Paul McCran's

Portfolio
You have created a shared Start menu for your Hosted Shared Desktops, but you notice that the Start menu groups and tile locations are not being applied for your users. So you log on as an admin, pin your apps to the tile menu again and create Start menu groups. You make sure that the Start menu folder redirection is configured to move the contents of your Start Menu to the shared Start menu location. You wish to use the Start Menu Layout setting in Group Policy so that your Start menu tile format can be exported to XML and loaded for all users, but you notice that the GPO setting isn't available because you are using 2008 AD servers. So what can be done? Follow this procedure to test a solution:

Download: https://www.microsoft.com/en-gb/download/details.aspx?id=43413

Make sure that you have already created the redirected Start Menu on a file share that has Access Based Enumeration enabled, and that you have pinned all of your apps to the Start menu and created any Start menu groups.

1) Go to the DC.

2) Copy Startmenu.adml and Startmenu.admx into the same folder location and rename the copies to startmenubackup.

3) Run the installer for the Windows 8 / Server 2012 GPO templates on the DDC that has the GPMC console installed.

4) Copy Startmenu.adml and Startmenu.admx from the Desktop Delivery Controller's "C:\Program Files (x86)\Microsoft Group Policy\Windows Server 2012\PolicyDefinitions" folder to the Domain Controller's Policy Central Store.

5) Overwrite the existing files.

6) Go to your Start Layout policy and check that the "Start" or "Start Layout" GPO setting is available under User Configuration\Administrative Templates\Start Menu and Taskbar.

7) Export your Start Layout using:

8) export-startlayout -Path "\\YourStartMenuShareLocation\StartLayout.xml" -As XML

9) Edit the "Start Layout" GPO setting to point to the path where your XML file is located (as above). If you have no 2012 DCs, you may have to copy the Startmenu.adml and .admx files into C:\Windows\PolicyDefinitions on your Server 2012 controller and edit the GPO settings there.

10) Apply the policy and test. You should see the apps that your user has access to, and the Start menu layout should include the Start Menu groups you created.
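The script below is an added example, not code from the original post. It carries out steps 2, 4, 5, 7 and 8 of the procedure in one go: it backs up the Central Store's StartMenu templates, replaces them with the Server 2012 copies from the DDC, exports the Start layout to the share, checks that the XML parses and lists the groups, and then inspects the layout file's ACL. The last check matters because every user's shell reads this file at logon, so a user who can write to it controls every other user's Start menu. The domain name, Central Store path and share path are assumptions to replace with your own.

```powershell
# Added example, not code from the original post. Scripts steps 2, 4, 5, 7 and 8 above.
# All paths are assumptions; adjust them to your environment. Run elevated on the DDC / DC.
#Requires -RunAsAdministrator

$centralStore = '\\yourdomain.local\SYSVOL\yourdomain.local\Policies\PolicyDefinitions'  # assumed
$ddcDefs      = 'C:\Program Files (x86)\Microsoft Group Policy\Windows Server 2012\PolicyDefinitions'
$layoutFile   = '\\YourStartMenuShareLocation\StartLayout.xml'                              # assumed share

# Steps 2, 4 and 5: keep a copy of the current templates, then overwrite them with the 2012 versions.
foreach ($relative in 'StartMenu.admx', 'en-US\StartMenu.adml') {
    $source = Join-Path $ddcDefs $relative
    $target = Join-Path $centralStore $relative
    if (-not (Test-Path $source)) { throw "Template not found on the DDC: $source" }
    if (Test-Path $target) {
        $backup = $target -replace '\.(admx|adml)$', 'backup.$1'   # e.g. StartMenubackup.admx
        Copy-Item -Path $target -Destination $backup -Force
    }
    Copy-Item -Path $source -Destination $target -Force
}

# Steps 7 and 8: export from the account whose pinned tiles and groups you want to ship.
# Windows 8.1 / Server 2012 R2 accept -As XML; on Windows 10 and later omit -As (XML is the only format).
Export-StartLayout -Path $layoutFile -As XML

# Sanity check: the file must parse, and it should contain the groups you created.
$xml    = [xml](Get-Content -Path $layoutFile -Raw)
$groups = $xml.SelectNodes("//*[local-name()='Group']") | ForEach-Object { $_.GetAttribute('Name') }
Write-Host "Exported $($groups.Count) Start menu group(s): $($groups -join ', ')"

# Permission check: the policy makes every user read this file, so write access for a broad group
# lets one user rewrite everybody's Start menu. Flag Allow entries that grant write to such groups.
$acl = Get-Acl -Path $layoutFile
$writable = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|Domain Users|\\Users$' -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
}
if ($writable) {
    Write-Warning "Users can modify $layoutFile via: $($writable.IdentityReference -join ', '). Make it read-only for users."
}
```

The ADML copy assumes an en-US language folder in the Central Store; change the relative path if your store uses a different locale folder.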

Combine compute and storage onto your Hyper-V server nodes.

Include RDMA NICs from Chelsio or Mellanox. Reduce your storage costs using Microsoft Storage Spaces Direct.

Check out this video. The good stuff starts 50 seconds in.

This PowerShell command can be used to convert old .ico files into Base64 so that they can then be assigned to a XenApp 7.7+ published application. You can use the Studio console to import these icons too, but there may be an occasion where you have a list of apps and associated icon files that are easier to import via PowerShell.

You can use this PowerShell command to automate the conversion of multiple files and then have them assigned to Citrix published app IconUids:

You will need to change the icon path and publication name for this test. You will also need to run this test from a machine that has the latest XenApp/XenDesktop cmdlets installed, e.g. a Delivery Controller (run the PowerShell tool from the Studio console if in doubt).

asnp Citrix*
# Read the .ico as raw bytes and Base64-encode it (Windows PowerShell syntax; PowerShell 7 uses -AsByteStream)
$path = "c:\icons\harmony.ico"
$convertedicon = [Convert]::ToBase64String((Get-Content $path -Encoding Byte))
# Register the icon with the broker
New-BrokerIcon -EncodedIconData $convertedicon
# Find the Uid the broker assigned by matching the encoded data
$icontemp = Get-BrokerIcon -Property Uid, EncodedIconData | Where-Object { $_.EncodedIconData -eq $convertedicon }
$InputIconID = $icontemp.Uid
# Assign the icon to the published application
Get-BrokerApplication -Name "PublicationName" | Set-BrokerApplication -IconUid $InputIconID

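The script below is an added example, not code from the original post, showing the multi-file automation the post describes. It reads an application-to-icon mapping from a CSV, checks that each file really is an ICO before handing it to the broker (a renamed PNG or an empty file would otherwise be stored as a broken icon), reuses an icon the broker already holds rather than registering a duplicate, and assigns the Uid to the published app. The CSV path and column names are assumptions; the Citrix cmdlets used are the ones the post itself calls.

```powershell
# Added example, not code from the original post. Run on a Delivery Controller or wherever the
# Citrix cmdlets are installed. CSV path and columns are assumptions.
Add-PSSnapin Citrix* -ErrorAction Stop

function Get-IconBase64 {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # ICONDIR header: reserved 0x0000 followed by type 0x0001. Reject anything else.
    if ($bytes.Length -lt 6 -or $bytes[0] -ne 0 -or $bytes[1] -ne 0 -or $bytes[2] -ne 1 -or $bytes[3] -ne 0) {
        throw "$Path does not look like an ICO file"
    }
    [Convert]::ToBase64String($bytes)
}

function Set-PublishedAppIcon {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,   # name of the published app in Studio
        [Parameter(Mandatory)][string]$IconPath
    )
    $encoded = Get-IconBase64 -Path $IconPath
    # Same lookup the post uses, but done before New-BrokerIcon so identical icons share one Uid.
    $icon = Get-BrokerIcon -Property Uid, EncodedIconData |
            Where-Object { $_.EncodedIconData -eq $encoded } |
            Select-Object -First 1
    if (-not $icon) { $icon = New-BrokerIcon -EncodedIconData $encoded }
    $app = Get-BrokerApplication -Name $ApplicationName -ErrorAction Stop
    $app | Set-BrokerApplication -IconUid $icon.Uid
    [pscustomobject]@{ Application = $app.Name; IconUid = $icon.Uid; IconFile = $IconPath }
}

# Constructed input: a CSV with one row per app, for example
#   ApplicationName,IconPath
#   Harmony,C:\icons\harmony.ico
Import-Csv -Path 'C:\icons\icons.csv' | ForEach-Object {
    $row = $_
    try   { Set-PublishedAppIcon -ApplicationName $row.ApplicationName -IconPath $row.IconPath }
    catch { Write-Warning "$($row.ApplicationName): $($_.Exception.Message)" }
}
```

A failed row is reported and skipped rather than aborting the batch, so one bad icon path in a long list does not leave the remaining apps untouched.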
Offline Root CA

If you are using a 2008 or later Active Directory, you will be able to edit the Default Domain Policy and add the CA root certificate and CA intermediate certificate to the policy. This is of course after you have installed the servers and have those certificates to import. This GPO import lets the machines on the domain automatically add the certificates to their stores, rather than having to push them out manually. Take note that if you use a 2003 AD, you will need to create a script to deploy the intermediate certificate, as the GPO option for intermediate certificates is not available in 2003 AD.

First of all, do not install a CA on a Domain Controller! You want to create two new VMs and have one (the subordinate) joined to the domain and the other (the root) not on the domain. See below:
  • Connect the subordinate server to the domain
  • Install AD Certificate Services on the stand-alone root server
  • Only install the Certification Authority role service
  • Click Configure AD Certificate Services
  • Use the local admin credentials (as this server is not on the domain)
  • Set up a "Standalone CA"
  • Make it the Root CA
  • Create a new key pair
  • Select RSA, Microsoft Software Key Storage Provider, 2048
  • SHA2 for the certificate hash algorithm
  • Keep the Common Name
  • Validity period 10 years (you only have to turn this on every 10 years)
  • Default DB locations
  • Configure
  • Go into the Certification Authority snap-in
  • Right-click your server name in the Certification Authority snap-in, Properties
  • CDP -
  • AIA - where you pull your public key from. You need to configure this so that when the root is turned off the public key can be retrieved from server 1
  • Once you get the public key, it isn't valid until the Certificate Revocation List (CRL) is checked
  • In the Extensions tab, select the extension "CRL Distribution Point (CDP)"
  • Select "C:\windows\system32...."
  • Check "Publish CRLs to this location" and "Publish Delta CRLs to this location"
  • Click on LDAP and check "Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually"
  • Go to HTTP and remove it
  • Go to File and remove it
  • Add a custom location: http://subserver/certenroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • Click OK
  • Check "Include in CRLs" and "Include in the CDP extension of issued certificates"
  • For AIA - remove HTTP and File
  • Tick "Include in the AIA extension of issued certificates"
  • Add a custom location: http://subserver/certenroll/<ServerDNSName>_<CaName><CertificateName>.crt
  • Click OK
  • Make sure that "Include in the AIA extension of issued certificates" is ticked
  • Restart
  • Go to Revoked Certificates, right-click, All Tasks, Publish, New CRL
  • CMD - go to the command line
  • certutil -setreg CA\ValidityPeriod "Years"
  • certutil -setreg CA\ValidityPeriodUnits 10
  • certutil -setreg CA\DSConfigDN "CN=Configuration,DC=yourdn,DC=yourdn"
  • certutil -setreg CA\DSDomainDN "DC=yourdn,DC=yourdn"
  • Right-click the server in the Certification Authority MMC and restart the service
  • Go to Revoked Certificates, Properties, Publish
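The script below is an added example, not code from the original post. It applies the certutil registry settings listed above on the stand-alone root, restarts the CA service, publishes a new CRL (the same action as Revoked Certificates > All Tasks > Publish > New CRL) and then reads the published CRL back so you can see its NextUpdate, which is the date by which the root has to be powered on again to re-sign it. The DNs are the post's placeholders. The CRLPeriod values are an assumption added here, not something the post sets: the default root CRL lifetime is one week, and once it lapses the subordinate's chain stops passing revocation checks even though the root certificate itself is valid for ten years.

```powershell
# Added example, not code from the original post. Run elevated on the offline root CA.
# DNs are placeholders from the post; the CRLPeriod entries are an assumption added here.
$settings = [ordered]@{
    'CA\ValidityPeriod'      = 'Years'
    'CA\ValidityPeriodUnits' = '10'                                   # max lifetime of certs this root issues
    'CA\DSConfigDN'          = 'CN=Configuration,DC=yourdn,DC=yourdn'  # placeholder: forest configuration DN
    'CA\DSDomainDN'          = 'DC=yourdn,DC=yourdn'                   # placeholder: domain DN
    # Assumption, not from the post: lengthen the base CRL lifetime so the root needs fewer power-ons.
    'CA\CRLPeriod'           = 'Weeks'
    'CA\CRLPeriodUnits'      = '26'
}
foreach ($entry in $settings.GetEnumerator()) {
    & certutil.exe -setreg $entry.Key $entry.Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($entry.Key) failed with exit code $LASTEXITCODE" }
}

Restart-Service -Name certsvc          # registry changes take effect on restart
& certutil.exe -CRL | Out-Null         # publish a new base CRL to the configured CDP locations
if ($LASTEXITCODE -ne 0) { throw "CRL publish failed with exit code $LASTEXITCODE" }

# Read back the base CRL just written to CertEnroll (delta CRLs end in '+.crl' and are skipped).
$crlFile = Get-ChildItem -Path "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
           Where-Object { $_.Name -notmatch '\+\.crl$' } |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$dump = & certutil.exe -dump $crlFile.FullName

function Get-DumpDate {
    param([string[]]$Lines, [string]$Field)   # pulls e.g. "NextUpdate: 1/2/2020 9:45 AM" out of certutil's text
    $m = ($Lines | Select-String "$Field`:\s*(.+)$" | Select-Object -First 1)
    if (-not $m) { throw "$Field not found in certutil -dump output" }
    [datetime]::Parse($m.Matches[0].Groups[1].Value)
}
$thisUpdate = Get-DumpDate -Lines $dump -Field 'ThisUpdate'
$nextUpdate = Get-DumpDate -Lines $dump -Field 'NextUpdate'
"CRL $($crlFile.Name) is valid from $thisUpdate until $nextUpdate"
"Power the root on and publish a new CRL before $($nextUpdate.AddDays(-7)) to keep the subordinate's chain valid"
```

The published .crl is what you copy to the subordinate's certenroll folder and push into AD with certutil -dspublish in the next section; the date printed at the end is the one to put in your calendar.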

Subordinate server

  • Install AD Certificate Services
  • Add the Certification Authority and the certificate web service role services
  • Next and install
  • Configure, tick Certification Authority
  • Select Enterprise CA
  • Select Subordinate CA
  • Create a key pair
  • RSA 2048
  • Keep the server common name
  • Save the certificate request to the C: drive
  • Next
  • Configure
  • You will get a warning, but that's normal
  • Open Explorer
  • Show hidden files
  • C:\
  • You will see the CSR .req file
  • Open a new Explorer window and go to the stand-alone root server's C$ share
  • windows\system32\certsrv\certenroll
  • Copy the .req file from the sub server to the certenroll folder on the root
  • Go to C:\windows\system32\certsrv\certenroll on the sub server's C:
  • Copy both files from certenroll on the root server to certenroll on the sub server, but not the .req
  • Go to the root server
  • Right-click the server, All Tasks, Submit new request
  • Browse to C:\windows\system32\certsrv\certenroll and select the .req
  • It will show in Pending Requests, hit F5
  • Right-click the pending request and select Issue
  • It will appear in Issued Certificates
  • Double-click it
  • Details
  • Copy to File
  • Choose PKCS #7, include all certificates in the certification path
  • Next
  • Save as subserver. This has exported the issued certificate together with its chain (a PKCS #7 file carries no private key; that stays on the sub server)
  • Go to the sub server
  • CMD prompt
  • certutil -dspublish -f server2_server2-ca.crt RootCA
  • certutil -dspublish -f server2-ca.crl
  • certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  • Open the Certification Authority MMC
  • Right-click the CA node
  • All Tasks
  • Install CA Certificate
  • Go to the certenroll directory on the sub server
  • Choose the .p7b file
  • OK
  • Shut down the Root CA
  • Go to the sub server
  • MMC - right-click and start the service
  • gpupdate /force
  • Machines will auto-enroll
  • The domain controller will grab a certificate
  • GPMC
  • Default Domain Policy
  • Policies
  • Windows Settings
  • Security Settings
  • Public Key Policies
  • Intermediate Certification Authorities
  • Right-click, Import
  • Go to the Enroll folder and select "server1.crt"
  • Go to Trusted Root Certification Authorities and import root.crt from the Enroll folder
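The script below is an added example, not code from the original post. Run it on the subordinate CA once the steps above are done, after gpupdate, to confirm what domain clients will actually see: the root in Trusted Root and the sub CA in Intermediate Certification Authorities (which is what the Default Domain Policy import pushes), the HTTP CDP and AIA URLs embedded in the sub CA certificate answering, and the chain building with live revocation checking. It uses certutil -ca.cert to export the sub CA's own certificate, so it must run on the sub CA itself; the temp path is an assumption.

```powershell
# Added example, not code from the original post. Run on the subordinate CA after the steps above.
$certFile = Join-Path $env:TEMP 'subca.cer'
& certutil.exe -ca.cert $certFile | Out-Null        # exports this CA's own certificate
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)

# 1. Did the Default Domain Policy land? Root in Trusted Root, sub CA in Intermediate.
$rootTrusted  = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer })
$intermediate = [bool](Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

# 2. Pull the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs from the certificate and fetch the HTTP ones.
#    These are the http://subserver/certenroll/... locations configured on the root above.
$urls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}
$urlChecks = foreach ($url in ($urls | Sort-Object -Unique)) {
    if ($url -notmatch '^http://') { continue }      # LDAP paths are exercised by certutil below
    try   { $ok = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
    catch { $ok = $false }
    [pscustomobject]@{ Url = $url; Reachable = $ok }
}

# 3. The same chain build with revocation checking that every client performs.
$verify  = & certutil.exe -verify -urlfetch $certFile
$chainOk = ($LASTEXITCODE -eq 0) -and -not ($verify -match 'ERROR:')

[pscustomobject]@{
    SubordinateCA     = $cert.Subject
    RootTrusted       = $rootTrusted
    IntermediateStore = $intermediate
    UrlsUnreachable   = @($urlChecks | Where-Object { -not $_.Reachable }).Url
    ChainVerifies     = $chainOk
}
if (-not $chainOk) { $verify | Where-Object { $_ -match 'ERROR|Revocation' } | Write-Warning }
```

A false ChainVerifies with an unreachable CRL URL usually means the root's CRL was not copied into the sub server's certenroll folder or has passed its NextUpdate; a false RootTrusted means the GPO import has not applied to this machine yet.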
http://msitproblog.com/2015/10/27/installing-an-app-v-5-1-server-infrastructure/