Desktop as a Service – Design Decisions

Helpdesk, Self-Service, Billing and Account Management

Session Layer

  • Microsoft RDP
    • A very cost-effective option, but with a lot of feature restrictions.
  • Citrix ICA
    • The fully featured option. While it is more expensive, the issues a pure RDP option faces add to the support cost over time, and anything beyond the most basic ten-person organisation becomes a burden.

Flexcast Model

  • Hosted shared non-persistent


Infrastructure Layer

  • Build own Server Rack
    • Much too cumbersome to build out; a single server can be used for PoC and Testing/Dev.
  • AWS
    • Runs into Microsoft licensing issues on AWS, but has the better advanced networking features.
  • Azure
    • As Microsoft is the core vendor for the Windows Desktop, this is the ideal choice.
  • VMware based IaaS


Use DaaS Platforms

  • Citrix Workspaces
    • Can use this layer for the VPN / Dashboard access.
  • VMware Horizon DaaS
    • Too restrictive; when a complex customer requirement comes up, this model won't allow for it.
  • 3rd Party DaaS providers
    • No way; I want complete ownership and flexibility and to cut out any middle men.


Session Isolation and Architecture

  • Shared Delivery Group/Shared Delivery Site isolation.
    • The Shared Delivery Group/Shared Delivery Site isolation model uses shared Delivery Groups for application and desktop workers between the smallest tenants within the same shared Delivery Site. This model presents the lowest cost of service delivery to the CSP (and, as should follow, to the tenants) with the least security. (Other types: Private Delivery Site isolation; Private Delivery Group/Shared Delivery Site isolation.)


Solution Result

  • Use Azure to increase the end-to-end partnership with Microsoft.
  • Utilise Microsoft products as much as possible, fully managed.
  • Use Citrix Workspace for entry / Dashboard access.


Network Design/Security Groups and vLANS

  • DMZ
    • Internet facing (SSL, port 443 only)
    • First hop (Firewall/NetScaler/VPN/Proxy)
    • Second hop (WebServer/Proxy)
    • Firewall to Internal
  • Shared Session Servers vLAN
  • Isolated Private Tenant AD, Site and Network
    • Private AD
    • Private SL
    • Private Exchange
    • Private AppServers
    • Private File Servers
    • Private SharePoint
    • Azure AD Connect
  • Application vLAN
  • Management vLAN
    • Active Directory
    • ADFS
    • Azure AD
    • DNS/DHCP
    • CERTs
    • SQL
    • CloudPortal Services Manager
    • XenDesktopControllers
    • StoreFront Servers
    • License Servers
    • NTP Server
    • ITSM Server
      • ConnectWise
      • ManageEngine
      • Chat/Ticket
    • Security Applications
  • Storage vLAN
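The segmentation above, expressed as Azure network security groups for the DMZ and Management vLANs. This is an added example, not part of the original design notes or any Citrix/Microsoft reference design; it assumes the Az.Network module and an already authenticated Az session (Connect-AzAccount), and the resource group, region and address ranges are placeholders.

```powershell
# Added example (not from the original design notes): NSGs for the DMZ and
# Management segments. Assumes Az.Network and an authenticated Az session.
$rg        = 'rg-daas-example'   # placeholder resource group
$location  = 'australiaeast'     # placeholder region
$dmzCidr   = '10.10.1.0/24'      # DMZ subnet (constructed)
$mgmtCidr  = '10.10.9.0/24'      # Management vLAN subnet (constructed)
$adminCidr = '203.0.113.0/24'    # admin bastion range (RFC 5737 documentation range)

function New-DmzRules {
    # Only TLS on 443 from the Internet reaches the first hop; all other inbound is denied.
    @(
        New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Internet' -Priority 100 `
            -Direction Inbound -Access Allow -Protocol Tcp `
            -SourceAddressPrefix Internet -SourcePortRange '*' `
            -DestinationAddressPrefix $dmzCidr -DestinationPortRange 443
        New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 `
            -Direction Inbound -Access Deny -Protocol '*' `
            -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*'
    )
}

function New-ManagementRules {
    # Management hosts accept StoreFront/Controller traffic from the DMZ hop only,
    # admin protocols from the bastion range only, and nothing from the Internet.
    @(
        New-AzNetworkSecurityRuleConfig -Name 'Allow-DMZ-to-Mgmt-HTTPS' -Priority 100 `
            -Direction Inbound -Access Allow -Protocol Tcp `
            -SourceAddressPrefix $dmzCidr -SourcePortRange '*' `
            -DestinationAddressPrefix $mgmtCidr -DestinationPortRange 443
        New-AzNetworkSecurityRuleConfig -Name 'Allow-Admin-RDP-WinRM' -Priority 110 `
            -Direction Inbound -Access Allow -Protocol Tcp `
            -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
            -DestinationAddressPrefix $mgmtCidr -DestinationPortRange @('3389', '5986')
        New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Inbound' -Priority 200 `
            -Direction Inbound -Access Deny -Protocol '*' `
            -SourceAddressPrefix Internet -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*'
    )
}

$dmzNsg  = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-dmz'  -SecurityRules (New-DmzRules)
$mgmtNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-mgmt' -SecurityRules (New-ManagementRules)

# Review the effective rule set before attaching the NSGs to their subnets.
@($dmzNsg.SecurityRules) + @($mgmtNsg.SecurityRules) |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit Deny rules sit below the Allow rules so that nothing falls through to Azure's default AllowVnetInBound rule; the Shared Session Servers, Application and Storage vLANs would get their own NSGs on the same pattern, each admitting only the adjacent hop.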

Citrix Cloud

Network Connectivity

  • Private Direct Links and VMware SD-WAN or NetScaler SD-WAN (whichever has NTU)

Active Directory OU Design

  • CPSM
    • CSM_MGTM
    • Tenant1(T)
    • Tenant2(2)

Office 365

  • Advanced Features
    • Enhance Security
    • Backup
    • Archival
    • Largefile

Azure Components


Azure Automation Build

Azure CSP, MSPLA and CSP licensing Options

  • Microsoft Server VM
    • Azure Subscription per user/per month
  • Microsoft RDS
    • Azure Subscription per user/per month
    • BYO RDS MSPLA Server (invisible)
  • Azure Citrix XenApp Essentials
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
      • $12.00 USD per user/month (includes NetScaler Gateway Service and 1 GB data transfer per user per month); 25-user minimum per month.
      • $6.25 USD per user/month for RDS
      • Exchange rate: 1 USD = 1.33816 AUD
      • Total $456.25 USD / $610.53 AUD per month at the 25-user minimum


  • Cost breakdown
    • Citrix XenApp Base: 9.21
    • NetScaler Gateway: 2.86
    • RDS: 7.38
    • Citrix VM: 1.59
    • RDS: 1.59
    • NetScaler Gateway: 1.59
  • Citrix NetScaler
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
  • Due to the minimum of $610.53 per month this is not the ideal option to start with. It is also a service, so it is not configurable; therefore go all BYO.

Citrix Profile Management and Folder re-direction Configuration

  1. Folder Re-Direction Group Policy
  2. Exclude Policy
  3. Citrix UPM Install and Configuration
    1. Sync “AppData\Local\Microsoft\Windows\UsrClass.dat”



HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)


It doesn't matter the size of your organisation or the compliance posture it must adhere to: every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world, and it was the only company that had proper Windows Operating System hardening and Security Compliance Management. I also worked for a very large bank, and the Security Team, numbering 50+, just didn't understand how to develop a proper baseline for Security Compliance and copied and pasted information from another IT vendor! What I am trying to say is: there are different levels of security experts.

So here is a basic overview of how to create a Secure Windows 2012 R2 SOE. This method can be applied to any supported OS.
Firstly, understand your security posture requirements. I have listed a few here:

It is also important to understand the SANS Critical Controls and Defeating Kill Chains.

This course is also a good starting point: SEC505: Securing Windows with the Critical Security Controls.

Understand the Critical Security Controls –

Security Standards

These are the core Security Standards and vital information for Windows hardening.

The above websites and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process. You can use this software to understand all the settings and then export them into a Group Policy that can be used to harden the Operating System. Once you have a policy set up, you need to maintain that posture using Desired State management and Continuous Monitoring.

Desired State
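One way to keep the exported baseline from drifting, as an added example rather than the author's own SOE settings: a PowerShell Desired State Configuration that pins a small, illustrative subset of well-known hardening settings (UAC, NTLM level, LM hash storage, Remote Registry off, host firewall on). The real setting list would come from the Security Compliance Manager export; the configuration assumes WMF 5.x on the node and a writable C:\DSC path.

```powershell
# Added example, not the author's SOE settings. Illustrative subset only; the
# authoritative list is the baseline exported from Security Compliance Manager.
# Assumes WMF 5.x (Test-DscConfiguration -Detailed) on the target node.
Configuration SoeBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # UAC on, with elevation prompts on the secure desktop
        Registry EnableLUA {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'EnableLUA'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
        Registry PromptOnSecureDesktop {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'PromptOnSecureDesktop'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
        # NTLMv2 only, and no LM hashes stored at the next password change
        Registry LmCompatibilityLevel {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
            Ensure    = 'Present'
        }
        Registry NoLMHash {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'NoLMHash'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
        # Services the baseline expects off (Remote Registry) and on (host firewall)
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
        Service MpsSvc {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }
    }
}

# Compile the MOF, apply it, then report drift. After this the Local Configuration
# Manager re-checks on its own schedule (default every 15 minutes).
SoeBaseline -OutputPath 'C:\DSC\SoeBaseline'
Start-DscConfiguration -Path 'C:\DSC\SoeBaseline' -Wait -Verbose -Force
Test-DscConfiguration -Path 'C:\DSC\SoeBaseline' -Detailed |
    Select-Object InDesiredState, ResourcesNotInDesiredState
```

The LCM's default ConfigurationMode is ApplyAndMonitor, which only reports drift; set it to ApplyAndAutoCorrect (via Set-DscLocalConfigurationManager) if you want a setting that was changed by hand to be put back automatically.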

Security Scanners

Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a security scanner against your OS, making adjustments as required. The other one I recommend is a tool to check and update all the software on the base OS image. The key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) validated tools.

** You cannot create a securely hardened OS without a security scanner.

Implement OS Encryption

Implement BitLocker


Install Microsoft Enhanced Mitigation Experience Toolkit

Here is a link to my own SOE settings –


HowTo: SCCM 2012 R2 Endpoint Protection Comprehensive Virus Scan Exclusions List

Here is a full list of all virus scan exclusions. It is best to exclude only what is required per server, so this is just a reference.

  • Excluded files and folders
  • Excluded file types
  • Excluded processes

Here is the full configuration file for SCCM 2012 R2 Antimalware Policies. Just create a .XML file and import it – AllServerExclusionsSCCM




Windows 8 and Server 2012 Optimisation Guide for Citrix VDI

' Title: Windows 8 and Server 2012 VDI Optimization Script
' Author: Pablo Legorreta
' Modifications: Steven Krueger & William Elvington
' Special thanks to Jonathan Bennett (AutoITScript)
' for creating a wonderful optimizer tool and to Jeff Stokes (MSFT)
' for creating the original baseline script for Windows 7

' Purpose: The following script will prepare a Windows 8 or Server 2012
' static image for VDI deployment based on MSFT and Citrix recommendations.

' Requirements: Administrative Privileges, Registry backup - Just in case 😉

' // ==============
' // Variables
' // ============== 

' Constants
Const ForReading = 1
Const Disable_Aero = False
Const Disable_BranchCache = False
Const Disable_EFS = False
Const Disable_iSCSI = False
Const Disable_MachPass = False
Const Disable_Search = False

Const Install_NetFX3 = False
Const NetFX3_Source = "D:\Sources\SxS"

' Common objects
Set oShell = WScript.CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oEnv = oShell.Environment("User")

' Command Line Arguments for Some Settings
' Each switch is passed as /Name:True or /Name:False (e.g. cscript optimize.vbs /Aero:True).
' When a switch is present its value wins; otherwise the constant defined above applies.
Set colNamedArguments = WScript.Arguments.Named

Function ArgOrDefault(sName, bDefault)
    If colNamedArguments.Exists(sName) Then
        ' CBool accepts "True"/"False" (and "1"/"0"); anything else raises a type mismatch
        ArgOrDefault = CBool(colNamedArguments.Item(sName))
    Else
        ArgOrDefault = bDefault
    End If
End Function

strAero        = ArgOrDefault("Aero", Disable_Aero)
strBranchCache = ArgOrDefault("BranchCache", Disable_BranchCache)
strEFS         = ArgOrDefault("EFS", Disable_EFS)
striSCSI       = ArgOrDefault("iSCSI", Disable_iSCSI)
strMachPass    = ArgOrDefault("MachPass", Disable_MachPass)
strSearch      = ArgOrDefault("Search", Disable_Search)
strNetFX3      = ArgOrDefault("NetFX3", Install_NetFX3)

' Enable RDP Connections
RunWait "WMIC rdtoggle where AllowTSConnections=0 call SetAllowTSConnections 1,1"
RunWait "netsh advfirewall firewall set rule group=" & Chr(34) & "remote desktop" & Chr(34) & " new enable=Yes"

' // ==================
' // Service Settings
' // ==================

' Disable Application Layer Gateway Service
RunWait "sc config ALG start= disabled"

' Disable Background Intelligent Transfer Service
RunWait "sc config BITS start= disabled"

' Disable Bitlocker Drive Encryption Service
RunWait "sc config BDESVC start= disabled"

' Disable Block Level Backup Engine Service
RunWait "sc config wbengine start= disabled"

' Disable Bluetooth Support Service
RunWait "sc config bthserv start= disabled"

If strBranchCache = True Then
 ' Disable BranchCache Service
 RunWait "sc config PeerDistSvc start= disabled"
 End If

' Disable Computer Browser Service
RunWait "sc config Browser start= disabled"

' Disable Device Association Service
RunWait "sc config DeviceAssociationService start= disabled"

' Disable Device Setup Manager Service
RunWait "sc config DsmSvc start= disabled"

' Disable Diagnostic Policy Services
RunWait "sc config DPS start= disabled"
RunWait "sc config WdiServiceHost start= disabled"
RunWait "sc config WdiSystemHost start= disabled"

' Disable Distributed Link Tracking Client Service
RunWait "sc stop TrkWks"
RunWait "sc config TrkWks start= disabled"

If strEFS = True Then
 ' Disable Encrypting File System Service
 RunWait "sc config EFS start= disabled"
 End If

' Disable Family Safety Service
RunWait "sc config WPCSvc start= disabled"

' Disable Fax Service
RunWait "sc config Fax start= disabled"

' Disable Function Discovery Resource Publication Service
RunWait "sc config FDResPub start= disabled"

' Disable HomeGroup Listener Service
RunWait "sc config HomeGroupListener start= disabled"

' Disable HomeGroup Provider Service
RunWait "sc config HomeGroupProvider start= disabled"

If striSCSI = True Then
 ' Disable Microsoft iSCSI Initiator Service
 RunWait "sc config msiscsi start= disabled"
 End If

' Disable Microsoft Software Shadow Copy Provider Service
RunWait "sc config swprv start= disabled"

' Set Network List Service to Auto
RunWait "sc config netprofm start= auto"

' Disable Offline Files
RunWait "sc config CscService start= disabled"

' Disable Optimize Drives Service
RunWait "schtasks /change /tn ""microsoft\windows\defrag\ScheduledDefrag"" /disable"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\Enable", "N", "REG_SZ"
RunWait "sc config defragsvc start= disabled"

' Disable Secure Socket Tunneling Protocol Service
RunWait "sc config SstpSvc start= disabled"

' Disable Security Center
RunWait "sc config wscsvc start= disabled"

' Disable Sensor Monitoring Service
RunWait "sc config SensrSvc start= disabled"

' Disable Shell Hardware Detection Service
RunWait "sc config ShellHWDetection start= disabled"

' Disable SNMP Trap Service
RunWait "sc config SNMPTRAP start= disabled"

' Disable SSDP Discovery Service
RunWait "sc stop SSDPSRV"
RunWait "sc config SSDPSRV start= disabled"

' Disable SuperFetch
RunWait "sc config SysMain start= disabled"

' Disable Telephony Service
RunWait "sc config TapiSrv start= disabled"

If strAero = True Then
 ' Disable Themes Service
 RunWait "sc config Themes start= disabled"
 End If

' Disable UPnP Device Host Service
RunWait "sc config upnphost start= disabled"

' Disable Volume Shadow Copy Service
RunWait "sc config VSS start= disabled"

' Disable Windows Backup Service
RunWait "sc config SDRSVC start= disabled"

' Disable Windows Color System Service
RunWait "sc config WcsPlugInService start= disabled"

' Disable Windows Connect Now - Config Registrar Service
RunWait "sc config wcncsvc start= disabled"

' Disable Windows Defender Service
RunWait "sc config WinDefend start= disabled"

' Disable Windows Error Reporting Service
RunWait "sc config WerSvc start= disabled"

' Disable Windows Media Player Network Sharing Service
RunWait "sc config WMPNetworkSvc start= disabled"

' Break out Windows Management Instrumentation Service into its own svchost process
RunWait "winmgmt /standalonehost"
RunWait "sc config winmgmt group= ""COM Infrastructure"""

' Disable Windows Search Service
 If strSearch = True Then
 RunWait "sc stop WSearch"
 RunWait "sc config WSearch start= disabled"
 End If

' Disable Windows Updates
RunWait "sc config wuauserv start= disabled"

' Disable WLAN AutoConfig Service
RunWait "sc config Wlansvc start= disabled"

' Disable WWAN AutoConfig Service
RunWait "sc config WwanSvc start= disabled"

' // ================
' // Computer Settings
' // ================

' Disable Hard disk timeouts
RunWait "POWERCFG /SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0"
RunWait "POWERCFG /SETDCVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0"

 ' Disable Action Center
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", &H00000001, "REG_DWORD"

 ' Optimize Processor Resource Scheduling
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation", &H00000026, "REG_DWORD"

 ' Disable TCP/IP / Large Send Offload
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload", &H00000001, "REG_DWORD"

 ' Disable hibernate
RunWait "powercfg -h off"

 ' Disable NTFS Last Access Timestamps
RunWait "FSUTIL behavior set disablelastaccess 1"

 If strMachPass = True Then
 ' Disable Machine Account Password Changes
 oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange", &H00000001, "REG_DWORD"
 End If

 ' Disable memory dumps
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\LogEvent", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\SendAlert", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot", &H00000001, "REG_DWORD"

 ' Disable default system screensaver
oShell.RegWrite "HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive", 0, "REG_DWORD"

 ' Increase service startup timeouts
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServicesPipeTimeout", &H0002bf20, "REG_DWORD"

 ' Increase Disk I/O Timeout to 200 seconds.
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue", &H000000C8, "REG_DWORD"

 ' Disable Other Scheduled Tasks
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\AitAgent"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\ProgramDataUpdater"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Application Experience\StartupAppTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Autochk\Proxy"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Bluetooth\UninstallDeviceTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\BthSQM"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\Consolidator"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\KernelCeipTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\Uploader"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Customer Experience Improvement Program\UsbCeip"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Diagnosis\Scheduled"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Maintenance\WinSAT"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\MobilePC\HotStart"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Power Efficiency Diagnostic\AnalyzeSystem"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\RAC\RacTask"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Ras\MobilityManager"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Registry\RegIdleBackup"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Shell\FamilySafetyMonitor"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Shell\FamilySafetyRefresh"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\AutoWake"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\GadgetManager"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\SessionAgent"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\SideShow\SystemDataProviders"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\UPnP\UPnPHostConfig"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\WDI\ResolutionHost"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Windows Filtering Platform\BfeOnServiceStartTypeChange"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\Windows Media Sharing\UpdateLibrary"" /disable"
RunWait "schtasks /change /tn ""microsoft\windows\WindowsBackup\ConfigNotification"" /disable"

 ' Configure Event Logs to 1028KB (Minimum size under Vista/7) and set retention to "overwrite"
 ' Note: this leaves roughly 1 MB of history per log on the VDA, so an investigation will find
 ' very little locally; forward events to a central collector if you keep this setting.
 Set oEventLogs = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!//./root/cimv2").InstancesOf("Win32_NTEventLogFile")
 For Each e In oEventLogs
     e.MaxFileSize = 1052672
     e.OverWritePolicy = "WhenNeeded"
     e.OverWriteOutdated = 0
     e.Put_    ' commit the changed properties back to WMI
 Next

oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Application\Retention", 0, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Security\Retention", 0, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\System\Retention", 0, "REG_DWORD"

 ' Set PopUp Error Mode to "Neither"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ErrorMode", 2, "REG_DWORD"

 ' Disable bootlog and boot animation
RunWait "bcdedit /set {default} bootlog no"
RunWait "bcdedit /set {default} quietboot yes"

 ' Disable UAC secure desktop prompt
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop", &H00000000, "REG_DWORD"

 ' Disable New Network dialog
RunWait "reg add HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff"

 ' Disable AutoUpdate of drivers from WU
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\searchorderConfig", 0, "REG_DWORD"

 ' Turn off Windows SideShow and install NetFX3
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow\Disabled", 1, "REG_DWORD"
 If strNetFX3 = True Then
 RunWait "dism /online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:" & NetFX3_Source & " /NoRestart"
 End If

' Disable IE First Run Wizard and RSS Feeds
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize", 1, "REG_DWORD"

 ' Disable the ability to clear the paging file during shutdown
oShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\ClearPageFileAtShutdown", 0, "REG_DWORD"

' Disable Internet Explorer Enhanced Security Configuration (ESC) for Administrators and Users
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled", 0, "REG_DWORD"
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled", 0, "REG_DWORD"

' Disables Background Layout Service
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\EnabledAutoLayout", 0, "REG_DWORD"

' Disables CIFS Change Notifications
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteRecursiveEvents", &H00000001, "REG_DWORD"

 ' Disable Data Execution Prevention
 ' Note: nx AlwaysOff removes hardware DEP for every process on the image, a core exploit
 ' mitigation; keep the OS default (OptOut on Server) unless a specific application needs it.
RunWait "bcdedit /set nx AlwaysOff"

 ' Set Power Saving Scheme to High Performance
RunWait "powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" 

 ' Set Recovery Dump to Small
RunWait "wmic recoveros set DebugInfoType = 3" 

 ' Perform a disk cleanup
 ' Automate by creating the reg checks corresponding to "cleanmgr /sageset:100" so we can use "sagerun:100"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Active Setup Temp Folders\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Memory Dump Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Offline Pages Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Old ChkDsk Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations\StateFlags0100", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Setup Log Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error memory dump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error minidump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Upgrade Discarded Files\StateFlags0100", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Upgrade Log Files\StateFlags0100", &H00000002, "REG_DWORD"
RunWait "cleanmgr.exe /sagerun:100"

' // =============
' // User Settings
' // =============

' Reduce menu show delay
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay", "0", "REG_SZ"

 ' Disable cursor blink
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate", "-1", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DisableCursorBlink", &H00000001, "REG_DWORD"

 ' Force off-screen composition in IE
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Force Offscreen Composition", &H00000001, "REG_DWORD"

 ' Disable screensavers
oShell.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"

 ' Don't show window contents when dragging
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DragFullWindows", "0", "REG_SZ"

 ' Don't show window minimize/maximize animations
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\MinAnimate", "0", "REG_SZ"

 ' Disable font smoothing
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\FontSmoothing", "0", "REG_SZ"

 ' Disable most other visual effects
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\VisualFXSetting", &H00000003, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarAnimations", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow", &H00000000, "REG_DWORD"
RegBinWrite "HKEY_CURRENT_USER\Control Panel\Desktop", "UserPreferencesMask", "90,12,01,80"

 ' Disable Action Center
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", &H00000001, "REG_DWORD"

 ' Disable IE Persistent Cache
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent", 0, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Feeds\SyncStatus", 0, "REG_DWORD"

 ' Done

' // ================
' // Functions
' // ================

Function Run(sFile)
 Run = oShell.Run(sFile, 1, False)
 End Function

 Function RunWait(sFile)
 RunWait = oShell.Run(sFile, 1, True)
 End Function

 Function RunWaitHidden(sFile)
 RunWaitHidden = oShell.Run(sFile, 0, True)
 End Function

Function IsServer()
    IsServer = False
    On Error Resume Next
    For Each objOS In GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
        ' ProductType: 1 = workstation, 2 = domain controller, 3 = server
        If objOS.ProductType = 1 Then IsServer = False
        If objOS.ProductType = 2 Or objOS.ProductType = 3 Then IsServer = True
    Next
End Function

Sub RegBinWrite(key, value, data)
    ' Writes a REG_BINARY value by generating a .reg file and importing it silently with regedit
    key = "[" & key & "]"

    If value <> "@" Then
        value = Chr(34) & value & Chr(34)
    End If

    valString = value & "=" & "hex:" & data

    tempFile = GetTEMPDir() & "\regbinaryimport.reg"
    Set txtStream = oFSO.CreateTextFile(tempFile, True)
    txtStream.WriteLine "Windows Registry Editor Version 5.00"
    txtStream.WriteLine ""
    txtStream.WriteLine key
    txtStream.WriteLine valString
    txtStream.Close

    oShell.Run "regedit.exe /s """ & tempFile & """", 1, True

    oFSO.DeleteFile tempFile
End Sub

Function GetTEMPDir()
    GetTEMPDir = oEnv("TEMP")
    If InStr(GetTEMPDir, "%") Then
        GetTEMPDir = oShell.ExpandEnvironmentStrings(GetTEMPDir)
    End If
End Function
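Several of the changes above are security trade-offs rather than pure optimisations: DEP is switched off, Windows Defender, Windows Update, Security Center and BitLocker are disabled, UAC prompts leave the secure desktop, and every event log is capped at about 1 MB. The following read-only audit, an added example that is not part of the script or its authors' work, reports those settings on an image so they can be reviewed against the hardening baseline before the image is sealed. It assumes Windows PowerShell 4 or later in an elevated session (bcdedit needs it); the check list and impact wording are mine.

```powershell
# Added example (not from the optimisation script or its authors): read-only audit of
# a VDI image for the security-relevant changes the script makes. Run elevated.

function Get-ServiceStartMode([string]$Name) {
    # StartMode comes from WMI ('Auto', 'Manual', 'Disabled'); 'NotInstalled' if absent
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($svc) { $svc.StartMode } else { 'NotInstalled' }
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-VdiImageSecurity {
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding($Check, $Observed, $Impact) {
        $findings.Add([pscustomobject]@{ Check = $Check; Observed = $Observed; Impact = $Impact })
    }

    # 1. DEP: the script runs 'bcdedit /set nx AlwaysOff'
    $nxLine = bcdedit /enum '{current}' 2>$null |
        Where-Object { $_ -match '^\s*nx\s+(\S+)' } | Select-Object -First 1
    $nx = if ($nxLine -match '^\s*nx\s+(\S+)') { $Matches[1] } else { 'not set (OS default)' }
    if ($nx -eq 'AlwaysOff') {
        Add-Finding 'DEP (bcdedit nx)' $nx 'Hardware DEP is off for every process; a core exploit mitigation is lost'
    }

    # 2. Services the script disables that a security baseline normally relies on
    $watched = @{
        WinDefend = 'No anti-malware engine on the image unless another product replaces it'
        wuauserv  = 'The image receives no patches except by rebuilding it'
        wscsvc    = 'Security Center cannot report anti-malware or firewall state'
        BDESVC    = 'BitLocker cannot be managed on this image'
    }
    foreach ($name in $watched.Keys) {
        $mode = Get-ServiceStartMode $name
        if ($mode -eq 'Disabled') { Add-Finding "Service $name" $mode $watched[$name] }
    }

    # 3. Registry values the script writes that weaken UAC, account hygiene or forensics
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'PromptOnSecureDesktop'; Bad = 0
           Impact = 'UAC prompts are no longer isolated from user-mode programs' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name = 'DisablePasswordChange'; Bad = 1
           Impact = 'The machine account password never rotates' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
           Name = 'CrashDumpEnabled'; Bad = 0
           Impact = 'No memory dump is available for crash or incident analysis' }
    )
    foreach ($c in $regChecks) {
        $v = Get-RegValue $c.Path $c.Name
        if ($null -ne $v -and $v -eq $c.Bad) { Add-Finding $c.Name $v $c.Impact }
    }

    # 4. Event log capacity: the script caps every log at 1052672 bytes with overwrite
    foreach ($log in 'Application', 'Security', 'System') {
        $l = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        if ($l -and $l.MaximumSizeInBytes -le 1052672) {
            Add-Finding "EventLog $log size" $l.MaximumSizeInBytes 'Roughly 1 MB of history on the VDA; forward events to a collector or raise the size'
        }
    }

    return $findings
}

Test-VdiImageSecurity | Format-Table -AutoSize -Wrap
```

An empty table means none of the audited settings are in the weakened state; each row names the setting, its observed value and why it matters, which is what a change-approval for a golden image needs. Where a finding is accepted (for example Defender replaced by the SCCM Endpoint Protection client), record it against the baseline rather than deleting the check.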



  • Superfetch
  • Themes
  • Windows Audio
  • Windows Audio Endpoint Builder
  • Google Update Service
  • Window Search
  • Internet Connection Sharing
  • Media Center Extender Service
  • Routing and Remote Access
  • Adobe Flash Player Update Service
  • Fax

Complexity of Application Presentation/Streaming and Distribution

I wanted to highlight and explain the complexity of designing Application Deployment and Management for Windows Desktops and VDI environments in a single diagram.


(oops, I mean Microsoft 🙂)

Update 02/04/16: Adding a few Application Deployment Options

  • Click Once Applications
  • Container Applications (AppZero)
  • Application Layer (e.g. Citrix AppDisk.)

There are so many options for Application Deployment; they are all very complex and architecturally different, and each affects the user's interaction with the application.

You can also combine these application deployment and management technologies, for example Citrix XenApp + App-V + SCCM.

The core problem is usability: when you design such complex solutions, it is almost impossible to guarantee the same level of usability as a locally installed application, which is what the end user expects (examples of usability: copy/paste, print, content sharing, etc.).

Combining this with the complexity of User State and profile management options, it is no wonder many VDI projects fail and cause major frustrations for end users.

The key is to provide the same user functionality as a locally installed application when using different technologies to deliver and manage applications and user environments. (Click here to find out how to solve this problem.)

Overview of Application Deployment and Management options

  • Citrix XenApp Published Application (HDX Stream) + FlexCast Models
  • Citrix VDI-in-a-BOX
  • VMware ThinApp
  • Microsoft RemoteApp (RDS Stream)
  • App-V Application
  • App-V and SCCM (App-V Local Interaction feature, Virtual Environment and Connection Groups)
  • Application Deployment (Kace, LanDesk, Altris, SCCM)
  • Locally Installed Application

[Update 07.11.2014] – I saw information on Cloudvolumes.com when it was released, but they didn't release any information until VMware acquired them. I think this is the future of Application Deployment – VMware AppVolumes. This essentially can solve this complexity, although how it handles upgrades, conflicts, etc. needs to be tested. I can't wait for Microsoft to come up with a similar solution.

Since writing this article and doing some more research on VMWare AppVolumes and UniDesk., could solve the problem of delivering applications and maintaining Microsoft and Application updates.

User State Profile Management

  • Microsoft UE-V
  • Citrix Profile Management
  • AppSense Profile Management
  • MANProfiles, FlexKit, Folder Redirection, etc.
  • Citrix Personal vDisk

User/Application Interactions

  • Copy/Paste
  • Print
  • Application Content Sharing
  • mailto: and hyperlinks, etc.
  • File Sharing
  • Application Plug-ins

FlexCast Models

  1. Hosted VDI – Assigned VDI Server OS (Windows Experience) (Persistent)
  2. Hosted Shared – Pooled VDI Server OS (Windows Experience) (Non-persistent)
  3. Streamed Desktops
  4. Hosted Blade PCs (VDI)
  5. Hosted VM-Based Desktops (VDI)
  6. Shared Published Desktop
  7. Remote PC

And of course Persistent vs Non-Persistent Desktops, Pooled vs Static, etc. add to the complication, and that is another topic.

I thought this was a relevant diagram on the subject.


Be careful Will Robinson, most Citrix pre-sales gurus don’t understand this complexity. (yeah, you!)

But don’t worry, I am building a DaaS platform to solve all of this.

Alternative Application Deployment options in order of preference:

  1. UniDesk
  2. Microsoft App-V
  3. AppZero
  4. FsLogix
  5. VMware AppVolumes
  6. Microsoft Docker (Beta only)
  7. VMware ThinApp
  8. AppDNA

Organizations with growing VDI environments find the tools used to deliver applications and updates to physical computers create significant issues when used for VDI. This research compares alternative approaches to software delivery to help organizations make the best choice for their environment.

So, now that we understand the issues, how do we solve the problem? Here is the technology that is absolutely required for any VDI deployment.

DaaS Build Phase

  1. Setup ProLiant Server
  2. Install XenServer
    1. Setup XenServer GUI Appliance and configure it to autostart
    2. Setup an Autostart vApp
      Create an Autostart vApp and add the VMs.
      Get the uuid of the vApp: xe appliance-list name-label="autostart"
      Edit rc.local so the vApp is started at boot:
      echo "xe appliance-start uuid=869aabc7-5b30-b0bf-79cf-ca5acbb162be" >> /etc/rc.local
      Mark the VM to auto power on:
      xe vm-param-set uuid=29025d12-5148-9ed3-9e21-78c1fc35a44a other-config:auto_poweron=true
  3. Create Windows 2012 R2 Datacenter Template
  4. Install DC
  5. Install Management Server
  6. Install SQL Server in HA
  7. Install KMS and activate
    1. Install Windows Activation Tool
  8. Install Citrix Server
  9. Install Citrix License Server
  10. Install RDS Licenses
    1. Install RDS License Role
    2. Run RD Licensing Manager
    3. Activate Server Wizard
    4. Install Licenses / Service Provider License Agreement / Windows 2012 / RDS Per User CAL
    5. Use Corporate Enrolment Number
    6. Setup RDS License GPO – Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

  11. Install SQL Server 2012
  12. Build SCCM
    1. ConfigMgr 2012 R2 Prerequisites Installation Tool 1.3.0
    2. Install SQL Server 2012 SP2 on the same server as SCCM, as SQL is free. SQLConfiguration.ini
    3. Prerequisites
      1. Server accounts must be in the local Administrators group
      2. Create a SQLAdmin group and add it as the SQL administrators
    4. Check prerequisites – start E:\SMSSETUP\BIN\X64\prereqchk.exe /LOCAL
    5. Test schema extension – .\ADSchemaExtensionConflictAnalyzer.ps1 -inputfile E:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf -outputfile results.ldf
    6. Install WSUS via Windows Features
    7. Extend schema *.ldf / \SMSSETUP\BIN\X64\extadsch.exe
    8. Now that the AD schema has been extended, AD must be configured to allow each ConfigMgr site security rights to publish in each of their domains.
    9. Create the System Manager container and give the SCCM computer object full permissions
      1. dsa.msc
      2. View > Advanced Features
      3. Create a new container under System called System Manager
      4. Create a group, add all SCCM computer names to it, and give it Full Permissions on this container
      5. Select Advanced, select this group, Edit, and Allow / This object and all descendant objects (Select All)
    10. Server Roles
      1. .NET Framework 4.0
      2. Windows Server Features:
      3. .NET Framework 3.5.1 Features
      4. .NET Framework 3.5.1
      5. Background Intelligent Transfer Service (BITS)
      6. Add Required Role Services
      7. Remote Differential Compression
      8. Windows Role Services
      9. Web Server
      10. Common HTTP Features
      11. WebDAV Publishing
      12. Application Development
      13. ASP.NET
      14. “Add Required Role Services”
      15. ASP
      16. Security
      17. Windows Authentication
      18. Management Tools
      19. IIS 6 WMI Compatibility
    11. Install Remote Differential Compression – Install-WindowsFeature RDC
    12. Change the SQL Server (MSSQLSERVER) service logon to a domain service account
    13. Install BITS – Install-WindowsFeature BITS
    14. Create a Firewall Group Policy and allow inbound rules for the SQL replication ports 1433 and 4022
    15. Install Windows ADK for Windows 8.1
    16. NOT installed – In Server Manager select Features, Add Features, select .NET Framework 3.5, also select WCF Activation and when prompted answer Add Required Role Services, then click Next and Next again. (Make sure the BITS and IIS services are running/restart after install.)
    17. Not installed – Set SQL Server Properties/General/Server Collation/SQL_Latin1_General_CP1_CI_AS
    18. Not installed – Enable BITS
    19. Download prerequisites – SMSSETUP\BIN\X64\SetupDL.exe <target dir>
    20. Add the SCCM server domain computer account to the local Administrators group of the SQL Server
    21. Setup SQL Properties/Memory/ 50% of the maximum memory and set MIN and MAX to the same (static) value
    22. Add IIS 6 Management Compatibility role
    23. IIS Configuration
      1. IIS \ Server \ Authentication \ Windows Authentication – Enable
      2. IIS \ Sites \ Default Web Site \ Add Authoring Rule – All content | All Users | Read | Local
      3. IIS \ Sites \ Default Web Site \ WebDAV Settings ????
    24. Reporting Services Configuration ???
    25. Change Server Collation to SQL_Latin1_General_CP1_CI_AS (run CMD as Administrator)
      1. Reattach existing database
    26. Reference:
    27. Checklist for Required Post Setup Configuration Tasks
      1. Checklist for Required Post Setup Configuration Tasks
      2. Configure Sites and the Hierarchy in Configuration Manager
      3. System Center Updates Publisher 2011 – Install
      4. Clients for additional OS
      5. Install SP1
      6. Install App-V Integration and Clients
      7. Install Update Publisher
      8. Install WSUS
      9. Setup download schedule
      10. Desired Configuration Management (DCM)
      11. OSD + Integration with the Microsoft Deployment Toolkit (MDT)
      12. Configure Application Packages
      13. Tools
        1. Install Right Click Tools
        2. Client Center for Configuration Manager
        3. Install System Center 2012 R2 Configuration Manager Toolkit
        4. Install System Center 2012 Configuration Manager Support Center
        5. Configuration Manager Trace Log Tool
        6. Install System Center Dashboard
        7. Microsoft SQL Report Builder
  13. Install App-V Standalone
    1. Setup Citrix Integration
    2. Components
      1. App-V Report Server
        1. Run the installer and install the Reporting Services on the SQL Server.
      2. App-V Management Server
        1. Download the Microsoft Desktop Optimisation Pack software – E:\App-V\Installers\5.0\Server
        2. Prerequisites
        3. Install Silverlight on the Management Server
        4. Install the Web Server (IIS) role on the Management Server
        5. Install the Application Server role and .NET 3.5
      3. App-V Sequencer Server
      4. SQL Server
      5. Client
  14. Build App-V and App-V Sequencer
    1. Install App-V Remote Application Packager
  15. Build XenApp RDS Host Template Server
  16. Configure KMS licenses for RDS and OSs
    1. Install Volume Activation Management Tool
    2. Activate
    3. Setup DNS for KMS
  17. Configure Citrix License Server + Citrix Licenses
  18. Setup a Windows 8.1 and Windows 2012 OSD
    1. Setup an isolated PXE boot environment and DHCP config
  19. MED-V
  20. MDOP
  21. Microsoft Assessment and Deployment Kit
  22. Citrix Profile Server
  23. Setup IPAM
  24. Test Federated Access
  25. Monitoring
    1. Setup Puppet Server
    2. Setup Nessus
    3. Setup Splunk Server
    4. Setup Wireshark
    5. OpenVMS
    6. Snort
    7. Wireshark
    8. HP Insight Manager for Linux
    9. HP Version Control Repository Manager (VCRM)
    10. HP Service Pack for ProLiant (SPP) Version 2014.02.0
    11. HP Supplement
    12. ManageEngine Free Monitoring
    13. Install Microsoft Best Practice Analyser
    14. Install Microsoft Software Inventory Analyser (MSIA) and Asset Inventory Service
    15. Microsoft Baseline Security Analyser
    16. Citrix License Reporting Tool
    17. Deploy Remote Server Administration Tools on Management Server
    18. Install Windows PowerShell Web Access on Management Server
    19. Windows Assessment Services
    20. Best Practice Analysers
  26. XenServer Backup
  27. PKI Infrastructure
  28. XenServer Orchestra
  29. GPO Configurations
    1. Windows Defender and Active Protection Services
    2. Configure Desktop Experience in Windows Server 2012 R2
  30. Setup PVS Server
    1. Configure BSMh
  31. Setup Sophos Virus Protection
    1. Update exclusions for Citrix, SQL, Clustering
    2. Install Microsoft Malicious Software Removal Tool
    3. Microsoft Safety Scanner
  32. Setup Management Server
    1. Windows Server Essentials Experience
    2. User Access Logging
    3. Windows Inventory Logging
    4. Windows System Resource Manager
    5. Configure Print Servers
    6. Application Server
    7. Setup Desktop Template
  33. Windows Desktop Experience Configuration
    1. Adds the Desktop Experience and XPS Viewer features to the Windows Server configuration
    2. Moves the Citrix folder items in the Start menu to the Administrative Tools folder (including the Citrix AppCenter)
    3. Creates a new Windows Theme file and sets the default wallpaper
    4. Starts the Windows Themes service and configures it to start automatically
  34. Configure Citrix CloudPortal and vWorkspaces
    1. Billing System
    2. Self-Service Website
    3. ManageEngine Self-Service
  35. Setup Puppet and Desired State Manager
    1. Setup Desired State Pull/Push
  36. Active Directory
    1. Enable Active Directory Recycle Bin
    2. Setup GPO Backup and System State
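The RDS licensing GPO step (the last sub-step of Install RDS Licenses) sets two policy values on every session host. The PowerShell below is an added example, not code from the original post or from Microsoft: it writes the same two values into the local policy key of one session host (the GPO path in the list is the domain-wide way to do the same thing) and reads back what the host reports as its effective licensing configuration. The license server name is a placeholder.

```powershell
# Added example, not from the original post. Local-policy equivalent of the two settings
# under Remote Desktop Session Host\Licensing, followed by a readback from the session
# host's own configuration class. Assumption: RDSLIC01.corp.example is a placeholder.
$licenseServer = 'RDSLIC01.corp.example'   # hypothetical RDS license server
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$perUser       = 4   # LicensingMode: 2 = Per Device, 4 = Per User (the CAL type in the build list)

# Same registry values the two GPO settings write:
#   "Use the specified Remote Desktop license servers" -> LicenseServers (REG_SZ)
#   "Set the Remote Desktop licensing mode"            -> LicensingMode  (REG_DWORD)
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'LicenseServers' -Value $licenseServer -Type String
Set-ItemProperty -Path $policyKey -Name 'LicensingMode'  -Value $perUser       -Type DWord

# The Remote Desktop Services service reads these at start-up, so reboot the template
# host (or restart TermService on a host with no sessions) before trusting the readback.
# Win32_TerminalServiceSetting also reports whether each value is policy-controlled,
# which is the check that tells you the GPO actually won over any local setting.
$ts      = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting
$servers = ($ts.GetSpecifiedLicenseServerList()).SpecifiedLSList
[pscustomobject]@{
    LicensingType           = $ts.LicensingType                        # expect 4 (Per User)
    LicensingTypeFromPolicy = $ts.PolicySourceLicensingType            # expect $true
    LicenseServers          = ($servers -join ',')                      # expect the license server above
    ServersFromPolicy       = $ts.PolicySourceConfiguredLicenseServers # expect $true
}
```

When the GPO from the build list is in place, the two PolicySource values report $true on every session host; a host that reports $false has either not applied the GPO or sits outside its scope.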
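The "Create System Manager container" sub-steps under Build SCCM are a dsa.msc walkthrough. As an added example (not from the original post, and not Microsoft's script), here is the same result in PowerShell with the ActiveDirectory module: create the container, put the site-server computer accounts in a group, and grant that group Full Control on the container and all descendant objects. ConfigMgr publishes to a container named exactly "System Management" under CN=System, so the example uses that name. The group and computer names are placeholders.

```powershell
# Added example, not from the original post. Creates the ConfigMgr publishing container
# and grants one group of site-server computer accounts Full Control on it and its
# descendants, the ACE the dsa.msc steps set by hand. Safe to re-run.
# Assumptions (placeholders): group 'SCCM Site Servers', computer 'SCCM01'.
Import-Module ActiveDirectory

$groupName   = 'SCCM Site Servers'             # hypothetical group for the site servers
$siteServers = @('SCCM01')                     # hypothetical site server computer names
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"   # the name ConfigMgr looks for

# 1. A group rather than individual computer ACEs: adding a site server later is a
#    group membership change, not another hand edit of the container ACL.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
}
$current = (Get-ADGroupMember -Identity $groupName).SamAccountName
foreach ($name in $siteServers) {
    $computer = Get-ADComputer -Identity $name
    if ($current -notcontains $computer.SamAccountName) {
        Add-ADGroupMember -Identity $groupName -Members $computer
    }
}

# 2. The container, created only if it is missing
$exists = Get-ADObject -Filter "Name -eq 'System Management'" -SearchBase $systemDN -SearchScope OneLevel
if (-not $exists) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 3. One ACE: Full Control (GenericAll), "This object and all descendant objects"
$group = Get-ADGroup -Identity $groupName
$acl   = Get-Acl -Path "AD:\$containerDN"
$ace   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 4. Verify: the only explicit GenericAll grant on the container should be this group
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

The site servers have to be restarted after they are added to the group, because a computer's Kerberos ticket only picks up the new membership at logon; until then setup cannot publish even though the ACL is correct. Granting the container to this group rather than to Domain Computers keeps every other machine account out of it.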
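The Server Roles list under Build SCCM and the "Setup Puppet and Desired State Manager" step both come down to a role set that has to stay present on the site server. This added example (not from the original post) expresses that role set as a PowerShell Desired State Configuration using only the built-in WindowsFeature resource, so the same script installs the roles on a new build and later reports drift. The node name, the .NET 3.5 source path and the output folder are placeholders.

```powershell
# Added example, not from the original post: DSC configuration for the role set listed
# under "Build SCCM -> Server Roles" (.NET 3.5/4.5, WCF activation, BITS, RDC and the
# IIS role services). Assumptions (placeholders): node SCCM01, .NET 3.5 source
# D:\sources\sxs, MOF output under C:\DSC. Built-in WindowsFeature resource only.
Configuration SccmSiteServerRoles {
    param(
        [string]$NodeName  = 'SCCM01',          # hypothetical site server
        [string]$SxsSource = 'D:\sources\sxs'   # install media; 2012 R2 ships without the .NET 3.5 payload
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        WindowsFeature NetFx35 { Name = 'NET-Framework-Core';        Ensure = 'Present'; Source = $SxsSource }
        WindowsFeature NetFx45 { Name = 'NET-Framework-45-Core';     Ensure = 'Present' }
        WindowsFeature WcfHttp { Name = 'NET-WCF-HTTP-Activation45'; Ensure = 'Present'; DependsOn = '[WindowsFeature]NetFx45' }
        WindowsFeature Bits    { Name = 'BITS';                      Ensure = 'Present' }
        WindowsFeature Rdc     { Name = 'RDC';                       Ensure = 'Present' }

        # Web Server role services from the list, by their Install-WindowsFeature names:
        # Common HTTP, WebDAV Publishing, ASP.NET (3.5 and 4.5), ASP, Security / Windows
        # Authentication, Management Tools, IIS 6 Management Compatibility incl. WMI and Metabase
        $web = 'Web-Server', 'Web-Common-Http', 'Web-DAV-Publishing', 'Web-App-Dev',
               'Web-Asp-Net', 'Web-Asp-Net45', 'Web-ASP', 'Web-Security', 'Web-Windows-Auth',
               'Web-Mgmt-Tools', 'Web-Mgmt-Compat', 'Web-WMI', 'Web-Metabase'
        foreach ($f in $web) {
            WindowsFeature $f { Name = $f; Ensure = 'Present'; DependsOn = '[WindowsFeature]NetFx35' }
        }
    }
}

# Compile to MOF and push it; -Wait -Verbose shows each feature being tested and set
SccmSiteServerRoles -OutputPath 'C:\DSC\SccmSiteServerRoles' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\SccmSiteServerRoles' -Wait -Verbose -Force

# Re-run later (or from a scheduled job) to detect drift without changing anything:
# returns $true only while every declared feature is still present
Test-DscConfiguration -Verbose
```

This is the push form. For the pull model named in the "Setup Desired State Pull/Push" step the same MOF is placed on a pull server and each node's Local Configuration Manager is pointed at it with Set-DscLocalConfigurationManager; the declaration itself does not change.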
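For the "Create a Firewall Group Policy" step (SQL ports 1433 and 4022), the point worth checking is the remote-address scope: a rule that allows those ports from any address exposes the site database to every host in the domain profile. This added example (not from the original post) creates the two inbound rules inside a GPO, limited to the addresses of the servers that need them, and then lists what the GPO actually contains. Domain name, GPO name, OU and addresses are placeholders.

```powershell
# Added example, not from the original post: inbound rules for the site database's SQL
# ports (TCP 1433 and 4022 from the build list), restricted to named source addresses.
# Assumptions (placeholders): domain corp.example, GPO 'SCCM SQL Firewall' linked to the
# OU holding the SQL host, site/management servers at 10.0.0.20 and 10.0.0.21.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain      = 'corp.example'                        # hypothetical
$gpoName     = 'SCCM SQL Firewall'                   # hypothetical
$targetOu    = 'OU=SQL Servers,DC=corp,DC=example'   # hypothetical
$allowedFrom = @('10.0.0.20', '10.0.0.21')           # hypothetical servers that may reach SQL
$store       = "$domain\$gpoName"                    # -PolicyStore form: Domain\GPOName

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $targetOu | Out-Null
}

$rules = @(
    @{ Name = 'SQL Server - ConfigMgr site DB (TCP 1433)'; Port = 1433 },
    @{ Name = 'SQL Service Broker - ConfigMgr (TCP 4022)'; Port = 4022 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -PolicyStore $store -ErrorAction SilentlyContinue)) {
        # Domain profile only, and never 'Any' as the remote address
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $allowedFrom -Profile Domain `
            -PolicyStore $store | Out-Null
    }
}

# Verify what the GPO holds: each rule should show the allowed hosts, not 'Any'
Get-NetFirewallRule -PolicyStore $store | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = $port.LocalPort
        RemoteAddress = ($addr.RemoteAddress -join ',')
        Enabled       = $_.Enabled
    }
}
```

After the SQL host has refreshed policy, Test-NetConnection -ComputerName <sql host> -Port 1433 from one of the allowed servers should succeed and the same test from any other domain member should fail; the second result is the one that confirms the scope is doing its job.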
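The two Active Directory sub-steps at the end of the list (Recycle Bin, GPO backup and system state) as an added PowerShell example that is not from the original post: it checks the forest before enabling the Recycle Bin (which is forest-wide and cannot be turned off again), backs up every GPO into a dated folder with a manifest, and takes a system-state backup of the DC. The backup paths are placeholders.

```powershell
# Added example, not from the original post: the "Active Directory" steps of the build
# list, written so they can be re-run safely. Assumptions (placeholders): GPO backups
# under D:\Backups\GPO, system-state target volume E:.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Recycle Bin: forest-wide, irreversible, needs forest functional level 2008 R2 or higher
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in forest $($forest.Name)"
} elseif ([int]$forest.ForestMode -lt 4) {      # 4 = Windows2008R2Forest
    throw "Forest functional level $($forest.ForestMode) is below Windows2008R2Forest; raise it first"
} else {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 2. GPO backup into a dated folder, plus a manifest so a restore can pick the right version
$backupRoot = 'D:\Backups\GPO'                                   # hypothetical
$dest       = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$backups = Backup-GPO -All -Path $dest -Comment "Build-phase baseline $(Get-Date -Format s)"
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Host "$($backups.Count) GPOs backed up to $dest"

# 3. System state of the DC (Windows Server Backup feature). Keep the target off the DC
#    itself; this is what makes a bad-GPO or deleted-object day recoverable.
$systemStateTarget = 'E:'                                        # hypothetical
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Install-WindowsFeature Windows-Server-Backup | Out-Null
}
wbadmin start systemstatebackup "-backupTarget:$systemStateTarget" -quiet
```

A single GPO is restored from such a folder with Restore-GPO -Name <display name> -Path <backup folder>; the manifest is what tells you which dated folder holds the version you want.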