Posts

Intune installation requires a wire...or does it?

If you are using Intune (great!) it assumes you have a wired connection (not great). This is more of an issue now that some machines no longer have built-in Ethernet ports. It is possible to connect to your wireless network, albeit in a slightly awkward way. Here's how.

During the OOBE hit SHIFT+F10 to get a command window and type either:

start ms-settings:

to get the Settings window, or

start ms-availablenetworks:

to see the network fly-out.

Thanks to "Using a wireless network connection with Windows Autopilot white glove" – Out of Office Hours (oofhours.com)

Bulk assign AD groups to Citrix applications using Powershell

PowerShell to add an Active Directory group to a Citrix delivered application. Run PowerShell from your Citrix Delivery Controller server, as admin.

If your applications reside in a specific folder, find the UID of that folder:

PS C:\> Get-BrokerApplication | Select Name, AdminFolderUid

Now use that UID in the following to enable the user filter on each application, so the application stops inheriting its visibility from the Delivery Group and is only shown to the users and groups you assign to it:

PS C:\> Get-BrokerApplication -AdminFolderUid 1 | Set-BrokerApplication -UserFilterEnabled $true

Now run this to assign a domain group:

PS C:\> Get-BrokerApplication -AdminFolderUid 1 | Add-BrokerUser -Name "DOMAIN\GroupName"

Note that between those two commands the applications have the filter on and an empty user list, so nobody can see them; run the Add-BrokerUser step straight afterwards.

I ripped this code from https://discussions.citrix.com/topic/383089-restricting-one-app-to-a-domain-group/ Thanks.
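The three commands above done as one re-runnable script, as an added example (not code from the original post, the Citrix forum thread or Citrix). It resolves the folder by name instead of by eyeballing the UID listing, adds the group before switching the filter on so no application is ever visible to nobody, skips applications already done, and has a dry-run mode. It assumes the Citrix.Broker.Admin.V2 snap-in is present (it is on a Delivery Controller); the folder and group names are placeholders.

```powershell
# Added example (not from the original post or from Citrix): assign one AD group
# to every published application in a Citrix admin folder, run on a DDC.
# Assumptions: Citrix.Broker.Admin.V2 snap-in present; names below are placeholders.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $FolderName,   # e.g. 'Finance\'  (Citrix admin folder names end in '\')
    [Parameter(Mandatory)] [string] $GroupName,    # e.g. 'DOMAIN\Finance-Users'
    [switch] $DryRun                                # report what would change, change nothing
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Resolve the folder to its UID by name instead of reading it off a listing by eye.
$folder = Get-BrokerAdminFolder | Where-Object { $_.Name -eq $FolderName -or $_.Name -eq "$FolderName\" }
if (@($folder).Count -ne 1) {
    throw "Expected exactly one admin folder named '$FolderName', found $(@($folder).Count). Folders: $((Get-BrokerAdminFolder).Name -join ', ')"
}
$apps = @(Get-BrokerApplication -AdminFolderUid $folder.Uid)
"Folder '$($folder.Name)' (UID $($folder.Uid)) holds $($apps.Count) application(s)"

foreach ($app in $apps) {
    # Skip applications that already list the group, so the script is safe to re-run.
    $already  = $app.AssociatedUserNames -contains $GroupName
    $filterOn = [bool]$app.UserFilterEnabled
    if ($already -and $filterOn) { "  [skip]   $($app.Name): already restricted to $GroupName"; continue }
    if ($DryRun) { "  [dryrun] $($app.Name): would add $GroupName (filter currently $filterOn)"; continue }

    # Add the group BEFORE turning the filter on: with the filter on and an empty
    # user list the application disappears for everyone in the Delivery Group.
    if (-not $already)  { Add-BrokerUser -Name $GroupName -Application $app -ErrorAction Stop }
    if (-not $filterOn) { $app | Set-BrokerApplication -UserFilterEnabled $true -ErrorAction Stop }

    # Re-read the application and show the resulting user list for the change record.
    $after = Get-BrokerApplication -Uid $app.Uid
    "  [done]   $($after.Name): filter=$($after.UserFilterEnabled) users=$($after.AssociatedUserNames -join ', ')"
}
```

Run it first with -DryRun to see which applications in the folder would change; the [done] lines afterwards are worth pasting into the change ticket, since they show the final user list the Broker actually stored.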

Ubuntu Citrix VDA Install

Yesterday I tried to install the VDA on an Ubuntu VM. Here's how it went.

I strongly recommend not "going it alone"; use the scripts provided by Citrix as these will normally work. Citrix annoyingly call this "Easy Install", which might offend some stalwart IT admins, but please swallow your pride: these scripts do EVERYTHING for you if your IT environment is not bonkers... like mine is. I needed some tweaks as we have a UPN which differs from our domain: our user accounts have a UPN of blogger@domain.com but reside in a domain called my.name.net. Yes, yes, yes, as I said, bonkers. Once I found this issue things went pretty smoothly.

Here's my recipe, dragged straight from the Citrix documents: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/easy-install.html

Make sure you really are installing Ubuntu 18.04 and patch it to the gunnels - install VMware Tools etc. Sort out the /etc/hosts to include one

Images from Media Creation Tool

When importing a Windows 10 image from the Media Creation Tool I was seeing the error "the source directory specified does not contain an identifiable operating system". This is because MDT needs a WIM image, not the ESD image which the MCT produces. Nice. Not.

To convert an ESD image file to one usable by MDT you need to complete the following:

Log into your machine as Admin.
Install and create a Windows 10 build using the Media Creation Tool straight to USB.
Install the Deployment and Imaging Tools onto your MDT box (unless you have it already!).
Run the Deployment and Imaging Tools Environment as Admin.
Type and run the following to list all the OSs in the ESD file:

dism /Get-WimInfo /WimFile:<path to install.esd>

Find the OS you want and note down its Index. Then run the following:

dism /export-image /SourceImageFile:<path to install.esd> /SourceIndex:<INDEX> /DestinationImageFile:<path for install.wim> /Compress:max /CheckIntegrity
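The same two dism steps wrapped up with the DISM PowerShell module, as an added example (not code from the original post). It picks the edition from the ESD by name rather than by a hand-copied index, refuses to run if the edition is missing or the destination WIM already exists (dism appends to an existing WIM rather than overwriting it), verifies the exported WIM, and records a SHA-256 so the image imported into MDT can be tied back to this conversion. The paths and edition name are placeholders (assumptions).

```powershell
# Added example (not from the original post): convert install.esd to a single-
# edition install.wim for MDT with the Dism PowerShell module, and verify it.
# Assumptions: the paths and edition name below are placeholders for your own.
#Requires -RunAsAdministrator
param(
    [string] $Esd     = 'D:\sources\install.esd',                                   # MCT USB stick
    [string] $Wim     = 'C:\DeploymentShare\Operating Systems\Win10\install.wim',
    [string] $Edition = 'Windows 10 Enterprise'
)
Import-Module Dism -ErrorAction Stop

# Equivalent of: dism /Get-WimInfo /WimFile:<esd>
$images = @(Get-WindowsImage -ImagePath $Esd -ErrorAction Stop)
$images | Select-Object ImageIndex, ImageName, ImageSize | Format-Table -AutoSize | Out-String | Write-Host

# Choose the index by edition name, and insist on exactly one match.
$match = @($images | Where-Object { $_.ImageName -eq $Edition })
if ($match.Count -ne 1) {
    throw "Expected exactly one image named '$Edition' in $Esd, found $($match.Count). Present: $($images.ImageName -join ', ')"
}
$index = $match[0].ImageIndex

# dism appends to an existing WIM; a stale file here would leave MDT two images to guess between.
if (Test-Path -LiteralPath $Wim) { throw "$Wim already exists; move it aside first" }
New-Item -ItemType Directory -Path (Split-Path -Parent $Wim) -Force | Out-Null

# Equivalent of: dism /export-image /SourceImageFile:<esd> /SourceIndex:<n>
#                     /DestinationImageFile:<wim> /Compress:max /CheckIntegrity
Export-WindowsImage -SourceImagePath $Esd -SourceIndex $index -DestinationImagePath $Wim `
    -CompressionType max -CheckIntegrity -ErrorAction Stop | Out-Null

# Verify: the new WIM must hold exactly one image, and it must be the edition asked for.
$out = @(Get-WindowsImage -ImagePath $Wim -ErrorAction Stop)
if ($out.Count -ne 1 -or $out[0].ImageName -ne $Edition) {
    throw "Verification failed: $Wim contains $($out.Count) image(s): $($out.ImageName -join ', ')"
}

# Record a hash next to the WIM so the copy imported into MDT can be checked later.
$hash = (Get-FileHash -LiteralPath $Wim -Algorithm SHA256).Hash
"$hash  $(Split-Path -Leaf $Wim)" | Tee-Object -FilePath "$Wim.sha256" | Write-Host
"Exported index $index ('$Edition') from $Esd to $Wim"
```

Point MDT's "Import Operating System" wizard at the folder containing the resulting install.wim; the .sha256 file beside it lets you confirm later that the image in the deployment share is still the one you exported.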

Citrix Store email discovery

We are rolling out Citrix and wanted to use email-based discovery. Whilst this has issues due to our choice of network IP addresses (don't ask!), I found a couple of web pages which assisted in getting this sorted.

https://www.jgspiers.com/configuring-citrix-receiver-email-based-discovery/
https://www.virtualexperience.no/2012/08/25/configure-citrix-receiver-email-based-discovery/

I only have need for this process internally as we are not running NetScalers. Yet. So my DNS requirements are somewhat simplified. This all boils down to three things:

1. An internal SRV record for _citrixreceiver._tcp.domain.com on port 443.
2. A certificate from the internal (trusted) PKI with a SAN of discoverReceiver.domain.com - I used a web server template and included the FQDN as the CN, and the FQDN, the short name of the server and discoverReceiver.domain.com as SANs.
3. Install this certificate into the IIS Default Web Site - or whatever website you are using to host the Store.

Change "domain.com" to
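A check, run from a domain-joined client, that the SRV record and the certificate SAN are actually what the client will see, as an added example (not code from the original post or the linked articles). It resolves the SRV record, completes a TLS handshake with the target using discoverReceiver.domain.com as the server name, then reports the SANs on the presented certificate and whether the chain validates against this machine's trusted roots. "domain.com" is a placeholder (assumption) for your own AD DNS domain.

```powershell
# Added example (not from the original post): verify the email-based discovery
# prerequisites from a client. 'domain.com' is a placeholder for your own domain.
param([string] $Domain = 'domain.com')

$srvName  = "_citrixreceiver._tcp.$Domain"
$wantSan  = "discoverReceiver.$Domain"          # the name the client expects in the SAN
$problems = @()

# 1. The SRV record must resolve and should point at the StoreFront host on 443.
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' })
if ($srv.Count -eq 0) { throw "No SRV record found for $srvName" }
$target = $srv[0].NameTarget
$port   = $srv[0].Port
"SRV   $srvName -> ${target}:$port (priority $($srv[0].Priority), weight $($srv[0].Weight))"
if ($port -ne 443) { $problems += "SRV record points at port $port, not 443" }

# 2. Complete a TLS handshake with the target and fetch the certificate it presents.
#    The callback accepts any certificate so the handshake completes; trust and
#    name are checked explicitly below, which gives a clearer report than an exception.
$tcp = [System.Net.Sockets.TcpClient]::new($target, $port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($wantSan)       # sends the discovery name as SNI, as the client would
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
"Cert  subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter)"

# 3. SAN check: parse the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Format($false) yields "DNS Name=a.domain.com, DNS Name=discoverReceiver.domain.com, ..."
    $sans = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
"SANs  $($sans -join ', ')"
if ($sans -notcontains $wantSan) { $problems += "certificate has no SAN for $wantSan" }

# 4. Trust check against this machine's store: the internal PKI root must be trusted here.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
if (-not $chain.Build($cert)) {
    $problems += "certificate chain does not validate: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
}
if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }

if ($problems.Count -eq 0) { "RESULT: discovery prerequisites look good for $Domain" }
else { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
```

A chain failure here on a domain-joined client usually means the internal root is not in the machine's Trusted Root store yet, which Receiver will report as a generic discovery error; the SAN line shows at a glance whether the template actually put discoverReceiver.domain.com on the certificate that IIS is serving.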

PXE booting, MDT and 802.1x

Oh dear. We implemented site-wide 802.1X when we moved. This has caused numerous issues which we are still tracking down and killing with fire. Again "only-when-we-needed-it" struck as we had a new starter and needed to build a machine. Ah. No PXE: a PXE client cannot authenticate to the switch port, so it never reaches the deployment server. However, thankfully we were able to make a bootable USB which authenticates with 802.1X and get our build working again from MDT in our 802.1X environment. Here's how we did it.

Caveats:
I'm assuming you know MDT and how PXE works.
We use computer certificates as the 802.1X authentication method.
802.1X is working in our environment.
GPO is used to start the Wired AutoConfig (wired 802.1X) service on built machines.
GPO is used to configure the network profile to use 802.1X.

What you need:
A USB stick to take your WinPE; 4GB may be enough.
Make sure you are running an up-to-date, working MDT installation!
A machine certificate which has a long expiry date; you don't want to be making USB WinPE images every month!!
Export the machine
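A sanity check on the machine certificate before it goes anywhere near the WinPE image, as an added example (not code from the original post). It assumes the certificate has been exported to a PFX (the path is a placeholder) and checks the things EAP-TLS with a computer certificate depends on: the Client Authentication EKU, the private key being present in the export, the chain validating, and enough validity left (a year by default, an assumption) that the USB image does not need rebuilding every month.

```powershell
# Added example (not from the original post): check an exported machine
# certificate (PFX) for use with 802.1X EAP-TLS from WinPE.
# Assumptions: PFX path is a placeholder; 12 months minimum validity is arbitrary.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [int] $MinMonthsLeft = 12
)
$pw   = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pw)

$problems = @()
"Subject:   $($cert.Subject)"
"Issuer:    $($cert.Issuer)"
"NotAfter:  $($cert.NotAfter)"

# EAP-TLS computer authentication needs the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object Value) }
"EKUs:      $($ekuOids -join ', ')"
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'no Client Authentication EKU (1.3.6.1.5.5.7.3.2)' }

# The export must carry the private key, or WinPE has nothing to sign the EAP exchange with.
if (-not $cert.HasPrivateKey) { $problems += 'PFX does not contain the private key' }

# Long expiry is the whole reason for a dedicated certificate here.
$cutoff = (Get-Date).AddMonths($MinMonthsLeft)
if ($cert.NotAfter -lt $cutoff) { $problems += "expires $($cert.NotAfter), less than $MinMonthsLeft months away" }

# The issuing chain should validate on this box before you trust it from a boot image.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
if (-not $chain.Build($cert)) {
    $problems += "chain does not validate: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
}

if ($problems.Count -eq 0) { 'OK: certificate looks usable for 802.1X from WinPE' }
else { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
```

Treat the PFX as a credential: anything that boots the USB stick can authenticate to the network as that machine, so keep the password out of scripts and the stick out of drawers.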

Bitlocker and MBAM on Windows 10 1903

Recently our SQL server broke. Big time. Totally unrecoverable. This box "only" ran small infrastructure databases, MBAM being the main one. We only noticed when we needed to unlock a BitLocker-locked machine and MBAM wasn't responding. Our backups were toast too, as the SQL server box had been unusable for longer than our retention period and we now had backups of a broken machine. Not great. We now monitor this server. Like a hawk. Horse. Bolt. Stable. Oh well. We did have the data on separate disks, so we were able to get the BitLocker database itself back and mount it on a new SQL box, so not all was lost.

We took this opportunity to upgrade MBAM and the MBAM client we deliver to the endpoints. Then Windows 10 1903 was released and we began piloting it to certain users. Due to the recent "interest" in MBAM we noticed that BitLocker was not enabling on these machines despite the GPO being in place. This GPO worked fl