Installing Applications on RDS/XenApp

Install Mode

  • Elevated (admin token) CMD >  change user /install

Execute Mode

  • Elevated (admin token) CMD >  change user /execute

Notes:

  1. change user /query reports the current mode.
  2. A reboot resets the host to execute mode.
  3. Install mode captures the per-user application settings (registry, INI files etc.) written during the install so they can be propagated to each user's session in execute mode.
  4. Applications like antivirus, the VDA, the PVS Target Device software etc. do not require install mode.
  5. General rule: use install mode for every application you intend to publish.
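The procedure above as one script, added here as an example (not from the original post): it refuses an unsigned package, switches the session host into install mode, runs the installer silently and always drops back to execute mode. It assumes an elevated PowerShell session on the RDS/XenApp host; $MsiPath is a placeholder.

```powershell
# Added example: wrap a silent MSI install in "change user /install" / "change user /execute".
# Assumes an elevated PowerShell session on an RD Session Host; the MSI path is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$MsiPath
)

$change = "$env:windir\System32\change.exe"

function Get-RdsUserMode {
    # "change user /query" reports e.g. "Application EXECUTE mode is enabled."
    $text = (& $change user /query 2>&1) -join ' '
    if ($text -match 'INSTALL') { return 'Install' }
    if ($text -match 'EXECUTE') { return 'Execute' }
    return 'Unknown'
}

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Supply-chain check before anything touches the shared image: only install signed, untampered packages
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: Authenticode status for $MsiPath is $($sig.Status)"
}

& $change user /install | Out-Null
if ((Get-RdsUserMode) -ne 'Install') {
    throw 'Could not enter install mode (run from an elevated prompt on an RD Session Host).'
}
try {
    # 0 = success, 3010 = success but a reboot is required (which also resets execute mode, see note 2)
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec exited with $($proc.ExitCode)"
    }
}
finally {
    # Whatever happened above, leave the host in execute mode for users
    & $change user /execute | Out-Null
}
Write-Host ("Install finished; host is now in {0} mode" -f (Get-RdsUserMode))
```

Run it as `.\Install-RdsApp.ps1 -MsiPath C:\Packages\app.msi`; the finally block is what keeps a failed installer from leaving the host stuck in install mode.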

Citrix FMA Maintenance Mode difference between Server OS and Desktop OS

User connectivity is affected as follows when in maintenance mode:
With Server OS machines, users can connect to existing sessions but cannot start new sessions.
With Desktop OS and Remote PC Access machines, users cannot connect or reconnect once the machine is in maintenance mode. If they are already connected, then they stay connected until they next disconnect or log off.
Machines are available for user connections when you take them out of maintenance mode.
 
ref: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-5/cds-manage-delivery-groups-wrapper/cds-put-desktop-into-maintenance-mode-rho.html
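The behaviour described above is what decides how a machine is drained before maintenance. The following is an added example (not from the Citrix documentation cited above) using the 7.x Broker PowerShell snap-in: it flags the machine, then waits for sessions to drain on a Server OS machine, where existing sessions keep running, and simply reports the remaining user on a Desktop OS machine. It assumes it runs where the Citrix snap-ins are installed (e.g. a Delivery Controller) under a Citrix administrator account; DOMAIN\XA01 is a placeholder.

```powershell
# Added example: put one machine into maintenance mode and drain it according to its OS type.
# Assumes the Citrix 7.x PowerShell snap-ins and a Citrix admin account; the machine name is a placeholder.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$machineName = 'DOMAIN\XA01'

$machine = Get-BrokerMachine -MachineName $machineName -ErrorAction Stop
Set-BrokerMachine -MachineName $machineName -InMaintenanceMode $true

if ($machine.SessionSupport -eq 'MultiSession') {
    # Server OS: no new logons are brokered, but existing sessions carry on; poll until they are gone
    do {
        $sessions = @(Get-BrokerSession -MachineName $machineName)
        Write-Host ("{0}: {1} session(s) still connected" -f $machineName, $sessions.Count)
        if ($sessions.Count -gt 0) { Start-Sleep -Seconds 60 }
    } while ($sessions.Count -gt 0)
}
else {
    # Desktop OS / Remote PC Access: connects and reconnects are refused immediately;
    # an already-connected user keeps the session until disconnect or logoff
    Get-BrokerSession -MachineName $machineName | Select-Object UserName, SessionState, StartTime
}

# Confirm the flag before patching; clear it afterwards with -InMaintenanceMode $false to return the machine to service
(Get-BrokerMachine -MachineName $machineName).InMaintenanceMode
```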

Things to consider when decommissioning Citrix XenApp/XenDesktop Site (Controllers)

  1. Make sure those controllers are not used as Secure Ticket Authority (STA) servers on the NetScaler Gateway; if they are, replace those IPs with the new controller IPs. The same goes for the Web Interface gateway configuration. This is very important, otherwise you will break remote access.
  2. Shut down and remove the Virtual Machines from Citrix Studio.
  3. Uninstall the Director instances that point to this site.
  4. Clean up the configuration of these controllers from Web Interface or StoreFront.
  5. Generate usage reports if needed through the OData API.
  6. Shut down the controllers.
  7. Take the database offline.
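Step 5 as an added example (not from the original post): export 90 days of session records from the Monitor Service OData feed before the controllers go away. It assumes a 7.x site, a controller reachable as ddc01.example.local (placeholder), Windows-authenticated access for a Citrix administrator, the v2 Data endpoint path that Director documents, and that the Sessions entity exposes the columns selected at the end; the response handling covers both the verbose JSON shape (results under "d") and the lighter "value" shape.

```powershell
# Added example: page through the Monitor Service OData Sessions feed and export it to CSV.
# Assumes a 7.x controller (placeholder name) and Windows-auth access for a Citrix admin.
$controller = 'ddc01.example.local'
$since = (Get-Date).AddDays(-90).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
$uri = "http://$controller/Citrix/Monitor/OData/v2/Data/Sessions?`$filter=StartDate ge datetime'$since'"

$rows = New-Object System.Collections.ArrayList
do {
    # Ask for JSON instead of the default Atom feed
    $page = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -Headers @{ Accept = 'application/json;odata=verbose' }

    # Verbose JSON: { d: { results: [...], __next: '...' } }; light JSON: { value: [...], 'odata.nextLink': '...' }
    $items = if ($page.d.results) { $page.d.results } elseif ($page.value) { $page.value } else { $page.d }
    foreach ($item in $items) { [void]$rows.Add($item) }

    # Server-side paging link; $null on the last page ends the loop
    $uri = if ($page.d.__next) { $page.d.__next } else { $page.'odata.nextLink' }
} while ($uri)

$out = ".\sessions-$controller-$(Get-Date -Format yyyyMMdd).csv"
$rows |
    Select-Object SessionKey, UserId, MachineId, StartDate, EndDate, LogOnDuration |
    Export-Csv -Path $out -NoTypeInformation
"Exported $($rows.Count) sessions to $out"
```

Do this while the database is still online (it is the source of the feed); once step 7 is done the data is only reachable by restoring the database.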

Netscaler: Block Outlook Anywhere for external users

Responder Policy

Action: Reset
Expression: http.req.url.path.CONTAINS("rpc") && client.IP.SRC.IN_SUBNET(10.200.0.0/16).NOT
Bind it to the Exchange load balancing vServer. This resets any request whose path contains "rpc" (the Exchange IIS "Rpc" virtual directory used by Outlook Anywhere) when the source address is outside 10.200.0.0/16.
Caveat: NetScaler string operations are case-sensitive by default while IIS paths are not, so a request for /RPC/rpcproxy.dll would not match CONTAINS("rpc"); put SET_TEXT_MODE(IGNORECASE) in front of the match. CLIENT.IP.SRC is only meaningful if the vServer sees the real client address rather than that of an upstream proxy.
You can also go a little beyond and create a pattern set (e.g. exch_ps) containing

  1. owa
  2. rpc

and use the pattern set in the Responder expression:
http.req.url.path.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY("exch_ps") && client.IP.SRC.IN_SUBNET(10.200.0.0/16).NOT
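The same block as a complete NetScaler CLI configuration, added here as an example (not from the original post), with the case-sensitive form kept next to the corrected one. The object names (exch_ps, rsp_block_ext_outlook_anywhere, lb_vs_exchange) are placeholders; the lines starting with # are annotations, not CLI input.

```text
# Pattern set with the paths that must stay internal-only
add policy patset exch_ps
bind policy patset exch_ps owa -index 1
bind policy patset exch_ps rpc -index 2

# Weak form: the match is case-sensitive, so /RPC/rpcproxy.dll from outside is not reset
add responder policy rsp_block_ext_outlook_anywhere_weak "HTTP.REQ.URL.PATH.CONTAINS_ANY(\"exch_ps\") && CLIENT.IP.SRC.IN_SUBNET(10.200.0.0/16).NOT" RESET

# Hardened form: case-insensitive path match, then the internal-subnet exemption
add responder policy rsp_block_ext_outlook_anywhere "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"exch_ps\") && CLIENT.IP.SRC.IN_SUBNET(10.200.0.0/16).NOT" RESET

# Bind only the hardened policy to the Exchange LB vServer; END stops further responder evaluation on a hit
bind lb vserver lb_vs_exchange -policyName rsp_block_ext_outlook_anywhere -priority 100 -gotoPriorityExpression END -type REQUEST

# Verify: the policy hit counter should increase when an external client requests /rpc/ or /RPC/
show responder policy rsp_block_ext_outlook_anywhere
```

Test from outside the subnet with both /rpc/rpcproxy.dll and /RPC/rpcproxy.dll; only the hardened policy resets both.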

Install VMware Tools on CentOS 7 to enable host shared folder access

Make sure to install all updates for VMware Workstation first (for instance 10.4 shipped buggy tools; fixed in 10.7), enable the shared folder in the VM settings, and attach the tools ISO with "Install VMware Tools" so it shows up as /dev/cdrom in the guest.

yum install gcc make perl "kernel-devel-uname-r == $(uname -r)"
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMwareTools-9.6.5-2700074.tar.gz /tmp
cd /tmp
tar -xvzf VMwareTools-9.6.5-2700074.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl

Shared folders get mounted under /mnt/hgfs.

Powershell Snippet – Retrieve Citrix Endpoint Name from WFAPI

$code = @'
using System;
using System.Runtime.InteropServices;

namespace WFAPI
{
    // Mirrors WF_INFO_CLASS from wfapi.h; the declaration order defines the numeric values
    public enum WF_INFO_CLASS
    {
        WFVersion, // OSVERSIONINFO
        WFInitialProgram,
        WFWorkingDirectory,
        WFOEMId,
        WFSessionId,
        WFUserName,
        WFWinStationName,
        WFDomainName,
        WFConnectState,
        WFClientBuildNumber,
        WFClientName,
        WFClientDirectory,
        WFClientProductId,
        WFClientHardwareId,
        WFClientAddress,
        WFClientDisplay,
        WFClientCache,
        WFClientDrives,
        WFICABufferLength,
        WFLicenseEnabler,
        RESERVED2,
        WFApplicationName,
        WFVersionEx,
        WFClientInfo,
        WFUserInfo,
        WFAppInfo,
        WFClientLatency,
        WFSessionTime,
        WFLicensingModel
    }

    public class Program
    {
        // BOOL WFQuerySessionInformationW(HANDLE hServer, DWORD SessionId, WF_INFO_CLASS, LPWSTR *ppBuffer, DWORD *pBytesReturned)
        [DllImport("wfapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern bool WFQuerySessionInformation(IntPtr hServer, int sessionId, WF_INFO_CLASS WFInfoClass, out IntPtr ppBuffer, out uint pBytesReturned);

        // Buffers handed back by WFQuerySessionInformation must be released with WFFreeMemory
        [DllImport("wfapi.dll", ExactSpelling = true, SetLastError = false)]
        public static extern void WFFreeMemory(IntPtr memory);

        // -1 = the session the calling process runs in; hServer = NULL = the local server
        public const int WF_CURRENT_SESSION = -1;

        public static string GetClientName()
        {
            IntPtr buffer = IntPtr.Zero;
            uint bytesReturned;
            try
            {
                // WFClientName returns a NUL-terminated Unicode string holding the ICA client's name
                bool ok = WFQuerySessionInformation(IntPtr.Zero, WF_CURRENT_SESSION, WF_INFO_CLASS.WFClientName, out buffer, out bytesReturned);
                return Marshal.PtrToStringUni(buffer);
            }
            catch
            {
                return string.Empty;
            }
            finally
            {
                WFFreeMemory(buffer);
                buffer = IntPtr.Zero;
            }
        }
    }
}
'@
Add-Type -TypeDefinition $code -Language CSharp
[WFAPI.Program]::GetClientName()

Note: to keep the code small, no error checking is included (the return value of WFQuerySessionInformation is not examined); the assumption is that it is called inside an active ICA session. Also bear in mind that the client name is reported by the ICA client itself, so treat it as informational and do not base access decisions on it.
Tested with XenDesktop 7.6

Download Windows Security Updates for MDT (packages) offline deployment

  • Deploy your MDT image
  • Install Microsoft Baseline Security Analyzer (MBSA)
  • Scan
  • MBSA saves the result under the current user profile directory: %USERPROFILE%\SecurityScans
    PowerShell script to download the missing updates (the report has to be parsed as XML rather than read as plain text, otherwise SelectNodes is not available):

     [xml]$MBSAResult = Get-Content -Raw '.\SecurityScans\WORKGROUP - I3-PC (10-11-2015 8-03 PM).mbsa'
     New-Item -ItemType Directory -Path C:\MDTPackages -Force | Out-Null
     $MBSAResult.SelectNodes("//UpdateData") | ? { $_.IsInstalled -eq "false" } | % {
         $URL = $_.References.DownloadURL
         Start-BitsTransfer -Source $URL -Destination C:\MDTPackages   # BITS keeps the source file name
     }

  • Import these packages into MDT; DISM installs them automatically during deployment.

Note: at the time of writing, Microsoft Baseline Security Analyzer 2.3 includes a DownloadURL in the XML report, which is what makes it possible to pull the update .cab files directly; future MBSA releases may not.
Some update .cab files may be rejected by MDT (e.g. Office/.NET/Silverlight).
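Since the .cab files end up baked into every deployed image, it is worth not trusting the report's URLs blindly. The following is an added example (not from the original post) of the same download loop with two checks: the download host must be on an allow-list of Microsoft domains (and is fetched over TLS), and each file is dropped unless its Authenticode signature is valid and issued to Microsoft. The report path, destination folder and allow-list are placeholders.

```powershell
# Added example: hardened version of the MBSA download loop. Paths and the host allow-list are placeholders.
$ReportPath   = '.\SecurityScans\scan.mbsa'
$Destination  = 'C:\MDTPackages'
$AllowedHosts = 'download.microsoft.com', 'download.windowsupdate.com'

function Get-SafeUpdateUrl {
    # Returns the URL rewritten to https if its host is allow-listed, otherwise $null
    param([string]$Url)
    $u = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) { return $null }
    $allowed = $false
    foreach ($h in $AllowedHosts) {
        if ($u.Host -eq $h -or $u.Host.EndsWith(".$h")) { $allowed = $true }
    }
    if (-not $allowed) { return $null }
    # MBSA reports plain-http links; fetch the same path over TLS
    $b = [UriBuilder]$u
    $b.Scheme = 'https'
    $b.Port = 443
    return $b.Uri.AbsoluteUri
}

[xml]$report = Get-Content -Raw -Path $ReportPath
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

$report.SelectNodes('//UpdateData') |
    Where-Object { $_.IsInstalled -eq 'false' } |
    ForEach-Object {
        $rawUrl = $_.References.DownloadURL
        $url = Get-SafeUpdateUrl $rawUrl
        if (-not $url) {
            Write-Warning "Skipping download, host not on allow-list: $rawUrl"
            return
        }
        $file = Join-Path $Destination ([IO.Path]::GetFileName(([Uri]$url).AbsolutePath))
        Start-BitsTransfer -Source $url -Destination $file

        # Reject anything that is unsigned, tampered with, or signed by someone other than Microsoft
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike 'CN=Microsoft Corporation,*') {
            Remove-Item -Path $file -Force
            Write-Warning "Removed $file (signature status: $($sig.Status))"
        }
    }
```

The signature check is the control that matters; the allow-list mostly keeps a stale or edited report from pulling from somewhere unexpected in the first place.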

Powershell Snippets – Create local windows user and set password to never expire

[ADSI]$server = "WinNT://localhost"
$LocalUser = $server.Create("User", "localuser")
$LocalUser.SetPassword("localuser")   # placeholder only; use a strong, unique password, never the user name
$LocalUser.SetInfo()                  # commit the account first so its current userflags can be read back
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # from ADS_USER_FLAG_ENUM
$LocalUser.userflags = $LocalUser.userflags[0] -bor $ADS_UF_DONT_EXPIRE_PASSWD
$LocalUser.SetInfo()
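Non-expiring passwords tend to accumulate, so the flag above should be auditable as well as settable. The following added example (not from the original post) lists every local account with the flag set, using the same ADSI WinNT provider; the computer name defaults to the local machine and the PasswordAge property is assumed to be reported in seconds.

```powershell
# Added example: audit which local accounts have a non-expiring password (same WinNT provider as above).
$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-NonExpiringLocalAccount {
    param([string]$ComputerName = 'localhost')

    $container = [ADSI]"WinNT://$ComputerName"
    foreach ($entry in $container.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }

        $flags = [int]$entry.userflags[0]
        if (-not ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)) { continue }

        # PasswordAge is the number of seconds since the password was last set
        [pscustomobject]@{
            Computer        = $ComputerName
            Name            = $entry.psbase.Name
            Disabled        = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordAgeDays = [math]::Round(([int]$entry.PasswordAge[0]) / 86400, 1)
        }
    }
}

# Enabled accounts with a non-expiring, old password are the ones to chase first
Get-NonExpiringLocalAccount |
    Where-Object { -not $_.Disabled } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Pass -ComputerName to run the same check against a remote host (the WinNT provider works over SMB/RPC), which makes it easy to sweep a set of session hosts for service accounts created this way.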