Tuesday, December 20, 2016

Prevent Java pop-ups in Citrix

Summary:
To stop the built-in date expiration (which is typically the harder one to stop), put the following lines in Deployment.properties:
  • deployment.expiration.check.enabled=false
  • deployment.expiration.check.enabled.locked
and set an environment variable:
  • setx deployment.expiration.check.enabled false /m


Expanded Solution (Copied and pasted from my notes in Word, so formatting is a little borked)

Prevent Java pop-ups in Citrix.

NOTE: The below steps were developed for Java 7 Update 51. Issues were found with limiting the “Allow this application to run” prompt when using Java 7 Update 75
1. Global Java settings can be configured on a system by creating two files under c:\windows\sun\java
   a. Create the following files in Notepad, and remove the .txt extension when you are done.
   b. Create Deployment.config and add the following lines
      i. This file specifies the config file (below), and can be used to enforce the settings as mandatory
      ii. deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties
      iii. deployment.system.config.mandatory=true
   c. Create Deployment.properties
      i. This file is where you specify any system-wide settings you want in place for Java. Google the filename for examples (note: *.locked lines prevent user modification of the setting)
      ii. deployment.javaws.autodownload=never
      iii. deployment.javaws.autodownload.locked
      iv. deployment.expiration.check.enabled=false
      v. deployment.expiration.check.enabled.locked
         1. Stops the version-expiration check. Even with no internet connection, expiration can be flagged by a preconfigured date.
         2. Note: Java ignores this file for this specific setting the first time it is run after the entry is added. To prevent this, use one of the following 3 methods:
            a. Environment variable (Recommended)
               i. Win7/2008: setx deployment.expiration.check.enabled false /m
            b. Java Web Start command line to set the property per user
               i. javaws -userConfig deployment.expiration.check.enabled false
            c. Edit the registry for the user
               i. HKCU\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
                  1. REG_SZ: deployment.expiration.check.enabled "false"
                  EDIT: This previously (and mistakenly) said DWORD instead of REG_SZ.
      vi. deployment.expiration.decision=never
      vii. deployment.expiration.decision.locked
      viii. deployment.expiration.decision.suppression=true
      ix. deployment.expiration.decision.suppression.locked
2. If you receive the cream-coloured information bar at the top of Internet Explorer asking to run Java, add the site to Trusted Sites
3. Prevent the "Do you want to run this application" pop-up warning
   a. Go into the Java app, and when prompted by this, check "Do not show this again..."
   b. Go to Control Panel, and launch the Java Control Panel.
   c. Go to Security tab > Click Manage Certificates
   d. Export the cert for this application from the Java Control Panel
   e. Launch the Windows Certificates Manager (launch MMC, add the Certificates snap-in) for the computer cert store.
   f. Select Trusted Publishers and import the cert.
   g. Go back to the Java Control Panel and remove the cert from Security tab > Manage Certificates
4. Prevent Internet Explorer from prompting to run Java
   a. Add *.website.com to the Trusted Sites in Internet Explorer
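Steps 1 and 2a above as one script. This is an example added here, not code from the original notes; it assumes an elevated PowerShell session on Windows 7/2008 with Java 7, and it writes both files into the Deployment subfolder that the deployment.system.config line itself points to (the notes say c:\windows\sun\java, so treat the subfolder as an assumption).

```powershell
# Added example (not the post's own code): create the two system-wide Java deployment
# files from step 1 and set the machine-wide environment variable from step 2a.
# Assumes an elevated PowerShell session on Windows 7/2008 with Java 7. The post puts the
# files under C:\Windows\Sun\Java; this script uses the Deployment subfolder that the
# deployment.system.config line itself points to (an assumption).
$deployDir = 'C:\Windows\Sun\Java\Deployment'
New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

# deployment.config: points the JRE at the system properties file and makes it mandatory.
# Colons are escaped with a backslash, as in any Java properties file (file\:C\:/...).
$config = @(
    'deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties'
    'deployment.system.config.mandatory=true'
)
Set-Content -Path (Join-Path $deployDir 'deployment.config') -Value $config -Encoding Ascii

# deployment.properties: every setting is paired with a ".locked" key so the Java Control
# Panel shows it greyed out and users cannot change it.
$props = @(
    'deployment.javaws.autodownload=never'
    'deployment.javaws.autodownload.locked'
    'deployment.expiration.check.enabled=false'
    'deployment.expiration.check.enabled.locked'
    'deployment.expiration.decision=never'
    'deployment.expiration.decision.locked'
    'deployment.expiration.decision.suppression=true'
    'deployment.expiration.decision.suppression.locked'
)
Set-Content -Path (Join-Path $deployDir 'deployment.properties') -Value $props -Encoding Ascii

# The post notes the JRE ignores expiration.check.enabled on its first run after the file
# is written; the machine-wide environment variable (what "setx ... /m" sets) covers that run.
[Environment]::SetEnvironmentVariable('deployment.expiration.check.enabled', 'false', 'Machine')

# With the expiration check locked off, nothing on the box will tell users the JRE is out of
# date, so the installed version has to be tracked and updated by the admin instead.
Get-ChildItem -Path $deployDir | Select-Object Name, Length, LastWriteTime
```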

migrating-domain-controllers-from-server-2008-r2-to-server-2012-r2

http://jackstromberg.com/2013/10/migrating-domain-controllers-from-server-2008-r2-to-server-2012-r2/

Wednesday, October 5, 2016

StoreFront – Disabling Client Detection

Disabling Client Detection

This article provides the steps to disable client detection on a Citrix StoreFront web site.
  • Log on to the StoreFront server with an administrative account
  • Open Windows Explorer and navigate to c:\inetpub\wwwroot\Citrix\{Your StoreFront Site Name}Web
E.g. c:\inetpub\wwwroot\Citrix\My-App-StoreWeb
  • Edit the web.config file in Notepad
  • Search for the line:
<pluginAssistant enabled="true" upgradeAltLogin="true"/>
  • Change <pluginAssistant enabled="true" to <pluginAssistant enabled="false", so that the line reads:
<pluginAssistant enabled="false" upgradeAltLogin="true"/>
  • Save and exit the web.config file
  • Open a Command Prompt and execute IISRESET to restart the World Wide Web Service
Repeat the steps above on all StoreFront servers in the server group
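The same change applied to every server in the group as an XML edit rather than a hand edit. This is an example added here, not the article's own code; it assumes WinRM access to the servers, and the store name and server names are constructed placeholders.

```powershell
# Added example (not the article's own code): disable client detection (pluginAssistant)
# on every StoreFront server in the group by editing web.config as XML instead of by hand.
# Assumes WinRM access to the servers and the constructed store name/server list below;
# the site path follows the article (C:\inetpub\wwwroot\Citrix\<StoreName>Web).
$storeName = 'My-App-Store'          # constructed store name
$servers   = @('SF01', 'SF02')       # constructed StoreFront server names

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ArgumentList $storeName -ScriptBlock {
        param($storeName)
        $path = "C:\inetpub\wwwroot\Citrix\${storeName}Web\web.config"

        # Keep a copy so the change can be rolled back.
        Copy-Item -Path $path -Destination "$path.bak" -Force

        [xml]$xml = Get-Content -Path $path -Raw
        $nodes = $xml.GetElementsByTagName('pluginAssistant')
        if ($nodes.Count -ne 1) {
            throw "Expected one <pluginAssistant> element in $path, found $($nodes.Count)"
        }
        $node = @($nodes)[0]
        $node.SetAttribute('enabled', 'false')    # upgradeAltLogin is left unchanged
        $xml.Save($path)

        # IIS must be restarted for Receiver for Web to pick up the new web.config.
        iisreset | Out-Null
        "$env:COMPUTERNAME : pluginAssistant enabled=$($node.GetAttribute('enabled'))"
    }
}
```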

Thursday, May 5, 2016

Unable to Remove XenDesktop Delivery Controllers from the XenDesktop Site

From http://support.citrix.com/article/CTX139505

Solution

Complete the steps to remove the orphaned Delivery Controller (Controller) from a XenDesktop 7.x site:
  1. Run the Get-BrokerController command from PowerShell to get the SID of the orphaned Controller.
  2. Execute the following PowerShell script, replacing the XenDesktopDatabase with your XenDesktop database and the DCSID with your SID of the Controller you want to remove:
$DBName = "XenDesktopDatabase"
$EvictedSID = "DCSID"
# Output file. The original script used $sid here, which is never defined, so the file name lost its SID suffix.
$OutFile = "$PWD\evict_$EvictedSID.txt"

#
# Generate Database 'Evict' Scripts for XenDesktop DataStore
#
Get-ConfigServiceStatus
Get-LogSite
Get-BrokerController -Filter {(SID -eq $EvictedSID)} -MaxRecordCount 2147483647

Add-Content $OutFile (Get-AcctDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-HypDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-ProvDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-BrokerDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-MonitorDBSchema -DatabaseName $DBName -DataStore 'Site' -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-SfDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-EnvTestDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-ConfigDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-LogDBSchema -DatabaseName $DBName -DataStore 'Site' -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-AdminDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
Add-Content $OutFile (Get-AnalyticsDBSchema -DatabaseName $DBName -ScriptType 'Evict' -Sid $EvictedSID)
# Site datastore script completed successfully

#
# Generate Database 'Evict' Scripts for 'Logging' DataStore
#
Get-ConfigServiceStatus
Get-LogSite
Get-BrokerController -Filter {(SID -eq $EvictedSID)} -MaxRecordCount 2147483647

Add-Content $OutFile (Get-LogDBSchema -DatabaseName $DBName -DataStore 'Logging' -ScriptType 'Evict' -Sid $EvictedSID)
# Logging datastore script completed successfully

#
# Generate Database 'Evict' Scripts for 'Monitor' DataStore
#
Get-ConfigServiceStatus
Get-LogSite
Get-BrokerController -Filter {(SID -eq $EvictedSID)} -MaxRecordCount 2147483647

Add-Content $OutFile (Get-MonitorDBSchema -DatabaseName $DBName -DataStore 'Monitor' -ScriptType 'Evict' -Sid $EvictedSID)
# Monitor datastore script completed successfully
After running the script, an evict_*.txt file is created in the current working directory ($PWD, typically the user's profile when PowerShell is launched from the Start menu). The file contains the T-SQL script that must then be run on the SQL server.

Problem Cause

The XenDesktop 7.x Delivery Controllers had been removed from Active Directory (AD) before they were removed from the XenDesktop site. The Controller removal process makes use of stored procedures that require a valid domain SID to generate the Transact-SQL (T-SQL) eviction script.
When a Controller is removed from AD before attempting to remove it from Studio, the stored procedure fails to generate the necessary part of the T-SQL script that removes the references to the Controller.

Friday, March 4, 2016

McAfee ePO considerations using Citrix Provisioning Services

http://www.efferen.nl/2011/01/mcafee-epo-considerations-using-citrix-provisioning-services/


ePO Agent recommendations:
Delete the Agent GUID for the McAfee ePO agent; otherwise all deployed machines come up in the ePO server as the same computer. So, if you are going to use the Provisioning Services image in Shared Image mode, Citrix recommends stopping the McAfee Framework service and deleting the following registry value just before you create your Provisioning Services image.
  • Stop the McAfee Framework service (but leave it on Automatic startup) and delete the AgentGUID registry value under: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\
Additional registry values may need to be cleared or deleted before rolling out an image in Standard Image mode. To run McAfee 8.5i and ePO on a vDisk in Standard Image mode, the following registry values must be deleted before imaging the Master Target Device (this could also be done after building the image by putting the image back into Private Image mode):
  • HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\MACADDRESS
  • (if using Host Intrusion)
Make sure there is not a policy applied to this PC in ePO that restarts the Framework service after X seconds (otherwise this value might be recreated before you start the Provisioning Services image creation process).
The problem here is that each time a PC restarts in Shared Image mode, a different GUID is recreated. It might be necessary to set ePO to delete stale entries from its asset database. Reports might also not give a true reflection of a particular PC's infection history, as it will have a new record in the ePO database each time a reboot occurs. This is preferable to having lots of PCs with only one of them having updated antivirus at a time.
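The agent-sealing step above as a script, including a check for the caveat about a policy that restarts the Framework service. This is an example added here, not code from the post or from McAfee; the service name 'McAfeeFramework', the Wow6432Node path and the 60-second wait are assumptions.

```powershell
# Added example (not the post's own code): stop the McAfee Framework service, clear the
# per-machine identity values named above, then verify that no ePO policy restarted the
# service and regenerated AgentGUID before the image is taken.
# Assumptions: service name 'McAfeeFramework', the Wow6432Node path for a 32-bit agent on
# x64, and a 60-second wait that should exceed any "restart after X seconds" policy.
$keyPaths = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)
$valueNames  = @('AgentGUID', 'MACADDRESS')
$serviceName = 'McAfeeFramework'

# Stop the service but leave its startup type alone (the post says keep it on Automatic).
Stop-Service -Name $serviceName -Force -ErrorAction Stop

foreach ($key in $keyPaths) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $valueNames) {
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $key -Name $name
            "Removed $name from $key"
        }
    }
}

# The post's caveat: a policy that restarts the Framework service after N seconds recreates
# AgentGUID before imaging. Wait, then confirm the service is still down and the value gone.
Start-Sleep -Seconds 60
$svc = Get-Service -Name $serviceName
$regenerated = foreach ($key in $keyPaths) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key -Name 'AgentGUID' -ErrorAction SilentlyContinue
    }
}
if ($svc.Status -ne 'Stopped' -or $regenerated) {
    throw "Framework service restarted or AgentGUID regenerated; fix the ePO policy before imaging."
}
"Agent identity cleared; service $serviceName is $($svc.Status). Safe to create the vDisk image."
```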
 
Virus scanning recommendations:
  • Scan local drives only. DO NOT scan network drives.
  • Only scan "Incoming" files (i.e. write events).
  • Exclude the pagefile(s) from being scanned.
  • The "%ProgramFiles%\Citrix" folder contains many configuration and log files that are always changing, especially the Local Host Cache (imalhc.mdb) and Resource Manager Local Database (RMLocalDatabase.mdb). You could exclude the whole folder. More specifically, the main ones are:
      • "%ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB"
      • "%ProgramFiles%\Citrix\Citrix Resource Manager\SummaryFiles"
      • "%ProgramFiles%\Citrix\Independent Management Architecture"
      • "%ProgramFiles%\Citrix\logs"
  • Exclude the Print Spooler folder (%SystemRoot%\System32\spool\PRINTERS). Note that in our deployments we typically place these folders on the non-system drive.
  • We would recommend excluding as much of the user's profile (%UserProfile%) as possible. In fact, the only folder that is of major concern is the Temporary Internet Cache ("%UserProfile%\Local Settings\Temporary Internet Files").
  • If you do not exclude the profiles, then exclude the user's Presentation Server Client bitmap cache ("%UserProfile%\Application Data\ICAClient\Cache" or "%AppData%\ICAClient\Cache") used for ICA pass-through connections by the locally installed PNClassic and PNAgent.
  • Exclude .dat and .tmp files.
  • Disable the heuristic scanning mode; this setting can be very intensive on the system.
  • Exclude smss.exe, winlogon.exe, userinit.exe, csrss.exe and wfshell.exe
  • Exclude the SoftGrid folders (especially the cache)
Provisioning Services recommendations:

Limit antivirus definition updates to the Target Device. Create a plan to update the vDisk periodically using manual, automatic or automated techniques such as Automatic vDisk Updates or by using something like Workflow Studio.
  • Avoid scanning your disk write cache location if that write cache is hosted on the Provisioning Services server. In limited testing it has been observed that most scanners cannot detect a virus within this location because of their inherent design and the methods used to determine a virus.
  • Do not scan your Target's I/O stream in real time. This can cause excessive retries: when the Target expects its I/O and that process is delayed by real-time scanning, there is good potential for a second, and maybe more, requests for the same packet fragment.
  • Avoid scanning the BNDevice.exe process on the Target. There are a few drivers that should be excluded from scanning as well; in the <systemroot>\windows\system32\drivers directory you can exclude BNNS.sys, BNNF.sys, BNPort.sys, and bnistack.sys

General server recommendations
  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder: %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder: "%windir%\SoftwareDistribution\Datastore\Logs". Specifically, exclude the following files:

Sealing Steps After Updating a vDisk

https://www.citrix.com/blogs/2015/11/16/sealing-steps-after-updating-a-vdisk/


  1. Run chkdsk C:\ and reboot
  2. Clean up event logs if they are not redirected to the cache disk:
    • Via PowerShell -> Get-EventLog -List | %{ $_.Clear() }
    • wevtutil cl system
  3. If vSphere is used, delete "ghost" NICs:
    • open an elevated prompt
    • type "SET DEVMGR_SHOW_NONPRESENT_DEVICES=1" and validate
    • type "Start devmgmt.msc" and validate
    • click on View and "Show Hidden Devices"
    • delete the "ghost" NICs
  4. Run slmgr.vbs /dlv to ensure a proper KMS server and license configuration
  5. If MS Distributed Transaction Service is installed, run msdtc.exe -reset
  6. If MS Message Queuing is installed, clear its cache:
    • NET STOP MQAC
    • NET STOP MSMQ
  7. Run Disk Cleanup on the C:\ drive as an elevated administrator
  8. Delete local profiles that are not required
  9. Stop the Citrix Profile Manager service
  10. If Citrix Profile Manager is configured via GPO, check that its INI in C:\Program Files\Citrix\User Profile Manager has been renamed
  11. Delete Citrix Profile Manager logs from c:\Windows\System32\LogFiles\User Profile Manager if not redirected to the cache disk
  12. If using App-V or similar technology, check for updated App-V content to update the precache within the vDisk image
  13. Perform the required "de-personalization" for your antivirus (refer to the vendor's KB, as the process will differ by vendor)
  14. Perform the required "de-personalization" for your monitoring agent (SCOM, Tivoli, ...)
  15. Perform the required "de-personalization" for your other agents (AppSense, RES, SCCM, ...)
  16. Perform a full antivirus scan on the virtual machine
  17. Stop the DHCP Client service
  18. Run elevated: "regedit /s DHCP_clear.reg" (see Dave's post)
  19. Perform a defrag on the virtual machine
  20. PvD only: run inventory (with the machine shutdown option ticked)
  21. Shut down the machine if PvD is not used
  22. Perform a defrag of the VHD by mounting it in a WS2012R2 server