Citrix XenApp “Iron Cove” 6.5 Tech. Preview (Part.2)

In this post, I will cover the new features. Some are visual, some are not. I would like to go deeper on those changes, but I cannot find a lot of detailed information about Multi-Stream technology, for example; I think I need to catch up with the product designer to know everything about everything. There is a lot of cool stuff, and you need to think about what it can bring to your production, real-life experience.

First, when you’re done with the installation and check what’s in the Start menu, you will find some new items:

  • Citrix Receiver is installed by default
  • Application Definition Tool is installed by default as well
  • The new migration tool Citrix XenApp Migration Center
  • And Citrix AppCenter, the new name for the Citrix Delivery Service Console

The management console is now named Citrix AppCenter. The name is shorter than Citrix Delivery Service Console, but the look and feel remain the same. From using it, I think it’s faster than the previous one.

A number of PowerShell scripts that make the published desktop look like a Windows 7 desktop are installed by default but are not run. You can find the script here: “C:\Program Files (x86)\Citrix\App Delivery Setup Tools\New-CtxManagedDesktopGPO.ps1”
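After the script listed below has been run, its result can be checked rather than assumed. The following audit is an added example, not part of the original post or of the Citrix script; it assumes the default GPO names and a sample of the registry values from the listing, and that it runs on the machine where the script ran, so that the CtxDesktopExperience events are in the local Application log.

```powershell
# Added example: audit the GPOs created by New-CtxManagedDesktopGPO.ps1.
# Not part of the Citrix script. Requires the GroupPolicy module.
Import-Module GroupPolicy -ErrorAction Stop

$Domain = $env:USERDNSDOMAIN   # same default as the script's -Domain parameter

# Default GPO names from the script's Param() block. Edit these if the script
# was run with the -Name...GPO parameters.
$gpoNames = 'CtxStartMenuTaskbarUser', 'CtxPersonalizableUser',
            'CtxRestrictedComputer', 'CtxRestrictedUser'

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$mmc      = 'HKCU\Software\Policies\Microsoft\MMC'
$storage  = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# A sample of the values written by Set-PolicySettings in the listing.
# Expect = $null means the value must be absent from that GPO.
$checks = @(
    @{ Gpo = 'CtxPersonalizableUser'; Key = $system;   Name = 'DisableRegistryTools';       Expect = 1 },
    @{ Gpo = 'CtxPersonalizableUser'; Key = $system;   Name = 'DisableTaskMgr';             Expect = 1 },
    @{ Gpo = 'CtxPersonalizableUser'; Key = $explorer; Name = 'NoRun';                      Expect = 1 },
    @{ Gpo = 'CtxPersonalizableUser'; Key = $mmc;      Name = 'RestrictToPermittedSnapins'; Expect = 1 },
    @{ Gpo = 'CtxRestrictedComputer'; Key = $storage;  Name = 'Deny_All';                   Expect = 1 },
    # CtxRestrictedUser is a copy of CtxPersonalizableUser with extra restrictions.
    @{ Gpo = 'CtxRestrictedUser';     Key = $system;   Name = 'DisableRegistryTools';       Expect = 1 },
    @{ Gpo = 'CtxRestrictedUser';     Key = $explorer; Name = 'NoSetTaskbar';               Expect = 1 },
    # The script deletes RestrictCpl entry "14" (Personalization) from the restricted copy.
    @{ Gpo = 'CtxRestrictedUser';     Key = "$explorer\RestrictCpl"; Name = '14';           Expect = $null }
)

# Returns the SOM paths (domain, OU, site) the GPO is linked to.
function Get-GpoLinkPath {
    param([string]$GpoName)
    [xml]$report = Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Xml
    # LinksTo is absent from the report when the GPO is not linked anywhere.
    @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })
}

# 1. Do the four GPOs exist, and where are they linked?
$present = @()
foreach ($name in $gpoNames) {
    try {
        $gpo = Get-GPO -Name $name -Domain $Domain -ErrorAction Stop
    } catch {
        Write-Warning "GPO '$name' was not found in $Domain."
        continue
    }
    $present += $name
    $links = @(Get-GpoLinkPath -GpoName $name)
    if ($links.Count -eq 0) {
        Write-Warning "GPO '$name' exists but is not linked, so its settings apply to nobody."
    } else {
        Write-Host "GPO '$name' ($($gpo.GpoStatus)) is linked to: $($links -join '; ')"
    }
}

# 2. Does each GPO carry the expected registry-based policy values?
function Test-GpoRegistrySetting {
    param([hashtable]$Check)
    $actual = $null
    try {
        $setting = Get-GPRegistryValue -Name $Check.Gpo -Domain $Domain -Key $Check.Key `
                       -ValueName $Check.Name -ErrorAction Stop
        $actual = $setting.Value
    } catch {
        # Raised when the GPO or the registry-based setting does not exist.
        $actual = $null
    }
    New-Object PSObject -Property @{
        Gpo      = $Check.Gpo
        Setting  = "$($Check.Key)\$($Check.Name)"
        Expected = $(if ($null -eq $Check.Expect) { '(absent)' } else { $Check.Expect })
        Actual   = $(if ($null -eq $actual) { '(absent)' } else { $actual })
        # A missing GPO never counts as a pass, even for an "absent" expectation.
        Ok       = ($present -contains $Check.Gpo) -and ($actual -eq $Check.Expect)
    }
}

$checks | ForEach-Object { Test-GpoRegistrySetting -Check $_ } |
    Select-Object Gpo, Setting, Expected, Actual, Ok | Format-Table -AutoSize

# 3. The script records its runs in the Application log under this source
#    (event 5005 is written when it starts creating the GPOs).
Get-EventLog -LogName Application -Source CtxDesktopExperience -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message
```

A passing check only confirms that the values are stored in the GPO; they take effect for the users and computers in scope of a link. The HKCU Explorer and System values checked here restrict the shell UI and are not a substitute for application control or file system permissions.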

<#
 
.SYNOPSIS
Creates four Group Policy objects which control access to a user's desktop preferences.
Desktop preferences are defined to be managed centrally by an administrator or to be
user configurable.
 
.DESCRIPTION
Allows users to customize their workspace with background images, different mouse
pointers, etc., while restricting access to Computer Management, Task Manager, Scheduler,
and other system components. Part of a collection of PowerShell scripts
that provide a Windows 7 desktop look and feel in a XenApp environment.
 
A total of four Group Policy objects are created when the script is run:
CtxStartMenuTaskbarUser, CtxPersonalizableUser, CtxRestrictedComputer and CtxRestrictedUser.
 
Note that both success and failure of this script are recorded in the Windows Event log
under the event source CtxDesktopExperience. 
 
.PARAMETER Domain
Name of the Windows domain in which the Group Policy objects are created.
 
.PARAMETER ThemeFile
Full path to a Windows Theme file to use for new users. This parameter defaults to
the NewBasic.theme file created when the Install-CtxDesktopExperience.ps1 script is run.
 
.PARAMETER WallpaperFile
Full path to the Windows wallpaper that is applied to all users linked to the
CtxRestrictedUser GPO. By default, the wallpaper is set to a file containing the Citrix logo.
 
.PARAMETER InstallPath
Full path to the root of the Citrix install directory. The path stored at HKLM:\Software\Citrix\Roles\XenApp\ConfigurationToolLocation (Note: Software\Wow6432Node is referenced on a 64-bit OS) is used if no value is provided.
 
.PARAMETER Domain
Windows domain in which to store the Group Policy object. The domain to which the current computer
belongs is used if no value is provided.
 
.PARAMETER NameStartMenuTaskbarUserGPO
Name given to the GPO which contains Start Menu and Taskbar configuration.
The GPO is named CtxStartMenuTaskbarUser if an alternate name is not provided.
 
.PARAMETER NameRestrictedComputerGPO
Name given to the GPO that contains tight restrictions for a computer.
The GPO is named CtxRestrictedComputer if an alternate name is not provided.
 
.PARAMETER NamePersonalizableUserGPO
Name given to the GPO that contains moderate restrictions for a user.
The GPO is named CtxPersonalizableUser if an alternate name is not provided.
 
.PARAMETER NameRestrictedUserGPO
Name given to the GPO that contains tight restrictions for a user.
The GPO is named CtxRestrictedUser if an alternate name is not provided.
 
.EXAMPLE
New-CtxManagedDesktopGPO.ps1
 
.EXAMPLE
New-CtxManagedDesktopGPO.ps1 -Domain DomainName
 
.EXAMPLE
New-CtxManagedDesktopGPO.ps1 -ThemeFile "C:\Windows\resources\Ease of Access Themes\corp.theme" -WallpaperFile "c:\Program Files (x86)\Citrix\App Delivery Setup Tools\corp.jpg" -InstallPath "c:\Program Files (x86)\Citrix\App Delivery Setup Tools"
 
.EXAMPLE
New-CtxManagedDesktopGPO.ps1 -NameStartMenuTaskbarUserGPO CorpStartMenuTaskbarUser -NameRestrictedComputerGPO CorpRestrictedComputer -NamePersonalizableUserGPO CorpPersonalizableUser -NameRestrictedUserGPO CorpRestrictedUser
 
.NOTES
    KEYWORDS: powershell, terminal services, CSP, Desktop Experience
    REQUIRES:
    1. GroupPolicy Module
    2. Windows 2008 R2 or Windows 7
    3. PowerShell Version 2.0
    4. Computer joined to a Domain
 
    Microsoft Wallpaper defect:
    Windows Server 2008 R2 has a defect which, in some scenarios, prevents the wallpaper policy
    setting from being applied properly. Please see the following Microsoft Knowledge Base
    article for additional details:
       http://support.microsoft.com/kb/977944
 
    'Do not allow pinning to Taskbar' Policy Setting defect:
    The policy setting that prevents pinning to the taskbar will not work unless the
    hotfix described below is applied. Note that if the hotfix is installed the taskbar cannot
    be modified to look like a Windows 7 Desktop.
    http://support.microsoft.com/kb/981177
 
   GroupPolicy Module Installation:
   The New-CtxManagedDesktopGPO.ps1 script requires the GroupPolicy module be installed. If this module is
   not currently installed, perform one of the following procedures: 
 
   1. Windows Server 2008 R2 Domain Controller --or-- Windows Server 2008 R2 Member Server
   Install Group Policy Management Feature.
 
   2. Windows 7
   Install Remote Server Administration Tools (RSAT).
 
   Please see the following Microsoft article for additional details:
   http://technet.microsoft.com/en-us/library/ee461027.aspx
 
   Copyright © 2011 Citrix Systems, Inc. All rights reserved.
 
.LINK
     http://community.citrix.com/p/csp
#>
 
Param(
  [Parameter(Mandatory=$false, HelpMessage="Full path to Windows theme file.")]
  [Alias("Theme")]
  [string]$ThemeFile = "%windir%\resources\Ease of Access Themes\NewBasic.theme",
  [Parameter(Mandatory=$false, HelpMessage="Full path to Windows wallpaper.")]
  [Alias("Wallpaper")]
  [string]$WallpaperFile = "%ProgramFiles(x86)%\Citrix\App Delivery Setup Tools\citrix_logo.jpg",
  [Parameter(Mandatory=$false, HelpMessage="Full path to the root of the Citrix install directory.")]
  [Alias("Install")]
  [string]$InstallPath,
  [Parameter(Mandatory=$false, HelpMessage="Windows domain to store Group Policy object.")]
  [string]$Domain = $env:USERDNSDOMAIN,
  [Parameter(Mandatory=$false, HelpMessage="Name given to the GPO that contains Start Menu and Taskbar configuration for a user.")]
  [Alias("StartMenuGPO")]
  [string]$NameStartMenuTaskbarUserGPO = "CtxStartMenuTaskbarUser",
  [Parameter(Mandatory=$false, HelpMessage="Name given to the GPO that contains tight restrictions for a computer.")]
  [Alias("RestrictedComputerGPO")]
  [string]$NameRestrictedComputerGPO = "CtxRestrictedComputer",
  [Parameter(Mandatory=$false, HelpMessage="Name given to the GPO that contains moderate restrictions for a user.")]
  [Alias("PersonalizableUserGPO")]
  [string]$NamePersonalizableUserGPO = "CtxPersonalizableUser",
  [Parameter(Mandatory=$false, HelpMessage="Name given to the GPO that contains tight restrictions for a user.")]
  [Alias("RestrictedUserGPO")]
  [string]$NameRestrictedUserGPO = "CtxRestrictedUser"
) #end param
 
<#
.DESCRIPTION
Determine if the administrator wishes to correct the issue or abort the script. Called if an error is detected when trying to create the GPO.
#>
Function Read-GPOName
{
Param (
[string]$Caption,
[string]$Message,
[REF]$Name
)
    New-Variable cancelSelection -Value 0 -Option ReadOnly
    New-Variable overwriteSelection -Value 1 -Option ReadOnly
    New-Variable alternateNameSelection -Value 2 -Option ReadOnly
 
    $retry = $TRUE
 
    $choices = [System.Management.Automation.Host.ChoiceDescription[]] @("&Cancel", "&Overwrite", "&New Name")
    [int]$defaultChoice = $alternateNameSelection
    $selection = $host.ui.PromptForChoice($caption, $message, $choices, $defaultChoice)
 
     switch ($selection) {
        $cancelSelection {
           Write-Host "Canceling ..."
           $retry = $FALSE
        }
        $overwriteSelection {
           # Use the [REF] parameter rather than $nameTemp from the caller's scope
           Write-Host "Overwriting $($Name.Value) ..."
           Remove-GPO -Domain $Domain -KeepLinks  -Name $Name.Value
        }
        $alternateNameSelection {
           $newName = Read-Host "New name for GPO $($Name.Value)." -ErrorAction Continue
 
           $Name.Value = $newName
        }
     }
 
     return $retry
}
<#
.DESCRIPTION
Provides extended New-GPO functionality including confirmation and validation.
#>
Function New-GPOEx
{
Param (
[REF]$Name,
[string]$Domain = $env:USERDNSDOMAIN,
[string]$Comment = "Citrix GPO"
)
   New-Variable gpo -Value $null
   $retry = $true
 
   do {
      try {
          $nameTemp = $Name.Value
 
          $gpo = new-gpo -Domain $Domain -Name $Name.Value -Comment $Comment
          Write-Host "Created New GPO $nameTemp." 
 
          $retry = $false
       } catch [System.Runtime.InteropServices.ExternalException] {
          # Domain couldn't be contacted
          if ($_.Exception.ErrorCode -eq 0x8007054B) {
              $exception = new-object System.ApplicationException("Domain $Domain could not be contacted.", $_.Exception)
              Write-Error -Exception $exception -Category ResourceUnavailable -ErrorId System.ApplicationException.DomainNotAvailable
          } else {
              throw
          }
      } catch [System.SystemException] {
          # GPO Already Exists
          if ($_.FullyQualifiedErrorId -eq "GpoWithNameAlreadyExists,Microsoft.GroupPolicy.Commands.NewGpoCommand") {
              $caption = "Group Policy Object Already Exists"
              $message = "GPO $nameTemp already exists. $Comment"
 
              $retry = Read-GPOName -Caption $caption -Message $message -Name $Name
          # GPO Name not provided
          } elseif ($Name.Value -eq "" -or $Name.Value -eq $NULL) {
              $caption = "No Name Provided for Group Policy Object"
              $message = "Please provide a name for the GPO. $Comment"
 
              $retry = Read-GPOName -Caption $caption -Message $message -Name $Name
          } else {
              throw
          }
      } catch {
         throw
      }
   } while ($retry)
 
   return $gpo
}
 
<#
.DESCRIPTION
Provides extended Copy-GPO functionality including confirmation and validation.
#>
Function Copy-GPOEx
{
Param (
[string]$SourceName,
[REF]$TargetName,
[string]$Domain = $env:USERDNSDOMAIN,
[string]$Comment = "Citrix GPO"
)
 
   [string]$targetNameTemp = $TargetName.Value
   Write-Host "Copying GPO $SourceName to $targetNameTemp."
 
   $gpo = New-GPOEx -Domain $Domain -Name $TargetName -Comment $Comment
 
   if ($gpo -ne $null) {
      $gpo = $null
      Remove-GPO -Domain $Domain -KeepLinks -Name $TargetName.Value
      $gpo = Copy-GPO -SourceName $SourceName -TargetName $TargetName.Value
   }
 
   return $gpo
}
 
<#
.DESCRIPTION
Provides extended Import-GPO functionality including confirmation and validation.
#>
Function Import-GPOEx
{
Param (
[string]$SourceName,
[REF]$TargetName,
[string]$BackupGpoName,
[string]$Path,
[string]$Domain = $env:USERDNSDOMAIN,
[string]$Comment = "Citrix GPO"
)
 
   [string]$targetNameTemp = $TargetName.Value
   Write-Host "Importing GPO $SourceName to $targetNameTemp"
 
   $gpo = New-GPOEx -Domain $Domain -Name $TargetName -Comment $Comment
 
   if ($gpo -ne $null) {
      $gpo = $null
      Remove-GPO -Domain $Domain -KeepLinks  -Name $TargetName.Value
      $gpo = Import-GPO -BackupGpoName $BackupGpoName -CreateIfNeeded -Domain $Domain -TargetName $TargetName.Value -Path $Path
   }
 
   return $gpo
}
 
<#
.DESCRIPTION
Provides extended Set-GPRegistryValue functionality including validation.
#>
Function Set-GPRegistryValueEx
{
Param (
   [string]$Key,
   [psobject]$Type,
   [psobject]$Value,
   [string]$ValueName,
   [psobject]$GPO
)
 
   Write-Host "Setting Policy Value Key:$Key Name:$ValueName Type:$Type Value:$Value"
   $GPO | Set-GPRegistryValue -Key $Key -Type $Type -Value $Value -ValueName $ValueName | Out-Null
}
 
<#
.DESCRIPTION
Provides extended Remove-GPRegistryValue functionality including validation.
#>
Function Remove-GPRegistryValueEx
{
Param (
   [string]$Key,
   [string]$ValueName,
   [psobject]$GPO
)
 
   Write-Host "Removing Policy Value Key:$Key Name:$ValueName"
   $GPO | Remove-GPRegistryValue -Key $Key -ValueName $ValueName | Out-Null
}
 
<#
.DESCRIPTION
Provides extended Set-GPPrefRegistryValue functionality including validation.
#>
Function Set-GPPrefRegistryValueEx
{
Param (
   [psobject]$Action,
   [psobject]$Context,
   [string]$Key,
   [psobject]$Type,
   [psobject]$Value,
   [string]$ValueName,
   [psobject]$GPO
)
 
   Write-Host "Setting Policy Preference Action:$Action Key:$Key Type:$Type Value:$Value Name:$ValueName"
   $GPO | Set-GPPrefRegistryValue -Action $Action -Context $Context -Key $Key -Type $Type -Value $Value -ValueName $ValueName | Out-Null
}
 
<#
.DESCRIPTION
Add over 60 policy settings to three different group policy objects.
#>
Function Set-PolicySettings
{
   # ######################
   # GPO Restrictions
   Write-Host "Setting policy settings for $NamePersonalizableUserGPO."
 
   # set desktop theme which can be changed by the user
   Set-GPRegistryValueEx -Key "HKCU\Software\Policies\Microsoft\Windows\Personalization" -Type String -ValueName ThemeFile -Value $ThemeFile -GPO $gpoPersonalizableUser
 
   # Prevent Users from Reconfiguring the Server
   # Hide some control panels (all except personalization)
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "RestrictCpl" -Type DWORD -Value 4  -GPO $gpoPersonalizableUser
   # WARNING: if you change the IDs for 2, 5, 14, 15, 16 to another number, you will need to update the code for the restricted user below, which removes the items
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "2" -Type String -Value "Taskbar and Start Menu"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "3" -Type String -Value "Default Programs"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "4" -Type String -Value "Keyboard"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "5" -Type String -Value "Notification Area Icons"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "6" -Type String -Value "Sound"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "7" -Type String -Value "Text to Speech"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "8" -Type String -Value "Ease of Access Center"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName  "9" -Type String -Value "Internet Options"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "10" -Type String -Value "Mouse"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "11" -Type String -Value "Region and Language"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "12" -Type String -Value "Folder Options"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "13" -Type String -Value "Credential Manager"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "14" -Type String -Value "Personalization"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "15" -Type String -Value "Devices and Printers"  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "16" -Type String -Value "User Accounts"  -GPO $gpoPersonalizableUser
 
   # Remove Add or Remove Programs
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoAddRemovePrograms" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoAddFromCDorFloppy" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoAddFromNetwork" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoChooseProgramsPage" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoRemovePage" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall" -ValueName "NoWindowsSetupPage" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Hide "Programs and Features" page
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs" -ValueName "NoProgramsAndFeatures" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Prevent access to registry editing tools
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "DisableRegistryTools" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Prevent Access to Windows Automatic Updates
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" -ValueName "DisableWindowsUpdateAccess" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" -ValueName "DisableWindowsUpdateAccessMode" -Type DWORD -Value 0  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ValueName "NoAUShutdownOption" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
   Set-GPRegistryValueEx -Key "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ValueName "NoAUAsDefaultShutdownOption" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Shutdown from Start Menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoClose" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Run Menu From The Start Menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoRun" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Remove links and access to Windows Update
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoWindowsUpdate" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Remove Help menu from Start Menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoSMHelp" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Remove Access to Task Manager
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "DisableTaskMgr" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Restrict Access to Internet Explorer and the Internet
   # * Disable Changing Proxy Settings
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ValueName "Proxy" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Disable The Advanced Page security settings?
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ValueName "AdvancedTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Disable The Connections Page  VPN? Proxy?
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ValueName "ConnectionsTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # * Disable The Programs Page browser plugins?
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ValueName "ProgramsTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Disable Security Page
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ValueName "SecurityTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Windows Explorer Security Tab  This policy removes the Security tab from Windows Explorer. If users can open the Properties dialog box for file system objects, including folders, files, shortcuts, and drives, they cannot access the Security tab. It is recommended that you enable this policy to prevent users from changing the security settings or viewing a list of all users who have access to the object
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoSecurityTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Hides the Manage item on the Windows Explorer shortcut menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoManageMyComputerVerb" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Hardware tab  This policy removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel.
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoHardwareTab" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # MMC
   # Restrict users to the explicitly permitted list of snap-Ins
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\MMC" -ValueName "RestrictToPermittedSnapins" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Task Scheduler
   # Prohibit Task Deletion
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0" -ValueName "Task Deletion" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Prevent Task Run or End
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0" -ValueName "Execution" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Prohibit New Task Creation
   Set-GPRegistryValueEx  -Key "HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0" -ValueName "Task Creation" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Desktop
   # Remove Network Icon
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "HideSCANetwork" -Type DWORD -Value 1 -GPO $gpoPersonalizableUser
 
   # Remove Action Center Icon
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "HideSCAHealth" -Type DWORD -Value 1 -GPO $gpoPersonalizableUser
 
   # Remove Properties from My Documents shortcut menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoPropertiesMyDocuments" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Properties from My Computer shortcut menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoPropertiesMyComputer" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   # Remove Properties from Recycle Bin shortcut menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoPropertiesRecycleBin" -Type DWORD -Value 1  -GPO $gpoPersonalizableUser
 
   Write-Host "Setting policy settings for $NameRestrictedComputerGPO."   
 
   # Prevent addition of printers
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "DomainADprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "DomainIPprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "DomainWSDprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "DomainBluetoothprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "DomainShareprinters"  -GPO $gpoRestrictedComputer
 
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "NonDomainIPprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "NonDomainWSDprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "NonDomainBluetoothprinters"  -GPO $gpoRestrictedComputer
   Set-GPPrefRegistryValueEx -Action Delete -Context Computer -Key "HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard" -Type String -Value "" -ValueName "NonDomainShareprinters"  -GPO $gpoRestrictedComputer
 
   # Prevent Access to Windows Automatic Updates
   Set-GPRegistryValueEx -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoMSAppLogo5ChannelNotify" -Type DWORD -Value 1  -GPO $gpoRestrictedComputer
   Set-GPRegistryValueEx -Key "HKLM\Software\Policies\Microsoft\Windows\DriverSearching" -ValueName "DontPromptForWindowsUpdate" -Type DWORD -Value 1  -GPO $gpoRestrictedComputer
   Set-GPRegistryValueEx -Key "HKLM\Software\Policies\Microsoft\Windows\DriverSearching" -ValueName "DontSearchWindowsUpdate" -Type DWORD -Value 1  -GPO $gpoRestrictedComputer
 
   # * Disable Help and Support Center service
   Set-GPRegistryValueEx  -Key "HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc" -ValueName "Headlines" -Type DWORD -Value 0  -GPO $gpoRestrictedComputer
   Set-GPRegistryValueEx  -Key "HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc" -ValueName "MicrosoftKBSearch" -Type DWORD -Value 0  -GPO $gpoRestrictedComputer
 
   # * Restrict Access to CD-ROM and Floppy Drives
   Set-GPRegistryValueEx  -Key "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices" -ValueName "AllowRemoteDASD" -Type DWORD -Value 0  -GPO $gpoRestrictedComputer
   Set-GPRegistryValueEx  -Key "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices" -ValueName "Deny_All" -Type DWORD -Value 1  -GPO $gpoRestrictedComputer
 
   # #######################
   # GPO Restricted
   $gpoRestrictedUser = Copy-GPOEx -SourceName $NamePersonalizableUserGPO -TargetName ([REF]$NameRestrictedUserGPO)
 
   Write-Host "Setting policy settings for $NameRestrictedUserGPO."
   # Prevent user from changing Theme
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoThemesTab" -Type DWORD -Value 1 -GPO $gpoRestrictedUser
 
   # Prevent Changes To Taskbar And Start Menu Settings
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoSetTaskbar" -Type DWORD -Value 1 -GPO $gpoRestrictedUser
 
   # Remove The Pinned Programs List From The Start Menu
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoStartMenuPinnedList" -Type DWORD -Value 1 -GPO $gpoRestrictedUser
 
   # * Remove Drag And Drop Context Menus On The Start Menu
   Set-GPRegistryValueEx  -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoChangeStartMenu" -Type DWORD -Value 1 -GPO $gpoRestrictedUser
 
   # Enforce Wallpaper Selection
   Set-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "Wallpaper" -Type String -Value $WallpaperFile -GPO $gpoRestrictedUser
 
   # Delete the group policy setting which shows Taskbar and Start Menu from Control Panel
   Remove-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "2" -GPO $gpoRestrictedUser
 
   # Delete the group policy setting which shows Notification Area Icons from Control Panel
   Remove-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "5" -GPO $gpoRestrictedUser
 
   # Delete the group policy setting which shows Personalization from Control Panel
   Remove-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "14" -GPO $gpoRestrictedUser
 
   # Delete the group policy setting which shows Devices and Printers from Control Panel
   Remove-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "15" -GPO $gpoRestrictedUser
 
   # Delete the group policy setting which shows User Accounts from Control Panel
   Remove-GPRegistryValueEx -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl" -ValueName "16" -GPO $gpoRestrictedUser
}
 
<#
.DESCRIPTION
Retrieve install path from registry location
 
   HKLM:\Software\Citrix\Roles\XenApp\ConfigurationToolLocation (Note: Software\Wow6432Node is referenced on a 64-bit OS)
#>
Function Get-ConfigurationToolLocation() {
Param (
[REF]$ConfigurationToolLocation
)
    # 64-Bit machine?
    if(Test-Path "HKLM:\Software\Wow6432Node\Citrix\Roles\XenApp")
    {
        $registryValue = Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Citrix\Roles\XenApp" -Name ConfigurationToolLocation
        $ConfigurationToolLocation.Value = $registryValue.ConfigurationToolLocation
    }
    # Check if we're installed properly on 32-bit machine
    elseif(Test-Path "HKLM:\Software\Citrix\Roles\XenApp")
    {
        $registryValue = Get-ItemProperty -Path "HKLM:\Software\Citrix\Roles\XenApp" -Name ConfigurationToolLocation
        $ConfigurationToolLocation.Value = $registryValue.ConfigurationToolLocation
    }
    # Time for a friendly exception message
    else
    {
        $exception = new-object System.ApplicationException("Failed to retrieve the installation path from the registry. It appears that the MSI was not used to install the scripts. Either specify the install path using the InstallPath parameter or install the scripts using the EnhancedDesktopSetup.msi.")
        Write-Error -Exception $exception -Category ResourceUnavailable -ErrorId System.ApplicationException.ConfigurationToolLocationRegistryValueNotFound
    }
} 
 
# *** ENTRY POINT TO SCRIPT ***
Set-StrictMode -version 2
$ErrorView = "CategoryView"
$errorActionPreferenceOld = $errorActionPreference
$errorActionPreference = "Stop"
 
$exitCode = 0
$success = $FALSE
$abortScript = $FALSE
 
Write-Host "Creating the Group Policy objects for the Enhanced Desktop Experience feature."
 
try {
   New-EventLog -Logname application -Source CtxDesktopExperience -ErrorAction SilentlyContinue
 
   [string]$cmdLine = $myInvocation.Line
   Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType information -EventId 5005 -Message "Creating GPOs to manage Enhanced Desktop Experience: $cmdLine"
 
   try
   {
       Import-Module GroupPolicy
   }
   catch
   {
       # Test to see if the Exception is wrapped within an Error Record
       $errorException = Get-Member -InputObject $_ -Name Exception
 
       if($errorException -and $_.Exception.GetType().Name -eq "FileNotFoundException")
       {
           $exception = new-object System.IO.FileNotFoundException("The GroupPolicy PowerShell Module is not installed. Please see the Notes within section `"GroupPolicy Module Installation`" of the script help (Get-Help New-CtxManagedDesktopGPO.ps1 -Full).", $_.Exception)
           Write-Error -Exception $exception -Category ResourceUnavailable -ErrorId System.IO.FileNotFoundException.GroupPolicyPowerShellModuleNotFound
       }
       else # some other fatal error
       { throw $_ }
   }
 
   if ($InstallPath -eq "") {
      Get-ConfigurationToolLocation ([REF]$InstallPath)
   }
 
   # ###############
   # Check various supporting files and directories (install and gpo backup) are valid
   # Note: Wallpaper and theme file names are checked for proper format; but their existence is not; since these paths are only valid in the policy consumer's session and
   # in many cases only after windows command processor has interpreted the command.
   Write-Host "Validating install and GPO backup paths provided."
 
   if (!(Test-Path -LiteralPath $ThemeFile -PathType Leaf -IsValid)) {
      $exception = new-object System.FormatException("Theme File name is invalid: $ThemeFile")
      Write-Error -Exception $exception -Category InvalidArgument -ErrorId System.FormatException.ThemeFileArgumentInvalid
   }
 
   if (!(Test-Path -LiteralPath $WallpaperFile -PathType Leaf -IsValid)) {
      $exception = new-object System.FormatException("Wallpaper File name is invalid: $WallpaperFile")
      Write-Error -Exception $exception -Category InvalidArgument -ErrorId System.FormatException.WallpaperFileArgumentInvalid
   }
 
   if (!(Test-Path -LiteralPath $InstallPath -PathType Container)) {
      $exception = new-object  System.IO.DirectoryNotFoundException("Citrix Enhanced Desktop Experience install path is not accessible: $InstallPath")
      Write-Error -Exception $exception -Category ResourceUnavailable -ErrorId System.IO.DirectoryNotFoundException.EnhancedDesktopExperienceInstallPathNotFound
   }
 
   if (!(Test-Path -LiteralPath $InstallPath\GroupPolicyObjects\CtxStartMenuTaskbarUser -PathType Container)) {
      $exception = new-object System.IO.DirectoryNotFoundException("The path containing the CtxStartMenuTaskbarUser GPO is not accessible: $InstallPath\GroupPolicyObjects\CtxStartMenuTaskbarUser")
      Write-Error -Exception $exception -Category ResourceUnavailable -ErrorId System.IO.DirectoryNotFoundException.CtxStartMenuTaskbarUserPathNotFound
   }
 
   Write-Host "Changing working directory $InstallPath."
   Push-Location
   Set-Location $InstallPath
 
   # ###############
   # Create all GPO Objects early to ensure we have the right permissions and that the GPOs don't already exist
   Write-Host "Testing if GPOs ($NamePersonalizableUserGPO, $NameRestrictedUserGPO, $NameRestrictedComputerGPO, and $NameStartMenuTaskbarUserGPO.) can be created."
 
   $gpoStartMenuTaskbarUser = Import-GPOEx  -BackupGpoName CtxStartMenuTaskbarUser -Domain $Domain -TargetName ([REF]$NameStartMenuTaskbarUserGPO) -Path $InstallPath\GroupPolicyObjects\CtxStartMenuTaskbarUser -Comment "This GPO configures a user's Start Menu."
   if ($gpoStartMenuTaskbarUser -eq $null) {
      $abortScript = $TRUE
   } else {
      $gpoStartMenuTaskbarUser = $null
   }
 
   if (!$abortScript) {
      $gpoRestrictedUser = New-GPOEx -Domain $Domain -Name ([REF]$NameRestrictedUserGPO) -Comment "This GPO provides tight restrictions for a user's desktop configuration."
      if ($gpoRestrictedUser -eq $null) {
         Write-Warning "Aborting Script"
         $abortScript = $TRUE
      } else {
         Remove-GPO -Domain $Domain -KeepLinks  -Name $gpoRestrictedUser.DisplayName
         $gpoRestrictedUser = $null
      }
   }
 
   if (!$abortScript) {
      $gpoRestrictedComputer = New-GPOEx -Domain $Domain -Name ([REF]$NameRestrictedComputerGPO) -Comment "This GPO provides tight restrictions for a computer's configuration."
      if ($gpoRestrictedComputer -eq $null) {
         $abortScript = $TRUE
      }
   }
 
   if (!$abortScript) {
      $gpoPersonalizableUser = New-GPOEx -Domain $Domain -Name ([REF]$NamePersonalizableUserGPO) -Comment "This GPO provides moderate restrictions for a user's desktop configuration."
      if ($gpoPersonalizableUser -eq $null) {
         $abortScript = $TRUE
      }
   }
 
   if (!$abortScript) {
      Set-PolicySettings
      $success = $TRUE
   }
} catch {
   $success = $FALSE
   $errorRecord = $_
} finally {
   $errorActionPreference = $errorActionPreferenceOld
   Pop-Location
}
 
Write-Host "`n"
 
if ($success) {
   Write-Host "The Group Policy objects, which manage a user's desktop configuration, have been successfully created."
   Write-Host "The following GPOs will need to be linked to the appropriate OUs:"
   Write-Host "$NamePersonalizableUserGPO, $NameRestrictedUserGPO, $NameRestrictedComputerGPO, and $NameStartMenuTaskbarUserGPO"
 
   Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType information -EventId 5000 -Message "New-CtxManagedDesktopGPO: The Group Policy objects, which manage a user's desktop configuration, have been successfully created."
} else {
   # Note that the GPOs created during the session are not removed if an error is detected
   # since their contents may aid in determining the cause of the failure. Also, removal may
   # change the interaction between the administrator and the script causing confusion.
 
   if ($abortScript) {
      $exitCode = 0
      Write-Host "The script was canceled by the user."
      Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType information -EventId 5002 -Message "New-CtxManagedDesktopGPO: The script was canceled by the user."
   } else {
 
      if ($errorRecord) {
         [string]$exceptionMsg = "Details of the error detected can be found below: `n"
                $exceptionMsg += "------------------------------------------------- `n"
 
         $exceptionMsg += "FullyQualifiedErrorId: "
         $exceptionMsg += $errorRecord.FullyQualifiedErrorId
         $exceptionMsg += "`n`n"
         $exceptionMsg += "Exception:`n"
         $exceptionMsg += $errorRecord.Exception
         $exceptionMsg += "`n`n"
         $exceptionMsg += "InvocationInfo:`n"
         $exceptionMsg +=  $errorRecord.InvocationInfo.PositionMessage
         $exceptionMsg += "`n`n"
         $exceptionMsg += "BoundParameters:`n"
         $exceptionMsg +=  $errorRecord.InvocationInfo.BoundParameters
         $exceptionMsg += "`n`n"
         $exceptionMsg += "UnboundArguments:`n"
         $exceptionMsg +=  $errorRecord.InvocationInfo.UnboundArguments
         $exceptionMsg += "`n`n"
         $exceptionMsg += "TargetObject:`n"
         $exceptionMsg += $errorRecord.TargetObject
 
         Write-Host "Not all of the Group Policy objects which manage a user's desktop could be successfully created." -ForegroundColor Red
         Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType error -EventId 5001 -Message "New-CtxManagedDesktopGPO: Not all of the Group Policy Objects which manage a user's desktop could be successfully created. `n`n$exceptionMsg"
         throw $errorRecord.Exception
      } else {
         Write-Warning "Not all of the tasks could be completed successfully."
 
         Write-Host "The Group Policy objects, which manage a user's desktop configuration, have been successfully created."
         Write-Host "The following GPOs will need to be linked to the appropriate OUs:"
         Write-Host "$NamePersonalizableUserGPO, $NameRestrictedUserGPO, $NameRestrictedComputerGPO, and $NameStartMenuTaskbarUserGPO"
 
         Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType warning -EventId 5003 -Message "New-CtxManagedDesktopGPO: Not all of the tasks could be completed successfully."
         Write-EventLog -LogName application -Source CtxDesktopExperience -EntryType information -EventId 5000 -Message "New-CtxManagedDesktopGPO: The Group Policy objects, which manage a user's desktop configuration, have been successfully created."
      }
 
      $exitCode = 2
   }
}
 
Exit $exitCode
 
# SIG # Begin signature block
# SIG # End signature block

Follow these steps if you want to try it:

  1. Run the New-CtxManagedDesktopGPO.ps1 script at the PowerShell command line. This script creates the following GPOs:
    • CtxStartMenuTaskbarUser enables the Windows 7 look and feel for published desktops. It also changes the pinned shortcuts on the Taskbar and configures the user’s Start menu to match the Windows 7 environment. This GPO includes a script that executes when a user logs on to the server for the first time. To ensure the script executes correctly, the PowerShell execution policy on the server must be set to AllSigned.
    • CtxPersonalizableUser configures the user account that is accessing the XenApp server. It configures Windows policies to limit the available Control Panel applets and restricts users from installing programs, viewing properties, scheduling tasks, or shutting down the server.
    • CtxRestrictedUser includes most of the policies from the CtxPersonalizableUser GPO. Additionally, this GPO configures the Desktop wallpaper policy to prevent users from personalizing their desktops and prevents users from modifying settings for the Start menu and Taskbar.
    • CtxRestrictedComputer configures certain restrictions on the XenApp servers allocated to the tenant. This GPO restricts users from accessing Windows Update or removable server drives.
  2. In the Active Directory Users and Computers console, link the User GPOs to the OU containing the tenant’s user accounts.
  3. Link the CtxRestrictedComputer GPO to the OU containing the XenApp servers allocated to the tenant.
  4. In the Group Policy Management Editor, for each User GPO, add the user accounts to the GPO’s scope.
  5. Add the XenApp servers to the scope of the CtxRestrictedComputer GPO.
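
The checks that go with the steps above, as an added example that is not part of Citrix's script or of the original post: it verifies the Authenticode signature of the installed script, reports the execution policy that step 1 requires, and, once steps 2 to 5 are done, confirms that each GPO exists and is linked. The OU distinguished names are placeholders, and the GPO names assume the script's default names as listed in step 1.

```powershell
# Added example (not Citrix code). Run from an elevated PowerShell prompt.
# Uses only PowerShell 2.0 syntax so it works on the servers XenApp 6.5 targets.
$scriptPath = 'C:\Program Files (x86)\Citrix\App Delivery Setup Tools\New-CtxManagedDesktopGPO.ps1'

# Placeholders (assumptions): replace with the tenant's real OUs.
$userOu   = 'OU=TenantUsers,DC=example,DC=com'
$serverOu = 'OU=TenantXenApp,DC=example,DC=com'

# GPO names from step 1 (assumes the defaults were kept), mapped to the OU
# each one is linked to in steps 2 and 3.
$expectedLinks = @{
    'CtxStartMenuTaskbarUser' = $userOu
    'CtxPersonalizableUser'   = $userOu
    'CtxRestrictedUser'       = $userOu
    'CtxRestrictedComputer'   = $serverOu
}

# --- Before step 1: is the installed script still the one the vendor signed? ---
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' for '$scriptPath': $($sig.StatusMessage)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# --- Before step 1: execution policy (run this part on the XenApp server) ---
# Show every scope, because a policy set by Group Policy overrides LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize
$effective = Get-ExecutionPolicy
if ($effective -ne 'AllSigned') {
    Write-Warning "Effective execution policy is $effective; step 1 requires AllSigned for the logon script."
}

# --- After steps 2 to 5: do the GPOs exist and are they linked where expected? ---
Import-Module GroupPolicy
foreach ($name in $expectedLinks.Keys) {
    $ou = $expectedLinks[$name]
    try {
        $gpo = Get-GPO -Name $name -ErrorAction Stop
    } catch {
        Write-Warning "GPO '$name' not found: $($_.Exception.Message)"
        continue
    }

    # GpoLinks lists only the GPOs linked directly to this OU (not inherited ones).
    $link = (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $name }

    if (-not $link) {
        Write-Warning "GPO '$name' exists (Id $($gpo.Id)) but is not linked to $ou"
    } elseif (-not $link.Enabled) {
        Write-Warning "GPO '$name' is linked to $ou but the link is disabled"
    } else {
        Write-Host "OK: '$name' linked to $ou (Enforced: $($link.Enforced))"
    }
}
```

Typed at an interactive prompt these commands run under AllSigned; saved as a .ps1 file they would need a trusted signature themselves.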

Before running the script:

After running the script and configuring it as explained:

I’m glad to see Citrix went a bit further with desktop personalization and gave us a very useful script. Feel free to adapt and change it; I have already made several changes.

Several changes have been made around policies, and a new tab appears here, for templates:

Policy templates allow you to configure Citrix policies quickly and deploy them to your XenApp environment. Templates consist of pre-configured settings that can apply to a server or to a user session. You can use templates in the following ways:

  • As a source for creating other policies
  • As a tool with which to compare existing policies
  • As a method for delivering or receiving policy configurations from Citrix Support or trusted third parties

You can perform the following tasks with policy templates:

  • Create new templates using existing templates or policies
  • Create new policies using existing templates
  • Import and export templates
  • Compare settings, including default values, of selected policies and templates

Then a lot of new computer and user policies appear. Some integrate what we were forced to script before, such as the Capacity and Power Management options, and others configure the new options available with XenApp 6.5:

I didn’t screenshot ALL the new policies available; I just took the most important ones (for me). Reading through these policies, we can find some interesting information: a new service pack for XenApp 6 (SP1) seems to be on the way, as well as a XenDesktop 5 Feature Pack 1.

Another new feature is Multi-Stream. The ICA protocol has long had virtual channels that enable prioritization of different types of traffic to get the absolute best performance given available bandwidth and latency. Now, the ICA protocol can be divided into 5 separate network streams, enabling network administrators to prioritize virtual desktop traffic types alongside the rest of the network traffic to deliver enterprise-grade Quality of Service. Multi-Stream ICA divides virtual desktop traffic into RealTime, Interactive, Bulk, Background, and UDP/RTP Voice streams that can be individually monitored and managed by standard QoS networking tools. This option is disabled by default and can be enabled through policies (user and computer). You must enable the computer policy to be able to use the Multi-Stream user policy, and enabling Multi-Stream on a XenApp server requires a reboot before it takes effect. The Multi-Stream Connections section contains policy settings for managing Quality of Service (QoS) prioritization for multiple ICA connections in a session.

Several new options regarding session behavior are now available: Session Prelaunch, Session Linger, and Fast Reconnect. Some of the ideas are very simple yet change the end-user experience a lot. Session Linger, for example, provides a better user experience by eliminating the launch delay between applications.

To use session linger for named user sessions, configure the following Citrix User policy settings:

  • Linger Terminate Time specifies the number of minutes a session remains active after the last application terminates. If a new application starts during this time, the user session returns to the active monitoring state. If no application starts during this time, the session ends. If this policy setting is not used, session linger is disabled.
  • Linger Disconnect Time specifies the number of minutes to wait after lingering begins before disconnecting the session. If a new application starts during this time, the user session returns to the active monitoring state. It is possible that other factors may cause a session to be disconnected before the Linger Disconnect Time. If this policy setting is not used, a lingering session will not disconnect.

You can check the screenshot I made of configuring Session Linger through (user) policies:

And I made a short video to show you how it works:

http://vimeo.com/24558909

I haven’t covered everything yet, and this blog is already big, so I’ll continue in a 3rd and last one.
