HP Device Manager Deploy programs to Thin Clients

A customer asked me to update their Thin Clients with Flash Player 18 (for Flash Redirection). The customer has HP Thin Clients with Windows 7 Embedded. I suggested they use the free HP Device Manager to manage the Thin Clients, not just for rolling out new images but also for installing updates onto the TCs.

After trying to install some software onto a TC I noticed that the software won't install. This is because the TCs have their TEMP folder redirected to the Z-drive. After changing this to the C-drive I could install the software. Knowing this, I created separate tasks which I can reuse on multiple occasions.

Basically you need the following tasks:

  • Change Temp from Z:\Temp to C:\Temp
  • Install Flash Player
  • Change Temp from C:\Temp back to Z:\Temp

Creating tasks

I’m assuming you already configured HP Device Manager and have it working so I won’t explain how to install it.

Open HP Device Manager and log in to the console. Go to the Task Templates and select one of the templates shown in the screenshot. We will use the following templates for our tasks:

  • _File and Registry
  • _Template Sequence

Task Templates

Create: “Change Temp to C” task and “Change Temp to Z” task

To change the Temp from Z:\Temp to C:\Temp you need to edit the Registry. Open the _File and Registry template, click Add and select Registry. In the new window, create the following tree HKLM\System\CurrentControlSet\Control\Session Manager\Environment\ and add the following values:

Type: REG_SZ
Name: TEMP
Value : C:\Temp

Type: REG_SZ
Name: TEMP
Value : C:\TMP

Temp - C- Registry

Click OK and save the task as “Change Temp to C”.

Repeat these steps with the following values:

Type: REG_SZ
Name: TEMP
Value : Z:\Temp

Type: REG_SZ
Name: TEMP
Value : Z:\TMP

and save the task as “Change Temp to Z”.

Create: “<Program install>” Task

To install the program on the Thin Client we need three steps:

  1. Deploy files
  2. Start install Script
  3. Delete files

First we create the install script. We create an install.cmd file with the following lines:

msiexec /i "C:\Temp\install_flash_player_18_active_x.msi" /qn
msiexec /i "C:\Temp\install_flash_player_18_plugin.msi" /qn

and save this to the same location where the Flash Player install files are located.

Now we create one task to deploy the files, execute the script and clean up the installation. Open the _File and Registry template, click Add and select “Deploy Files”. Click on “Add from local”, specify the “Install.cmd” file and click OK. Set the Path On Device to C:\Temp. Repeat this step for the Flash install files too. Finally click OK.

Deploy Files

Now click Add and select “Script”. Set Start In to C:\Temp and Content to Install.cmd and click OK.

Script Sub-task

Now click Add and select “Delete Files”. Set the file or folder name to all the files you deployed, set the path on device to C:\Temp and click OK.

Delete files

As you can see below you now have a task which deploys, executes and deletes files. Save this to

Template Editor

Create Template Sequence task

Finally we are going to create the Sequence task, which allows us to execute all the tasks we created. Open the _Template Sequence template, click Add and select _Write Filter Settings. Set the write filter to Disable and click OK.

Template Sequence - WriteFilter Disabled

Click Add, select the Change Temp to C task and click OK.
Click Add, select the <Program install> task and click OK.
Click Add, select the Change Temp to Z task and click OK.
Click Add, select _Write Filter Settings, set the write filter to Enabled and click OK.

Now you have the task sequence as you can see below. Save the sequence as Install Flash Player 18 and click OK.

Template SequenceFlash

The task will be created and the files are moved to the correct location.

When this is ready, select the devices and deploy the task.

With these steps you can deploy multiple programs to the Thin Clients. I use it for the latest Flash and Citrix Receivers to keep the thin clients compliant.

Good luck with this. If you have any questions, feel free to contact me.

NetScaler: Customize logon screen

When configuring the NetScaler for our customer, they wanted some modifications made to the logon screen:

  • “Password 1” and “Password 2” need to be “Password” and “Token ID”.
  • The Citrix Receiver image needs to be replaced with their company logo.

To do this we need to change some files on the NetScaler. First I will show how to change the logon screen from “Password 1” and “Password 2” to the new “Password” and “Token ID”.


This is the default when using secondary logon.

Connect to the NetScaler with WinSCP and download the following files:

  1. /var/netscaler/gui/vpn/login.js
  2. /var/netscaler/gui/vpn/resources/en.xml

Edit the login.js file and change the following:

  1. Go to the function ns_showpwd()
  2. Find: if ( pwc == 2 ) { document.write('&nbsp;1'); }
  3. Change it to: if ( pwc == 2 ) { document.write('&nbsp;'); }
    Or just remove the “1”.
  4. Save the file.

Edit the en.xml file and change the following:

  1. Go to:
    <String id="Password">Password</String>
    <String id="Password2">Password 2:</String>
  2. Change Password 2 into Token ID:
    <String id="Password">Password</String>
    <String id="Password2">Token ID:</String>
  3. Save the file.

Now copy both files back to the original location and test the logon page.

Token ID

The new logon screen.

But when you reboot the appliance you will notice the files are back in their original state. To make sure the change survives a reboot of the appliance, do the following.

    1. Create the directory /var/ns_gui_custom:
      mkdir /var/ns_gui_custom

    2. Create the customtheme.tar.gz file by running the following commands:
      cd /netscaler
      tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
      The customtheme.tar.gz contains all the files for the custom theme and is a copy of the /var/netscaler/gui/ directory. It is extracted when the Custom theme is selected.
    3. Change the theme to Custom
      1. Log on to the GUI.
      2. Expand NetScaler Gateway.
      3. Select Global Settings.
      4. Select Change Global Settings.
      5. Go to Client Experience.
      6. Change the theme to Custom.
      7. Save the configuration and reboot.

    When you reboot the NetScaler the files are copied back and the login screen is displayed correctly.
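
The packaging step above, scripted with a check that the archive really contains the edited login.js and en.xml before you reboot. This is an added example, not part of the original post: the function names and the theme_check.sh file name are assumptions, the paths are the ones used above.

```shell
#!/bin/sh
# Added example: package the customised GUI tree and prove the archive
# contains the edited logon files. Function names are made up for this
# example; the paths are the ones used in the post.

# Files edited earlier in the post, relative to the /netscaler directory.
EDITED_FILES="ns_gui/vpn/login.js ns_gui/vpn/resources/en.xml"

# build_custom_theme BASE_DIR OUT_DIR   (OUT_DIR must be an absolute path)
# Same tar invocation as in the post, minus -v, run from BASE_DIR.
build_custom_theme() {
    base=$1; out=$2
    mkdir -p "$out" || return 1
    ( cd "$base" && tar -czf "$out/customtheme.tar.gz" ns_gui/* )
}

# verify_custom_theme BASE_DIR ARCHIVE
# Returns 0 only if every edited file is in the archive, is byte-identical
# to the live copy, and en.xml carries the new "Token ID" label.
verify_custom_theme() {
    base=$1; archive=$2
    for f in $EDITED_FILES; do
        if ! tar -tzf "$archive" "$f" >/dev/null 2>&1; then
            echo "missing from archive: $f" >&2; return 1
        fi
        # Extract the member to stdout and compare it with the live file.
        if ! tar -xzOf "$archive" "$f" | cmp -s - "$base/$f"; then
            echo "archive copy differs from live file: $f" >&2; return 1
        fi
    done
    if ! tar -xzOf "$archive" ns_gui/vpn/resources/en.xml | grep -q 'Token ID'; then
        echo "en.xml in archive still has the default label" >&2; return 1
    fi
    return 0
}

# Run on the appliance as: sh theme_check.sh /netscaler /var/ns_gui_custom
if [ "$#" -eq 2 ]; then
    build_custom_theme "$1" "$2" && verify_custom_theme "$1" "$2/customtheme.tar.gz"
fi
```

A non-zero exit means the archive would restore files that differ from what is live now, for example because login.js was edited again after the archive was built.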


    Reset Windows Rearm count

    When working with Machine Creation Services we discovered that the clients all have the same CMID. A different CMID is needed to activate using KMS. We searched for a solution and everyone mentioned rearming the machine, but then we received the message that we can’t rearm. We searched further, but everyone pointed to setting SkipRearm to 1. When testing this we discovered that the CMID stays the same after rearming the Windows machine.

    We discovered that the “Remaining Windows Rearm Count” was 0. This means that when you set SkipRearm, you don’t actually rearm the machine. Knowing this, we searched for a way to reset the rearm count and found an article that explains how to do it: http://www.daniel-mitchell.com/blog/reset-windows-7-rearm-count/

    To do this follow the below instructions:

    1. Create reset.bat on C:\
    2. add the following code:

      reg load HKLM\MY_SYSTEM "%~dp0Windows\System32\config\system"
      reg delete HKLM\MY_SYSTEM\WPA /f
      reg unload HKLM\MY_SYSTEM

    3. Restart your machine to repair mode using the F8 key.
    4. In the System Recovery Options menu, select Command Prompt.
    5. Now type D:\reset.bat. In repair mode the C-drive is used as the recovery partition.
    6. If the script is executed successfully you should get the message “The operation completed successfully”.
    7. Reboot your machine.

    Now the rearm count is reset to 5. You can check this using slmgr /dlv.

    rearm count

    Now make sure SkipRearm is set to 0 at the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

    Now the image is ready to deploy and the KMS server will receive different CMIDs from the servers.


    NetScaler: Using groups membership to Authenticate

    When you use NetScaler Gateway 10.x and need to allow remote users access based on their group membership, you can use Active Directory groups. To configure this, create an Active Directory group and set the following settings on the LDAP server. Within the NetScaler go to NetScaler Gateway > Policies > Authentication/Authorization > Authentication > LDAP, open the Servers tab and edit or create the LDAP server:

    Connection Settings:

    • IP address: your Domain Controller
    • Port: 389
    • Base DN: dc=subdomain,dc=domain,dc=nl
    • Administrator Bind: Administrator account

    Other Settings:

    • Server Logon Attribute: sAMAccountName/UserPrincipalName
    • Search Filter: memberOf=CN=XenDesktop Remote,OU=Groups,OU=Resources,DC=subdomain,dc=domain,DC=nl
    • Group Attribute: memberOf
    • Sub Attribute Name: CN
    • Security Type: PLAINTEXT

    Nested Group Extraction:

    • Maximum Nesting Level: 2
    • Group Name Identifier: sAMAccountName/UserPrincipalName
    • Group Search Attribute: memberOf
    • Group Search Sub-Attribute: CN
    • Group Search Filter: <BLANK>


    I hope this helps you.


    NetScaler: Allow Password Change

    When users need to change their password when using the NetScaler Gateway you can use the option: Allow Password Change, which can be set when configuring the LDAP authentication.

    The Password change option is only allowed when you communicate using LDAPS (port 636) or LDAP-TLS (port 389), but you have to make sure your Domain controller also uses LDAPS or LDAP-TLS. I will use the LDAPS on port 636.

    Before you start, make sure you have a CA in your network and the Domain Controller has a certificate. Install this certificate on the NetScaler using the following article: http://www.vdnieuwenhof.eu/2013/09/install-iis-certificate-on-citrix-netscaler-10-1/ You can use the root certificate for this; then you don’t need to install the certificates of all the domain controllers.

    After you have installed the certificate on the NetScaler, edit the LDAP settings. Go to NetScaler Gateway > Policies > Authentication/Authorization > Authentication > LDAP, open the Servers tab and edit the LDAP server.

    • IP address: your Domain Controller
    • Port: 636
    • Base DN: dc=subdomain,dc=domain,dc=nl
    • Administrator Bind: Administrator account
    • Server Logon Attribute: sAMAccountName/UserPrincipalName
    • Security Type: SSL
    • Allow Password Change: Checked

    Allow Password Change

    I hope this helps.


    New Policy Settings in Windows Server 2012 and Windows 8

    With Windows Server 2012 and Windows 8 Microsoft added some new features and also created the Group Policy configuration options for them. They added 160 new items which are only compatible with Windows Server 2012, Windows 8 or Windows RT, and a total of 350 items which are compatible with earlier versions as well as the new Windows Server 2012 and Windows 8.

    You can download the complete list of available Group Policy items here: http://www.microsoft.com/en-us/download/details.aspx?id=25250


    Install IIS certificate on Citrix Netscaler 10.1

    In our test environment I recently used an existing SSL wildcard certificate to make the NetScaler available externally. To accomplish this I needed to export the certificate from an IIS server and import it into the NetScaler. When using StoreFront 2.0, which also advises you to use an SSL certificate, you also need this certificate imported into the NetScaler.

    SSL Export-Import (1)

    Exporting the Certificates

    To use the exported files we need to export the certificate two times, one time with the private key and one time without.

    1. Right-click the certificate and select “All Tasks”, then select “Export”. Follow the wizard, choose the option “Yes, export the private key” and continue the wizard. If you don’t get the option to export the private key, then issue a new certificate with the private key export option.

     SSL Export-Import (3)

     2. If you received the option to export the private key, you should now see the PKCS #12 (.PFX) options. Uncheck all the options, click “Next”, choose a password and filename and export the certificate. Choose a filename that looks like the certificate name, because the NetScaler will store the files with the names you choose. Using something like “certificate.pfx” could get confusing over time.

    SSL Export-Import (4)

     After we exported the certificate for the first time we now need to export it again. Read more »


    Citrix Shadowing/Remote Assistance session display is garbled/skewed

    When Shadowing a user with Citrix Shadowing (which uses Microsoft Remote Assistance) it’s possible the screen gets garbled/skewed.

    Remote Assistance

    To solve this problem set the following settings in the Group Policy: Read more »


    Microsoft Office 2013 needs 20% more capacity to maintain VDI performance

    New Project VRC research tests relative impact of Office 2013 against Office versions 2007 and 2010

    Madrid – Amsterdam, June 25, 2013 – Today, at TechEd Europe 2013 in Madrid Spain, Project Virtual Reality Check (Project VRC) announced the release of a new white paper about the relative impact of Microsoft Office on the performance of VDI based user environments.

    Microsoft Office is the most used application suite in the corporate environment. The goal of this new white paper was to investigate and document the VDI performance impact of Microsoft Office 2013 in comparison to the previous two versions of Microsoft Office, 2007 and 2010.

    The comparison of Office 2007 with Office 2010, showed only a 1% performance difference in favour of Office 2007. The comparison of Office 2007 and Office 2013 showed a significant performance decrease of over 20%. This leads to the conclusion that to maintain the same performance levels with the newest version of Microsoft Office, about 20% more infrastructure capacity may be needed.

    Office 2013 also consistently uses more CPU and over 272% more memory than Office 2007. In comparison, Office 2010 only uses 26% more memory. Optimizations such as turning animations and hardware graphics acceleration off did not influence the performance in any way.

    Another key finding published in the white paper is that running x64 versions of Windows and Office will have substantial impact on Storage IOPS and memory footprint in comparison to x86 versions.

    Jeroen van de Kamp, CTO of Login Consultants: “Many organizations are considering upgrading to Office 2013. To help them to make the correct decisions in the upgrade process, we wanted to provide independent insight in the VDI performance impact of this new Microsoft Office version.”

    Ruben Spruijt, CTO of PQR: “The goal of project VRC is to provide objective test data that will benefit the VDI and Server-Based Computing industry and end-user organisations. We recognise that every production environment is different. We therefore highly recommend to test the performance impact of Office 2013 in your own environment, before deployment.”

    Project ‘Virtual Reality Check’ (Project VRC) was started in 2009 by SBC and VDI specialists PQR (www.pqr.com) and Login Consultants (www.loginconsultants.com) and focuses on independent research in the desktop virtualization market. Several white papers were published about the performance of different hypervisors, application virtualization solutions, Windows Operating Systems and antivirus solutions.

    All Project VRC tests are performed with Login VSI (www.loginvsi.com). This vendor independent tool simulates realistic user workloads to objectively test the performance and scalability of VDI and Server Based Computing environments. The full test methodology used is described in the white paper.

    This and all other Project VRC white papers can be downloaded for free at www.projectvrc.com. To keep up-to-date with the latest developments you can follow Project VRC on Twitter @ProjectVRC.


    Citrix Desktop Director 2.1

    With XenDesktop 5.6 Citrix released Desktop Director 2.1. Desktop Director provides an overview of XenDesktop hosted desktops and XenApp sessions. It enables support teams to perform basic maintenance tasks and to monitor and troubleshoot system issues. With Desktop Director you can view session information, disconnect a session, shadow a session, view HDX performance and much more. Desktop Director is a nice web-based console, but it’s hard to set up the first time you use it.

    You can find the eDocs here: http://support.citrix.com/proddocs/topic/director-210/director-210-wrapper.html

    System requirements:

    Desktop Director 2.1 is compatible with the following versions of XenDesktop and XenApp, and has the same server-side requirements as those versions:

    • XenDesktop 5.6, XenDesktop 5.5, XenDesktop 5 Service Pack 1

      Personal vDisks are not supported for XenDesktop 5.5 or XenDesktop 5 Service Pack 1.

      HDX information displays are not supported for XenDesktop 5 Service Pack 1.

    • XenApp 6.5

      Additional setup is required on the XenApp server to support Desktop Director.

    Desktop Director 2.1 supports the following browsers:

    • Internet Explorer 8 or 9
    • Firefox 8.x
    • Safari 5

    Adobe Flash Player 10 must be installed to view the graphs.


    Desktop Director 2.1 is on the XenDesktop 5.6 ISO but can also be downloaded separately at the following location: http://www.citrix.com/downloads/xendesktop/product-software.html The default version is 2.1.0, but at the moment 2.1.4 is already out, which solves some problems and is a good start when you use a clean install.

    Version 2.1.4 (LIMITED RELEASE – Hotfix XD210DDirector004) can be downloaded from the hotfix section of XenDesktop 5.6 with the following link: http://support.citrix.com/article/CTX136809


    I always like a tiered solution, so the installation will be on a separate server. Because Desktop Director uses IIS and you already need a Web Interface server, I use that server as the location for Desktop Director.

    To install Desktop Director, use the Autolaunch from the XenDesktop 5.6 ISO and disable all components except Desktop Director. After Desktop Director is installed, install the hotfix to bring it to version 2.1.4.

     Install using Autolaunch

    When the installation is finished we need to configure Desktop Director.