Author: Kasper Johansen

Microsoft Edge Group Policy Configuration

Some weeks ago I published an article about how to get started with the new Microsoft Edge browser in Citrix. In that article you got a glimpse of my take on how to configure a couple of GPOs with some configuration for the Microsoft Edge browser.

In this article I’ll drill down and go through some of the settings and what my recommendations are. I am mostly focused on the security side but I will also cover the Microsoft Edge IE Mode feature, which will help you with legacy sites that may only work in Internet Explorer and we’ll also have a look at how to set the default search engine.

Before going any further, please be aware that I assume you have some experience with Group Policy Objects and how they work, also there is information in my previous article you might find useful.

The internet can be a dangerous place, and thus we need to make sure that one of the primary applications used for accessing the internet is as secure as possible. To help us achieve that, Microsoft has provided us with some recommended security baseline settings. A short article by Aaron Margosis at Microsoft telling a bit about the security baseline settings can be found here:

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-chromium-based-microsoft-edge/ba-p/1111863

The article contains a link to the Security Compliance Toolkit where you will find the Security Baseline Settings GPO for Microsoft Edge.

Security Compliance Toolkit:

https://www.microsoft.com/en-us/download/details.aspx?id=55319

On the site click the download button, select the Microsoft Edge v79 zip file and click next:

The contents of the ZIP file:

The folder names are self-explanatory regarding their contents. The folder we need here is the GPO folder, as it contains the actual GPO we want to import to Active Directory. If you haven’t been doing a lot of GPO importing, there is a Baseline-ADImport.ps1 script in the Scripts folder, which may help you import the GPO to Active Directory.

If you prefer a more manual approach, this very basic guide provides the necessary information:

https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch09s08.html

Group Policy configuration

You should now have a GPO with the latest Security Baseline settings. In my setup it looks like this:

I have imported the Security Baseline settings to a GPO called “Microsoft Edge Security Baseline Configuration” and it has been linked to an OU with just one other GPO. The “Microsoft Edge Additional Configuration” GPO contains the additional settings that I want to apply to the Edge browser. The names here are not set in stone and are purely for reference. Use the naming convention in your own setup or whatever names make sense to you.

Using a separate GPO for the additional settings will keep the Security Baseline GPO “vanilla”, which means that the only settings in this GPO are the ones from the Security Baseline GPO provided by Microsoft. This is very helpful when/if Microsoft releases an update for the GPO, as you can import the updated settings to the current Security Baseline GPO, in my case the “Microsoft Edge Security Baseline Configuration” GPO, and not have to worry about any custom settings getting overwritten. Needless to say, a scenario like this will of course mandate a bit of testing before it is released to production. Also keep in mind that the Security Baseline GPO is targeted at the “Stable” release of Edge, not the BETA, DEV or Canary releases.

You will notice that the Security Baseline GPO settings from Microsoft are Computer Configuration settings only:

This is probably because Computer Configuration settings cannot, in most cases, be overridden by User Configuration settings and will therefore always apply.

This is basically what I’ll cover with the Security Baseline GPO. You will have to know the settings in this GPO, what they mean and what impact they may or may not have on your current setup. However, I am configuring the Security Baseline GPO as a “mandatory” GPO configuration which should always apply, sort of laying the groundwork for the Edge policy configuration, whether the endpoint is Windows 10 or Windows Server.

The “Microsoft Edge Additional Configuration” GPO is where I’ll configure settings which add to the overall configuration of Edge. This means that the settings in this GPO are combined with the Security Baseline GPO, and together they serve as the complete configuration of Edge.

To achieve that, you’ll have to be aware of the link ordering of the GPOs. The Security Baseline GPO should always have a lower link order than the additional configuration GPO (a higher link order number in GPMC, meaning lower precedence), otherwise the settings in the Security Baseline GPO might not be correctly applied. In my case, as the screenshot above shows, my Security Baseline GPO has a link order of 2, and my additional configuration GPO is linked as order 1.

The link ordering is important if you want to counter a specific setting in the Security Baseline GPO with the additional configuration GPO. As an example, let’s look at a specific feature in the browser: the Password Manager and protection feature. This feature is disabled in the Security Baseline GPO and from a security stance, that’s not a bad idea. However, from a user’s point of view it might be helpful to have a password manager if the user accesses a lot of different websites which require a username and password. Combined with an Azure AD login, it’s possible to back up/synchronize the password manager, so if the user logs on to a new device, the password manager contents follow the user. Obviously you will have to decide, or maybe your security guys will have to decide, whether or not this feature should be enabled. If you want to counter the disabling of this feature done by the Security Baseline GPO, you can enable the feature in the additional configuration GPO which will, because of the link ordering, then take precedence.

Let’s go over the settings in the additional configuration GPO.

Computer Configuration

Microsoft Edge Update/Applications/Microsoft Edge

Update policy override: Enabled
Policy: Updates Disabled
As with all other apps in a non-persistent setup, we do not want any auto updating.

Microsoft Edge/Password manager and protection

Enable saving passwords to the password manager: Enabled
If you want your users to be able to save passwords to various websites in the password manager in Edge, enable this setting.

User Configuration

Microsoft Edge

Automatically import another browser’s data and settings at first run: Disabled
I prefer to be in control of any imports of other browser data and settings. This disables the automatic import feature in Edge, which is triggered during first launch.

Block access to a list of URLs: Enabled
Block access to a list of URLs:
file:///A:/
file:///B:/
file:///C:/
file:///D:/
file:///E:/
file://localhost/c$/
file://localhost/d$/
file://localhost/e$/
Credit goes out to Dave Bretty for this one. A while back he posted an article about how to prevent local drive access via Google Chrome. The same principles apply to Edge – https://bretty.me.uk/secure-local-drive-access-on-your-euc-endpoints/

Configure Internet Explorer integration: Enabled
Configure Internet Explorer integration: Internet Explorer Mode
Enables the Edge IE Mode.

Configure the Enterprise Mode Site List: Enabled
Configure the Enterprise Mode Site List: URL to the sitelist.xml file
This provides the URL to the sitelist.xml file, which contains a list of URLs that should trigger IE Mode and open in a new Internet Explorer “emulation” tab in Edge.

Configure whether a user always has a default profile automatically signed in with their work or school account: Enabled
This prevents the user from deleting the configured Edge profile if an AAD login is associated with this profile.

Define a list of allowed URLs: Enabled
Define a list of allowed URLs:
receiver://*
This can be used to pre-approve certain URLs and effectively whitelist them. In this case receiver://* is configured, which means that Edge no longer asks what should happen with ICA files; they are automatically launched with Citrix Workspace App/Receiver.

Enable profile creation from the Identity flyout menu or the Settings page: Disabled
Creating new profiles in the browser may pose a security risk, as the user would be able to configure non-enterprise accounts and synchronize account-specific data, extensions etc.

Hide the First-run experience and splash screen: Enabled
Hides or disables the first-run wizard seen during the first launch of Edge.

Set Microsoft Edge as default browser: Enabled
Does what it says. Configures Edge as the default browser.

Microsoft Edge/Default search provider

Default search provider name: Enabled
Default search provider name: Google
Specifies the name of the default search provider.

Default search provider search URL: Enabled
Default search provider search URL:
{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}
Specifies the search URL for the default search provider. In this case it’s Google.

Enable the default search provider: Enabled
It does what it says. It enables the default search provider in Edge and prevents the user from changing the default search provider.

Microsoft Edge/Extensions

Allow specific extensions to be installed: Enabled
Extension ID to exempt from the block list:
hdppkjifljbdpckfajcmlblbchhledln
As per the Security Baseline GPO, all extensions are blocked. This policy provides a list of approved extensions which may be manually installed. In this case I approve the installation of the Citrix Browser Content Redirection extension.

Control which extensions are installed silently: Enabled
Extension/App IDs and update URLs to be silently installed:
hdppkjifljbdpckfajcmlblbchhledln;https://clients2.google.com/service/update2/crx
In combination with the policy above, this policy installs any extensions configured. If you want to install extensions from the Chrome Web Store, you also have to specify the update URL.

Windows Components/Internet Explorer

Use the Enterprise Mode IE website list: Enabled
Type the location (URL) of your Enterprise Mode IE website list: URL or UNC to your sitelist.xml file
This is the last of 3 policies needed to enable the IE Mode feature. Here you specify where IE should look for the sitelist.xml file.

You’ll notice that most of the settings are User Configuration settings. The main reason for this is the ability to apply AD user or AD group filters to the User Configuration part of the GPO. This is useful if I have some settings I don’t want to apply to certain users: I can, so to say, exclude them from the GPO and then configure a set of policy settings in another GPO for these users instead.

Internet Explorer integration – IE Mode

One of the great features of Edge is Internet Explorer integration, or IE mode. IE Mode integrates with an already known feature called Enterprise Mode, which surfaced a few years ago in Internet Explorer 10.

What Edge and Enterprise Mode basically do is that, based on a list of URLs in an XML file, they can determine if a specific URL should be launched in Internet Explorer and not Edge. We all know these 2 or 3 URLs that will only work in Internet Explorer; well, now we can have Edge as the primary browser, and then configure Enterprise Mode to handle these 2 or 3 URLs, so that they open in Internet Explorer.

The way Microsoft has implemented this in Edge is that you can choose to either have Internet Explorer open as a separate process/window, or you can have Edge kind of “emulate” Internet Explorer in a tab within the Edge browser.

As I have mentioned in the group policy overview, you need to have an XML file where the Enterprise Mode URLs are defined. For that Microsoft has provided a tool called Enterprise Mode Site List Manager, which can be downloaded here:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=49974

Once installed you will have this very basic UI:

To populate the list, go to File and click Add:

Here you will have to type in the URL, in this case www.citrix.com. You will also have to select the “Compat Mode”, this is a list of compatibility settings available in Internet Explorer, for now just select Default Mode, this is the default IE11 Mode. Click Save.

Here is my very basic list, with www.citrix.com and www.youtube.com:

Now click File and then save to XML:

Once you have the XML, you need to copy it to a location where your users have read access. I usually copy it to the NETLOGON share, as the users have read access and the XML is also distributed across multiple servers (Domain Controllers). As mentioned, make sure to configure the URL/UNC to the XML file in the “Configure the Enterprise Mode Site List” policy.

So how does it look from the user’s point of view when IE mode is active? It’s very elegant and discreet:

And within the same Edge window I can have another tab open, which is not in IE Mode:

And here I am running Java inside Edge, isn’t that beauti….wait it’s not beautiful, we all hate java, but it is possible to put those legacy java sites inside the Edge browser.

Keep in mind though, that the XML is only parsed during logon, so if you make changes while users are logged on, the changes will only get picked up during their next logon.

Remember, group policies are not bad, they are often misunderstood, but not bad.

Microsoft Edge in Citrix

We have a new internet browser! Microsoft Edge based on Chromium, available and supported on Windows 7, 8 and 10 and most importantly in Windows Server 2008 R2, 2012/2012 R2, 2016 and 2019. This means that we now have a modern and secure browser that can be managed via Group Policy and is supported by Microsoft in a server operating system.

I have been using this browser for quite some time now and it is awesome. One of the really great features is that you are able to install browser extensions from the Google Chrome Web Store, and since Google Chrome has been available for a very long time, there are a lot of extensions available.

However, with that said, Microsoft now finds themselves in a situation where they offer a browser based on Chromium, which is an open-source project, which in turn means that Microsoft does not control the entire code in the Edge browser. I am really excited about how Microsoft will handle this in the future.

So, how do we get the browser up and running in a Citrix VDA? We’ll start with downloading the enterprise MSI file here:

https://www.microsoft.com/en-us/edge/business/download

And while there, we’ll also grab the administrative templates, which enable us to configure around 200 different settings in the browser. Remember to copy the administrative templates to your Central Store.

Microsoft has also created a draft security baseline GPO which can be found here:

https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-DRAFT-for-Chromium-based-Microsoft-Edge/ba-p/1066051

With this, we are now ready to install and configure the new Microsoft Edge browser.

Installing the Microsoft Edge browser

Before installing the browser, be aware that you will have to prevent the Citrix API hooks from latching themselves onto the Microsoft Edge process. Citrix has an article on how to disable Citrix API hooks on a per-application basis. Two options are described in the article; I am using the option for XenApp and XenDesktop 7.9 or later. So your UviProcessExcludes value name should look like this:

What you need to do is to add msedge.exe to any existing value data. This change requires a reboot, so you will have to apply this when installing the browser.

I have created a small PowerShell script which will add the msedge.exe value to any existing value data:
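As an added example (not the author’s script), here is how that value can be updated in PowerShell. It assumes the value lives under the CtxUvi service key referred to in the Citrix article above and holds a semicolon-separated list of process names; it leaves the value untouched if msedge.exe is already present.

```powershell
# Added example, not the author's script: append msedge.exe to the Citrix
# UviProcessExcludes value so the Citrix API hooks skip the Edge process.
# Assumptions: the value is under HKLM\SYSTEM\CurrentControlSet\Services\CtxUvi
# (the location the Citrix KB article describes) and the data is a
# semicolon-separated list of process names.
#Requires -RunAsAdministrator

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CtxUvi'
$valueName = 'UviProcessExcludes'
$newEntry  = 'msedge.exe'

if (-not (Test-Path -Path $regPath)) {
    throw "Registry key $regPath not found. Is the Citrix VDA installed?"
}

# Read the current value data; a missing value is treated as an empty list.
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrWhiteSpace($current)) { $current = '' }

# Split into individual process names, dropping empty elements and whitespace.
$entries = @($current -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# -contains is case-insensitive in PowerShell, so MSEDGE.EXE also counts as present.
if ($entries -contains $newEntry) {
    Write-Output "$newEntry is already present in $valueName; nothing to do."
}
else {
    $entries += $newEntry
    # Rebuild the list with a trailing semicolon, matching the existing data format.
    $newValue = ($entries -join ';') + ';'
    Set-ItemProperty -Path $regPath -Name $valueName -Value $newValue -Type String
    Write-Output "$valueName is now: $newValue"
    Write-Output 'A reboot is required before the change takes effect.'
}
```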

The Microsoft Edge browser also creates a shortcut on the public desktop (C:\Users\Public\Desktop). I always recommend deleting application shortcuts on the public desktop, as I prefer to control which application shortcuts appear on the user’s desktop. Unfortunately deleting the shortcut on the public desktop is not enough, a shortcut is also created on the user’s desktop (C:\Users\%username%\Desktop) during first logon, even though we deleted the shortcut on the public desktop.

This behavior is not new to me; it is also seen with the Google Chrome browser.

To prevent the shortcut from being created on the user’s desktop, a “master_preferences” file has to be copied to the C:\Program Files (x86)\Microsoft\Edge\Application folder, overwriting any existing master_preferences file.

Here is what the master_preferences file should contain:

Use your favorite text editor to create the master_preferences file, and remember to save the file as a UTF-8 encoded file.

The last thing we need to do, is to disable the services and delete the scheduled tasks that are responsible for doing automatic updates of the Edge browser. As with any other application in a non-persistent setup, we will have to disable any auto-update feature.

Here is a small post-install PowerShell script which will do the shortcut cleanup and disable the services and delete the scheduled tasks responsible for the auto-update feature in Edge:
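As an added example (not the author’s post-install script), the following PowerShell covers both the master_preferences file described above and the post-install cleanup. The Edge install path and the public desktop path are the ones given in this post; the master_preferences keys, the shortcut file name and the update service and scheduled task names are assumptions, marked as such in the comments.

```powershell
# Added example, not the author's script. Post-install steps for Edge on a
# non-persistent Citrix VDA: write master_preferences, remove the public desktop
# shortcut, and disable the Edge auto-update services and scheduled tasks.
#Requires -RunAsAdministrator

# Path from the post. The shortcut file name is an assumption.
$edgeAppDir      = 'C:\Program Files (x86)\Microsoft\Edge\Application'
$publicShortcut  = 'C:\Users\Public\Desktop\Microsoft Edge.lnk'

# 1. master_preferences: Chromium-based browsers read this file from the
#    Application folder on each user's first run. The "distribution" keys used
#    here are the Chromium master_preferences keys that suppress shortcut
#    creation (assumption: Edge honours them the same way Chrome does).
$masterPrefs = @{
    distribution = @{
        do_not_create_desktop_shortcut = $true
        do_not_create_taskbar_shortcut = $true
    }
} | ConvertTo-Json -Depth 3

# Save as UTF-8 without a BOM; a BOM breaks JSON parsing of the file.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText((Join-Path $edgeAppDir 'master_preferences'), $masterPrefs, $utf8NoBom)
Write-Output "Wrote $(Join-Path $edgeAppDir 'master_preferences')"

# 2. Remove the shortcut the installer placed on the public desktop.
if (Test-Path -Path $publicShortcut) {
    Remove-Item -Path $publicShortcut -Force
    Write-Output "Removed $publicShortcut"
}

# 3. Stop and disable the Edge update services. Assumption: they are named
#    edgeupdate and edgeupdatem, matched here by wildcard.
Get-Service -Name 'edgeupdate*' -ErrorAction SilentlyContinue | ForEach-Object {
    Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $_.Name -StartupType Disabled
    Write-Output "Disabled service $($_.Name)"
}

# 4. Delete the Edge update scheduled tasks. Assumption: they are named
#    MicrosoftEdgeUpdateTaskMachineCore / MicrosoftEdgeUpdateTaskMachineUA
#    (possibly with a suffix), matched here by wildcard.
Get-ScheduledTask -TaskName 'MicrosoftEdgeUpdateTaskMachine*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Unregister-ScheduledTask -TaskName $_.TaskName -Confirm:$false
        Write-Output "Deleted scheduled task $($_.TaskName)"
    }
```

Run it once on the master image right after the Edge MSI has been installed, and check with Get-Service and Get-ScheduledTask afterwards that nothing update-related is left enabled.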

Now with the Edge browser installed we can move on to some basic configuration of the browser.

Group Policy Configuration

As mentioned earlier, Microsoft has a draft baseline security GPO, and I would recommend importing this in your current environment. Obviously you will have to do some testing, but from what I have seen, the current settings shouldn’t be “destructive”, meaning that nothing is broken in the browser. I will bring one additional group policy setting to the table, which is not found in the security baseline GPO. Any additional configuration should be added to another (new) GPO, which should be linked to the same OU as the baseline GPO, but with a higher link order so that it takes precedence over the baseline GPO.

So in short, you end up with two GPOs: one GPO with the Microsoft security baseline settings, and one with any additional settings you configure.

Here is what a GPO configuration and link order could look like:

If you are unfamiliar with importing GPO settings, I would recommend looking at this guide:

The benefit of doing it this way is that when Microsoft eventually releases updates to their security baseline GPO, you can safely import these updated settings to the baseline GPO or a new GPO, and still have your own custom settings apply, as they are in another GPO.

The Microsoft Edge v79.x Security Baseline GPO contains the security baseline settings from Microsoft, and as mentioned this GPO shouldn’t be modified, as it will complicate any future updates of the GPO settings.

The Microsoft Edge v79.x Additional Configuration GPO should contain whatever policy configuration applies to your setup. In here I have configured the “Update policy override”. The reason for this is that if the user manually triggers the update of Edge, the user is prompted by UAC asking for an administrative username and password, which is not good.

This concludes the guide and you are ready to start testing the Microsoft Edge browser in your Citrix environment and eventually releasing it to production.

The Windows Server 2019 Start Menu is playing nice

A couple of months ago I penned an article about how to rein in the start menu in Windows Server 2016, mostly because I couldn’t find much information on how to handle the start menu in Windows Server 2016.

I am always aiming at providing the best possible user experience in Session Host scenarios and that, among other things, implies cleaning up the start menu, as it, from a user’s point of view, contains a lot of irrelevant tiles, folders and application shortcuts. In that article 3 different scenarios are described; in each scenario you can achieve a certain level of “lockdown” or clean-up of the start menu.

Unlike Windows Server 2016, the start menu in Windows Server 2019 is no longer driven by a mini database. Actually, Microsoft have deprecated the Tile Data Layer (the mini database feature), but kept it alive in Windows Server 2016, probably because it’s an LTSC edition of Windows.

This means that with Windows Server 2019 it’s now a whole lot easier to roam the start menu and customize the tile layout. However, considering that we are all now switching to disk based profiles with FSLogix, roaming is a thing of the past.

In this article I’ll be focusing on how to clean up the start menu in Windows Server 2019 using scenario 3 as a baseline. The reason for this is that it provides the highest level of flexibility and customization of the start menu, as you will see further on in this article. However, scenarios 1 and 2 are also possible in Windows Server 2019.

Now, let’s get to it!

In scenario 3, I configure this group policy setting:

I also delete these 4 folders using Citrix Workspace Environment Management:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

Using these steps, the start menu in Windows Server 2019 ends up looking like this:

So, besides the Windows Security app, this is looking pretty good. At the moment, I haven’t found any way to hide or remove the Windows Security app; it’s an immersive app, aka a Universal App, so there’s no actual shortcut like there is for other apps and folders in the start menu.

/StartofUpdate
Update – 16-07-2019:
I was doing some additional testing and came across something that looks like a timing issue. During my testing I started seeing different variants of tiles not getting deleted/removed correctly. The folders where the tile shortcuts are located are deleted, but the tiles themselves are not.

These are some of the different variants of the start menu I have come across:

This is really strange. I tried configuring Group Policy Preferences to delete the folders in the user Programs folder, that didn’t make any difference at all.
This forces me down a path that I was really hoping to avoid, but at the moment I don’t see any other alternatives. A few years ago I was looking into how to build a custom start layout using a so called LayoutModification.xml file.

This XML file can be used to create a custom tile layout with the tiles you specify, I will not elaborate further on how to do this, as I will only use this XML file to clear out any tiles in start menu, and while we’re at it, the taskbar area as well.

Microsoft has a very extensive whitepaper on how to create the LayoutModification.xml file.

Here are the contents of my LayoutModification.xml file:

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
  xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
  xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
  xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
  xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
  Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

This will clear out any tiles left in the start menu, and also clear out any tiles/pinned apps on the taskbar. If you don’t want to clear out the taskbar, remove the CustomTaskbarLayoutCollection element (lines 14 through 19).

When you save the LayoutModification file, make sure to save it with UTF-8 encoding, otherwise it might not work.

There are 2 ways of distributing this XML file. It can be done either via a GPO or copied to the Default User folder. There are pros and cons with either method.

Deploying the XML file via a GPO

This can be done using the Start Layout policy which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

Enter the path to the LayoutModification.xml file.

Pros:
Easy to configure
Easy to manage

Cons:
Disables the ability to pin applications to the start menu
Citrix Workspace Environment Management is no longer able to pin applications either

Deploying the XML file via the Default User

This is done by copying the LayoutModification.xml to the Default User profile, the exact path is:
C:\Users\Default\AppData\Local\Microsoft\Windows\Shell

Copying the file can be done via Group Policy Preferences or a startup script. It can also be done during any automated deployment jobs you might have.

Pros:
Does not disable the ability to pin applications to the start menu
Citrix Workspace Environment Management will be able to handle both application shortcuts and tiles in the start menu

Cons:
Only works for new users, who do not yet have a profile
Existing users, with existing profiles, are not affected by the LayoutModification.xml file.

I prefer copying the LayoutModification.xml to the Default User profile, this provides the best user experience and enables me to use Citrix Workspace Environment Management to build and manage the start menu.

/EndofUpdate

Windows Security

If you, like me, are running Windows Defender on your servers, users will actually be able to go into the management console of Windows Defender and poke around. They will obviously not be able to change anything because of the lack of administrative privileges; however, in my opinion, they really shouldn’t be able to access this management console.

The only way, for now, to implement some kind of restriction that doesn’t restrict administrative users, only non-admin users, is to use our good, old friend AppLocker. One of my very first blog posts was actually covering AppLocker breaking the start menu. Since then it has become a known fact that if we enable AppLocker, and you really should, then we have to enable the default Packaged app rule, otherwise the start menu in modern Windows versions breaks.

However, to prevent access to the Windows Security app, you have to take a different approach. You have to remove the default rule, which targets Everyone, and then create two new rules which are slightly more restricted.

How to create the AppLocker rule:

If you are not familiar with AppLocker, Microsoft has a basic guide here that shows how to enable AppLocker in Windows 10. It’s the same procedure on Windows Server 2019.

Start by removing the default rule. Then right click the Packaged app Rules and select Create new rule

Click Next
Click the Select button and specify the Domain Users group
Click the Select button and select a random app in the list, it doesn’t really matter which app
Select an app
Move the slider all the way up, so that there is a * in every box. This tells AppLocker to allow any signed packaged app to run
Click Next
Give the rule a name
Make a similar rule, but target Administrators instead of Domain Users. Make sure to select BUILTIN\Administrators, otherwise you might block any local administrative users.
Right click the rule that targets the Domain Users and select Properties, go to the exceptions pane
Click add and select Windows Security in the list
Note: This can only be done on a server running Windows Server 2019
Move the slider up a notch, so that there is a * in Package version. This is done to make sure the rule still works, even if Microsoft should change the version of the app
The exceptions box, should now look like this.

Make sure that AppLocker is running and processing rules. Then either reboot your server or do a gpupdate /target:computer /force, to make sure AppLocker picks up the new rules.

Once the new Packaged app Rules are processed and working, users will be met by this message:

The Windows Security app is now blocked by AppLocker

This is not the prettiest of solutions, but it gets the job done, and prevents the users from accessing the Windows Security management console. Hopefully Microsoft comes up with another solution, which is a bit easier to configure, until then this is the way to go.

This concludes the article. The start menu in Windows Server 2019 is a bit easier to handle than the start menu in Windows Server 2016, and if you are still holding on to any legacy profile handling technology, like Windows Roaming Profiles or Citrix Profile Management, then you’ll find that roaming the start menu in Windows Server 2019 has also become a bit easier and more stable, compared to Windows Server 2016.

How to rein the Start Menu in Windows Server 2016

In this article I am going to show how to control or rein the start menu in Windows Server 2016. There are a lot of articles describing how to handle the start menu in Windows 10, but very few about Windows Server 2016.

Even though the steps are almost identical in Windows Server 2016 compared to Windows 10, there are a few differences. For instance in Windows Server 2016, you don’t have to remove all the “crap” applications, like Candy Crush, trial editions of Office etc. as they are simply not included with this operating system, as it is an LTSC edition of Windows Server.

Some of the best articles out there are written by James Kindon and James Rankin, I have followed these guys for quite a while, and they know what they are doing. Some of their guides can be found here:

James Kindon:
https://jkindon.com/2018/03/20/windows-10-start-menu-declutter-the-default/

James Rankin:
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-1/
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-2/

James Rankin’s article is great because it focuses on how to persist, or roam, the start menu. If you haven’t read it yet, it’s highly recommended.

Both James Rankin and James Kindon address the Start menu Tiles, and historically these tiles have been the source of all kinds of issues since they were first introduced in Windows Server 2012/2012 R2. But the start menu is not just tiles, it’s also part “old school” start menu, like the one we have in Windows 7, and this part of the start menu can be handled in a few different ways.

In this article I’ll cover 3 ways to handle the start menu. The start menu in Windows Server 2016 is “split” in two areas: the “old school” part is the part in the red box below, also known as All Programs or Programs, and in the green box we have the start menu tiles.

I will not be covering the different ways to handle the start menu tile configuration, as both James Kindon and James Rankin have provided excellent guides for that part. However, I will touch on how to manage app tiles leveraging Citrix Workspace Environment Management.

You will need to have some knowledge of Group Policy and Citrix Workspace Environment Management, and a basic understanding of how Windows profiles work is also recommended.

I’ll be focusing on 3 different scenarios. Each scenario provides a certain level of usability, or lack thereof, in the start menu and start menu tiles sections.

Here is a “before” screenshot of how the start menu looks at the first logon with my test account:

This is a pretty default start menu, one I have seen in many Session Host setups. As you can see I have a range of different applications available to me in the Programs area of the start menu, and of course the default pinned application tiles.

14-07-2019. Extensive edits have been made to the different scenarios outlined below. A colleague of mine made me aware of another, and cleaner approach on how to clear the All Users programs. And unfortunately I may have switched some screenshots and text boxes around in scenario 1 and scenario 2.

Scenario 1 – Total lockdown

This configuration is by far the easiest one to configure and requires next to no work at all, and it will provide a clean start menu with no visible applications. The All Programs section of the start menu is disabled and not visible to the user.

Isn’t this the cleanest start menu you have ever seen?

This configuration can be achieved by configuring the “Remove common program group from Start Menu” and “Remove All Programs list from Start Menu” settings, which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

This setting will remove the common shortcuts found in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and prevent them from being visible in the start menu.
The “Remove and disable setting” option does what it says: it removes and disables the Programs area of the Start Menu.

If you do not have the Remove and Disable setting available, you may need to get the latest Windows 10 administrative templates.

You will also need to delete four folders in the user’s profile:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

In this case I have configured each folder to be deleted via Citrix Workspace Environment Management like this:

Note that Citrix Workspace Environment Management doesn't usually take Windows variables like %APPDATA%, so in this case I have used the so-called dynamic token ##UserAppData##, which is the equivalent of %APPDATA%. As the folder is deleted, there is no need for the action to run every time the user logs on, so make sure to check the “Run Once” checkbox.

You will of course have to configure the “Delete Files/Folders” action type.

Repeat this process for the remaining three folders and don’t forget to assign the actions.
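For environments without Citrix Workspace Environment Management, the same four deletions can be done from a user logon script. The following PowerShell is an added example and not code from the original article; it removes the four folders listed above and writes a marker file (my own choice of name and location) so that the deletion only happens once per profile, mirroring the WEM “Run Once” option:

```powershell
# Added example (not from the original article): a PowerShell logon-script
# equivalent of the Citrix WEM "Delete Files/Folders" actions from scenario 1.
# It removes the four per-user Start Menu folders named in the article and
# writes a marker file so the work is done once per profile, like WEM "Run Once".
# The marker file name and location are my own assumption.

$programs = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'

# The four folders named in the article.
$foldersToRemove = @(
    'Windows PowerShell',
    'System Tools',
    'Accessories',
    'Accessibility'
)

# Run-once marker, kept in the roaming part of the profile so it travels with it.
$marker = Join-Path $env:APPDATA 'StartMenuCleanup.done'

function Remove-StartMenuFolders {
    param(
        [Parameter(Mandatory)] [string]   $ProgramsPath,
        [Parameter(Mandatory)] [string[]] $Names,
        [Parameter(Mandatory)] [string]   $MarkerPath
    )

    if (Test-Path -LiteralPath $MarkerPath) {
        Write-Verbose 'Cleanup already performed for this profile; nothing to do.'
        return $false
    }

    foreach ($name in $Names) {
        $target = Join-Path $ProgramsPath $name
        if (Test-Path -LiteralPath $target) {
            # -LiteralPath avoids wildcard interpretation of folder names.
            Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Stop
            Write-Verbose "Removed $target"
        }
    }

    # Record completion so subsequent logons skip the deletion.
    Get-Date -Format o | Set-Content -LiteralPath $MarkerPath
    return $true
}

Remove-StartMenuFolders -ProgramsPath $programs -Names $foldersToRemove -MarkerPath $marker -Verbose
```

The marker lives under %APPDATA% on purpose: if the profile is roamed or container-based, the marker roams with it, so the script behaves the same way as a WEM run-once action would across Session Hosts.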

One major downside with this scenario is that it may be fairly difficult for the user to pin applications to the start menu, as they are not able to browse any apps via the start menu. However, using Citrix Workspace Environment Management, users are still able to pin apps to the start menu. This can be achieved via the Citrix Workspace Environment Management Agent, like this:

Right click the Citrix WEM Agent in the taskbar tray and select “Manage Applications”. In the list of applications, select the app, then check the “Start Menu” and “Start Menu (P)” check boxes and click “Update shortcut(s)”.

A possible use case for this scenario could be if your users have gotten used to accessing everything via desktop shortcuts and don’t have the need or demand for using the start menu or start menu tiles.

Scenario 2 – Moderate Lockdown

This configuration is almost identical to Scenario 1, however due to a slightly less restrictive group policy configuration, users are able to access both the Programs and Tiles areas of the start menu.

Here you’ll notice that a nice and clean Programs area of the start menu is available and no tiles are present.

That can be achieved via the group policy setting:
“Remove common program group from Start Menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

This setting will remove the common shortcuts found in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and prevent them from being visible in the start menu.

And as described in scenario 1, we will also have to delete these four folders:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

This scenario delivers a nice and clean start menu where all tiles have been removed and all apps in Programs have been removed. The user will however have to go and find the apps they need on their own.

Scenario 3 – Moderate Lockdown and app shortcut management

This solution is the most flexible, as it gives us more or less full control of the start menu and its appearance. This scenario is basically the same as scenario 2, however we are going to use Citrix Workspace Environment Management to build a start menu and group the different application shortcuts.

Here we have a nice and clean start menu, as shown in scenario 2. The Search and Settings shortcuts are, in my opinion, harmless as Search only opens the search bar in the start menu, and settings can be locked down via Group Policy or registry.

Now we bring in Citrix Workspace Environment Management to populate the start menu with application shortcuts.

Just look at this! Doesn’t it bring tears to your eyes?

Citrix Workspace Environment Management is great at populating the start menu, and provides a range of different possibilities for grouping application shortcuts etc.

Application shortcuts in Programs, the same apps pinned to the start menu.

Based on your or your users' needs, you could populate the Programs area and then leave it to the users to configure the needed tiles using the Citrix Workspace Environment Management agent, as outlined in scenario 1.

This concludes the article. Reining in the start menu in Windows Server 2016 can be a daunting task, but if you have Group Policy and Citrix Workspace Environment Management in your arsenal of tools, you will now be able to combine these to provide a great start menu configuration for your users with different levels of lockdown and user customization.

Installing FireFox

In this article I’ll show you how to install and configure FireFox in a non-persistent Session Host environment. By non-persistent I mean in a Citrix Virtual Apps and Desktop setup deployed either via Citrix Provisioning or via Citrix Machine Creation Services. However you should be able to use this guide in Microsoft RDS and VMware Horizon as well.

During my research and testing of FireFox I have of course become more familiar with the browser, and it is also currently my second choice of browser; my first choice is still Microsoft Edge. Until recently my second choice was actually Internet Explorer, but I am more and more often experiencing issues with different web sites when using IE, so it's now down to third choice.

Unfortunately on Session Hosts we do not have access to Microsoft Edge; only Internet Explorer is available out of the box. Microsoft has decided that the Edge browser, among other in-box Universal Windows applications, is only available in the semi-annual releases of Windows.

For anyone caring a bit about privacy, it may also be that FireFox is becoming one of the last independent browsers out there, as Microsoft late last year announced that Edge is moving to the Chromium open source project.

This means that at some point two of the four major browsers (Edge, Google Chrome, FireFox and Internet Explorer) will be running on the Chromium core.

To get started you will need to pick a FireFox installer that suits your needs. Currently FireFox is maintained in two tracks, the Regular Release and the Extended Support Release (ESR).
The ESR edition of FireFox is not updated with new features; updates will only address security vulnerabilities. Updates to the Regular Release may contain feature additions and will also address security vulnerabilities. So going with the ESR edition could mean less testing when the browser is updated, as updates will not contain new features.

Mozilla has a release calendar for 2019 where you can track when a new Regular Version is released.

For this article I am using the latest ESR 64-bit edition of FireFox, which currently is version 60.5.0. You can find the latest ESR edition here:
https://www.mozilla.org/en-US/firefox/organizations/all/.

You will also need the Group Policy Administrative Templates for FireFox. They can be found in Mozilla's GitHub repository here:
https://github.com/mozilla/policy-templates

Click “Clone or Download”. That triggers a download of a ZIP file which contains the ADMX and ADML files needed.

So let’s get started.

Installing FireFox manually is pretty straightforward, so I will not provide an install guide for that here. I will instead show how to do an unattended install of FireFox.

To do an unattended install of FireFox via command line or a script, you will need an INI file, with a few options.

Here are the contents of the INI file I use:

[Install]
;The name of the directory where the application will be installed in the system's program files directory
InstallDirectoryName=Mozilla Firefox

;Create a shortcut for the application in the current user's QuickLaunch directory.
QuickLaunchShortcut=false

;Create a shortcut for the application on the desktop.
;This will create the shortcut in the All Users Desktop directory
;If that fails this will attempt to create the shortcuts in the current user's Start Menu directory.
DesktopShortcut=false

;Create shortcuts for the application in the Start Menu.
;This will create the shortcuts in the All Users Start Menu directory
;If that fails this will attempt to create the shortcuts in the current user's Start Menu directory.
StartMenuShortcuts=true

;The MozillaMaintenance service is used for silent updates and may be used for other maintenance related tasks.
;It is an optional component.
MaintenanceService=false

Additional information about the arguments can be found here:
https://wiki.mozilla.org/Installer:Command_Line_Arguments

An important thing to remember is to include “MaintenanceService=false” in the INI file; this excludes the FireFox Maintenance Service from the install process.
According to Mozilla this service is used for silent updates and “other maintenance tasks”, whatever that means. As we all know it's usually not a good idea to do any kind of updates or “other maintenance tasks” in a Session Host based setup, whether it's non-persistent or not. A certain degree of application control is still needed.

To install FireFox unattended using the INI file, use the /INI=<full path to configuration INI file> install switch, like this (note the straight double quotes; curly quotes pasted from a web page will break the command):
"Firefox Setup 60.5.0esr.exe" /INI="C:\Temp\FireFox-Unattend-INI.ini"

If you are using the INI file provided above, everything should go through smoothly and you should now have a shortcut to FireFox in the Start Menu only, and no Maintenance Service. To verify whether the Maintenance Service is installed or not, go the Services console. If you see a service called “Mozilla Maintenance Service”, the service is installed. You can either remove FireFox and do another install, or simply disable the service.
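To script the steps above, including the check for the Maintenance Service, the following PowerShell is an added example, not code from the article or from Mozilla. It writes the same INI as shown, runs the installer with the /INI= switch, and then looks for the service; the installer and INI paths are placeholders, and the service name MozillaMaintenance (display name “Mozilla Maintenance Service”) is my assumption about how the service registers itself:

```powershell
# Added example (not from the original article): writes the article's INI to a
# file, runs the ESR installer unattended with /INI=, and then verifies that the
# Mozilla Maintenance Service was NOT installed. Paths are placeholders.

$installer = 'C:\Temp\Firefox Setup 60.5.0esr.exe'   # placeholder path
$iniPath   = 'C:\Temp\FireFox-Unattend-INI.ini'      # placeholder path

# Same settings as in the article's INI file.
$iniContent = @'
[Install]
InstallDirectoryName=Mozilla Firefox
QuickLaunchShortcut=false
DesktopShortcut=false
StartMenuShortcuts=true
MaintenanceService=false
'@

function Install-FirefoxUnattended {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $IniPath,
        [Parameter(Mandatory)] [string] $IniContent
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # Write the INI as plain ASCII text, which is what the installer reads.
    Set-Content -LiteralPath $IniPath -Value $IniContent -Encoding Ascii

    # Run the installer and wait; the INI path is quoted in case it contains spaces.
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList "/INI=`"$IniPath`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Firefox installer returned exit code $($proc.ExitCode)"
    }
}

function Test-MaintenanceServiceAbsent {
    # Assumption: the service registers as "MozillaMaintenance".
    $svc = Get-Service -Name 'MozillaMaintenance' -ErrorAction SilentlyContinue
    return ($null -eq $svc)
}

Install-FirefoxUnattended -InstallerPath $installer -IniPath $iniPath -IniContent $iniContent

if (Test-MaintenanceServiceAbsent) {
    Write-Host 'OK: Mozilla Maintenance Service is not installed.'
} else {
    # The article's fallback: if the service slipped in, disable it.
    Write-Warning 'Mozilla Maintenance Service is present; disabling it.'
    Stop-Service -Name 'MozillaMaintenance' -Force -ErrorAction SilentlyContinue
    Set-Service -Name 'MozillaMaintenance' -StartupType Disabled
}
```

Run it elevated from the same deployment tooling you use for the rest of the image; the final check is the part worth keeping even if you install some other way, since a present Maintenance Service means updates can arrive outside your maintenance window.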

Now to the more exciting part, group policy. We are going to create a FireFox GPO which configures a few things that address general usability and a bit of security/privacy.

Import the ADMX and ADML into your Central Store, then you should be able to access the FireFox group policy settings.

As you can see, we have a few possibilities when it comes to managing the configuration of FireFox. I will not go through every single policy, I will however show you the GPO I have implemented. Just remember that some of the settings in this GPO might not apply to your environment, so read the policy descriptions, understand them, and test whatever policies you apply.

All policies are configured in User Configuration. I prefer this approach, as I am then able to do security filtering of users and/or groups, which enables users and/or groups to receive different group policy configurations.

Here I block the access to the “about:config” page. This page contains a lot of very advanced features and settings, which probably isn’t a very good idea for a regular user to be messing around with.

Other noticeable policies are “Disable System Addon Updates”, which disables the update of System Addons, again we don’t want that in a Session Host based environment. The “Disable Update”, disables the update of FireFox itself.

“Tracking Protection” is enabled, and the user cannot disable it. This provides a security/privacy feature in FireFox which blocks content, cookies or scripts from collecting your browsing data across multiple sites. I recommend enabling the feature in a Session Host based environment, as it will reduce the CPU usage of the FireFox browser dramatically and provide some basic privacy when browsing the internet. A similar feature exists in Internet Explorer, which I have mentioned in another blog post.

The “Allow add-on install from website” is disabled, which prevents the user from installing add-ons to FireFox. We want control of the FireFox application, there are all kinds of add-ons doing all kinds of different things, we don’t want that on our Session Hosts.

The last part is the “Default Search Engine”. Here I configure Google as the default search provider; have you ever met a user that wanted another search provider than Google?
I also remove some built-in search providers, essentially only allowing Google and DuckDuckGo in the list of search providers, and prevent manual addition of other search providers.
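Because the Mozilla ADMX templates write their policies to the registry, the GPO described above can be audited per user after gpupdate. The following PowerShell is an added example, not part of the article; it assumes the user-configuration policy path HKCU\Software\Policies\Mozilla\Firefox and the value names from the mozilla/policy-templates README (BlockAboutConfig, DisableSystemAddonUpdate, DisableAppUpdate, EnableTrackingProtection\Value and Locked, InstallAddonsPermission\Default, SearchEngines\Default and PreventInstalls), which should be checked against the template version you imported:

```powershell
# Added example (not from the original article): audits the Firefox policy
# values that the article's GPO configures, as they land in the registry under
# the user-configuration policy path used by the Mozilla ADMX templates.
# Value names follow the mozilla/policy-templates README (assumption); verify
# them against the version of the templates you imported.

$policyRoot = 'HKCU:\Software\Policies\Mozilla\Firefox'

# Expected state for the policies discussed in the article.
# Each entry: subkey (empty = root), value name, expected data.
$expected = @(
    @{ Key = '';                         Name = 'BlockAboutConfig';         Value = 1 },
    @{ Key = '';                         Name = 'DisableSystemAddonUpdate'; Value = 1 },
    @{ Key = '';                         Name = 'DisableAppUpdate';         Value = 1 },
    @{ Key = 'EnableTrackingProtection'; Name = 'Value';                    Value = 1 },
    @{ Key = 'EnableTrackingProtection'; Name = 'Locked';                   Value = 1 },
    @{ Key = 'InstallAddonsPermission';  Name = 'Default';                  Value = 0 },
    @{ Key = 'SearchEngines';            Name = 'Default';                  Value = 'Google' },
    @{ Key = 'SearchEngines';            Name = 'PreventInstalls';          Value = 1 }
)

function Test-FirefoxPolicy {
    param(
        [Parameter(Mandatory)] [string]      $Root,
        [Parameter(Mandatory)] [hashtable[]] $Expected
    )

    $results = foreach ($e in $Expected) {
        $keyPath = if ($e.Key) { Join-Path $Root $e.Key } else { $Root }
        $actual  = $null
        if (Test-Path -LiteralPath $keyPath) {
            $actual = (Get-ItemProperty -LiteralPath $keyPath -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Policy   = if ($e.Key) { "$($e.Key)\$($e.Name)" } else { $e.Name }
            Expected = $e.Value
            Actual   = $actual
            # Compare as strings so DWORD 1 and the string "Google" both work.
            Match    = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
    return $results
}

$report = Test-FirefoxPolicy -Root $policyRoot -Expected $expected
$report | Format-Table -AutoSize

$mismatch = @($report | Where-Object { -not $_.Match })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) policy value(s) differ from the expected lockdown; check GPO scope and security filtering, then run gpupdate /force."
}
```

Running this in a user session on a Session Host after the first logon is a quick way to confirm that security filtering delivered the GPO to the intended users and not to others; a row with an empty Actual column usually means the policy never applied rather than that it was set wrongly.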

This concludes the guide. With this information you should be able to do an unattended setup of FireFox and configure a basic lockdown GPO to deliver a good user experience and prevent users from “messing things up” for themselves, for other users on the Session Host or for the Session Host server.

How to prevent Citrix Workspace App popups

The other day a coworker approached me to get a solution that would suppress the popup boxes you get, after a successful Citrix Workspace App install.

The first popup you see is this “Add Account” popup box:

The second popup box you see, is this “Citrix Receiver is now Citrix Workspace App” popup box:

Both popup boxes appear after a reboot of the computer, and they both require user interaction to make them go away.

Some may argue that it’s just one or two clicks and you’ll never see them again, I have however seen that at least the “Add Account” popup box can confuse the user and even trigger a support call. So why bother the user with these popup boxes and potentially generate more support tickets?

According to Citrix you are able to remove the “Add Account” popup box by using a combination of command line switches and registry changes:
https://support.citrix.com/article/CTX135438

This works, I have used it plenty of times and it’s easy to implement when you have 100% control over the computer via a deployment system and/or group policy.

However the command line switch /ALLOWADDSTORE=N prevents any manually configured stores to be added to the list of accounts in Citrix Workspace App. Usually that’s not an issue in a 100% managed environment, as we are able to push Citrix StoreFront store account information to the Citrix Workspace App, either via command line switches or via GPO.

But if you are in a situation where you want to remove the popup boxes, but you don't want to restrict the manual Citrix StoreFront store account configuration, you need to apply a few registry keys and values in HKCU instead of in HKLM as the Citrix article describes.

First off. To remove the “Add Account” via HKCU (User context), apply these registry fixes:
HKEY_CURRENT_USER\Software\Citrix\Receiver
HideAddAccountOnRestart=1

HKEY_CURRENT_USER\Software\Citrix\Receiver
EnableFTU=0

Both values are DWORD values.

To remove the “Citrix Receiver is now Citrix Workspace App” popup box apply this registry fix:
HKEY_CURRENT_USER\Software\Citrix\Splashscreen
SplashscreenShown=1

This value is a string or REG_SZ value.
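Since these are per-user values, they are typically applied by a logon script or Group Policy Preferences. As an added example (not from the post), this PowerShell writes the three values above with the correct data types, DWORD for the two Receiver values and REG_SZ for SplashscreenShown, and reads each one back to confirm it landed:

```powershell
# Added example (not from the original post): applies the three HKCU values
# from this post with the correct data types, then reads them back to confirm.
# Run in the user's context (e.g. a logon script), since the keys are under HKCU.

$receiverKey = 'HKCU:\Software\Citrix\Receiver'
$splashKey   = 'HKCU:\Software\Citrix\Splashscreen'

function Set-RegistryValueChecked {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]          $Value,
        [Parameter(Mandatory)] [ValidateSet('DWord', 'String')] [string] $Type
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -PropertyType forces DWORD vs REG_SZ; without it the type is inferred from the value.
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    $readBack = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
    return ("$readBack" -eq "$Value")
}

function Disable-WorkspaceAppPopups {
    $ok = $true
    # "Add Account" popup: two DWORD values under Citrix\Receiver.
    $ok = (Set-RegistryValueChecked -Path $receiverKey -Name 'HideAddAccountOnRestart' -Value 1   -Type DWord)  -and $ok
    $ok = (Set-RegistryValueChecked -Path $receiverKey -Name 'EnableFTU'               -Value 0   -Type DWord)  -and $ok
    # "Citrix Receiver is now Citrix Workspace App" popup: a REG_SZ value.
    $ok = (Set-RegistryValueChecked -Path $splashKey   -Name 'SplashscreenShown'       -Value '1' -Type String) -and $ok
    return $ok
}

if (Disable-WorkspaceAppPopups) {
    Write-Host 'Citrix Workspace App popup suppression values written and verified.'
} else {
    Write-Warning 'One or more values did not read back as expected.'
}
```

The explicit -PropertyType matters: SplashscreenShown is a string, and a DWORD 1 written there by a careless script looks identical in the GUI but is not what the application checks.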

I have tested this procedure on Windows 10 v1809, Windows Server 2016 and Windows Server 2019 with Citrix Workspace App 1812.

Try it out and silence that Citrix Workspace App!


Citrix Published Apps migration script

Recently I was working on a XenApp and XenDesktop 7.9 upgrade project. The customer didn’t want to touch the existing 7.9 environment, as it was a production environment with around 1000 concurrent users from different parts of the world. Instead a new XenApp and XenDesktop 7.18 site was created and we had to create everything manually in the new site.

Fortunately, besides the published application, there really wasn’t much to be done. We had to create a couple of Machine Catalogs and a few Delivery Groups. However the customer had 50+ published applications and it would take quite a while to manually create those by hand.

As it turned out, the customer couldn’t wait for me to develop this script, so I actually didn’t test it out in that specific environment. However that didn’t stop me from finishing the script, as I expect more 7.x to 7.x or 7.x to 1808 and later migration projects in the future.

As I wasn’t able to find any useful tools from Citrix to help me migrate a 7.x site to another 7.x site, I decided to write my own script, with some inspiration from some older scripts I had used earlier.

The script can be found here:

Copy the code above and save it to a file called Migrate-XAapps.ps1. The script contains basic information on usage and also examples of the different switches and parameters that can be used.

Let me know if you experience any issues. As mentioned in the script, I have tested the code on XenApp and XenDesktop 7.6 LTSR CU6, XenApp and XenDesktop 7.9 and Citrix Virtual Apps and Desktops 1808 and I haven’t run into any issues, however I have probably not covered every possible published application scenario out there.

Installing Foxit Reader

A few weeks ago I came across a blog post by Carl Webster with a guide on how to install Adobe Acrobat Reader DC. This guide is very detailed, and if you need to perform an unattended deployment of Adobe Acrobat Reader DC, this is probably the only guide you will need.

However there are other PDF viewers out there, better viewers in my opinion. Adobe Acrobat Reader DC, and the versions before DC (11.x, 10.x, 9.x), has become bloated with features most users will never need; especially the online features are almost useless, at least from my point of view. My point of view is of course based on how the application behaves in a non-persistent and/or multi-user environment and on general functionality.

In this guide I will show you how to install an alternative PDF viewer from Foxit. With Foxit Reader you will, in my opinion, get a better performing and less bloated PDF viewer compared to Adobe Acrobat Reader DC, and it's just as easy, or maybe easier, to deploy and customize.

To get started you will obviously need the Foxit Reader source files. To get those, go to the Foxit website https://www.foxitsoftware.com/

Go to the Log In box and either log in, if you have an account or create a new account. The account is needed to be able to get the Foxit Reader MSI installer, the XML Editor, the Foxit Customization Tool and the Group Policy administrative templates.

Once logged in, go to the download section and click Free Software.

Here you will need the Enterprise Packaging which is either an MSI or, depending on the language selected, an ISO with an MSI.

Select the language needed and the number of users, and make sure to select the MSI package type. As mentioned, depending on your selected language you may not be able to select the MSI package type; only EXE or ISO is available. In that case select ISO, it will contain an MSI package that we can extract and use going forward.

Once past the image verification, you will get to the actual download site. The MSI package download will automatically prompt you to save the file, if not, go ahead and download it manually.

You will need the MSI package, the XML Editor and the Foxit Customization Tool.

So, this is how it should look when you have all the needed components:

How to install using an MSI transforms file

Next, extract the FoxitCustomizationTool.zip file, this is used to create an MSI transforms file with pre-configured setup settings.

Fire up the Foxit Customization Tool

Go to File and click Open and select the FoxitReader93_enu_Setup.msi file

Once opened, this is where the good stuff is..

From here on, I will show you how I usually configure the transforms file. The settings shown may not reflect your needs, so consider what you select and/or deselect.

I always disable the Auto Update feature, in non-persistent setups this is recommended.

In the Features pane you can choose which features of Foxit Reader to install or not to install.

This installs the bare minimum features, which allows you to open PDF files in either the Foxit Reader application or within browser windows.

I usually remove any unwanted shortcuts, in this case the Foxit Reader desktop shortcut and the Activate Plugins Start Menu shortcut.

Now all you have to do is save the configuration to an MST file.

Go to File and click Save As, provide a name for your new MST file and save it in the same directory as FoxitReader93_enu_setup.msi.

You are now able to deploy Foxit Reader unattended via MDT, SCCM, Altiris, PowerShell etc. using this command line:

msiexec /I FoxitReader93_enu_setup.msi /qb TRANSFORMS="FoxitReader93_enu_Setup_FCT.mst" ALLUSERS=1

How to install using command line parameters only

If you for some reason don’t want to use a transforms file, a wide range of command line parameters are available when using the MSI installer.

This command line should provide you with the same result as the transforms install method described above:

msiexec /I FoxitReader93_enu_setup.msi /qb ADDLOCAL="FX_PDFVIEWER" MAKEDEFAULT=1 VIEW_IN_BROWSER=1 DESKTOP_SHORTCUT=0 AUTO_UPDATE=0 NOTINSTALLUPDATE=1 ALLUSERS=1

The Foxit Reader Deployment and Configuration guide describes a few additional command line parameters. The guide can be found on the Foxit Reader download site.

This covers the deployment of the Foxit Reader. Now, we are going to look a bit closer at what’s possible with the XML Editor.

Foxit Reader UI Customization

The XML Editor is needed to customize the graphical user interface of Foxit Reader. This means that you can hide certain parts of the application that may not be relevant for your users to access. I will show a few examples here, but there are a lot of different areas of the UI in Foxit Reader that can be hidden, so it’s really just a matter of picking out the parts that suit your needs.

I usually hide the Help and Share tabs. The Help tab doesn't really provide any useful information to the user, and the Share tab makes it possible to integrate with Evernote, OneNote and SharePoint, which may not be available.

To make these changes to the UI you will need an XML file, which you create using the XML Editor.

Open the XML Editor, it should look like this:

Make sure to click the Interface button, and select Foxit Reader. Also in the version box, make sure to type in the correct version of Foxit Reader.

Next go to the Ribbon Set tab. In here you will see a lot of different check boxes, each representing either a feature or a tab to hide. As mentioned, I want to hide the Help and Share tabs, this is done simply by checking the corresponding boxes:

Next click Export and save the XML file:

The XML goes into the C:\Program Files (x86)\Foxit Software\Foxit Reader\ProfStore folder, just overwrite the existing profstore.xml file, as it’s a default XML containing the default out-of-the box configuration.

Look at this nice and clean UI:

You can download a pre-configured sample of profstore.xml file here. Be sure to review the customizations, before production usage.

Deployment script examples

The profstore.xml should be copied as a part of the deployment process. I have provided a couple of examples on how to create either a batch script or a PowerShell script to deploy Foxit Reader and copy the profstore.xml file.

Batch/CMD:

msiexec /I FoxitReader93_enu_setup.msi /qb TRANSFORMS="FoxitReader93_enu_Setup_FCT.mst" ALLUSERS=1

copy profstore.xml "C:\Program Files (x86)\Foxit Software\Foxit Reader\ProfStore" /Y

PowerShell:

# Call msiexec.exe explicitly so the arguments are passed to the Windows Installer;
# the whole argument string is single-quoted so the inner double quotes survive.
Start-Process -FilePath msiexec.exe -ArgumentList '/I FoxitReader93_enu_setup.msi /qb TRANSFORMS="FoxitReader93_enu_Setup_FCT.mst" ALLUSERS=1' -Wait

Copy-Item profstore.xml -Destination "C:\Program Files (x86)\Foxit Software\Foxit Reader\ProfStore" -Force
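A deployment tool normally also wants the msiexec exit code handled and the copied file verified. The following PowerShell is an added example and not the article's own script; it runs the same msiexec install as above (with /qn for a fully silent run and an install log), treats 0 and 3010 as success, copies profstore.xml into ProfStore and compares file hashes. The source folder C:\Temp\Foxit is a placeholder:

```powershell
# Added example (not from the original article): a deployment script that runs
# the same msiexec command as above, handles the msiexec exit codes, and then
# copies profstore.xml into ProfStore and confirms the copy by hash.
# File names are the ones used in the article; the source folder is a placeholder.

$source    = 'C:\Temp\Foxit'    # placeholder: folder holding the MSI, MST and profstore.xml
$msi       = Join-Path $source 'FoxitReader93_enu_setup.msi'
$mst       = Join-Path $source 'FoxitReader93_enu_Setup_FCT.mst'
$xml       = Join-Path $source 'profstore.xml'
$profStore = 'C:\Program Files (x86)\Foxit Software\Foxit Reader\ProfStore'

function Install-FoxitReader {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $MstPath
    )
    foreach ($f in $MsiPath, $MstPath) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }
    # Fully silent install (/qn) with a verbose log for troubleshooting.
    $log = Join-Path $env:TEMP 'FoxitReader-install.log'
    $msiArgs = @(
        '/I', "`"$MsiPath`"",
        '/qn',
        "TRANSFORMS=`"$MstPath`"",
        'ALLUSERS=1',
        '/L*v', "`"$log`""
    )
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    switch ($p.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'InstalledRebootRequired' }
        default { throw "msiexec failed with exit code $($p.ExitCode); see $log" }
    }
}

function Copy-ProfStoreXml {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [string] $ProfStorePath
    )
    if (-not (Test-Path -LiteralPath $ProfStorePath)) {
        throw "ProfStore folder not found; was Foxit Reader installed? ($ProfStorePath)"
    }
    $dest = Join-Path $ProfStorePath 'profstore.xml'
    Copy-Item -LiteralPath $XmlPath -Destination $dest -Force
    # Compare hashes so a failed or partial copy is caught.
    $srcHash = (Get-FileHash -LiteralPath $XmlPath -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest    -Algorithm SHA256).Hash
    return ($srcHash -eq $dstHash)
}

$state = Install-FoxitReader -MsiPath $msi -MstPath $mst
if (Copy-ProfStoreXml -XmlPath $xml -ProfStorePath $profStore) {
    Write-Host "Foxit Reader: $state; profstore.xml deployed."
} else {
    Write-Warning 'profstore.xml hash mismatch after copy.'
}
```

The hash comparison is cheap insurance in image-build pipelines: a UI customization that silently failed to copy is only noticed when users see the Share tab again.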

This concludes the guide.

We are now able to get the source files for Foxit Reader, make UI customizations and deploy it. Now there is no excuse, start testing Foxit Reader! I am sure you'll agree with me that Foxit Reader can easily take on Adobe Acrobat Reader.

Internet Explorer Tracking Protection

One of the most overlooked features of Internet Explorer is the Tracking Protection feature. Tracking Protection prevents websites from tracking your browsing behavior. You know how, if you for instance search for, let's say, a new Synology NAS box in Google, suddenly a lot of NAS related ads appear in your Facebook feed and on various other ad-driven sites? That's basically tracking; someone somewhere now knows that you are in the market for a new NAS.

However Tracking Protection also prevents all ads, Flash content and the like from being loaded when accessing a website. This means that in most cases websites will load faster and not consume as many system resources.

In this blog I will cover how to enable Tracking Protection and why I recommend doing this, especially in a multiuser scenario.

Up until a few years ago my preferred browser was Internet Explorer. Actually, besides the good old days with Netscape Navigator, I have always used Internet Explorer when browsing the internet. I am not trying to start yet another browser war here, but the alternatives like Google Chrome, Mozilla Firefox or Opera never really did much for me; I had gotten used to working with Internet Explorer and liked, and still like, the way it works.

However, as Windows 10 was released we received a new browser called Edge. Edge is supposed to be the successor of Internet Explorer, and at least for my part that is the case, but according to various sites here and here it doesn't look like Edge is favoured by many people; it's still Google Chrome that tops the lists as the most preferred browser.

Even though Google Chrome may be the most preferred browser, this is usually not the case in a multiuser setup like Citrix XenApp or Microsoft RDS, where we would like to provide a secure and consistent user experience, and that includes the browsing experience as well. We can, via group policy, lock almost everything in Internet Explorer down, which gives us total control of what parts of Internet Explorer the user can access and/or configure. Any Internet Explorer security updates, or just regular feature updates, are all maintained either via the Microsoft Update site or via an internal Windows Server Update Services (WSUS) server, which means that during our regular Windows operating system maintenance we get updates for Internet Explorer as well as any other relevant Microsoft software.

So how does it work?

How to configure Tracking Protection manually:

First we need to enable Tracking Protection in Internet Explorer:

Click – Tools -> Internet Options – Programs

Click – Manage add-ons

Click – Get a Tracking Protection List online…

This should bring you to this site – http://iegallery.com/da/trackingprotectionlists/ (or a similar looking URL based on your region)

That site errors out, way to go Microsoft!

This has been an issue for at least 6 months, maybe more, and it doesn’t look like Microsoft is going to fix it anytime soon.

So what we need to do instead, is to go to this URL – https://www.microsoft.com/en-us/iegallery

Scroll down to the Tracking Protection Lists section and select EasyList Standard, EasyList and Stop Google Tracking, by clicking add on each list.

This adds the lists to Internet Explorer and your Tracking Protection configuration, should now look like this

Your browsing experience should now be significantly faster than before the activation of Tracking Protection, and also consume fewer system resources.

I have created 2 short videos in which I demonstrate the browsing experience in Internet Explorer with and without Tracking Protection enabled. The demonstration is done in Citrix XenApp 7.18 on Windows Server 2016 in Internet Explorer 11 with the latest Microsoft Updates. I have used http://www.cnn.com for demonstration purposes, however you will probably notice the same behavior with pretty much any other site.

Tracking Protection disabled:

Tracking Protection enabled:

Have a look at the CPU usage in the first video where Tracking Protection is disabled. When the site just sits there doing nothing, the CPU usage is somewhere between 40% and 70%. This is huge if you have multiple users on a Session Host server, imagine 10 users just loading this page and let it sit doing nothing.

In the second video, where Tracking Protection is enabled, the CPU usage is looking a lot better, somewhere between 5% and 15% when the site just sits there doing nothing. Also, 37 services have been blocked on this particular website. As I scroll up and down, CPU usage spikes do occur because of the change in content on the site; this is normal behaviour and will occur both with and without Tracking Protection.

How to configure Tracking Protection via Group Policy:

So now you may be asking “Now I have the Tracking Protection enabled on my local Internet Explorer browser, how do I enable it for every user in my environment?”. The answer to that question is: “Via Group Policy and Group Policy Preferences, of course :)”

Once Tracking Protection has been enabled a few things happen in the file system and registry.

In the file system:

  • In the user's profile 3 so-called TPL files get downloaded; these files contain the EasyList, EasyPrivacy and Stop Google Tracking lists.
  • The TPL files can be found here – %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection and look like this:
  • Copy the TPL files to a central location like NETLOGON or a share where users have read access.

In the registry:

  • In the user's registry 3 registry keys, and a few values within these keys, are created.
  • The registry key names correspond with the GUID-like names of the TPL files above, and look like this:
  • The full path to the above keys is – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists
  • So, as you see, 3 registry keys are created with names that correspond with the names of the TPL files.
  • Export the 3 keys to a REG file and in each key, change the “Path” value to %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl

GPO Configuration:

  • Create a new GPO
  • Under User Configuration configure Group Policy Preferences registry items like shown below:
  • For each of the 3 registry keys modify the Path value, so that it looks like this:
  • %<LOCALAPPDATA>%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl
  • This makes sure that the Group Policy engine resolves the %LOCALAPPDATA% correctly, and thereby configures the correct path to the TPL file.
  • You will also have to add this registry value:
  • This enables the Tracking Protection filtering feature.
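Once the GPO has applied, it is worth checking in a user session that each list key really points at a TPL file that exists in the profile, since a Path that resolves to nothing leaves the list silently inactive. The following PowerShell is an added example and not from the article; it only uses the Lists registry path and the Path value named above and makes no assumption about the enabling value shown in the screenshot:

```powershell
# Added example (not from the original article): checks, for the current user,
# that each Tracking Protection list key created by the GPO points at a TPL file
# that actually exists in the profile. Only the registry path and the "Path"
# value named in the article are used.

$listsKey  = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists'
$tplFolder = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\Tracking Protection'

function Get-TrackingProtectionListStatus {
    param(
        [Parameter(Mandatory)] [string] $ListsKeyPath,
        [Parameter(Mandatory)] [string] $ExpectedFolder
    )
    if (-not (Test-Path -LiteralPath $ListsKeyPath)) {
        return @()   # the GPO has not applied for this user yet
    }
    foreach ($key in Get-ChildItem -LiteralPath $ListsKeyPath) {
        $rawPath = (Get-ItemProperty -LiteralPath $key.PSPath -Name 'Path' -ErrorAction SilentlyContinue).Path
        # Expand %LOCALAPPDATA% in case the value was written unexpanded.
        $resolved = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }
        [pscustomobject]@{
            ListKey         = $key.PSChildName
            Path            = $rawPath
            FileExists      = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
            InProfileFolder = [bool]($resolved -and $resolved.StartsWith($ExpectedFolder, [StringComparison]::OrdinalIgnoreCase))
        }
    }
}

$status = @(Get-TrackingProtectionListStatus -ListsKeyPath $listsKey -ExpectedFolder $tplFolder)
if ($status.Count -eq 0) {
    Write-Warning "No Tracking Protection lists found under $listsKey."
} else {
    $status | Format-Table -AutoSize
    $broken = @($status | Where-Object { -not $_.FileExists })
    if ($broken.Count -gt 0) {
        Write-Warning "$($broken.Count) list(s) point at a missing TPL file; check that the files were copied into '$tplFolder'."
    }
}
```

A list whose Path is correct but whose file is missing is the common failure when the TPL copy and the registry preference are delivered by different mechanisms and one of them is filtered away from the user.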

You may have noticed the Tracking Protection Exceptions group I have in the GPO. The Tracking Protection Exceptions list enables you to configure specific URLs where you don't want Tracking Protection to be active. This might be internal URLs like an intranet site or some other internal web based application, where Tracking Protection could be messing with the general functionality of the web site.

To configure a list of exceptions add this to your GPO:

  • Here, as an example, I have the http://intranet.company.local URL; you may add as many URLs as you want here.

As this GPO configures user settings, it can be applied to both Windows client and Windows Server operating systems. I have tested this specific configuration on Windows 7 and later and on Windows Server 2008 R2 and later, but only with Internet Explorer 11.

This concludes my guide on how to enable and configure Internet Explorer Tracking Protection. Feel free to comment.

The rise and fall of a champion

A couple of weeks ago I attended Citrix Synergy at the Hilton Convention Center in Anaheim in the US. I have been there a few times before, and it has been a pleasure to visit and attend Citrix Synergy at this venue every time.

There were a lot of great sessions, which sometimes made it hard to decide which one to attend. In this article, however, I will give my views and opinions on some of the announcements made regarding Citrix Workspace Environment Manager (WEM) and Citrix Profile Management (CPM), formerly known as Citrix User Profile Manager (UPM).

Citrix announced Office 365 experience support in CPM/WEM. This means that CPM/WEM will be able to handle the Outlook OST file and Windows Search index roaming in a non-persistent Session Host/VDI setup, exactly like the third-party vendors FSLogix and Liquidware already do. This is great news, as it is a feature I have wanted in CPM for years; however, Citrix may have been dragging their feet just a bit too long on this.

The Rise….

Before I go any further, a bit of history never hurt anyone. Back in May 2008 Citrix acquired sepagoProfile from sepago. The product was rebranded as Citrix User Profile Manager (UPM), which gave Citrix a profile management solution far superior to the Windows Roaming Profile solution built into most Windows versions.

From then on Citrix UPM was THE profile management solution, in most cases at least. Of course UPM had issues from time to time, but Citrix was usually very quick to address and solve them. Back in the day, with Windows XP and Windows Server 2003, we had to rely on tools like UPHClean to get a stable Windows Roaming Profile environment without profile lockups. With Citrix UPM this was no longer the case, as UPM was much more “intelligent” and had built-in mechanisms to prevent profile lockups.

Gone were the days when we needed obscure batch or VB scripts running during logon or logoff to manage or support application settings that were not saved in the APPDATA\Roaming folder; Citrix UPM was able to handle files and folders in the APPDATA\Local or APPDATA\LocalLow folders.

UPM eventually got additional features like Profile Streaming, which enabled parts of the user’s profile to be streamed to the Session Host or VDI during logon, which in most cases had a huge impact in bringing down logon times.

The Fall….

Up until the release of Windows 10 and Windows Server 2016, this was more or less the story with UPM. However, Citrix UPM is currently on a downward path and should, in my opinion, no longer be considered the preferred solution, primarily because of how Windows 10 and Windows Server 2016 handle user profiles.

As Citrix UPM still relies on the principles of a roaming profile, copying the profile back and forth between a file server share and the Session Host/VDI during logon and logoff, there are still situations where Citrix UPM has issues, and it still requires a great deal of configuration and management to prevent profile bloat and to obtain a reasonably stable profile environment. Yes, it still supports the Profile Streaming feature, but even that has over time shown that it is not always the way to go, as certain applications do not support this feature and may break or not work properly.

Currently there is a major bug in the Citrix UPM version introduced in Citrix XenApp and XenDesktop 7.15 LTSR CU1, which is mentioned in the Citrix discussions forums here – https://discussions.citrix.com/topic/391754-windows-2016-start-menu-blank-icons-with-715-cu1/

Citrix has posted a CTX article with two workarounds; however, a couple of people mention that these workarounds do not work. There is, however, a workaround described in the forum thread, involving a PowerShell script, that should be able to take care of things.

The fact that this bug still exists in both Citrix XenApp and XenDesktop 7.16 and 7.17, and was introduced in an LTSR edition of Citrix XenApp and XenDesktop, is, in my opinion, a major letdown by Citrix and illustrates just how much Citrix is struggling with Citrix UPM at the moment.

The Future….

In my opinion the future of Citrix UPM is a bit hazy.

Considering the number of issues I have personally encountered with Citrix UPM on Windows Server 2012/2012 R2, Windows 10 and Windows Server 2016, and the major bug described above, I have very little faith in Citrix providing anything remotely stable within this year, even though they claim to have the Office 365 experience feature ready within the next 90 days. This means that we are probably going to see this feature in Citrix XenApp and XenDesktop 7.19 or 7.20.

UPDATE – 14-08-18: The UPM Office 365 Experience feature is available in Citrix XenApp and XenDesktop 7.18

Also to be considered is the fact that Citrix is around 4-6 years behind in developing anything disk based, whether it be support for Office 365 or the entire profile in a disk-based solution. Microsoft has had its User Profile Disk solution since Windows Server 2012, which was released 6 years ago, and FSLogix and Liquidware have both had disk-based profile solutions for 4+ years now, so Citrix has some catching up to do.

To spice things up, Citrix will now have two separate and very different products covering the same Office 365 experience features, as Citrix App Layering has the User Layers feature, which is the entire user profile in a disk-based solution. This feature is still in Labs, though, which means that it isn’t ready for production use yet.

With Citrix App Layering you also have the Office 365 Layers feature, which only covers the Outlook OST file and nothing else. This feature is production ready, BUT (and there is a major “but” in there) both User Layers and Office 365 Layers are only available with the Platinum license, as mentioned in this article – A Breakdown of Citrix App Layering Features by Edition. This will prevent a lot of customers from being able to implement these features.
UPDATE – 25-05-18:
The above statement about the Office 365 Layer was incorrect. As per this article – https://www.citrix.com/products/xenapp-xendesktop/feature-matrix.html – the Office 365 Layer is available in all XenApp and XenDesktop license models; however, it is currently only supported on Windows 7 and Windows 10 64-bit.

I am looking forward to seeing how Citrix will develop both the User Layer and Office 365 Layer in Citrix App Layering, and the merge of Citrix WEM/CPM with the Office 365 experience feature. If Citrix manages to get the Office 365 experience feature stable, a disk-based profile solution with WEM/CPM may not be far behind, and if Citrix goes down that road FSLogix and Liquidware may have their work cut out for them.

For now, my recommendation is still to go with a disk-based profile solution, like FSLogix Profile Container and Office 365 Container.