How To Guide: Streaming Microsoft Office with Citrix XenApp 5 – Best Practice Guide & Licensing Overview

August 27, 2009

Citrix Technology Professional (CTP) Alexander Ervik Johnsen has written a very useful piece on how to Profile and Stream Microsoft Office 2007 using Citrix XenApp 5.0.

This is a great guide and covers how to stream Office to a desktop, or, into a Citrix XenDesktop session.  His article and guide can be found on his website here.

Further to the actual process of profiling and streaming the Office application, I also want to ensure everyone is aware of the Microsoft Per Device Licensing Model for Server Hosted Applications.

Many Microsoft applications, including Microsoft Office™, Project™ and Visio™, are licensed on a per-device basis. This means a desktop application license is required for each and every device that is able to potentially access the application or server where the application is installed, regardless of whether a user executes and runs the application or not. This makes licensing Microsoft applications in virtual environments a tricky, potentially very costly, and misunderstood subject.

One misconception is that by ‘publishing’ or ‘streaming’ applications to a limited “user” group, that group is compliant with the Microsoft license agreement – in other words, Microsoft licenses their applications per user. This is in fact in breach of the Microsoft licensing model, and can lead to legal action.

I have written a blog, which also includes official Microsoft approved whitepapers on how to control and enforce application access and license compliance on a per device basis in such virtual environments; that blog can be found here.

In addition to helping ensure compliance, effective license control and management can also reduce Microsoft License requirements and associated costs – more information on this can be found here.

If anyone has any questions or comments, as always, please do let me know.


My login’s too cold – it’s not all about TS and VDI

August 17, 2009

Goldilocks was hard at work managing “Three Bears Industries”. She added a default printer here, mapped a network drive there, and sorted out a few group policy settings. All in a day’s work for the overworked, underpaid IT administrator.

She heard a noise at the front door – “The Bears are back!!!” she exclaimed, and slipped quietly out through the back door and on to her next client.

“My Login makes me tooo Hot – Hot and bothered from waiting!!!!! ” yelled Papa Bear. “My Login makes me toooo cold – I feel like hibernating ! ” grumbled Mama Bear.

Baby Bear looked at his parents with big blue eyes and said “My Login just sucks !!”. You gotta love kids, they always say what they feel. But then, that’s the harsh reality in thousands of organizations – Logins suck!!

“Three Bears Industries” needs AppSense.

“But isn’t AppSense only useful in those environments? Why do I need AppSense if I’m a fat client site?” Think about it: if AppSense provides value in VDI and TS, then why would it NOT provide value in a real physical desktop?

In two weeks time, I start a rollout at a site who saw value in AppSense at the desktop level – around 3,000 of them to be precise.  AppSense has hundreds of desktop sites around the world – managing profiles, security and performance with our software.

These guys went through our ROI process a couple of months back. We found they were losing around 80 man hours per DAY while users sat around waiting to login – that’s 10 people every day they were paying for nothing. We also found the Helpdesk staff were spending around 300 hours per month fixing profile issues.

I introduced them to ENVIROMAN – looking very Borat like in his bright green Budgy Smugglers. He showed them a couple of quick demos, rollback of personalization settings, streamed application settings from desktop to desktop, and the rest is history – Thank You ENVIROMAN – your subscription to “Geek Monthly” is in the mail :-)

But seriously Guys, check out our value on the desktop – your wallet will thank you.

Some Mandatory Profile Best Practices *** Updated April 16th 2010.

August 7, 2009

There are a number of different ways that you can capture a profile that you want to subsequently use as a mandatory profile. My preferred approach is to log on as a non-administrative test user, run whatever applications are needed and configure as appropriate, log off and then take the resulting ntuser.dat, obviously renamed to, as the mandatory profile’s registry hive. I generally do not have any folders in the folder specified for the mandatory profile – it just contains the file and nothing else. *** Update: However, on Vista, Win7 and WS08, the empty folder AppData\Roaming does need to be created. In addition, if none of the folders that by default are used for items such as “My Pictures” and “My Music” exist in the base profile, these special folders will not be available to the user who is assigned this mandatory profile. However, it is strongly recommended that folder redirection is used to provide these special folders, if required, rather than using the defaults provided in the locally cached profile folder hierarchy. ***

Once the file has been copied away, I load it as a hive in regedit and then check various elements of it; namely:

  1. Security – the Access Control Entries (ACEs) for the user used to generate the profile should be removed and an Everyone – Full Control ACE added in their place. It is not actually ideal to open up security to this extent, but since we don’t know which user is going to use the profile, we cannot lock it down much further, although it could be done with a tool such as subinacl.exe at logon. For VDI environments, which are necessarily single user, it probably doesn’t matter, but for Terminal Services it means that a user with access to HKEY_USERS through regedit or other tools/scripts/macros can read and write/delete any other logged on user’s registry settings.
  2. Search the hive for the username of the user used to generate the hive and delete/replace the values as appropriate.  Note that there is no guarantee that changing a REG_SZ value to a REG_EXPAND_SZ and using “%Username%” or “%UserProfile%” in place of the actual username or locally cached profile folder respectively will work since it is up to the application that reads the value to implement environment variable expansion. Don’t be tempted to delete a whole key unless you are prepared to test that no ill effects occur. For instance, deleting the key “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”, because it contains values with the path to the generating user’s locally cached profile folder, will cause problems at logon whereas deleting all of the values in the key, but not the key itself, does not cause issues.
  3. Delete all policy registry keys such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies” and “HKCU\Software\Policies” (unless of course you want to apply GPO like lockdown this way but it can cause confusion).
  4. Strip out anything that you do not want – the best mandatory profiles are generally the simplest. There is, unfortunately, no easy way of deciding what should be stripped out. I tend to focus on Most Recently Used (MRU) lists such as those for opened documents, searches, runs and so on. The benefit of starting with the default user profile rather than a “contaminated” user profile is that this step, generally, is not required.
  5. Check all autorun locations, such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and “RunOnce”. It is usually best to have nothing in these keys and have things run at logon via other means.
  6. Set application defaults, such as disabling splash screens, either by running the application and configuring it or by directly editing the registry if you know what keys/values need setting.

Once you have unloaded the hive and quit regedit, delete all .log and similar files that may have been created when the hive was loaded. Also check that the folder containing the file and the file itself are owned by the local administrators group and have no write/delete access for non-administrators. This is particularly important if the mandatory profile will be local to the system it is used on rather than through a share since share level permissions can also help protect the hive from accidental or deliberate damage.

Finally, thoroughly test the mandatory profile works as desired when assigned to a representative, non-administrative, user and the available applications are run.
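The checks from steps 1, 2, 3 and 5 and the file clean-up above can be scripted as a read-only audit before the profile is assigned. This is an added example, not code from the original post: the parameter names, the `MandatoryAudit` mount name, the treatment of SYSTEM as administrative, and the rule of flagging any `S-1-5-21-*` account ACE are assumptions made for illustration.

```powershell
# Added example (not the post's code); parameter and mount names are assumptions. Run elevated.
param([Parameter(Mandatory)][string]$HivePath,    # hive file copied from the test user
      [Parameter(Mandatory)][string]$SourceUser)  # account that generated the profile
$mount = 'MandatoryAudit'                          # temporary key name under HKEY_USERS
$root  = "Registry::HKEY_USERS\$mount"
$cv    = "$root\Software\Microsoft\Windows\CurrentVersion"
$sid   = [System.Security.Principal.SecurityIdentifier]
$like  = '*' + [System.Management.Automation.WildcardPattern]::Escape($SourceUser) + '*'
$findings = New-Object System.Collections.Generic.List[string]
& reg.exe load "HKU\$mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }
try {
    # Step 1: per-account ACEs should be gone and an Everyone (S-1-1-0) ACE present.
    $ids = (Get-Acl -Path $root).GetAccessRules($true, $true, $sid) |
        ForEach-Object { $_.IdentityReference.Value }
    if ($ids -notcontains 'S-1-1-0') { $findings.Add('ACL: no Everyone ACE on hive root') }
    $ids | Where-Object { $_ -like 'S-1-5-21-*' } | Select-Object -Unique |
        ForEach-Object { $findings.Add("ACL: account-specific ACE remains ($_)") }
    # Step 2: string values that still contain the generating user's name.
    $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if (($value -is [string] -or $value -is [string[]]) -and (($value -join ' ') -like $like)) {
                $findings.Add("Username: $($key.Name) [$name]")
            }
        }
    }
    # Steps 3 and 5: policy keys should be absent, autorun keys empty.
    "$cv\Policies", "$root\Software\Policies" | Where-Object { Test-Path $_ } |
        ForEach-Object { $findings.Add("Policy key present: $_") }
    foreach ($p in "$cv\Run", "$cv\RunOnce" | Where-Object { Test-Path $_ }) {
        foreach ($n in (Get-Item -Path $p).Property) { $findings.Add("Autorun: $p [$n]") }
    }
    if (-not (Test-Path "$cv\Explorer\Shell Folders")) { $findings.Add('Shell Folders key missing') }  # key must exist
} finally {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()    # release registry handles before unload
    & reg.exe unload "HKU\$mount" | Out-Null
}
# After unloading: leftover log files, ownership, non-admin write access (SYSTEM allowed by assumption).
$dir = Split-Path -Path $HivePath -Parent
Get-ChildItem -Path $dir -Force -File | Where-Object { $_.Name -like '*.log*' } |
    ForEach-Object { $findings.Add("Leftover file: $($_.FullName)") }
$write = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete'
foreach ($item in $dir, $HivePath) {
    $acl = Get-Acl -Path $item
    if ($acl.GetOwner($sid).Value -ne 'S-1-5-32-544') { $findings.Add("Owner is not Administrators: $item") }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sid)) {
        if ($ace.AccessControlType -eq 'Allow' -and ([int]$ace.FileSystemRights -band $write) -and
            $ace.IdentityReference.Value -notin 'S-1-5-32-544', 'S-1-5-18') {
            $findings.Add("Non-admin write/delete: $item ($($ace.IdentityReference.Value))")
        }
    }
}
$findings
```

An empty result means none of the listed conditions were found; it does not replace the logon test with a representative non-administrative user.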

I hope this has been of use, and if you have any questions or comments, please do let us know.

VDI Personalization and Configuration: Profile Management & Logon Scripts – not enough for multiple delivery mechanisms & OS platforms?

July 24, 2009

As a leading user environment management vendor, AppSense are in a unique position in that we have been involved in many VDI projects and rollouts, of which the majority vary in architecture, technology and requirements. One thing that does however remain the same between such projects is that of the requirement for user personalization management.

For many years the roaming profile provided user personalization in SBC environments, however as VDI deployments become more and more complex, with varying methods of desktop and applications delivery, along with multiple desktop operating systems and subsequently, profile versions, the roaming profile is no longer able to provide the user with their required settings in such (complex?) scenarios.

Furthermore, these desktops must now be constructed and configured based on the context of the user and/or connecting device.  i.e. mapping specific printers local to the user and device dependent on the location of the user logging on, or applying security policies to hide or remove access to network drives, folders, data and functionality such as copy and paste or print, again, based on the location of the user.  Whereby the desktop delivered to a user when connected locally inside the corporate LAN is different to that of the desktop delivered to the same user when connecting remotely from outside of the LAN.

One more point to consider is that of enabling the user to freely roam between the server hosted or provisioned virtual desktop, and the user’s local desktop device such as their PC or roaming laptop. How do you as IT enable user settings to automatically follow the user between different platforms?

AppSense Environment Manager was designed from the ground-up with functionality to accommodate the above requirements, making it, or, other user environment management solutions essential to the mass adoption of VDI on an enterprise scale.  In essence, AppSense provides the ability to encompass multiple delivery technologies and OS platforms by allowing the user to roam between the paradigms without any noticeable change to their desktop or user experience, enabling IT and the organization to benefit from flexibility, agility and lower TCO.  I do at this point want to highlight that this is different to the personalization management provided by the leading VDI vendors (Citrix, Microsoft, VMware etc), as their in-built functionality is typically designed for their delivery platform, not each other’s.   In essence, further to the advanced personalization and simplification of desktop management, AppSense also enables an organization to use combinations of both existing technologies, and (potentially) more importantly, any future VDI delivery technologies and vendors.

I have just found a very nice blog covering the functionality of not only AppSense Environment Manager, but also the base technology inherent within the leading VDI service providers – Citrix, VMware and Microsoft. Hopefully from this blog post, and the information over at GenerationV, you will see how AppSense bridges the gap between the roaming user and a dynamic, flexible VDI model.

For more information on this, the GenerationV Profile Management blog can be found here

AppSense Technical University Training For Partners

July 22, 2009

I am excited about writing this one, the much awaited 2009 AppSense Technical University is soon upon us! It will take place in October and November!!  Following on from our previous events, there are some exciting new developments at AppSense that we would like to share with you; amongst other topics:

  • User Introduced Applications (UIA) Technology – do we need, and how do we enable, users to install applications into non-persistent VDI sessions, and have the applications (and settings and preferences) remain available in the next non-persistent VDI session?!
  • AppSense Management Suite Version 8.1 Product RoadMap
  • ‘Policy & Personalization’ best practices across virtual and multi OS platform environments



Why attend the AppSense Technical University?

The AppSense University is a ‘free of charge’ event to our AppSense Certified Solution Partners, and is a great chance to meet up with the AppSense Technical teams, as well as your peers from within the community. As a valued member of our Certified Solutions Partner program, you are invited to this comprehensive technical update and networking event.

The 2 day event will include in-depth, hands on training designed to enable you to provide consultancy services and implement the AppSense Management Suite for prospects and customers.

Register for further information

As always, AppSense is hosting several Technical University events in locations around the globe. If you are interested in attending an AppSense Technical University, click on the country or region most relevant to you and we will keep you informed of the event details:

United States, November 2009 

United Kingdom, October 2009

Norway, November 2009

DACH Region, November 2009

BeNeLux, November 2009

Australia, October/November 2009

We look forward to seeing you there!

Best Regards,

The AppSense Technical University Team.

Telephone: +44 (0)1928 793 444

Citrix Session & Application Timeouts, a Great Solution

July 21, 2009

I had a great day on Tuesday. An AppSense client had an issue where their remote workers experienced their Citrix applications timing out on them.

After connecting, and using application 1, by the time they go to use application number 2, it had timed out, and when they try to restart it, Web Interface had timed out as well.

So the client’s question was “How can AppSense help me?!”.

Enter “ENVIRO-MAN” from the left of screen. All dressed in pretty green and looking surprisingly like the Environment Manager Product Manager :-)

“Your session timeouts do not scare me” he roared as he landed awkwardly on the photocopier, injuring his knee.

While “ENVIRO-MAN” proceeded to bore one of the office staff with stories about the mighty Blackpool Football Club, I decided to dig in and fix the problem.

Session Timeouts are controlled by a number of parameters – as examples, there are some per server settings based on type of connection (RDP or ICA) and some user based settings set in Active Directory.

However, if you require more granularity, that’s where AppSense Environment Manager lives…

By using a Group Policy Action (Set ADM Policy / Set ADMX Policy), I was able to load in the ADM settings from the “C:\Windows\inf” directory.  I then typed “session” into the filter, and up came the Terminal Server Session Timeout setting…  Magic :-)

By using EM Rules/Conditions I could now vary the Session timeouts based on IP address, Client Name, or even by integrating it into the results of Citrix AAC filters :-)

I demoed it to the client (they were blown away), thanked ENVIRO-MAN for his help and left to help the next client in need.

All in a good day’s work :-)

Review of AppSense Environment Manager 8 by vExpert Tom Howarth

July 8, 2009

Tom Howarth (a VCP/vExpert specializing in Thin Client & Virtualization solutions) and author of has published a comprehensive review of AppSense Environment Manager Version 8.0

Tom is well known and highly respected within the VMware and Citrix communities and as such, this positive review comes with high regards.  In Tom’s concluding words he describes AppSense Environment Manager as, “It is a Ronseal product – it does what it says on the tin.”

The article can be viewed at

Group Policy Objects (GPO’s) & AppSense Environment Manager

July 1, 2009

Background information on GPO’s

Group Policy Objects are a common part of most organizations’ IT policy. While they are a needed tool for controlling the desktop, applications and security settings presented to a user, they are also one of the most complicated and time consuming policies to set up and maintain in an enterprise environment.

The main challenge with GPO’s is quite simply the management overhead required to keep on top of the ever changing requirements of the enterprise. Given that Policy is typically applied [within the AD] at Domain level, Computer Organizational Unit (OU) level and at User OU level, it can easily and rapidly become a management nightmare to ensure that the complexity does not overcome the needs of policy configuration in the first place. This, along with the GPO’s inability to have fine enough granularity (limited to AD Groups and OU as the means of depicting whether Policy is applied), makes GPO’s a difficult method to accurately deliver the policy to the corporate end points and end users.

Managing GPO’s with AppSense Environment Manager

AppSense Environment Manager resolves the above issues, reducing complexity and saving on time and cost by completely replacing the admin intensive process with an easy to use graphical user interface, complete with wizard based actions.

Actions can be selected and then applied at a user or device level, based on environment variables, without the need for any complex scripts. Furthermore, the GUI ensures consistency between Administrators, meaning any other support worker can quickly troubleshoot and amend any existing configuration.

AppSense Environment Manager builds on the GPO technology, but instead of relying on complex scripting and applying settings at an OU level or computer level, Environment Manager uses a GUI interface to present the administrator with an easy to read list of ADM templates and GPO settings, and then enables them to be applied at a user level based on a flexible rules list.

With the Environment Manager flexible rule set, Group Policy actions need not be applied at a group level, but instead to whoever or whatever you want.