All About the Windows Insider Program

Theresa Miller - Tue, 02/19/2019 - 06:30

Are you a Windows user who loves to tinker? Do you want to have all of the latest and greatest Windows features delivered directly to your desktop before everyone else? If you answered yes to these questions, the Windows Insider Program is for you! What is the Windows Insider Program? The Windows Insider Program is […]

The post All About the Windows Insider Program appeared first on 24x7ITConnection.

How to Configure SoftEther, a Free VPN Server for macOS & Windows

Helge Klein - Mon, 02/18/2019 - 18:14

This post describes a real-world configuration of the free VPN server SoftEther. It shows how to set up a VPN for macOS and Windows clients on a Hyper-V Windows guest VM.

Our Setup and Requirements

Our situation was as follows:

  • Multiple Hyper-V hosts with VMs on an internal network.
  • One VM is the VPN gateway. It is configured with two NICs. One is connected to the internal network, the other to the internet.
  • The VPN should provide remote access via SSTP for Windows and L2TP for macOS clients.
  • It should be possible to connect to the VPN with the clients that come with each operating system. Installing additional client software should not be necessary.
  • The VPN should be bridged to the local network so that VPN clients get IP addresses from the internal network’s DHCP server.
  • Authentication should be performed against a RADIUS server (we use Duo Authentication Proxy).

HTTPS Certificate

SSTP is based on HTTPS. The good thing about that is that most firewalls and hotel networks should let it through. The bad thing is that we need to deal with certificates. I used a TLS certificate from our internal Active Directory root CA.

Caveat: Unreachable CRL

We are using an internal certificate authority that is not accessible from the internet. As a consequence, the CA’s certificate revocation list (CRL) is not accessible from the internet either.

The Windows SSTP client refuses to connect when it cannot contact the CRL specified in a server certificate. There are two ways around that:

  1. Set the following registry values on your VPN clients: HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\NoCertRevocationCheck=1 [REG_DWORD]
  2. On the CA, configure a certificate template to not include revocation information in issued certificates.
Requesting the Certificate

Run the following openssl commands on any Windows or Linux machine that has OpenSSL installed. OpenSSL is part of any Splunk installation, for example (even on Windows).

Create a private key:

openssl genrsa -des3 -out c:\temp\vpn\vpn.key 4096

Create a certificate request with the private key:

openssl req -new -key c:\temp\vpn\vpn.key -out c:\temp\vpn\vpn.csr

  • Submit the CSR to your CA
  • Important: if you want to incorporate multiple server names in the certificate, specify them in the additional attributes field as follows:
  • You get a P7B file, but SoftEther expects a CER. To convert, double-click the P7B file to open it in the certificates MMC. Locate your certificate, right-click and select All Tasks – Export. Choose the format “Base-64 encoded X.509 (CER)”.

Importing the Certificate in SoftEther
  • Open SoftEther VPN Server Manager
  • Click “Encryption and Network Settings”
  • Click “Import” and specify the location of the CER file
  • Specify the location of the certificate’s KEY file
  • Enter the key’s passphrase
  • While you are in that dialog:
    • Disable “Use Keep Alive Internet Connection”
    • Switch the encryption algorithm name to ECDHE-RSA-AES256-GCM-SHA384
  • Copy your CA’s root certificate to the directory C:\Program Files\SoftEther VPN Server\chain_certs
Gateway VM Configuration

On the Hyper-V host, go to the gateway VM settings and click “Enable MAC address spoofing” in the “Advanced Features” of the VM’s internal NIC.

SoftEther Configuration

Virtual Hub

Creating a Virtual Hub
  • Open SoftEther VPN Server Manager
  • Create a virtual hub
User and RADIUS Config
  • Open SoftEther VPN Server Manager
  • Click “Manage Virtual Hub”
  • Click “Manage Users”
  • We are managing users in RADIUS, but we need a wildcard entry here to not block everybody
  • Add a single user with “User Name” set to an asterisk (*) and “Auth Type” set to “RADIUS Authentication”
  • Go back to the “Management of Virtual Hub” dialog
  • Click “Authentication Server Setting”
  • Enable “Use RADIUS Authentication” and provide the necessary information
  • Go back to the main page of SoftEther VPN Server Manager and make sure the virtual hub is online
Blocking Internet Access

In a split tunnel configuration you want your VPN clients to connect directly to the internet, not via the VPN. Split tunneling is a client configuration (see below), but you may want to enforce it by blocking all internet connections originating from VPN clients:

  • Open SoftEther VPN Server Manager
  • Click “Manage Virtual Hub”
  • Click “Manage Access Lists”
  • Add the following rules:
    • Pass, Priority=10, Memo=Enable LAN access, Contents=(ipv4) DstIPv4=
    • Pass, Priority=11, Memo=Enable LAN access (reverse), Contents=(ipv4) SrcIPv4=, DstIPv4=
    • Pass, Priority=12, Memo=Allow DHCP requests, Contents=(ipv4) SrcIPv4=, DstIPv4=, Protocol=UDP, DstPort=67-68
    • Pass, Priority=13, Memo=Allow DHCP responses, Contents=(ipv4) SrcIPv4=, DstIPv4=, Protocol=UDP, SrcPort=67-68
    • Discard, Priority=1000, Memo=Block everything (else), Contents=(ether) \*
Network Bridge
  • Open SoftEther VPN Server Manager
  • Click “Local Bridge Setting”
  • Select your virtual hub
  • Select the LAN adapter connected to your internal network
  • Click “Create Local Bridge”
  • Exit all dialogs and reboot the SoftEther VM

Protocols and Ports

L2TP
  • Open SoftEther VPN Server Manager
  • Click “IPsec / L2TP Setting”
  • Check “Enable L2TP Server Function (L2TP over IPsec)”
  • Uncheck all other options
  • Specify an IPsec pre-shared key (PSK)
  • Open SoftEther VPN Server Manager
  • Click “OpenVPN / MS-SSTP Setting”
  • Check “Enable MS-SSTP VPN Clone Server Function”
  • Uncheck the OpenVPN checkbox (unless you want to use it, of course)
  • Open SoftEther VPN Server Manager
  • In the listener list, delete ports 992 (function unknown), 1194 (OpenVPN), and 5555 (SoftEther remote management)

Note: the next time you connect with SoftEther Server Manager, make sure to specify port 443 (the only remaining one) instead of 5555.


In your firewall, create rules to enable the following ports:

  • SSTP: TCP 443
  • L2TP over IPSec: UDP 500 and 4500

In the Windows firewall disable or delete the following rules added by SoftEther:

  • SoftEther VPN Server
  • SoftEther VPN Server Manager
  • SoftEther VPN Command-Line Admin Tool

Disable DDNS registration of your VPN. It unnecessarily “calls home”.

  • Stop the SoftEther VPN Server service and edit the configuration file “vpn_server.config”
  • In the DDnsClient section, set Disabled to true
  • In the ServerConfiguration section, set DisableNatTraversal to true
  • Start the SoftEther VPN Server service
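
The hardening steps above (DDNS off, NAT traversal off, only the 443 listener left) can be checked against the configuration file after the edit. The following Python sketch is an added example, not part of the original post or of SoftEther itself. The section and key names DDnsClient, Disabled, ServerConfiguration and DisableNatTraversal come from the steps above; the ListenerList/Listener/Enabled/Port layout and the sample file are assumptions constructed for illustration.

```python
"""Audit a SoftEther vpn_server.config for the hardening steps described above."""

# Constructed sample in the file's "declare NAME { type key value }" layout.
SAMPLE_CONFIG = """# Software Configuration File
declare root
{
    uint ConfigRevision 12
    declare DDnsClient
    {
        bool Disabled false
    }
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
        declare Listener1
        {
            bool Enabled true
            uint Port 5555
        }
        declare Listener2
        {
            bool Enabled false
            uint Port 1194
        }
    }
    declare ServerConfiguration
    {
        bool DisableNatTraversal false
    }
}
"""


def _convert(typ, value):
    """Map the file's typed values to Python values."""
    if typ == "bool":
        return value == "true"
    if typ in ("uint", "uint64"):
        return int(value)
    return value


def parse_config(text):
    """Parse nested 'declare' blocks into nested dicts."""
    tree = {}
    stack = [tree]
    pending = None  # name of a declared block whose '{' has not been seen yet
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a byte order mark
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding declare")
            child = {}
            stack[-1][pending] = child
            stack.append(child)
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError("malformed entry: " + line)
            value = parts[2] if len(parts) == 3 else ""
            stack[-1][parts[1]] = _convert(parts[0], value)
    if len(stack) != 1:
        raise ValueError("unclosed block at end of file")
    return tree


def audit(cfg, allowed_ports=frozenset({443})):
    """Return a list of findings; an empty list means the steps were applied."""
    findings = []
    root = cfg.get("root", {})
    if root.get("DDnsClient", {}).get("Disabled") is not True:
        findings.append("DDnsClient.Disabled is not true (server still registers with DDNS)")
    if root.get("ServerConfiguration", {}).get("DisableNatTraversal") is not True:
        findings.append("ServerConfiguration.DisableNatTraversal is not true")
    for name, listener in sorted(root.get("ListenerList", {}).items()):
        if not isinstance(listener, dict):
            continue
        if listener.get("Enabled") and listener.get("Port") not in allowed_ports:
            findings.append("%s is enabled on port %s" % (name, listener.get("Port")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

To check a real server, stop the service as described above and pass the contents of vpn_server.config to parse_config instead of the sample.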

Client Settings

Split Tunneling

Split tunneling refers to a configuration where only those packets that are destined for the VPN’s subnet are sent from a client to the VPN. Everything else (including internet connections) goes through the client’s regular default gateway.

On Windows VPN clients:


The post How to Configure SoftEther, a Free VPN Server for macOS & Windows appeared first on Helge Klein.

UK Citrix User Group Spring 2019 meeting

Citrix UK User Group - Mon, 02/18/2019 - 17:54

Our 27th meeting will be held in Manchester in March

The post UK Citrix User Group Spring 2019 meeting appeared first on UK Citrix User Group.

Don’t Miss HIMSS 2019!

Theresa Miller - Tue, 02/12/2019 - 06:30

This week is HIMSS 2019, and if you are in the healthcare field or a related field, be sure to pay special attention to coverage of this year’s conference. What is HIMSS 2019? HIMSS is the Healthcare Information and Management Systems Society, who has a conference annually.  Interestingly, HIMSS the organization is a non for […]

The post Don’t Miss HIMSS 2019! appeared first on 24x7ITConnection.

Hardware-Encode Video in H.265 with Free Tools to Save Disk Space

Helge Klein - Mon, 02/11/2019 - 20:37

Many web meeting services have a recording functionality. Most recordings are provided as MP4 files with the video encoded in H.264 because that offers the most universal compatibility. However, it also needs a lot of disk space. H.264 has a successor, H.265, which only requires half the space for the same visual quality. This post shows how to use StaxRip, a free tool, to re-encode H.264 video into H.265 quickly by making use of GPU hardware encoding.

  • Download and extract StaxRip. I used the current stable version 1.7 x64
  • Start StaxRip
  • When opening the first video file, StaxRip may ask you to install AviSynth. Do so by clicking Install AviSynth+.
Configuring the Conversion Settings
  • Click x264 and choose one of the following depending on your GPU vendor: NVIDIA H.265, Intel H.265 or AMD H.265
  • Click MKV and select MP4 (mp4box) instead
  • Click the Opus entry next to the first audio stream field and select copy/mux
  • Click the Opus entry next to the first audio stream field and select no audio

The result should look like this:

Performing the Conversion
  • Right-click Source > Open > File Batch and select the files you want to convert
  • Click Next to start the conversion
  • The output files are placed in the same directory as the input files with the extension _new
Conversion Performance

The Nvidia GTX 1060 GPU in my desktop PC encoded H.265 at the impressive rate of approximately 420 frames per second (full HD, 1920×1080).

The Intel HD Graphics 620 (Core i7-7500U) in my laptop only reached about 113 frames per second for the same content. Still impressive, but a lot less fast.

An interesting difference between the two GPUs: while the Nvidia encode used the GPU’s dedicated video encoding engine, the Intel encode used the GPU’s generic 3D engine.

Another noteworthy difference: the file generated by the Intel encode was 38% smaller than the file generated by the Nvidia encode.

Space Savings

The original videos of a four-day training recorded with Skype had a size of 7.6 GB. Converted to H.265 the size was reduced to 2.4 GB, which amounts to 68% savings!

GPU Performance Monitoring

If you are interested in monitoring your GPU’s performance and find out how its various engines are used, take a look at our uberAgent product. During the Nvidia encoding, for example, the GPU’s video encoding engine was nearly at 100% load and its generic compute engine at approximately 20%:

The post Hardware-Encode Video in H.265 with Free Tools to Save Disk Space appeared first on Helge Klein.

The ultimate Citrix Synergy survival guide – 2019 Atlanta edition

From the Architect - Neil Spellings' blog - Sat, 02/09/2019 - 16:40

I’ve published this Ultimate Synergy Survival guide now for seven years running and it’s always popular with both regulars and newbies. Now updated with 2019 links,  content and Atlanta-specific information. It’s a living document, so will be subject to updates as we get nearer the conference. Hope you find it useful (and if you end […]

The post The ultimate Citrix Synergy survival guide – 2019 Atlanta edition appeared first on From the Architect.

Ensuring Quality Outcomes by Reducing EHR system Downtime

Theresa Miller - Thu, 02/07/2019 - 06:30

EHR implementations are typically a huge undertaking for the healthcare organizations.  In some cases, deployments can take more than a year, and the cost implication is millions of dollars.  No small task of any kind, but when it comes down to monitoring sometimes only standard monitoring tools are deployed to reduce cost.  Today we will […]

The post Ensuring Quality Outcomes by Reducing EHR system Downtime appeared first on 24x7ITConnection.

Free and Powerful Equalizer for Windows 10

Helge Klein - Tue, 01/29/2019 - 07:23

Windows 10 does not come with an equalizer. That can be annoying when you have headphones that are too heavy on the bass, like the Sony WH-1000XM3. Enter the free Equalizer APO with Peace, its UI.

What You Get

Peter’s Equalizer API Configuration Extension (Peace) is pretty easy to use while offering powerful features:

  • Slider changes have an immediate effect
  • Settings can be applied to individual devices only
  • Great flexibility
  • Saved configurations
  • Easy backup and restore of configurations
  • Can be started at logon so that configured settings are always applied

The UI looks like this (showing my adjustments for the Sony WH-1000XM3):


Installation is straightforward. Just make sure to install in the following order:

  1. Engine: Equalizer APO
  2. UI: Peace Equalizer


The post Free and Powerful Equalizer for Windows 10 appeared first on Helge Klein.

Modern Multi-Process Browser Architecture

Helge Klein - Tue, 01/22/2019 - 17:26

An architecture overview of current browsers on Windows: Chrome, Firefox and Internet Explorer.

In case you are wondering: I did not include Edge because it is currently being transitioned to the Chromium rendering engine, which might change a few things. I did include Internet Explorer because it is still the default browser in many enterprises.

Looking for a way to monitor web app performance? Take a look at uberAgent, our user experience & application performance monitoring product.

Chrome Architecture

Chrome was the first browser with a multi-process architecture. Put simply, it encapsulates all logical functions in separate processes. More specifically:

  • One main (browser) process
  • One GPU process
  • Each tab: dedicated process
  • Each extension: dedicated process

Chrome is the only browser with a useful task manager. It can be opened with the keyboard shortcut SHIFT+ESC. As you can see below, Task Manager lists all active Chrome processes with their designated functions. For each process, it shows CPU, network and memory resource usage. It also indicates whether frames are hosted in their page’s process or in dedicated processes (more on that below). Finally, Task Manager shows the Windows OS process ID, which makes it possible to correlate data with other system information tools.

Frames and Site Isolation

Frames share a process with their page if the frame and the page are from the same site (based on the URL).

Starting with Chrome 67, frames from different sites are put into different processes. This is called site isolation and aims to mitigate certain types of attacks. Chrome’s Process Internals page (chrome://process-internals/) lists the current status of each frame.

IE Architecture

IE’s multi-process architecture was introduced with IE8. It makes use of two types of processes:

  • One main (frame) process
  • Zero or multiple tab processes

Note the zero above. Depending on configuration, IE may be limited to just one process – in which case a bug in any component or add-on crashes all opened tabs. Keep in mind that IE add-ons are binary Win32 DLLs that are loaded into the tab process(es). A crash in an add-on also crashes the tab process(es) that host it. This is not the case with modern browsers (i.e., all other browsers), where extensions are basically web apps, built with JavaScript and HTML.

IE Tab Process Count

By default, the number of tab processes is auto-managed depending on the amount of RAM. This can be overridden by setting the TabProcGrowth registry value. It can either be a number (REG_DWORD) or a string (REG_SZ) – which is rather unusual.

A Microsoft blog post explains the TabProcGrowth value. It boils down to this:

Value    Type       Description
0        REG_DWORD  single process for frame+tabs no matter what
1        REG_DWORD  single process for frame+tabs per bitness (important for 32-bit add-ons on 64-bit machines)
>1       REG_DWORD  sets the maximum number of tab processes
small    REG_SZ     max. 5 tabs per session
medium   REG_SZ     max. 9 tabs per session
large    REG_SZ     max. 16 tabs per session

Some notes and caveats:

Firefox Architecture

Historically, Firefox has been a single-process browser. As it turned out, running the browser UI plus the HTML rendering and JavaScript for all tabs in a single process is a bad idea. It easily freezes the UI, and it might not be optimal from a security point of view, either.

Mozilla started project Electrolysis as a gradual move to a multi-process architecture. This took 9 versions, from Firefox 48 to 56. The current architecture looks like this:

  • One main process
  • One GPU process
  • One extension process
  • Up to 4 content (tab) processes

The current default of 4 content processes might be changed in future versions. At this point, it can be increased to a maximum value of 7 content processes. Work is underway to encapsulate extensions in dedicated processes.


Browsers are evolving quickly – except for IE, of course. Microsoft is focusing on Edge. To be very clear: IE will not get any new features. It’s security updates only for the former world’s most popular browser, which once had a market share of approximately 95% (in 2003).

It seems there is no way around the multi-process type of architecture. Benefits include increased stability and security. On the downside, we have an increased overhead.
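
The process roles described above can be recovered from a process listing, which is useful when correlating browser activity with other system data by process ID. The following Python sketch is an added example, not part of the original post. The command-line markers it relies on (Chrome's --type= and --extension-process switches, the SCODEF:<pid> argument of IE tab processes, Firefox's -contentproc argument) are not mentioned on this page and are assumptions of the example; the process list is constructed sample data.

```python
"""Classify browser processes by role from (pid, image name, command line)."""
import re
from collections import Counter

CHROME = r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"'
IE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'

# Constructed sample: one Chrome instance and two IE frame processes,
# the second of which hosts its tabs itself (no separate tab process).
SAMPLE_PROCESSES = [
    (4100, "chrome.exe", CHROME),
    (4188, "chrome.exe", CHROME + " --type=gpu-process"),
    (4240, "chrome.exe", CHROME + " --type=renderer --renderer-client-id=5"),
    (4296, "chrome.exe", CHROME + " --type=renderer --renderer-client-id=6"),
    (4300, "chrome.exe", CHROME + " --type=renderer --extension-process"),
    (4312, "iexplore.exe", IE),
    (4400, "iexplore.exe", IE + " SCODEF:4312 CREDAT:17410 /prefetch:2"),
    (5200, "iexplore.exe", IE),
    (6000, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def classify(image, cmdline):
    """Return (browser, role) for a browser process, or None for anything else."""
    image = image.lower()
    if image == "chrome.exe":
        match = re.search(r"--type=([\w-]+)", cmdline)
        if match is None:
            return ("Chrome", "main")  # the browser process has no --type switch
        kind = match.group(1)
        if kind == "gpu-process":
            return ("Chrome", "gpu")
        if kind == "renderer":
            if "--extension-process" in cmdline:
                return ("Chrome", "extension")
            return ("Chrome", "tab/frame")
        return ("Chrome", "other:" + kind)
    if image == "iexplore.exe":
        # Tab processes name their frame process in the SCODEF argument.
        return ("IE", "tab" if "SCODEF:" in cmdline else "frame")
    if image == "firefox.exe":
        # Child roles are not told apart in this sketch.
        return ("Firefox", "child" if "-contentproc" in cmdline else "main")
    return None


def summarize(processes):
    """Count processes per (browser, role)."""
    counts = Counter()
    for _pid, image, cmdline in processes:
        role = classify(image, cmdline)
        if role is not None:
            counts[role] += 1
    return counts


def ie_frames_without_tabs(processes):
    """PIDs of IE frame processes that no tab process refers to.

    Such a frame process is either idle or running in the single-process
    mode described above, where one faulty add-on takes down every tab.
    """
    frames = set()
    owners = set()
    for pid, image, cmdline in processes:
        if classify(image, cmdline) == ("IE", "frame"):
            frames.add(pid)
        match = re.search(r"SCODEF:(\d+)", cmdline)
        if image.lower() == "iexplore.exe" and match:
            owners.add(int(match.group(1)))
    return sorted(frames - owners)


if __name__ == "__main__":
    for (browser, role), count in sorted(summarize(SAMPLE_PROCESSES).items()):
        print(browser, role, count)
    print("IE frames without tab processes:", ie_frames_without_tabs(SAMPLE_PROCESSES))
```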

The post Modern Multi-Process Browser Architecture appeared first on Helge Klein.

What’s on the Edge?

Theresa Miller - Tue, 01/22/2019 - 06:54

This year many organizations will kick off edge projects. Since this is a hot space, the terms and content you come across may seem contradictory and confusing. What are the terms you’ll need to know to get started with Edge Computing? Defining Edge Computing It’s always good to define terms, so when you’re discussing projects […]

The post What’s on the Edge? appeared first on 24x7ITConnection.

Office 365 Basics: Office 365 New User and Exchange Online Mailbox

Theresa Miller - Tue, 01/22/2019 - 06:30

While Office 365 has been out for some time, the interface is always changing.  We also need to start somewhere with knowledge and so what you will find is that I will be doing a series of posts called Office 365 Basics.  The goal is to start at the beginning to create a full understanding […]

The post Office 365 Basics: Office 365 New User and Exchange Online Mailbox appeared first on 24x7ITConnection.

Bluetooth Audio Quality & aptX on Windows 10

Helge Klein - Tue, 01/15/2019 - 19:43

Bluetooth is a flexible standard. It defines various profiles that operate on top of the Bluetooth networking protocol stack and implement specific services, such as hands-free communications. Bluetooth devices each support a small subset of profiles, typically only one or two, according to their designated function.

Bluetooth headphones and speakers implement the advanced audio distribution profile (A2DP). The A2DP profile transports encoded audio streams from one device to another. To guarantee compatibility between devices, any device implementing the A2DP profile needs to offer a common codec, SBC. However, A2DP supports additional codecs that may increase audio quality or reduce latency compared to SBC. One of those optional codecs is aptX. In this article, I am looking at aptX benefits and I am describing how to get aptX on Windows 10.

What is aptX?

aptX is an alternative codec for the Bluetooth A2DP protocol. It comes in multiple flavors:

  • aptX
  • aptX LL (low latency)
  • aptX HD
Is aptX better than SBC?

Qualcomm, who acquired the aptX company CSR in 2015, claims that aptX offers “superior audio”. Figuring out whether that is actually true is harder than expected. Let’s break this quality question down into two different aspects: fidelity and latency.

Audio Fidelity

As this overview shows, the technical specifications of the base aptX codec are similar to those of SBC. Specifically, the maximum bitrate of 352 kb/s is not much higher than SBC’s 320-345 kb/s (SBC depending on implementation).

The bitrate by itself does not tell us anything about a codec’s fidelity, however. Different codecs can be very different in encoding efficiency, as are H.264 and its successor H.265 for video (the latter only needs about half as many bits for the same visual quality). Fidelity can only be determined by double-blind listening tests. Unfortunately, nobody seems to have performed such listening tests in a scientific, reproducible manner (at least I could not find any information). Please let me know by commenting below if you know of any publications.

Another aspect influencing fidelity is that implementations do not always use a codec’s maximum bitrate. SBC, for example, comes with three quality modes, low (201 kb/s), middle (229 kb/s) and high (328 kb/s). Devices may select lower-quality modes to favor a stable connection over sound quality (example: these Sony headphones).

Audio Latency

When watching a video, you do not want the audio to lag behind. In other words: the audio latency should ideally be small enough to not be noticeable. Unfortunately, that is often not the case.

Bluetooth audio introduces significant latency, the exact amount of which depends on the codec as well as its implementations in the sending and receiving devices. Most Bluetooth headphone reviews do not include latency measurements, with the notable exception of They even have a list with latencies for all the headphones they ever tested. Plain aptX seems to be slightly better than SBC, but only aptX LL seems to be good enough to not be noticeable.

While, however, the number of devices supporting base aptX is steadily growing, support for aptX LL is still extremely rare (see or

Audio Quality Summary

There do not seem to be any objective comparisons between the aptX variants and SBC. From my experience it should be safe to say the following:

  • SBC offers pretty good fidelity at maximum bitrate.
  • aptX might be slightly better than SBC at maximum bitrate.
  • Both SBC and aptX introduce significant latency in the range of 150-200 ms.
  • aptX LL drastically reduces latency but is only supported by a handful of devices.

aptX on Windows 10

OS Support

If Microsoft wanted to hide this piece of information, they could not be doing a better job. A single page on mentions aptX. Apparently, Windows 10 has supported the aptX codec since the first release (1507). According to this Reddit thread, Windows 10 aptX support does not require any drivers in addition to what is part of the OS. I am mentioning that because numerous forum posts state you need to install special drivers. That does not seem to be true.

As for aptX HD or aptX LL (low latency): those codecs do not seem to be supported. If you would like to have them in Windows – especially aptX LL would be great when watching video – make sure to vote for this item in Feedback Hub: please add aptX Low Latency codec support to the Bluetooth A2DP driver.

For a list of supported Bluetooth versions and profiles see this page.

External USB Adapter

The Avantree Audicast is a flexible Bluetooth transmitter that can be connected to a PC (via USB) or a TV (via optical input or headphone jack). The Audicast has several neat features:

  • Support for aptX LL (low latency) in addition to regular aptX and, of course, SBC
  • LEDs indicate which codec is being used
  • Two receiving headphones can be connected
  • Small and light
  • No additional power source except for USB required
  • All cables are included

Please note that when connected to a PC, the Audicast does not work as a generic Bluetooth adapter (in which case the OS drivers would be used). Instead, it registers as a USB audio device. No drivers are required.

Which Codec and Bitrate are Being Used?

Amazingly, Windows does not provide any tool or API for monitoring the codec used by A2DP. Whether it is SBC, aptX or something different – users are left completely in the dark. To help change that and encourage Microsoft to provide more visibility, please vote for please let users see what Bluetooth A2DP codec is used.

For the sake of completeness I spent several hours capturing and analysing ETW logs as indicated at the following source, but none of the generated logs seemed to indicate the A2DP codec being used.

The post Bluetooth Audio Quality & aptX on Windows 10 appeared first on Helge Klein.


Wag the real - Alain Assaf blog - Tue, 01/15/2019 - 17:11
Intro Another season, another WEM version. The version numbering system is now in line with other newly released Citrix products. This version is 1811. You can now download the new version here (requires Platinum licenses and login to I’ve provided the release notes below. I also have it on good authority that Citrix added […]

Cool New Windows 2019 Features

Theresa Miller - Tue, 01/15/2019 - 06:30

After a rocky start in October due to a bad Windows Update that impacted the brand new Windows 2019 platform, Windows 2019 is available and being deployed. With every new Windows version comes a host of new features and functionality. Let’s take a look at some of the coolest new features in Windows 2019, broken […]

The post Cool New Windows 2019 Features appeared first on 24x7ITConnection.

2019 Annual Technology Predictions for the Upcoming Year

Theresa Miller - Tue, 01/08/2019 - 06:30

We are hoping that everyone had a wonderful holiday season which has brought upon us the brand New Year of 2019!  When that happens we all start reflecting on the past year, and what the New Year will bring.  Here is a list of predictions from many great leaders at great companies in the industry […]

The post 2019 Annual Technology Predictions for the Upcoming Year appeared first on 24x7ITConnection.

Saving & Restoring Total Commander Tab Sets

Helge Klein - Mon, 01/07/2019 - 17:18

Total Commander’s custom start menu is a great place to quickly launch all kinds of tools and programs that are otherwise hard to get to. However, TC’s start menu is not limited to external tools. It can be used to run internal TC commands, too. In this article, I am using that capability to build a simple solution for saving and restoring sets of Total Commander tabs to and from files.

Why Save and Restore Tab Sets?

The most common use case for multiple tab sets I can think of is people working in different environments or on different projects. Being able to switch the tabs needed at customer A for the tabs needed at customers B, C, or D should be very helpful.

End Result

This is what I am going to build:

The Tabs submenu has entries for loading and saving all tabs from/to a file called This is a simple solution designed as a tab backup. It can easily be extended to a solution that loads and saves multiple different tab sets.

Getting There

Click Start > Change Start Menu… to bring up the dialog that configures Total Commander’s start menu. You might or might not already have entries in your start menu. We are not going to touch them in any way. Instead, we are adding a new section with a Tabs submenu. Instructions:

  1. Navigate to the last of your existing start menu entries.
  2. Add an item with a dash (-) as the title. This creates a dividing horizontal line, separating your existing start menu entries from the new tabs functionality.
  3. Add a submenu with the title Tabs.
  4. In the submenu, add two items.
    • Item 1 title: Load from
    • Item 1 command: OPENTABS d:\Data\Total Commander\
    • Item 2 title: Save to
    • Item 2 command: SAVETABS2L d:\Data\Total Commander\

The result should look like this:

Please note:

  • The path used in the commands above must not be enclosed in quotes even if it contains spaces.
  • As you can see in the examples, environment variables can be used.
  • The path used above, “d:\Data\Total Commander”, should be adjusted as needed.

That’s it – enjoy!

The post Saving & Restoring Total Commander Tab Sets appeared first on Helge Klein.

Citrix User Group XXVII review

Citrix UK User Group - Fri, 12/21/2018 - 15:26

To use the terminology of our CUGC colleagues from the left of “the pond”, this was the UK User Group’s 27th “XL” event (which means we, as always, dedicate a full day to our community sharing, and not just an …

The post Citrix User Group XXVII review appeared first on UK Citrix User Group.

Default Start Menu Customisation via Intune

Aaron Parker's stealthpuppy - Tue, 12/18/2018 - 11:47

The promise of a modern management approach to deployment and management of Windows 10 is that you no longer create and manage a custom SOE image. User experience is still important though, and a large part of that experience in an enterprise environment is the default Start menu.

The default Start menu, especially on Windows 10 Pro, is far from enterprise ready right? Take a look at this mess:

Windows 10 Pro 1809 default Start menu

Over-the-air provisioning of PCs via Windows AutoPilot & Microsoft Intune (or insert your MDM solution here), limits the possibilities of customising the target PC before the user logs on. Users then have to live with the default Start menu or one that is defined by the administrator – neither is ideal.

UWP / Microsoft Store apps can be targeted for removal, but those apps won’t be removed until well after login. Compounding the issue of default apps pinned to the Start menu is that some of them aren’t actually installed, so removal won’t occur until the Store downloads and installs updates. That can sometimes be hours after the user has provisioned the PC.

Customise with PowerShell?

PowerShell scripts can be used to remove user and system provisioned Store apps (I have a couple of scripts in my Intune GitHub repository); however, PowerShell scripts in Intune can only be targeted to users and don’t fire until after the first logon. Additionally, I’ve had a crack at using PowerShell to pin and unpin tiles from the Start menu, but found that I can’t interact with the shell (or at least the pin / unpin has no effect) when the script is delivered via Intune.

Looking for Alternatives

With the availability of the Windows Autopilot Enrolment Status page in Windows 10 1803 and above, plus the recent addition of the feature to ‘Block device use until these required apps are installed‘, we might have an opportunity to deploy a customised default Start menu.

The Enrolment Status page tracks security policies and line-of-business (MSI) applications, so a custom default Start menu will have to be packaged into an MSI. Fingers and toes crossed then that this approach works.

Packaging a Start menu Customisation

To package a customised Start menu, we need to create the desired layout and export it with the Export-StartLayout command. Nothing new there – you’ve likely done that before. The next step is to create a custom Windows Installer package to deliver the layout file.

I’m using Advanced Installer to create my deployment package. For this particular project, the Freeware version of Advanced Installer provides all of the features you’ll need to deploy the custom layout file.

Create a Windows Installer Package

Advanced Installer makes short work of creating the package – create a new Simple Installer package and configure the product name, version and publisher. Note that if you want to update the package, save your project and update the version number each time you produce an updated installer.

Add the Start menu layout file to the project under Files and Folders. The project must define the correct target path and file name because it will be deployed into the default profile. Use this path:

Windows Volume\Users\Default\AppData\Local\Microsoft\Windows\Shell

And add the LayoutModification.xml file that you’ve exported with Export-StartLayout into this path. If your target path and file name aren’t correct, this won’t work so ensure your package looks the same as the screenshots here.

For this package, I’ve configured the following install parameters:

  • Package type – 64-bit package
  • Installation type – Per-machine only
  • Reboot behaviour – Suppress all reboots and Reboot prompts

Configure the default build to produce a Single MSI file and define the name. In the example below, I’ve used DefaultStartMenuLayout.msi.

Build your package and add the MSI into Microsoft Intune as a line-of-business application. Assign the new application as Required for All Devices, so that the Enrolment Status Page can track the installation before the user logs on.

Configure the Enrolment Status Page

To ensure that the package is delivered to the target PCs before the user logs on, we’ll leverage the Enrolment Status Page (ESP). The ESP is supported on Windows 10 1803 and above, so if you’ve gotten this far into the article and haven’t yet updated to 1803 or higher, you should stop reading and update those machines.

Configure the ESP and enable the ‘Block device use until these required apps are installed if they are assigned to the user/device’ feature. Here select at least the applications whose shortcuts you have configured in your Start layout customisation. This list must include the MSI package containing the customisation itself.

Here’s the applications that I’ve configured in my test environment:

Today the ESP tracks specific application deployments – Microsoft Store apps and single MSI files, while Office 365 ProPlus applications are tracked on Windows 10 1809 and above.
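An added example (not from the original article): a PowerShell function that checks an exported LayoutModification.xml parses as a Start layout and lists the apps its tiles reference, which is the set to select as blocking apps on the ESP. The function name is hypothetical, and the sample layout with its app names is constructed so the script runs offline.

```powershell
# Added example, not the article's code. Get-StartLayoutApp is a hypothetical name.
function Get-StartLayoutApp {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Layout file not found: $Path"
    }
    # The [xml] cast throws on malformed XML, so a broken export is caught before packaging.
    [xml]$layout = Get-Content -LiteralPath $Path -Raw
    $root = $layout.DocumentElement
    if ($root.LocalName -ne 'LayoutModificationTemplate') {
        throw "Unexpected root element: $($root.LocalName)"
    }
    # local-name() avoids depending on the namespace prefixes used in the export.
    $xpath = "//*[local-name()='Tile' or local-name()='DesktopApplicationTile']"
    foreach ($tile in $layout.SelectNodes($xpath)) {
        # A tile identifies its app by exactly one of these attributes.
        $app = 'AppUserModelID', 'DesktopApplicationLinkPath', 'DesktopApplicationID' |
            ForEach-Object { $tile.GetAttribute($_) } |
            Where-Object { $_ } |
            Select-Object -First 1
        [pscustomobject]@{ TileType = $tile.LocalName; App = $app }
    }
}

# Constructed sample layout (app names are made up for illustration).
$sampleXml = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Work">
          <start:Tile Size="2x2" Column="0" Row="0"
              AppUserModelID="Contoso.ExampleApp_abc123!App" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0"
              DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Example Editor.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$sample = Join-Path ([IO.Path]::GetTempPath()) 'LayoutModification.xml'
Set-Content -LiteralPath $sample -Value $sampleXml -Encoding UTF8
Get-StartLayoutApp -Path $sample | Format-Table -AutoSize

# On a provisioned PC, point -Path at the copy the MSI deployed instead:
#   "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml"
```

Run against the deployed copy, a missing file or a failed parse indicates the MSI target path or file name is wrong.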

User Experience

Most of my testing is on Windows 10 1809 – with a PC enrolled into Azure AD and Microsoft Intune during the out of box experience, the Enrolment Status Page tracks the installation of policies and applications, including our Start menu customisation. 

After the enrolment and deployment are complete, the user sees a customised Start menu after first logon. There are a few tiles that didn’t remain pinned from the default customisation, but this is much cleaner and more enterprise-ready than what we end up with out of the box.

Wrapping Up

Provisioning PCs via Windows AutoPilot and Microsoft Intune is a rapidly changing landscape, so what may not be possible today is likely to be addressed quickly. In the meantime, there’s usually a custom approach to achieving the end-user experience that you need and this is a great example.

This article by Aaron Parker, Default Start Menu Customisation via Intune appeared first on Aaron Parker.


Product Releases – Soft is OK but don’t be Squidgy

Rachel Berrys Virtually Visual blog - Mon, 12/17/2018 - 11:33

What is a soft product launch?

Wikipedia has a definition of a soft product launch – here; which says: “A soft launch is the release of a website, hotel, or other Product (business) or service to a limited audience. Soft-launching is a method for gathering data on a product’s usage and acceptance in the marketplace, before making it generally available as a hard launch or grand opening. Companies may choose a soft launch to test the viability of a product or to fine-tune a product before implementing a larger marketing effort.”

Note this says – “limited audience”, “gathering data”, “test the viability”, “fine-tune” etc., later on elaborated as “a small release being made to a limited group of individuals for beta testing”.

Often soft launches take the form of “unsupported features” or “early access programs”. In my experience though I have seen a lot of something which I’m going to call “squidgy launches”.

What is a “squidgy” launch?

A squidgy launch is something where the product is released to the whole audience and market but a lot of the information and marketing around it is held back for a grand announcement at a big corporate event or to tie in with a product or financial announcement. The product surreptitiously appears as a new version on an Akamai or similar download site, available for the mass user base to download. This is typically because there isn’t a high-profile announcement opportunity and/or the product can’t be delayed until there is one because of financial constraints (revenue recognition, customer commitment), other product dependencies (i.e. it _has_ to be released in this release to allow another product to release, there’s no other release vehicle before the big show or because of a commitment to certain customers or sales).

Soft launches can be really useful

As a Product Manager, soft launches can be incredibly useful in many ways:

  • Quality control
  • Testing the viability
  • Getting quality feedback from selected customers

But I’m not a fan of “Squidgy” launches

These are technically full product releases, of the technical bits, but missing a lot of the overall _product_ whether that’s doc, feedback mechanisms and marketing explaining the positioning of the feature/product.

There is now this thing called the INTERNET…. if you haven’t heard of it…. It’s a mechanism by which your customers and partners can communicate directly with each other, cutting you out of the conversation. It also gives all those folk interested in your product a mechanism to broadcast whatever message they think is suitable about your product and a way of filling any “voids”.

Typically, a product will have a large number of independent consultants, partners, bloggers, channel partners and analysts with a significant interest in your product, keen to blog, tweet and communicate about it as soon as possible. These folk often have a strong vested interest in filling any information voids left by a launch to establish themselves as the de-facto expert in the field on _your_ product, to answer their customer inquiries when those customers get wind of a new release and to pick up traffic from google searches to their own company and personal websites and blogs, from searches like “is new product version xxx compatible with product yyy”, “should I upgrade to product version ddd.fff”.

It’s not unusual for a product manager/solution architect to get an email enquiry about something not well-documented/obscure and subsequently see the reply repackaged by an internet expert on their own blog! The illusion is convincing but the only real expertise is a knowledge of who to ask alongside cut-n-paste.  This also means that potential traffic, leads and customer conversations are diverted away from your own website.

Additionally, once the sales and marketing departments have negotiated a “squidgy” launch it can have the effect of refocusing deadlines and efforts on the “real”, “hard” launch. So much of the material is not actually available even internally, let alone publicly, when the product actually becomes available.

Freelancers: Couriering laptops safely and why separating client hardware from your clean underwear supply is a good thing…

Rachel Berrys Virtually Visual blog - Mon, 12/17/2018 - 11:24

From an article I published on LinkedIn:

Sending Laptops by courier. As a freelancer in the UK, I’m increasingly finding clients prefer to issue me with a laptop they have configured, dedicated to just their work, which means I’m always having to triple check if I have the right laptops with me and I’ve got to buy a new laptop bag as the current one has split as a result of optimistically cramming three in it when probably designed for one – oops!

BUT it also means I’m frequently sending/collecting laptops to/from base by motorcycle courier (some don’t trust postal couriers) or FedEx/DHL etc. This process puts some legal obligations on the sender, sometimes me and sometimes the company/organisation and there are a few things to be aware of.


Usually for me the client pays and if they are underinsured it is their problem but occasionally it’s my responsibility. Things that I would be aware of and clear up with the client / contractor in writing include:

·       Insurance value; often this is the customs value of the hardware at present day value – this is what you will get if it falls off the back of a lorry; are you underinsured?

·       Insurance liability – unless you specifically arrange it most shipping contracts do not cover indirect loss e.g. if that laptop has your customer database on it and it falls into a competitor’s hands the courier is only on the hook for the hardware costs.

If the client expects you to ship and reclaim, it is probably wise to get written instruction from them on the exact details of the shipping conditions they desire.

Hazardous Labelling

Laptops usually contain Lithium Ion batteries. Although a rare occurrence, they do occasionally spontaneously combust and for the couriers’ staff protection – legally have to be labelled as hazardous and often declared as such in advance on the paperwork (I’ve had some clients not realise that technically a laptop is hazardous). Here’s a frightening CCTV recording from an office in Letchworth, UK where a laptop set fire to a plastics factory.

The best scenario is that you ship hardware around in its original box. Unfortunately, it’s fairly common for the original box to have long since gone to the big recycling centre in the Sky (probably Peterborough). To work around this, I have luckily found a local company who gets through a lot of laptops and when I need a box I just ask them – figuring the hazard labels for a similar laptop should suffice.

The main DHL “Guide to Shipping Dangerous Goods” web pages are a super source of information. They include a summary of shipper’s responsibilities with this key phrase:

·       The shipper is responsible for declaring, packaging and labelling Dangerous Goods. DHL Express will accept Dangerous Goods but with certain restrictions for the different products & services offered and only under certain conditions.

This is where it gets a bit grey for me and I could do with investigating further, often a client will submit the paperwork and my role is putting it in a box and handing it to a courier who turns up at the door. I generally don’t get instructions from the client so it’s a bit vague to me if I’m the shipper or the person filling in the courier forms.

Hazardous Labelling in the UK is changing Dec 2018

In 2017 the regulation on labelling Lithium Ion batteries changed. UK company, Hibiscus PLC have an excellent overview.

Many of the big couriers are very clued up (vs your dodgy bloke in a van like outfit) and luckily I generally only deal with them. DHL have a very good website covering shipping regulation including hazard labelling for Lithium Ion batteries, see here.

The DHL site notes this:

·       As of January 1, 2018 new rules have been introduced for packages containing lithium batteries that are packed and shipped as individual items (loose/bulk), in accordance with Section IA, IB and II of packing instruction 965 or 968.

·       The Class 9 Miscellaneous Dangerous Goods hazard label can still be used, as part of the transitional period, until the end of December 2018 for packages containing lithium batteries prepared in accordance with Section I, IA or IB of the lithium battery packing instructions.

Having investigated – those second hand laptop boxes often seem to have a Class 9 label so using the original box may not suffice. Another one I will have to think about. Thankfully most major couriers have a dangerous goods helpline (often called the Restricted Commodities Group).

There is plenty of advice and opportunity to buy the correct hazard labels online. A google on “lithium ion battery warning label” should suffice. Typically laptops fall under the “contained within” regulation UN3481 (FedEx have some good info).

Basically if in doubt – ask whoever is arranging the courier to specify the exact contents of the shipment and ask the Courier for appropriate labelling.

International Shipping

It gets even more complicated particularly if the insured value doesn’t match the tax man’s opinion and the laptop gets impounded, but a good courier can talk you through the options. Including anything else in the shipment can also cause impoundment, as a dear friend found when he decided to ship a spare pair of underpants and tube of toothpaste to save on hand-luggage… keep your hardware shipment processes separate from your knicker supply is all the advice I can offer! The rules on shipping Lithium batteries are even more stringent if air freight is involved.

VAT on components such as GPUs

Because of the fields I work in, occasionally I handle/test GPUs mostly shipped from abroad. The VAT custom rules are pretty strict and if a card ends up in a retail use or as a sales demo enabler the higher rates are payable; if a card is shipped for R&D or marketing purposes, e.g. to a blogger who isn’t going to buy, just to write about it, a lower rate applies. This can cause all sorts of confusion and issues if a card ends up being repurposed and nobody is clear who is on the hook for the VAT. As a freelancer, check the paperwork and make sure the designated use is correct and VAT paid (preferably by someone else) and keep yourself away from tax evasion.

Other best practices when sending freelancers laptops

Some clients are quite good at sensible dos/don’ts and you may want to consider:

·       Stickers with your company logo identify the hardware and likely whose data is on it making your staff/contractors targets for opportunist overheard conversations or thefts. If a corporate laptop gets left on a train it is instantly identifiable to a dishonest person as to whose data is on it.

·       Labelling machines with their network names renders hiding them on untrusted networks a bit pointless

·       Some clients ship lockable laptop bags – some branded / some unbranded (see above on logo stickers), I’m particularly keen on the unbranded lockable rucksacks when travelling on the London tube/subway.

·       I’d estimate that 80% of my clients have moved to locked down encrypted hard disks, so even if the laptop goes walkies it’s not possible to extract data from the hard disk. If the laptop might have sensitive customer or client data on it, this is probably the best option. Usually on boot you’ll have to type in a password to access the encrypted disk and then the OS will boot and you use your normal Windows password to access the OS.

·       There’s a Citrix employee blog with an anecdote of how he left a laptop on a tram in Amsterdam which then fell into competitive hands containing sensitive data, including confidential project details and sales databases. A good read on how human failure can be the weak point in security.

·       Freelancers probably should consider including a section in their contracts regarding laptop failure and return to base/for repair processes. Contractor laptops seem to be less reliable than most, or are the hardware equivalent of a 1987 Mini Metro (I guess like rental cars they’ve borne the brunt of travel and numerous drivers) and there are a lot of questions you need to know the second a client’s hardware fails – how do you carry on working, how do you get a replacement/repair, do you get paid if you can’t work, etc.



