and explain the complexity of designing application deployment and management for Windows desktops and VDI environments in a single diagram.


(oops, I mean Microsoft 🙂)

Update 02/04/16: adding a few application deployment options

  • Click Once Applications
  • Container Applications (AppZero)
  • Application Layer (e.g. Citrix AppDisk.)

There are many options for application deployment; they are all complex and architecturally different, and each affects how the user interacts with the application.

You can also combine these application deployment and management technologies, for example Citrix XenApp + App-V + SCCM.

The core problem is usability: when you design such complex solutions it is almost impossible to guarantee the same level of usability as a locally installed application, which is what the end user expects. (Examples of usability: copy/paste, print, content sharing, etc.)

Combining this with the complexity of User State and profile management options, it is no wonder many VDI projects fail and cause major frustrations for end users.

The key is to provide the same user functionality as a locally installed application while using different technologies to deliver and manage applications and user environments. (Click here to find out how to solve this problem.)

Overview of Application Deployment and Management options

  • Citrix XenApp Published Application (HDX Stream) + FlexCast Models
  • Citrix VDI-in-a-BOX
  • VMware ThinApp
  • Microsoft RemoteApp (RDS Stream)
  • App-V Application
  • App-V and SCCM (App-V Local Interaction feature, Virtual Environment and Connection Groups)
  • Application Deployment (Kace, LanDesk, Altris, SCCM)
  • Locally Installed Application

[Update 07.11.2014] – I saw information on Cloudvolumes.com when it was released, but they didn’t release much information until VMware acquired them. I think this is the future of application deployment: VMware AppVolumes. It can essentially solve this complexity, although how it handles upgrades, conflicts, etc. needs to be tested. I can’t wait for Microsoft to come up with a similar solution.

Since writing this article and doing some more research, I believe VMware AppVolumes and UniDesk could solve the problem of delivering applications and maintaining Microsoft and application updates.

User State Profile Management

  • Microsoft UE-V
  • Citrix Profile Management
  • AppSense Profile Management
  • MANProfiles, FlexKit, Folder Re-Direction, etc.
  • Citrix Personal vDisk

User/Application Interactions

  • Copy/Paste
  • Print
  • Application Content Sharing
  • mailto: and hyperlinks, etc.
  • File Sharing
  • Application Plug-ins

FlexCast Models

  1. Hosted VDI – Assigned VDI Server OS (Windows Experience) (Persistent)
  2. Hosted Shared – Pooled VDI Server OS (Windows Experience) (Non-persistent)
  3. Streamed Desktops
  4. Hosted Blade PCs (VDI)
  5. Hosted VM-Based Desktops (VDI)
  6. Shared Published Desktop
  7. Remote PC

And of course persistent vs. non-persistent desktops, pooled vs. static, etc. add to the complication, but that is another topic.

I thought this was a relevant diagram on the subject.


Be careful, Will Robinson: most Citrix pre-sales gurus don’t understand this complexity. (Yeah, you!)

But don’t worry, I am building a DaaS platform to solve all of this.

Alternative application deployment options, in order of preference:

  1. UniDesk
  2. Microsoft App-V
  3. AppZero
  4. FsLogix
  5. VMware AppVolumes
  6. Microsoft Docker (Beta only)
  7. VMware ThinApp
  8. AppDNA

Organizations with growing VDI environments find the tools used to deliver applications and updates to physical computers create significant issues when used for VDI. This research compares alternative approaches to software delivery to help organizations make the best choice for their environment.

So, now that we understand the issues, how do we solve the problem? Here is some technology that is absolutely required for any VDI deployment.

DaaS Build Phase


  1. Setup Proliant Server
  2. Install XenServer
    1. Setup XenServer GUI Appliance and configure it to autostart
    2. Setup an Autostart vApp
      Create an Autostart vApp and add VMs
      Get uuid of vApp: xe appliance-list name-label="autostart"
      edit rc.local:
      echo "xe appliance-start uuid=869aabc7-5b30-b0bf-79cf-ca5acbb162be" >> /etc/rc.local
      xe vm-param-set uuid=29025d12-5148-9ed3-9e21-78c1fc35a44a other-config:auto_poweron=true
  3. Create Windows 2012 R2 DataCenter Template
  4. Install DC
  5. Install Management Server
  6. Install SQL Server in HA
  7. Install KMS and activate
    1. Install Windows Activation Tool –
  8. Install Citrix Server
  9. Install Citrix License Server
  10. Install RDS Licenses
    1. Install RDS License Role
    2. Run RD Licensing Manager
    3. Activate Server Wizard
    4. Install Licenses / Service Provider License Agreement / Windows 2012 / RDS Per User CAL
    5. Use Corporate Enrolment Number
    6. Setup RDS License GPO – Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

  11. Install SQL Server 2012
  12. Build SCCM
    1. ConfigMgr 2012 R2 Prerequisites Installation Tool 1.3.0 –
    2. Install SQL Server 2012 SP2 on the same server as SCCM, as SQL is free. SQLConfiguration.ini
    3. Pre-requisits
      1. Servers Accounts must be in Local Administrator Group
      2. Create a SQLAdmin Group and add it as the SQL Administrators
    4. Check Pre-requisites – start \E:\SMSSETUP\BIN\X64\prereqchk.exe /LOCAL
    5. Test Schema Extension .\ADSchemaExtensionConflictAnalyzer.ps1 –inputfile E:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf –outputfile results.ldf
    7. Install WSUS via Windows Features
    8. Extend Schema *.ldf / \SMSSETUP\BIN\X64\extadsch.exe
    9. Now that the AD schema has been extended, AD must be configured to grant each ConfigMgr site the security rights to publish in its domain.
    10. Create the System Manager container and give the SCCM computer objects full permissions
      1. DSA.msc
      2. View Advanced Features
      3. Create new Container under System called System Manager
      4. Create a group, add all SCCM computer accounts to it, and grant the group Full Permissions on this container
      5. Select Advanced and select this group Edit and Allow / This object and all descendant objects (Select All)
    11. Server Roles
      1. .NET Framework 4.0
      2. Windows Server Features:
      3. .NET Framework 3.5.1 Features
      4. .NET Framework 3.5.1
      5. Background Intelligent Transfer Service (BITS)
      6. Add Required Role Services
      7. Remote Differential Compression
      8. Windows Role Services
      9. Web Server
      10. Common HTTP Features
      11. WebDAV publishing
      12. Application Development
      13. ASP.NET
      14. “Add Required Role Services”
      15. ASP
      16. Security
      17. Windows Authentication
      18. Management Tools
      19. IIS 6 WMI Compatibility
    12. Install Remote Differential Compression – Install-WindowsFeature Rdc
    13. Change the SQL Server(MSSQLSERVER) Logon with Domain Service Account
    14. Install Bits – install-windowsfeature BITS
    15. Create a Firewall Group Policy and allow inbound rules for the SQL replication ports 1433 and 4022
    16. Install Windows ADK for Windows 8.1 –
    17. NOT Installed – In Server Manager select Features, Add Features, select .NET Framework 3.5, also select WCF Activation and, when prompted, answer Add Required Role Services, then click Next and Next again. (Make sure the BITS and IIS services are running; restart after the install.)
    18. Not installed – Set SQL Server Properties/General/Server Collation/SQL_Latin1_General_CP1_CI_AS
    19. Not installed – Enable Bits –
    20. Download prerequisites – SMSSETUP\BIN\X64\SetupDL.exe <target dir>
    21. Add the SCCM Server domain computer account to local Administrators group of the SQL Server
    22. Set SQL Properties/Memory to 50% of the maximum memory and set MIN and MAX to the same (static) value
    23. Add IIS 6 Management Compatibility Role
    24. IIS Configuration
      1. IIS \ Server \ Authentication \ Windows Authentication – Enable
      2. IIS \ Sites \ Default Web Site\ Add Authoring Rule – All content | All Users | Read | Local
      3. IIS \ Sites \ Default Web Site\ WebDAV Settings ????
    25. Reporting Services Configuration ???
    26. Change Server Collation SQL_Latin1_General_CP1_CI_AS (Run CMD as Administrator)
      3. Reattach existing database
    27. Reference:
    28. Checklist for Required Post Setup Configuration Tasks
      1. Checklist for Required Post Setup Configuration Tasks –
      2. Configure Sites and the Hierarchy in Configuration Manager –
      3. System Center Updates Publisher 2011 – Install –
      4. Clients for Additional OS –
      5. Install SP1
      6. Install App-V Integration and Clients
      7. Install Update Publisher
      8. Install WSUS
      9. Setup download schedule
      10. Desired Configuration Management (DCM)
      11. OSD + Integration with the Microsoft Deployment Toolkit (MDT)
      12. Configure Application Packages
      13. Tools
        1. Install RightClick Tools
        2. Client Center for Configuration Manager –
        3. Install System Center 2012 R2 Configuration Manager Toolkit –
        4. Install System Center 2012 Configuration Manager Support Center –
        5. Configuration Manager Trace Log Tool
        6. Install System Center Dashboard –
          2. Microsoft SQL Report Builder –
  13. Install App-V Standalone
    4. Setup Citrix Integration
      3.  Components
        1. App V Report Server
          1. Run the installer and install Reporting Services on the SQL Server.
        2. App-V Management Server
          1. Download the Microsoft Desktop Optimization Pack (MDOP) software – E:\App-V\Installers\5.0\Server
          2. Prerequisites –
          3. Install Silverlight on the management Server
          5. Install the Web Server (IIS) role on the Management Server
          6. Install the Application Server role and .NET 3.5
        3. App-V Sequence Server
        4. SQL Server
        5. Client
  14. Build App-V and App-V Sequence
    1. Install App-V Remote Application Packager –
  15. Build XenApp RDS Host Template Server
  16. Configure KMS licenses for RDS and OSs
    1. Install Volume Activation Management Tool –
    2. Activate
    3. Setup DNS for KMS
  17. Configure Citrix License Server + Citrix Licensees
  18. Setup a Windows 8.1 and Windows 2012 OSD
    1. Set up an isolated PXE boot environment and DHCP config –
  19. MED-V
  20. MDOP
  21. Microsoft Assessment and Deployment Kit –
  22. Citrix Profile Server
  23. Setup IPAM
  24. Test Federated Access
  25. Monitoring
    1. Setup Puppet Server
    2. Setup Nessus
    3. Setup Splunk Server
    4. Setup WireShark
    5. OpenVMS
    6. Snort
    7. Wireshark
    8. HP Insight Manager for Linux –
    9. HP Version Control Repository Manager – HP Version Control Repository Manager (VCRM)
    10. HP Service Pack for ProLiant (SPP) Version 2014.02.0 –
    11. HP Supplement –
    12. ManageEngine Free Monitoring –
    13. Install Microsoft Best Practice Analyser
    14. Install Microsoft Software Inventory Analyser (MSIA) and Asset Inventory Service
    15. Microsoft Baseline Security Analyser
    16. Citrix License Reporting Tool
    17. Deploy Remote Server Administration Tools on Management Server
    18. Install Windows PowerShell Web Access on Management Server
    19. Windows Assessment Services
    20. Best Practice Analysers
  26. XenServer Backup –
  27. PKI Infrastructure
  28. XenServer Orchestra –
  29. GPO Configurations
    1. Windows Defender and Active Protection Services –
    2. Configure Desktop Experience in Windows Server 2012 R2
  30. Setup PVS Server
    1. Configure BSMh
  31. Setup Sophos Virus Protection
    1. Update exclusions for Citrix, SQL, Clustering
    2. Install Microsoft Malicious Software Removal Tool –
    3. Microsoft Safety Scanner –
  32. Setup Management Server
    1. Windows Server Essentials Experience
    2. User Access Logging
    3. Windows Inventory Logging
    4. Windows System Resource Manager
    5. Configure Printer Servers
    6. Application Server
    7. Setup Desktop Template
  33. Windows Desktop Experience Configuration
    1. Adds the Desktop Experience and XPS Viewer features to the Windows server configuration
    2. Moves the Citrix folder items in the Start menu to the Administrative Tools folder (including the Citrix AppCenter)
    3. Creates a new Windows Theme file and sets the default wallpaper
    4. Starts the Windows Themes service and configures it to start automatically
  34. Configure Citrix CloudPortal and vWorkspaces
    2. Billing System
    3. Self-Services Website
    4. Manager Engine Self-Services
  35. Setup Puppet and Desired State Manager
    1. Setup Desired State Pull/Push –
  36. Active Directory
    1. Enable Active Directory Recycling Bin
    2. Setup GPO Backup and System State
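The RDS licensing GPO from step 10.6 of the DaaS Build Phase, set with the GroupPolicy module rather than through the editor. This is an added example, not code from the original checklist; the GPO name, the license server name and the target OU are assumptions.

```powershell
# Added example (not from the original checklist): create and link the RDS
# licensing GPO from step 10.6. Assumed names: GPO "RDS Licensing", license
# server "rdslic01.corp.example", and the OU that holds the session hosts.
Import-Module GroupPolicy

$GpoName       = 'RDS Licensing'                              # assumption
$LicenseServer = 'rdslic01.corp.example'                      # assumption
$TargetOu      = 'OU=RDS Session Hosts,DC=corp,DC=example'    # assumption

# Registry key behind the policies under Remote Desktop Services\
# Remote Desktop Session Host\Licensing
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Use the specified Remote Desktop license servers"
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'LicenseServers' `
    -Type String -Value $LicenseServer | Out-Null

# "Set the Remote Desktop licensing mode": 4 = Per User (the CAL type chosen
# in step 10.4), 2 = Per Device
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'LicensingMode' `
    -Type DWord -Value 4 | Out-Null

# Link once; linking an already-linked GPO throws
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName
if (-not ($linked -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Verify what the session hosts will receive after gpupdate
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value
```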
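Step 12.10 of the SCCM build (the container under System, the group of site servers and the Full Control grant) done with the ActiveDirectory module. This is an added example, not code from the original checklist; the group name and site server name are assumptions, and it uses the container name ConfigMgr documents, "System Management", where the checklist says "System Manager".

```powershell
# Added example (not from the original checklist): SCCM step 12.10 with the
# ActiveDirectory module. The checklist calls the container "System Manager";
# ConfigMgr's documented name is "System Management", used here. Assumed
# names: group "SCCM Site Servers", site server computer account "SCCM01".
Import-Module ActiveDirectory

$GroupName   = 'SCCM Site Servers'                  # assumption
$SiteServers = @('SCCM01')                          # assumption
$SystemDn    = "CN=System,$((Get-ADDomain).DistinguishedName)"
$ContainerDn = "CN=System Management,$SystemDn"

# Container under CN=System (steps 1-3); skipped if it already exists
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' `
    -SearchBase $SystemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $SystemDn
}

# Group holding the site server computer accounts (step 4)
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -PassThru
}
foreach ($name in $SiteServers) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $name)
}

# Full Control on this object and all descendants (step 5), granted to the
# group so that adding a site server later is a membership change, not an
# ACL edit. The grant is scoped to this container, never to CN=System itself.
$acl  = Get-Acl -Path "AD:\$ContainerDn"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl

# Verify who holds GenericAll on the container. Site servers only pick up the
# new group membership after a reboot (fresh Kerberos ticket).
(Get-Acl -Path "AD:\$ContainerDn").Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Select-Object IdentityReference, AccessControlType, InheritanceType
```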
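The SQL memory setting from step 12.22 (MIN and MAX equal, at 50% of physical memory, so SCCM on the same box keeps the other half) as an added example, not code from the original checklist. It assumes the SqlServer module is installed and a local default instance.

```powershell
# Added example (not from the original checklist): pin SQL Server min and max
# server memory to the same value, 50% of installed RAM, per step 12.22.
# Assumes the SqlServer module (Invoke-Sqlcmd) and a local default instance.
Import-Module SqlServer

$Instance = 'localhost'            # assumption: default instance on this host

# SQL expects the values in MB; halve the physical RAM and round down
$totalMb  = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$targetMb = [math]::Floor($totalMb / 2)

# Max is set before min so min can never exceed max at RECONFIGURE time;
# the final SELECT shows the values actually in use, not just configured
$query = @"
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $targetMb;
EXEC sp_configure 'min server memory (MB)', $targetMb;
RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations
 WHERE name IN ('min server memory (MB)', 'max server memory (MB)');
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $query
```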

Microsoft SPLA licensing for Windows 8

Update – microsoft-allows-per-user-volume-licensing-of-windows.aspx

This subject comes up in almost every DaaS opportunity: can a Microsoft MSP provide the Windows 8 OS? The quick answer is NO. Microsoft MSP/SPLA licensing only covers Windows SERVER operating systems. (I won’t go into all the different FlexCast models here; I’ll stick with providing a dedicated OS for users.)

However, there is a way a Microsoft MSP can provide Windows 8. Here is a quick guide:

  1. Customer and Microsoft MSP must sign up for License Mobility Through Software Assurance. Volume Licensing customers can license their server applications on-premises and in the cloud on a qualified service provider’s shared hardware environment for specific applications.
  2. Customer must purchase all Windows 8 OS Licenses.
  3. Customer must purchase all Virtual Desktop Access licenses (if the client devices aren’t PCs covered by Software Assurance).
    • Windows Virtual Desktop Access (VDA) is an authorization strategy that requires each device seeking access to a Windows virtual desktop in a virtual desktop infrastructure (VDI) to be licensed.
    • Windows Virtual Desktop Access (Windows VDA): A standard benefit of Software Assurance and a stand-alone subscription-based license which allows roaming access to Windows virtual machines (VMs) from thin clients, third party, and non-Windows-based devices.
    • The goal of Windows Virtual Desktop Access is to simplify licensing requirements in a virtual environment by licensing the devices that seek access to virtual desktops, instead of licensing the virtual desktops themselves.
    • Because VDA is included as a feature of Software Assurance (SA), primary users of devices covered by SA can access their virtual desktops at no extra charge. Microsoft defines a primary user as someone who has used the computing device for more than 50% of the time in a 90 day period.
    • If the user wishes to access a Microsoft VDI from a device that is not covered by Software Assurance, however, a separate Windows VDA license is required. Such devices include thin clients, zero clients and third-party devices such as contractor-owned PCs. As of this writing, a separate VDA license costs $100 per year, per device.
    • Licensing_Windows_Desktop_OS_for_Virtual_Machines
    • Providing Microsoft Desktop as a Service licensing guide
    • More info :-
  4. Transfer these licenses to the Service Provider: [Detailed steps]
  5. The Microsoft MSP must provide the Windows 8 OS on DEDICATED hardware that is not shared with any other customer and cannot be used to provide any kind of service to any other customer of the service provider. Microsoft advises that the dedicated-hardware requirement applies to all of the hardware utilised to provide the solution to the customer: servers, storage and, presumably, the switching infrastructure as well.
  6. Windows 8 Rental Rights cannot be used either, because Rental Rights do not allow remote access to software. Microsoft Rental Rights are a simple way for companies to rent, lease, or outsource desktop PCs with Windows desktop operating system and Microsoft Office licenses to third parties (such as Internet cafés, hotel and airport kiosks, business service centers, and office equipment leasing companies) through a one-time license transaction valid for the term of the underlying software license or life of the PC. Solidify your role as trusted advisor by helping your customers be in compliance, by using an additive license that fits their business model—without requiring special tools, processes, reporting, or paperwork.

Definition of Severity Levels

Severity Definitions are intended to provide guidance on correct assignment of severity levels in the event of an incident.

  • Sev 1 – The product, service or channel is unavailable or unusable with NO planned and agreed sustainable workaround.
    The problem may be directly impacting any of:
    · External customers’ ability to interact with the Customer
    · The Customer’s ability to service its customers
    · The business unit’s production workflow
    The product, service or channel must be classified as business critical (e.g. it needs to be available within 24 hours of a disaster).

  • Sev 2 – The product, service or channel is available, but functions are restricted or degraded.
    Significant exposure may exist. The business can continue to operate at reduced capacity while the problem exists.

  • Sev 3 – The product, service or channel is available with no immediate impact to external or internal customers.
    An acceptable workaround is in place. The business can continue to operate at full or close to full capacity while the problem exists.

  1. CIO Override – a vulnerability that poses a serious threat to the Customer, is wormable (e.g. the Sasser virus) and exploit code is in the wild and available to attackers. Deployed 24/7 to the environment.
  2. Critical – a vulnerability that poses a serious threat to , is typically wormable (e.g. the Sasser virus), but exploit code is not in the wild yet. Deployed to the environment during normal business hours.
  3. Important – a vulnerability that poses a threat to ; typically one that must be initiated from within and is local to the workstation. Deployed to the environment during normal business hours.
  4. Moderate – a minor vulnerability that may pose a threat to . Usually patched to keep the platform current. This type of patch is only deployed if is deploying other hot fixes; otherwise it is deployed in the next Enterprise release.