Paul McCran's

Portfolio
I have been working with a client on a XenApp 6.5 to 7.11 (Seven Eleven) migration project recently.  The client had a large list of shortcuts published in their existing Farm, and staff were used to accessing content via those shortcuts.  This presented a challenge and was potentially going to slow down the migration until all of those shortcuts had been published on the new 7.11 site.

My approach to this challenge was to use a combination of PowerShell and Excel to create the new published content and apps automatically.  I did this by extracting a list of published applications from the client's existing XenApp 6.5 Farm and saving the data into an Excel spreadsheet.

This article describes the method and the PowerShell script I used to publish all of the application shortcuts listed in the spreadsheet.  Treat it as a guide: many of you will be able to tweak and improve the PowerShell code, or remove the requirement for Excel altogether.

Method:

Installed Excel on one of my Delivery Controllers.  (Be aware that this puts an Office install, and its patching and attack surface, on a management server; if you would rather not, run the script from a management workstation that has the Citrix PowerShell SDK installed.)

Copied the exported application data and removed the unwanted columns so that I was left with: Publication Name, Command Executable, Command Path, Working Directory.

From the Delivery Controller, launched PowerShell and ran Get-BrokerDeliveryGroup.  Noted the Uid of the delivery group.

Copied the shortcuts.xlsx spreadsheet into a directory called "Shortcuts".

Modified the PowerShell script to include the path to the Excel file and the Uid of the delivery group.


POWERSHELL SCRIPT

# Load the Citrix XenApp/XenDesktop 7.x cmdlets (run this from a Delivery Controller)
Add-PSSnapin Citrix*

# Edit these three values for your environment
$FilePath         = "C:\shortcuts\shortcuts.xlsx"
$SheetName        = "Sheet1"
$DeliveryGroupUid = 5      # the Uid returned by Get-BrokerDeliveryGroup

# Column layout of the spreadsheet (see EXCEL SPREADSHEET COLUMNS below)
$NAMEVAR   = 1   # A - publication name
$EXEVAR    = 2   # B - command executable
$PATHVAR   = 3   # C - command path (passed as the command-line arguments)
$WRKDIRVAR = 4   # D - working directory

# One Excel instance is enough to count the used rows and then read them
$objExcel = New-Object -ComObject Excel.Application
$objExcel.Visible = $true
$WorkBook  = $objExcel.Workbooks.Open($FilePath)
$WorkSheet = $WorkBook.Sheets.Item($SheetName)
$rowcount  = $WorkSheet.UsedRange.Rows.Count

$Row = 1   # start at 2 if the sheet has a header row
while ($Row -le $rowcount) {
    $Name            = $WorkSheet.Rows.Item($Row).Columns.Item($NAMEVAR).Text
    $CommandLineEXE  = $WorkSheet.Rows.Item($Row).Columns.Item($EXEVAR).Text
    $CommandLinePATH = $WorkSheet.Rows.Item($Row).Columns.Item($PATHVAR).Text
    $WorkDir         = $WorkSheet.Rows.Item($Row).Columns.Item($WRKDIRVAR).Text

    # -SecureCmdLineArgumentsEnabled $true stops users passing their own arguments to the
    # executable; -Description "Keywords:auto" makes Receiver subscribe the app automatically
    $appVAR = New-BrokerApplication -ApplicationType "HostedOnDesktop" `
        -Name $Name -PublishedName $Name `
        -CommandLineExecutable $CommandLineEXE -CommandLineArguments $CommandLinePATH `
        -WorkingDirectory $WorkDir -DesktopGroup $DeliveryGroupUid `
        -CpuPriorityLevel "Normal" -Enabled $true -MaxPerUserInstances 0 -MaxTotalInstances 0 `
        -Priority 0 -SecureCmdLineArgumentsEnabled $true `
        -ShortcutAddedToDesktop $false -ShortcutAddedToStartMenu $false `
        -UserFilterEnabled $false -Visible $true -WaitForPrinterCreation $false `
        -Description "Keywords:auto"

    # New-BrokerApplication has already attached the app to $DeliveryGroupUid; this line is
    # only needed if the app should also be offered from another delivery group
    Add-BrokerApplication $appVAR -DesktopGroup "NAME OF YOUR DESKTOP DELIVERY GROUP"
    $Row += 1
}

# Close the workbook without saving and quit Excel. The method calls need the parentheses:
# "$WorkBook.close" without them only returns the method definition and closes nothing.
$WorkBook.Close($false)
$objExcel.Quit()
[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($objExcel)


EXCEL SPREADSHEET COLUMNS

Column A - Exported publication's name (used for both -Name and -PublishedName)
Column B - Exported publication's command-line executable
Column C - Exported publication's command path (passed as the command-line arguments)
Column D - Exported publication's working directory

Save the spreadsheet to the path specified in the script.

Run the script
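As an added example (not the original post's script), here is the same bulk publish driven by a CSV export rather than Excel COM, so it runs from any machine with the Citrix SDK and needs no Office install on a Delivery Controller. It validates each row before touching the site and supports a dry run. The CSV column names, the sample rows and the delivery group name are constructed placeholders for this example.

```powershell
# Added example, not from the original post. Assumes the Citrix snap-in is installed.
Add-PSSnapin Citrix*

function Publish-AppsFromCsv {
    param(
        [string]$CsvPath,
        [string]$DesktopGroup,      # name or Uid, as returned by Get-BrokerDeliveryGroup
        [switch]$WhatIf
    )
    $rows = Import-Csv $CsvPath

    # Names already published in the site; a duplicate name makes New-BrokerApplication fail
    $existing = @{}
    Get-BrokerApplication -MaxRecordCount 100000 | ForEach-Object { $existing[$_.Name] = $true }

    foreach ($r in $rows) {
        # Blank names/executables are the usual residue of a hand-edited export
        if ([string]::IsNullOrWhiteSpace($r.Name) -or [string]::IsNullOrWhiteSpace($r.Executable)) {
            Write-Warning "Skipping row with empty Name or Executable: $($r.Name)"; continue
        }
        if ($existing.ContainsKey($r.Name)) { Write-Warning "Already published: $($r.Name)"; continue }

        # Publishing a bare file name leaves resolution to the VDA's search order; insist on a
        # full local or UNC path so nothing earlier in that order can shadow the real binary
        if ($r.Executable -notmatch '^[A-Za-z]:\\|^\\\\') {
            Write-Warning "Not a full path, skipping: $($r.Executable)"; continue
        }

        if ($WhatIf) { "WhatIf: would publish '$($r.Name)' -> $($r.Executable) $($r.Arguments)"; continue }

        New-BrokerApplication -ApplicationType HostedOnDesktop -Name $r.Name -PublishedName $r.Name `
            -CommandLineExecutable $r.Executable -CommandLineArguments $r.Arguments `
            -WorkingDirectory $r.WorkingDirectory -DesktopGroup $DesktopGroup `
            -SecureCmdLineArgumentsEnabled $true -Enabled $true -Visible $true `
            -Description "Keywords:auto" | Select-Object Name, Uid
        $existing[$r.Name] = $true
    }
}

# Constructed sample input mirroring the four spreadsheet columns
@"
Name,Executable,Arguments,WorkingDirectory
Notepad,C:\Windows\System32\notepad.exe,,C:\Users\Public
Calculator,C:\Windows\System32\calc.exe,,C:\Windows\System32
"@ | Set-Content C:\shortcuts\shortcuts.csv

# Preview first, then run for real
Publish-AppsFromCsv -CsvPath C:\shortcuts\shortcuts.csv -DesktopGroup "NAME OF YOUR DELIVERY GROUP" -WhatIf
# Publish-AppsFromCsv -CsvPath C:\shortcuts\shortcuts.csv -DesktopGroup "NAME OF YOUR DELIVERY GROUP"
```

Run it with -WhatIf once against the real CSV and read the warnings; every row it skips is a row that would otherwise have produced a broken or duplicate publication.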

Follow this Citrix article:

http://support.citrix.com/article/CTX136668

Get-BrokerSession | Where-Object {$_.SessionState -eq "Disconnected" -and $_.SessionStateChangeTime -lt (Get-Date).AddHours(-4)} | Stop-BrokerSession


Use this command to stop sessions that have been disconnected for more than 4 hours.  This can be useful when the timings you want are not accepted by the session GPO setting.  Note that Stop-BrokerSession logs the session off, so any unsaved work in it is lost.
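An added example (not from the original post) that wraps the one-liner above so it can be scheduled safely: it raises the record limit, restricts the clean-up to one delivery group, writes who was logged off to a log before doing it, and supports a preview run. The log path and delivery group name are placeholders.

```powershell
# Added example, not from the original post. Assumes the Citrix snap-in on a Delivery Controller.
Add-PSSnapin Citrix*

function Stop-StaleDisconnectedSession {
    param(
        [int]    $Hours = 4,
        [string] $DesktopGroupName = "*",              # placeholder: narrow to one delivery group
        [string] $LogPath = "C:\Logs\StaleSessions.log", # placeholder
        [switch] $WhatIf
    )
    $cutoff = (Get-Date).AddHours(-$Hours)

    # The Broker Get-* cmdlets return at most 250 records by default, so on a busy farm the
    # plain one-liner silently misses sessions unless -MaxRecordCount is raised.
    $stale = @(Get-BrokerSession -SessionState Disconnected -MaxRecordCount 100000 |
        Where-Object { $_.SessionStateChangeTime -lt $cutoff -and
                       $_.DesktopGroupName -like $DesktopGroupName })

    foreach ($s in $stale) {
        # Record who is being logged off before doing it, so the action is auditable
        $line = "{0} {1} on {2} disconnected since {3}" -f (Get-Date -Format s),
                $s.UserName, $s.MachineName, $s.SessionStateChangeTime
        Add-Content -Path $LogPath -Value $line
        if ($WhatIf) { Write-Host "WhatIf: would stop $line" }
        else         { Stop-BrokerSession -InputObject $s }
    }
    return $stale.Count
}

# Preview first, then run for real (or from a scheduled task on the controller)
Stop-StaleDisconnectedSession -Hours 4 -DesktopGroupName "NAME OF YOUR DELIVERY GROUP" -WhatIf
# Stop-StaleDisconnectedSession -Hours 4 -DesktopGroupName "NAME OF YOUR DELIVERY GROUP"
```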


When you add an App-V sequenced package into the App-V library integrated in XenApp 7.8, make sure that the location you are importing the packages from is a network share.  If you do not import the package from a network share, you'll notice that the PowerShell command to import the package runs, but the Studio screen appears blank and the application is not added.

On further investigation, the Studio console log displays "Successful" for the import, and the Windows event log shows no details of any error.  You can launch PowerShell from Studio and type the command:

Get-AppLibAppVPackage

This displays a list of the imported App-V packages.  You may notice entries in there even though there is nothing in Studio.  Note the erroneous metadata entries (your failed import attempts) with zero package GUID information.  Trying to remove these entries with Remove-AppLibAppVPackage -UID does not work.

Citrix will implement a patch for this issue, but in the meantime be aware that if you add a package from any location that isn't a share, no error is displayed and it may create erroneous metadata entries.

  • Check that the location you import the sequenced packages from is a network share
  • Check that the Citrix Application Library Service is running on the Delivery Controllers


Your XenApp/XenDesktop services may be running, but how can you check that they are working as they should?  Do the following:

Launch the Studio console from a Desktop Delivery Controller and select the Launch PowerShell option

Check each service in turn with these commands:

Get-ConfigServiceStatus
Get-BrokerServiceStatus
Get-HypServiceStatus
Get-AcctServiceStatus (the AD Identity Service)
Get-ProvServiceStatus
Get-AnalyticsServiceStatus
Get-MonitorServiceStatus
Get-AdminServiceStatus
Get-LogServiceStatus
Get-SfServiceStatus
Get-EnvTestServiceStatus

If they return "OK", the service is running and connected to its database.  Any other value (for example DBUnconfigured or DBMissing) means the Windows service is up but cannot use its database, which the Services console will not tell you.
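As an added example (not from the original post), the list above run from one place so that a controller can be checked in a single call and anything that is not "OK" stands out. It assumes the Citrix snap-in is available on the controller it runs on; a cmdlet that is missing is reported rather than treated as healthy.

```powershell
# Added example, not from the original post.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Get-XdServiceHealth {
    $cmdlets = "Get-ConfigServiceStatus", "Get-BrokerServiceStatus", "Get-HypServiceStatus",
               "Get-AcctServiceStatus", "Get-ProvServiceStatus", "Get-AnalyticsServiceStatus",
               "Get-MonitorServiceStatus", "Get-AdminServiceStatus", "Get-LogServiceStatus",
               "Get-SfServiceStatus", "Get-EnvTestServiceStatus"
    foreach ($c in $cmdlets) {
        if (-not (Get-Command $c -ErrorAction SilentlyContinue)) {
            # Cmdlet absent: that SDK component is not installed on this controller
            [pscustomobject]@{ Cmdlet = $c; Status = "CmdletNotFound"; Healthy = $false }
            continue
        }
        try {
            # Each cmdlet returns an object whose ServiceStatus is "OK" only when the
            # service is up and talking to its database
            $status = [string](& $c -ErrorAction Stop).ServiceStatus
        } catch {
            $status = "Error: " + $_.Exception.Message
        }
        [pscustomobject]@{ Cmdlet = $c; Status = $status; Healthy = ($status -eq "OK") }
    }
}

$health = Get-XdServiceHealth
$health | Format-Table -AutoSize
if ($health | Where-Object { -not $_.Healthy }) {
    Write-Warning "One or more XenApp/XenDesktop services are not OK on $env:COMPUTERNAME"
}
```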

You have created a shared Start Menu for your Hosted Shared Desktops, but you notice that the Start Menu groups and tile locations are not being applied for your users.  So you log on as an admin, pin your apps to the tile menu again and create Start Menu groups.  You make sure that Start Menu folder redirection is configured to move the contents of your Start Menu to the shared Start Menu location.  You would like to use the Start Layout setting in Group Policy so that your Start Menu tile layout can be exported to XML and loaded for all users, but the GPO setting isn't available because you are using 2008 AD servers.  So what can be done?  Follow this procedure to test a solution:

Download: https://www.microsoft.com/en-gb/download/details.aspx?id=43413

Make sure that you have already created the redirected Start Menu on a file share that has Access Based Enumeration enabled, and that you have pinned all of your apps to the Start Menu and created any Start Menu groups.

1) Go to the DC.

2) In the Policy Central Store, copy StartMenu.adml and StartMenu.admx within the same folder and rename the copies to StartMenuBackup, so you can roll back.

3) Run the installer for the Windows 8 / Server 2012 ADMX templates on the DDC that has the GPMC console installed.

4) Copy StartMenu.adml and StartMenu.admx from "C:\Program Files (x86)\Microsoft Group Policy\Windows Server 2012\PolicyDefinitions" on the Desktop Delivery Controller to the Domain Controller's Policy Central Store.

5) Overwrite the existing files.

6) Open your Start Layout policy and check that the "Start Layout" GPO setting is now available under User Configuration\Administrative Templates\Start Menu and Taskbar.

7) Export your Start Layout using:

8) export-startlayout -path "\\YourStartMenuShareLocation\StartLayout.xml" -as xml

9) Edit the "Start Layout" GPO setting to point to the path where your XML file is located (as above).
You may have to copy StartMenu.adml and .admx into C:\Windows\PolicyDefinitions on your Server 2012 controller and edit the GPO settings there if you have no 2012 DCs.

10) Apply the policy and test.  You should see the apps that your user has access to, and the Start Menu layout should include the Start Menu groups you created.
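Steps 2 to 8 as one script, added here as an example rather than taken from the original post. The domain name, the Server 2012 PolicyDefinitions folder and the Start Menu share are placeholders; the export step has to run in the session of the admin account whose pinned layout you want to capture.

```powershell
# Added example, not from the original post. All paths are placeholders.
$Domain       = "corp.example"
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$NewDefs      = "C:\Program Files (x86)\Microsoft Group Policy\Windows Server 2012\PolicyDefinitions"
$LayoutShare  = "\\YourStartMenuShareLocation"
$Lang         = "en-US"

# Step 2: keep a copy of the current StartMenu templates before overwriting them
foreach ($rel in "StartMenu.admx", "$Lang\StartMenu.adml") {
    $src = Join-Path $CentralStore $rel
    if (Test-Path $src) {
        Copy-Item $src ($src -replace 'StartMenu\.', 'StartMenuBackup.') -Force
    }
}

# Steps 4-5: copy the newer templates into the central store, overwriting the old ones
Copy-Item (Join-Path $NewDefs "StartMenu.admx") $CentralStore -Force
Copy-Item (Join-Path $NewDefs "$Lang\StartMenu.adml") (Join-Path $CentralStore $Lang) -Force

# Step 6 check: the new template must carry the Start Layout policy, or the GPO editor will
# still show nothing. Abort here rather than discovering that after the GPO has been edited.
$admx = Get-Content (Join-Path $CentralStore "StartMenu.admx") -Raw
if ($admx -notmatch 'StartLayout') { throw "StartMenu.admx in the central store does not define the Start Layout policy" }

# Steps 7-8: export the pinned layout of the current (admin) session to the share
$xmlPath = Join-Path $LayoutShare "StartLayout.xml"
Export-StartLayout -Path $xmlPath -As xml

# Confirm the export is well-formed XML before pointing the policy at it
[void][xml](Get-Content $xmlPath -Raw)
"Layout exported to $xmlPath; now set the Start Layout GPO to that path (step 9)"
```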

Combine compute and storage onto your Hyper-V server nodes.

Include RDMA NICs from Chelsio or Mellanox and reduce your storage costs using Microsoft Storage Spaces Direct.

Check out this video.  The good stuff starts 50 seconds in.
This PowerShell snippet can be used to convert old .ico files into Base64 so that they can be assigned to a XenApp 7.7+ published application.  You can use the Studio console to import these icons too, but there may be occasions where you have a list of apps and associated icon files that are easier to import via PowerShell.

You can use this PowerShell snippet to automate the conversion of the files and have them assigned to Citrix published app IconUids:

You will need to change the icon path and publication name for this test.  You will also need to run it from a machine that has the latest XenApp/XenDesktop cmdlets installed, e.g. a Delivery Controller (run the PowerShell tool from the Studio console if in doubt).

asnp Citrix*
$path = "c:\icons\harmony.ico"
# Read the .ico as raw bytes and Base64-encode it (-Encoding Byte is Windows PowerShell;
# on PowerShell 7 use -AsByteStream instead)
$convertedicon = [Convert]::ToBase64String((Get-Content $path -Encoding Byte))
# New-BrokerIcon returns the stored icon object, so its Uid can be used directly
# without looking it up again with Get-BrokerIcon
$icon = New-BrokerIcon -EncodedIconData $convertedicon
Get-BrokerApplication -Name "PublicationName" | Set-BrokerApplication -IconUid $icon.Uid
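An added example (not from the original post) that applies the single-icon command above to a list of apps. The input is a CSV with Name and IconPath columns, constructed here for the example; an icon whose data is already stored in the site is reused rather than created a second time, and apps or files that cannot be found are reported and skipped.

```powershell
# Added example, not from the original post. Assumes the Citrix snap-in on a Delivery Controller.
Add-PSSnapin Citrix*

function Set-AppIconsFromCsv {
    param([string]$CsvPath)
    foreach ($row in Import-Csv $CsvPath) {
        $app = Get-BrokerApplication -Name $row.Name -ErrorAction SilentlyContinue
        if (-not $app) { Write-Warning "No published app named '$($row.Name)'"; continue }
        if (-not (Test-Path $row.IconPath)) { Write-Warning "Icon file missing: $($row.IconPath)"; continue }

        $data = [Convert]::ToBase64String((Get-Content $row.IconPath -Encoding Byte))

        # Reuse an identical icon if one is already stored, otherwise create it; this stops a
        # re-run of the script filling the site with duplicate icon records
        $icon = Get-BrokerIcon -Property Uid, EncodedIconData -MaxRecordCount 100000 |
                Where-Object { $_.EncodedIconData -eq $data } | Select-Object -First 1
        if (-not $icon) { $icon = New-BrokerIcon -EncodedIconData $data }

        $app | Set-BrokerApplication -IconUid $icon.Uid
        "{0} -> IconUid {1}" -f $app.Name, $icon.Uid
    }
}

# Constructed sample input
@"
Name,IconPath
Harmony,C:\icons\harmony.ico
Notepad,C:\icons\notepad.ico
"@ | Set-Content C:\icons\icons.csv

Set-AppIconsFromCsv -CsvPath C:\icons\icons.csv
```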
Offline Root CA

If you are using a 2008 or later Active Directory, you can edit the Default Domain Policy and add the CA root cert and CA intermediate cert to the policy.  This is of course after you have installed the servers and have those certificates to import.  The GPO import lets machines on the domain add the certs to their stores automatically, rather than you having to push them out manually.  Note that with a 2003 AD you will need to create a script to deploy the intermediate cert, as the GPO option for intermediate certificates is not available in 2003 AD.

First of all, do not install a CA on a Domain Controller!  Create two new VMs, one joined to the domain (the subordinate) and one not on the domain (the root).  See below:
  • Join the subordinate server to the domain
  • Install AD Certificate Services on the stand-alone root server
  • Only install the Certification Authority role service
  • Click Configure AD Certificate Services
  • Use the local admin credentials (as this server is not on the domain)
  • Set up a "Standalone CA"
  • Make it the Root CA
  • Create a new key pair
  • Select RSA, Microsoft Software Key Storage Provider, 2048
  • SHA2 (SHA256) for the certificate hash
  • Keep the Common Name
  • Validity period 10 years.  This is the lifetime of the root certificate, not how often the box has to come online: the root must be powered on to publish a fresh CRL before the current one expires (see the CRLPeriod settings further down), otherwise chain validation for everything below it fails
  • Default DB locations
  • Configure
  • Go into the Certification Authority snap-in
  • Right-click your server name in the snap-in, Properties
  • CDP - the CRL Distribution Point, where clients fetch the revocation list from
  • AIA - Authority Information Access, where clients pull the CA's certificate (public key) from.  You need to configure this so that when the root is turned off, the certificate can still be fetched from the subordinate (server 1)
  • Once a client has the CA certificate, the chain is not trusted until the Certificate Revocation List (CRL) has been checked
  • In the Extensions tab, select extension "CRL Distribution Point (CDP)"
  • Select "C:\Windows\system32\..." (the local CertEnroll path)
  • Check "Publish CRLs to this location" and "Publish Delta CRLs to this location"
  • Click on LDAP and check "Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually"
  • Go to HTTP and remove it
  • Go to File and remove it
  • Add a custom location: http://subserver/certenroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • Click OK
  • Check "Include in CRLs" and "Include in the CDP extension of issued certificates"
  • For AIA, remove HTTP and File
  • Add a custom location: http://subserver/certenroll/<ServerDNSName>_<CaName><CertificateName>.crt
  • Click OK
  • Make sure "Include in the AIA extension of issued certificates" is ticked
  • Restart the service
  • Go to Revoked Certificates, right-click, All Tasks, Publish, New CRL
  • Open a command prompt
  • certutil -setreg CA\ValidityPeriod "Years"
  • certutil -setreg CA\ValidityPeriodUnits 10
  • certutil -setreg CA\DSConfigDN "CN=Configuration,DC=yourdomain,DC=yourtld"
  • certutil -setreg CA\DSDomainDN "DC=yourdomain,DC=yourtld"
  • Right-click the server in the CA MMC and restart the service
  • Go to Revoked Certificates, Properties, Publish

Subordinate server

  • Install AD Certificate Services
  • Add the Certification Authority and Certification Authority Web Enrollment role services
  • Next and Install
  • Configure, tick Certification Authority
  • Select Enterprise CA
  • Select Subordinate CA
  • Create a new key pair
  • RSA 2048
  • Keep the server common name
  • Save the certificate request to the C: drive
  • Next
  • Configure
  • You will get a warning that the CA cannot start until its certificate is installed; that is normal
  • Open Explorer
  • Show hidden files
  • C:\
  • You will see the CSR .req file
  • Open a new Explorer window and go to the root server's C$ share
  • windows\system32\certsrv\certenroll
  • Copy the .req file from the sub server to CertEnroll on the root
  • Go to C:\windows\system32\certsrv\certenroll on the sub server
  • Copy both files (the root's .crt and .crl) from CertEnroll on the root server to CertEnroll on the sub server, not the .req
  • Go to the root server
  • Right-click the server, All Tasks, Submit new request
  • Browse to C:\windows\system32\certsrv\certenroll and select the .req
  • It will show in Pending Requests, hit F5
  • Right-click the pending request and select Issue
  • It will appear in Issued Certificates
  • Double-click it
  • Details
  • Copy to File
  • Choose PKCS #7 and "Include all certificates in the certification path"
  • Next
  • Save as subserver.  This exports the subordinate's certificate together with the root certificate (the chain), not a private key: the subordinate's private key was generated on the sub server when the request was created and never leaves it
  • Go to the sub server
  • Command prompt
  • certutil -dspublish -f server2_server2-ca.crt RootCA
  • certutil -dspublish -f server2-ca.crl
  • certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE  (the "+" adds the flag rather than clearing it; it lets the subordinate start when the offline root's CRL cannot be fetched live)
  • Open the Certification Authority MMC
  • Right-click the subordinate CA
  • All Tasks
  • Install CA Certificate
  • Go to the CertEnroll dir on the sub server
  • Choose the .p7b file
  • OK
  • Shut down the root CA
  • Go to the sub server
  • MMC - right-click and start the service
  • gpupdate /force
  • Machines will auto-enrol
  • The domain controller will grab a cert
  • GPMC
  • Default Domain Policy
  • Policies
  • Windows Settings
  • Security Settings
  • Public Key Policies
  • Intermediate Certification Authorities
  • Right-click, Import
  • Go to the Enroll folder and select "server1.crt"
  • Go to Trusted Root Certification Authorities and import root.crt from the Enroll folder
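Two things the bullet lists above leave implicit, added here as an example rather than taken from the original post: the CRL lifetime an offline root needs, and a check from the subordinate that the AIA and CDP URLs you typed into the extensions actually resolve once the root is powered off. Host names, CA names and paths follow the walkthrough's placeholders (server2 = offline root, subserver/server1 = enterprise subordinate); they are assumptions.

```powershell
# Added example, not from the original post. Two separate runs: the first block on the
# offline root, the rest on the subordinate.

# --- On the offline root, after the certutil -setreg lines above ---
# The default CRL lifetime is one week. An offline root must publish a CRL that outlives
# the gap between its planned power-ons, or every chain below it breaks when it expires.
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLDeltaPeriodUnits 0          # no delta CRLs from an offline root
Restart-Service CertSvc
certutil -CRL                                      # publish a fresh CRL to CertEnroll

# --- On the subordinate, once the root .crt and .crl are in CertEnroll and the web
# --- enrollment site is serving http://subserver/certenroll/ ---
function Test-CaChain {
    param([string]$CertPath)
    # -urlfetch makes certutil download the AIA and CDP URLs embedded in the certificate,
    # which is exactly what domain clients will do with the root switched off.
    $out = certutil -verify -urlfetch $CertPath 2>&1 | Out-String
    [pscustomobject]@{
        Certificate    = $CertPath
        AiaReachable   = ($out -notmatch 'Failed "AIA"')
        CdpReachable   = ($out -notmatch 'Failed "CDP"')
        RevocationSeen = ($out -notmatch 'revocation server was offline')
        ChainOk        = ($out -match 'command completed successfully')
    }
}

# The subordinate's own certificate is the chain every issued cert will be validated through
Test-CaChain -CertPath "C:\Windows\System32\CertSrv\CertEnroll\server1_server1-ca.crt"

# Confirm the published CRL and root certificate are actually served over HTTP
foreach ($u in "http://subserver/certenroll/server2-ca.crl",
               "http://subserver/certenroll/server2_server2-ca.crt") {
    try   { $r = Invoke-WebRequest -Uri $u -UseBasicParsing; "$u -> HTTP $($r.StatusCode)" }
    catch { "$u -> unreachable: $($_.Exception.Message)" }
}
```

Run Test-CaChain with the root shut down, not while it is still up: a pass with the root online proves nothing about the AIA and CDP locations clients will depend on for the next year.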
http://msitproblog.com/2015/10/27/installing-an-app-v-5-1-server-infrastructure/
If you wish to configure your XenApp environment to be accessible via the same URL both internally and externally, be aware that this isn't as simple as it used to be with Web Interface.  Web Interface was in no way comparable to the enhanced security and architecture of the modern Citrix StoreFront and NetScaler Gateway.

To configure the same URL for both internal and external users, you will likely need a SAN certificate with the CN configured for your external domain, plus the internal load-balanced store DNS address and the callback address.

It is possible to configure the Receiver client to use beacons to identify whether it should authenticate via an internal or external URL.  Think carefully about single URL, as it may not be required.  I'm not a fan of placing the internal StoreFront name on a public certificate: it advertises an internal host name to anyone who inspects the cert.  Do your users really care whether they have to type "Storefront" into their web browser when working on site?  It is also very easy to place the external URL on a corporate intranet page as a link, or add it as a shortcut to the Desktop or browser favourites.  Do you really need a single URL?  Probably not.
https://www.citrix.com/blogs/2014/05/28/a-video-is-the-next-best-thing-hdx-with-framehawk/

A useful presentation by "Scott & Scott" on Microsoft SPLA Licensing.

A good article on how to use VMware Workstation to upgrade the VMware Tools on your PVS vDisk.  A possible alternative to using WinImage etc. if your Citrix environment runs on vSphere.

https://www.virtuallyboring.com/citrix-pvs-use-vmware-workstation-to-upgrade-vmtools/


http://www.jasonsamuel.com/2015/09/18/how-to-deploy-microsoft-azure-mfa-ad-connect-with-citrix-netscaler-gateway/