Unidesk for Hyper-V

Transcription

1 Unidesk for Hyper-V Sep 08, 2017 This pdf file includes the Unidesk documentation. You can save a local copy of this file and use it offline. Use the built-in Search and Bookmark features to find what you need. Avoid using the links in this file, as they refer back to the landing page. Plan Unidesk infrastructure Unidesk appliances and disks Unidesk 3.4 for Hyper-V platform support Unidesk Layer storage Deploy About this release Unidesk appliances OS Layer Create Unidesk Collections Collections for Desktops Collections for Session Hosts Desktops and Session Hosts Application Layers Administer Unidesk Management Console Unidesk Layers Desktops, Session Hosts, and Collections Hosts and appliances Appliance health Brokers Users Troubleshoot Citrix Systems, Inc. All rights reserved. p.1

2 Plan Jun 28, 2017 Unidesk infrastructure Unidesk appliances and disks Unidesk 3.4 for Hyper-V platform support Unidesk Layer storage Citrix Systems, Inc. All rights reserved. p.2

3 Unidesk infrastructure Jun 28, 2017 The Unidesk solution provides simplified management, significant storage efficiency, performance, operational agility, and persistent personalization or customization of Unidesk Machines (Desktops or Session Hosts). The Unidesk environment includes a collection of virtual appliances that run on your existing virtual infrastructure. These appliances work together to dynamically composite Unidesk Machines that look and feel just like ordinary virtual machines. The following diagram shows the logical infrastructure of the Unidesk environment. The Unidesk environment is a grid of virtual appliances that replicate the operating system, application, and user workspace layers across an enterprise network. This environment uses the Unidesk Composite Virtualization technology to synthesize the Layers into complete, personalized Unidesk Machines. For the latest information about what platforms Unidesk supports, see Platform Support. Unidesk Layers A Unidesk Machine is a composite of Layers that provide the operating system, applications, and user data. Unidesk stores all layers as Hyper-V Virtual Hard Disk (VHDX) files in the Windows server file system. Unidesk uses the following types of layers to create a virtual machine: Citrix Systems, Inc. All rights reserved. p.3

4 Layer Description Operating System An Operating System Layer contains an imported copy of the operating system from a gold image. Application An Application Layer contains one or more applications that you assign to a Unidesk Machine. Personalization A Layer that behaves similarly to an Application Layer. T his Layer collects all of the user's changes to a Unidesk Machine and persists those changes through restarts of the virtual machine, and changes to Application Layer and Operating System Layer changes. T he Unidesk software creates this Layer when you create a Unidesk Machine. Unidesk storage tiers Unidesk stores content in tiers. Tier Description Boot T he Boot tier contains boot images and page files for your Unidesk Machines (Desktops or Session Hosts). T he boot image serves as the kernel for this virtual machine. Once a boot image exists for a particular machine, this tier retains the image as a VHDX file. If a particular Unidesk Machine becomes corrupted or lost, Unidesk can simply recreate the boot image for that machine. T he performance of this tier can affect the performance of Unidesk Machines. CachePoint and Layers he CachePoint and Layers tier contains the CachePoint Appliances as well as Operating System, Application, and Personalization Layers for your Unidesk Machines. Each Layer exists as a discrete VHDX file. A boot image created from the Boot tier draws Layers from this tier to finish creating a Unidesk Machine. T he majority of Input/Output activities take place on this tier. T he performance of this tier can affect the performance of Unidesk Machines Citrix Systems, Inc. All rights reserved. p.4

5 Unidesk appliances and disks Jun 28, 2017 The Unidesk appliances include software for managing the Unidesk environment, master copies of all Layers, and the configuration data for your Unidesk Machines (Desktops or Session Hosts). Management Appliance The Management Appliance is a virtual appliance that coordinates the communication between the Unidesk Management Console, the CachePoint Appliances, and the virtual infrastructure. The Management Appliance includes these components. Component Description Unidesk Management Console T he Web-based application that administrators use to manage the following components: Unidesk Machines Operating System Layers Application Layers Directory service integration points T he Unidesk infrastructure Management infrastructure T he software that controls the workflow required to manage virtual machines. It includes a database that stores the following information: Data about all of the Operating System and Application Layers that exist in the system. All data from the Unidesk Management Console. Schemas that implement back-end storage in the virtual infrastructure. Master CachePoint Appliance The first CachePoint Appliance that you provision in the Unidesk environment becomes the Master CachePoint Appliance. This virtual appliance maintains the master copy of all of the Operating System and Application Layers in the Unidesk environment. The Master CachePoint Appliance stores the Layers as VHDX files. The Master CachePoint Appliance automatically replicates Operating System and Application Layers to secondary CachePoint Appliances that manage Unidesk Machines (Desktops or Session Hosts) that use these Layers. Layer replication to secondary CachePoint Appliances occurs only if one or more Unidesk Machines associated with a specific CachePoint Appliance needs the Layers. The Master CachePoint Appliance also manages the Installation Machines that you use to create and modify Operating System and Application Layers. An Installation Machine is a special type of Unidesk Machine that you use as a staging area for creating Application Layers or add versions to existing Operating System and Application Layers. The Master CachePoint Appliance stores the VHDX files for Installation Machines Citrix Systems, Inc. All rights reserved. p.5

6 Secondary CachePoint Appliance(s) The Secondary CachePoint Appliances are responsible for: The initial deployment of Unidesk Machines. Deployment of Unidesk Machine configuration changes. CachePoint Appliances maintain copies of the Layers that the Unidesk Machines need in their configured storage tiers. They also store the VHDX files associated with the Unidesk Machines deployed in the same storage tiers. All Unidesk Machines associated with a specific CachePoint Appliance share the same Layers. The CachePoint file system Each CachePoint Appliance (including the Master CachePoint Appliance) creates a folder in the selected CachePoint storage location. That folder, which will have the same name as your CachePoint, contains the CachePoint virtual machine and the Unidesk Layers folder. The Unidesk Layers folder has subfolders for the Operating System Layer(s), Application Layers, and User (Personalization) Layers for the Unidesk Machines that the CachePoint Appliance manages. Here s a screen shot of a typical CachePoint file system after creating an Operating System Layer (OS folder), an Application Layer (App folder), and a Desktop (User folder). For each Desktop or Session Host, the User folder contains two VHDX files, which together make up the user's Personalization Layer: One for the Desktop or Session Host configuration data, for example, data for user-installed application and system settings. One for the user data. The CachePoint Appliances and Unidesk Machines (Desktops or Session Hosts) operation As long as one of the servers in a cluster has an active CachePoint Appliance on storage accessible by the whole cluster, you can create Desktops on the other servers in the cluster. And, because the Unidesk Machine connects directly to its Layers, the state of the CachePoint Appliance has no effect on Unidesk Machine operation. For example, you can shut down a CachePoint Appliance without affecting active users. To your users, Unidesk Machines appear as standard computers Citrix Systems, Inc. All rights reserved. p.6

7 Unidesk 3.4 for Hyper-V platform support Jun 28, 2017 Unidesk 3.4 for Hyper-V supports the following third-party software. Inf rastructure sof tware Unidesk supports the following virtual infrastructure software, US-English language pack only. For the best Unidesk experience, we recommend running the first of these configurations. Microsoft Windows Server 2012 R2 (Standard, Datacenter) with Hyper-V role and the Remote Desktop Connection Broker (RDCB) service enabled in the Remote Desktop Services (RDS) role Microsoft Windows Server 2012 R2 (Standard, Datacenter) with the Hyper-V role installed Microsoft Hyper-V Server 2012 R2 (This server does not include a graphical user interface) Unsupported features The "Move the virtual machine's storage" option in the Move Wizard of the Hyper-V Manager The "Migrate Storage" option in the System Center Virtual Machine Manager (SCVMM) Internet browser The Unidesk Management Console (UMC) supports any standards-based browser that supports Silverlight 4.0. Desktop operating system Unidesk Desktops support these operating systems as Generation 1 virtual machines: Microsoft Windows bit (Professional, Enterprise, Education) Windows Server 2012 R2 64-bit (Datacenter, Standard) Microsoft Windows 8.1 Update, 64-bit (Professional, Enterprise) Microsoft Windows 7 SP1, 64-bit (Professional, Ultimate, Enterprise) Session host operating system Unidesk Session Hosts support these operating systems as Generation 1 virtual machines: Windows Server 2012 R2 64-bit (Datacenter, Standard) Windows Server 2008 R2 64-bit (Standard, Enterprise and Datacenter) Note Windows Server 2008 is supported on Unidesk Session Hosts, not on Unidesk Desktops. Directory service Microsoft Active Directory Virtualization connection brokers f or Unidesk Desktops Citrix Systems, Inc. All rights reserved. p.7

8 The following brokers are directly integrated with Unidesk: Remote Desktop Connection Broker (RDCB) (See Infrastructure software above.) Citrix XenDesktop 7.6 Virtualization connection brokers f or Unidesk Session Hosts Remote Desktop Connection Broker (RDCB) (See Infrastructure software above.) Citrix XenApp Citrix Systems, Inc. All rights reserved. p.8

9 Unidesk Layer storage Jun 28, 2017 Unidesk Application and Operating System Layers are stored as separate differencing disks on parent VHDX files in the Windows server file system. Unidesk Machines (Desktops or Session Hosts) mount these differencing disks directly from the file system in a many-to-one fashion. Master CachePoint Appliance The following image shows the file structure of a Master CachePoint Appliance on the disk. Note the folders for the Application (App) Layers, Operating System (OS) Layer(s), and Users' Personalization Layers. Each deployed Unidesk Machine also has a folder with files, which includes the VM s XML files, boot drive VMHD, and a differencing disk for each Layer attached to the machine. This file structure provides a great deal of information. For example it is easy to determine the space used by a particular layer. Each Unidesk Layer version starts as a full clone of the previous Layer. Changes are made to the Layer and saved. This means that versions are normally larger than the base Layer. Unidesk storage tiers Boot drives Tier: This tier includes just the files required to boot the Unidesk Machine. Use any type of storage for this tier, as speed is not an issue. CachePoint Appliance and Layer storage tier: This tier includes the Operating System Layer(s) and Application Layers that you can assign to your Unidesk Machines (Desktops or Session Hosts). It also includes a Personalization Layer for every Persistent Unidesk Machine. This tier should be kept on fast storage devices Citrix Systems, Inc. All rights reserved. p.9

10 Deploy Jun 28, 2017 About this release Unidesk appliances OS Layer Create Unidesk Collections Collections for Desktops Collections for Session Hosts Desktops and Session Hosts Application Layers Citrix Systems, Inc. All rights reserved. p.10

11 About this release Sep 08, 2017 This Unidesk release provides you with Unidesk's VDI Management product in a Microsoft Hyper-V environment. Unidesk Release Notes Unidesk Platform Support Citrix Systems, Inc. All rights reserved. p.11

12 Unidesk 3.4 Release Notes Sep 21, 2017 Welcome to Unidesk f or Hyper-V! This release provides more stability for your Windows 10 Layered Desktops. Several issues have been fixed, as described below under Issues fixed. Links in the UI now bring you to the Unidesk documentation on the new Citrix site. Issues fixed in this release Unattend and Optimizer f iles no longer f lagged by some virus scanners. The Unattend.exe and Optimize.exe files are now only delivered as.hta file types, because the.exe files were getting flagged by some virus scanners. To use these.hta files, execute them from an admin cmd prompt. The Of f iceactivate.cmd script has been modif ied to reorder how the script executes. After you resolve bad WPA keys, affected desktops now start and Windows is successfully activated. This is because the Software Protection service (SPPsvc) now starts as expected. Affected desktops need to be republished after upgrading to the release. (UNI-58506) On Windows 10 LTSB installation machines, WindowsTrustedRT.sys driver is present and no longer contains a critical error. Newly created desktops that use OS Windows 10 version 1607 no longer have broken Metro Apps. Upgrading f rom Win10 version 1511 to version 1607 no longer results in broken tiles or Store apps. You can now turn off Windows 10 Store downloads and updates without issue. After upgrading from Windows 10, version 1511 to version 1607, you can finalize the OS layer as expected. You no longer receive the message, "An.msi install operation is in progress please check the packaging machine." Microsof t Hot f ix KB no longer causes driver store problems f or new desktops. When you install this hot fix on an OS layer version, desktops that use this layer now function without driver store problems. Installing Unidesk You can download the Unidesk 3.4 package from our download page for the Hyper-V environment. Platf orm Support For details about supported server software, desktop operating systems, and directory services, see the Unidesk 3.x for Hyper-V Platform Support. Considerations Clusters and load balancing. Virtual machine load balancing is done outside of Unidesk. In a Hyper-V role, you can set up Desktops to float between hosts. Please note however, that you should not configure Unidesk Appliances to float Citrix Systems, Inc. All rights reserved. p.12

13 between hosts. When you set up Clusters in your Hyper-V environment you must use Cluster Shared Volumes (CSV). For details about how to achieve load balancing in this release, click here. Microsof t RemoteFX 3D Video Adapter. You must turn on this feature using the settings in Hyper-V manager in either your gold image or in the user's vm. Please be sure to restart the gold vm so this setting can take effect. Known issues in this release Windows 10 upgrade Compatibility of Unidesk sof tware with Windows Creators Edition is being tested, and what appear to be compatibility issues have been f ound. Using the WIndows Creators Edition at this time. If you want to upgrade to Windows 10, version 1607 (Anniversary Update edition), you must do this one-time step. After upgrading to this Windows 10 version, you must add a new Layer Version to each App Layer, and republish the updated Image Template with the new OS and App Layer Versions. (UNI-54892). After a Windows 10 upgrade, you must allow all scheduled tasks to finish. After a Windows 10 upgrade, for example after upgrading from 1511 to 1607, you must allow any scheduled system tasks to complete. This allows existing desktops to gather the networking information required to ensure that the change in the OS Layer Version does not loose the network. Simply let the virtual machines finish their task or edit them immediately to ensure that they are completed before you upgrade your OS Layer to Windows and assign it to desktops. Windows updates may cause issues on persistent desktops. If Windows updates are causing issues on persistent desktops in your environment, disable Windows Updates via a local GPO. Win 10 upgrade may result in new Recovery Volume partition. During a major upgrade, for example when upgrading from 1511 to 1607, Windows 10 sometimes creates a Recovery Volume as a new partition on the same disk as the OS Layer Version. This volume should always be removed before you finalize the OS Layer Version. Otherwise, the recovery volume can cause desktops to fail to boot correctly. For the steps to safely remove a recovery volume, click here. General The first Desktop that you create in a Collection can fail. If the first Desktop that you create in a Collection fails with the error "Broker error: One of the specified user groups, group-name, could not be mapped to a valid SID," the Active Directory group may have been created pre-windows 2000, so it doesn't match the group name in RDS. For details about how to diagnose and fix this problem, click here. (UNI-30270) When editing a large number of desktops, a single desktop cannot be viewed in the visualization panel. If you select a large number of Desktops for editing, performance is slow when you attempt to select a single desktop in the visualization panel. (UNI-37936) Remote Desktop Services not ref reshing the Desktop. In approximately 5-10% of the cases per 300 desktops on a single host, RDS does not detect that a user has logged out and consequently does not refresh the Desktop. (UNI ) Conf iguring the Citrix Xen Delivery Groups Access Policy. Once you integrate with XenDesktop and create Unidesk Citrix Systems, Inc. All rights reserved. p.13

14 Collections and Desktops, you will receive an error message if you attempt to edit the Access Policy directly in Citrix Studio. To make any changes to Group Access Policy, use the Unidesk Management Console to edit the Collection Entitlements. (UNI-31613) RDS Remote App collections become unusable if Session Hosts are deleted f rom the Unidesk Management. Console. If Session Hosts that were manually added to RDS RemoteApp programs are deleted from the Unidesk Management Console, then the entire collection becomes unusable in RDS. The workaround is to delete the servers from the RemoteApp session collection on RDS Connection Brokers first before deleting them from the Unidesk Management Console. (UNI-35810) RDS User prof ile disks not supported. RDS User profile disks are not supported, but Unidesk is compatible with profile management tools, such as roaming profiles and folder redirection, that you can use to give Non-persistent Desktops some personalization. (UNI-29231) A Desktop may end up in an Active or Disconnected state after a user or Hyper-V administrator shuts down, restarts, or powers off the Desktop. If a user issues a restart or shutdown from their Desktop, the RD Connection Broker may not recognize the event. A restart of the Desktop via the Unidesk Management Console will clear the issue and allow the Desktop to be accessed through RDS. (UNI-30191) Setting up deduplication on any storage accessed by Unidesk is not supported. Running a deduplication process on a storage accessed by Unidesk can produce an error message that reads, "Access to the path... is denied." (UNI-38062) Citrix Systems, Inc. All rights reserved. p.14

15 Unidesk 3.4 Platform Support Jun 28, 2017 Unidesk 3.4 for Hyper-V supports the following third-party software. Infrastructure software Unidesk supports the following virtual infrastructure software, US-English language pack only. For the best Unidesk experience, we recommend running the first of these configurations. Microsoft Windows Server 2012 R2 (Standard, Datacenter) with Hyper-V role and the Remote Desktop Connection Broker (RDCB) service enabled in the Remote Desktop Services (RDS) role Microsoft Windows Server 2012 R2 (Standard, Datacenter) with the Hyper-V role installed Microsoft Hyper-V Server 2012 R2 (This server does not include a graphical user interface) Unsupported features The "Move the virtual machine's storage" option in the Move Wizard of the Hyper-V Manager The "Migrate Storage" option in the System Center Virtual Machine Manager (SCVMM) Internet browser The Unidesk Management Console (UMC) supports any standards-based browser that supports Silverlight 4.0. Desktop operating system Unidesk Desktops support these operating systems as Generation 1 virtual machines: Microsoft Windows bit (Professional, Enterprise, Education) Windows Server 2012 R2 64-bit (Datacenter, Standard) Microsoft Windows 8.1 Update, 64-bit (Professional, Enterprise) Microsoft Windows 7 SP1, 64-bit (Professional, Ultimate, Enterprise) Session Host Operating System Citrix Systems, Inc. All rights reserved. p.15

16 Unidesk Session Hosts support these operating systems as Generation 1 virtual machines: Windows Server 2012 R2 64-bit (Datacenter, Standard) Windows Server 2008 R2 64-bit (Standard, Enterprise and Datacenter) Note: Windows Server 2008 is supported on Unidesk Session Hosts, not on Unidesk Desktops. Directory service Microsoft Active Directory Virtualization connection brokers for Unidesk Desktops The following brokers are directly integrated with Unidesk: Remote Desktop Connection Broker (RDCB) (See Infrastructure software above.) Citrix XenDesktop 7.6 Virtualization connection brokers for Unidesk Session Hosts Remote Desktop Connection Broker (RDCB) (See Infrastructure software above.) Citrix XenApp Citrix Systems, Inc. All rights reserved. p.16

17 Unidesk appliances Jun 28, 2017 You can get started with your Unidesk deployment by installing the Unidesk Management Appliance and Master CachePoint Appliance. What you need to deploy Unidesk for Hyper-V You can use this checklist as a reference when setting up your environment. Checklist: What you need Install Unidesk appliances Refer to these detailed steps while running the installer. Install Unidesk appliances Create Secondary CachePoint Appliances Create additional CachePoints to manage Unidesk Machines (Desktops or Session Hosts) Citrix Systems, Inc. All rights reserved. p.17

18 What you need to deploy Unidesk in a Hyper-V environment Jun 28, 2017 Whether you are setting up a Proof of Concept (POC) or deploying a pilot (production) version, you'll need to meet some basic requirements. Basic Requirements To get started with Unidesk, you'll need these hardware and software basics: Unidesk-supported Windows Server with specific roles enabled (see details below) 500+ GB of storage Unidesk-supported Operating System for your Desktops or Session Hosts A single network time source for your Desktops, Session Hosts, and Appliances Detailed Requirements A POC requires much of the same software, accounts, and credentials as a full pilot deployment. However, for a full pilot, you'll need more servers, storage, and network addresses. Server requirements Servers POC Pilot Unidesk-supported Windows Server Microsoft Windows Server 2012 R2 (Standard, Datacenter) with Hyper-V role and the Remote Desktop Connection Broker (RDCB) service enabled in the Remote Desktop Services (RDS) role Xs Xs Microsoft Windows Server 2012 R2 (Standard, Datacenter) with the Hyper-V role installed Microsoft Hyper-V Server 2012 R2 (This server does not include a graphical user interface) Roles configurer Hyper-V Virtualization Host role Xs Xs RD Connection Broker role RD Web Access role Citrix Systems, Inc. All rights reserved. p.18

19 RD Licensing role (even if it is in trial mode) Other requirements f or the server The.NET Framework 4.5 Features selected on the server. Xs Xs Two DNS servers are required when installing the Management Appliance. The operating system (gold image) for your Desktops or Session Hosts available on the server. (You will prepare this OS for the Unidesk environment when creating the Operating System Layer.) Credentials required You need the credentials for the server Administrator. You can either log in as Administrator or as a User with Administrator privileges. Xs Xs Port opened by the Unidesk Installer The Unidesk Installer opens a port on the local server's firewall for the TCP protocol. This port is used for communications between the Hyper-V Agent service and the Unidesk Appliances. By default this is port 8014, but you can change the port number during installation. Xs Xs Register the Hyper-V server with DNS You must register the Hyper-V server with DNS so that the Management Appliance can communicate with it. Xs Xs Requirements f or running the Unidesk Management Console A standards-based browser on the Management Appliance that supports Silverlight 4.0. Xs Xs Network setup Routing, DHCP, DNS and IP addresses POC Pilot Basics The network must be able to route between server and Desktop vlan Xs Xs 2 IP addresses required: One address for the Management Appliance, and one for the Master CachePoint Appliance vlan with DHCP for Desktops DNS entries for appliances Citrix Systems, Inc. All rights reserved. p.19

20 Additional Additional IP addresses for the number of Secondary CachePoint Appliances you need to support the number of virtual Desktops planned. Xs Active Directory AD accounts POC Pilot Single service account or multiple accounts Xs Xs An account that can join computers to the domain/ou An account that can read from Active Directory If using Citrix XenDesktop, an account that is both: Local administrator on the DDC XenDesktop administrator Storage Drives required POC Pilot Type of drives Supported drive types: Fixed disks, Network (cluster shared volumes). Xs Xs Unsupported drive types: CD-ROM, Removable, RAM, NoRootDirectory, and Unknown. Minimum amount of disk space 500+ GB of storage - Assuming 5-10 Desktops with average Personalization Layer size of 10 GB Xs Desktop and Session Host Operating System Supported Windows versions POC Pilot Desktop Operating System Xs Xs Unidesk Desktops support these operating systems as Generation 1 virtual machines: Microsoft Windows bit (Professional, Enterprise, Education) Windows Server 2012 R2 64-bit (Datacenter, Standard) Citrix Systems, Inc. All rights reserved. p.20

21 Microsoft Windows 8.1 Update, 64-bit (Professional, Enterprise) Microsoft Windows 7 SP1, 64-bit (Professional, Ultimate, Enterprise) Session Host Operating System Unidesk Session Hosts support these operating systems as Generation 1 virtual machines: Windows Server 2012 R2 64-bit (Datacenter, Standard) Windows Server 2008 R2 64-bit (Standard, Enterprise and Datacenter) Note: Windows Server 2008 is supported on Unidesk Session Hosts, not on Unidesk Desktops. Implementation Notes: Install Operating System from ISO (do not reuse an existing copy) If Windows 7, install Microsoft Integration Services Do not join the domain with the gold image Xs Xs Do not run optimization tools from outside utilities Connection Broker (for full Desktop broker integration) If you are using one of the supported desktop integration brokers for full broker integration, you'll need the software and associated requirements shown below. Supported brokers POC Pilot Citrix XenDesktop An account that is both a local administrator on the DDC and a XenDesktop administrator Xs Xs DDC FQDN Microsoft Remote Desktop Connection Broker (RDCB) Xs Xs Citrix Systems, Inc. All rights reserved. p.21

22 Install Unidesk appliances Oct 03, 2017 In the first stages of the Unidesk installation process, you: Install Unidesk Hyper-V Agent Deploy the Unidesk Management Appliance Copy the Unidesk CachePoint Template to the same location as the Management Appliance Manually deploy the Master CachePoint Appliance in two steps: Configure the CachePoint Template Configure the Master CachePoint settings Bef ore you start Whether you are deploying a proof of concept (POC), or a production pilot, be sure to meet the requirements detailed here. Deploy the Unidesk Appliances Download the Unidesk Installation package Download the Unidesk ZIP file from the Unidesk Support Download Center onto one of the local drives on your Server. Deploy the Unidesk Management Appliance (MA) This procedure installs the Unidesk Hyper-V Agent, and then the Management Appliance on your Hyper-V Server. It also copies the CachePoint Appliance Template onto your Hyper-V Server as the first step in deploying your Unidesk Master CachePoint Appliance (MCP): 1. Unzip the Unidesk for Hyper-V installation package. This contains the Unidesk Installer ZIP and other files. 2. Extract the installer Zip file to a folder on your local drive. 3. Double-click the Unidesk installer file (UnideskInstaller.exe). The Unidesk End User License Agreement is displayed. 4. Read the End User License agreement, and if you agree to the terms, check I Agree, and then click Accept. A window for installing the Unidesk Hyper-V Agent appears. 5. Note the Current version of the Hyper-V Agent (if any). If the agent is not yet installed, click Install or Upgrade if a newer version exists. Once the Hyper-V Agent installation is complete, a window for installing the Unidesk Management Appliance appears. 6. Specify the following settings for the Management Appliance, and click Install. This deploys the Management Appliance, copies the CachePoint Template to the same location, and opens the Next Steps window. Name A unique name for the Management Appliance. Location Virtual Switch Browse for a folder on the local server for the Management Appliance VM and CachePoint Template. Specify the virtual network to use for the Management Appliance and Master CachePoint Appliance. Time Zone The international Time Zone for the MA Citrix Systems, Inc. All rights reserved. p.22

23 NTP Server 1 and 2 The Network Time Protocol servers used to synchronize the time on the server. The URLs for recommended NTP servers are included. Type of IP address, Dynamic (DHCP) or Static. It is strongly recommended that you use a Static IP address for your Management Appliance, and Dynamic IP addresses for your CachePoint Appliances. IP Configuration If you must use a DHCP address for the Management Appliance, you'll need to set a Static MAC address for it. Refer to this article about how to set the Static MAC address: Microsoft Hyper-V Static MAC Address VLAN Tag The VLAN tag inserted into packet headers, indicating which logical network to use for this virtual machine. 7. When the Next Steps window opens, note the CachePoint Template path, so you can use this location to configure the CachePoint in the Management Appliance. 8. Click the Management Console link to open the Unidesk Management Console (UMC). Login using "administrator" and the password "Unidesk1". 9. Dismiss the message that appears, and change the UMC Administrator password. 10. Then, change the root password on the new Management Appliance and Master CachePoint Appliance. If you are comfortable using Linux, use the Hyper-V console or SSH to log into the appliance as root (password v9yx*6uj), and enter Linux commands to change the root password. If you are not familiar with the Linux commands for changing the root password, please contact the Unidesk Support team, and they will either walk you through the steps or change it for you. Next, you will configure the Master CachePoint Appliance, as described in the next section. If the MA is deployed to a UNC, set up the CachePoint Appliance Template When deploying a Management Appliance (MA) to a UNC path, the installer will attempt to configure the network storage location to allow you to setup the CachePoint Appliance template. If this fails, take the following steps: 1. Log into the Unidesk Management Console. 2. Select System, and click Manage Network Storage on the Action bar. This opens the Manage Network Storage wizard. 3. Click the New button, and enter the network share used to deploy the Management Appliance, where the entry is of the form: \\server\sharename 4. Click Add. By default, the new network share will be assigned to the Hyper-V host on which the Management Appliance was deployed, as well as any other hosts known by the Management Appliance. 5. From the Confirm and Complete wizard tab, review the changes and, if correct, click Submit Network Storage Changes. You should now be able to Edit the CachePoint Appliance Settings to browse to the location of the CachePoint template, as displayed in the Unidesk Installer Citrix Systems, Inc. All rights reserved. p.23

24 Configure the Master CachePoint Appliance Once you've deployed the Management Appliance, you can configure the CachePoint Template and create your first CachePoint Appliance, which will be your Master CachePoint Appliance. 1. In the Unidesk Management Console, select System > Settings and Conf iguration. 2. Click Edit next to the CachePoint Settings. 3. Browse for the CachePoint Template (the path you noted in Step #6 above), and click Save. Now you can create your first CachePoint. 4. Select System > Manage Appliances, and click Create CachePoint. 5. Enter a name for the CachePoint. If you are not planning to create a secondary CachePoint Appliance, make sure that Allow new machines to be deployed to this CachePoint is checked. 6. On the Storage Tiers tab, select a location on the server for the Boot Images, and for the Master CachePoint Appliance and Layers. 7. On the Virtual Switch tab, select the type of virtual switch (Network). Specify the VLAN Tag, if needed, and the IP configuration settings for the CachePoint Appliance. For the IP Configuration, choose DHCP if using a dynamic IP address, or Static if using a Static IP address. If Static, enter the additional values required. 8. On the Confirm and Complete tab, verify that the settings are correct, and click Create CachePoint. This deploys the Master CachePoint Appliance. 9. Then, change the root password on the new Master CachePoint Appliance. If you are comfortable using Linux, use the Hyper-V console or SSH to log into the appliance as root (password v9yx*6uj), and enter Linux commands to change the root password. If you are not familiar with the Linux commands for changing the root password, please contact the Unidesk Support team, and they will either walk you through the steps or change it for you. Refresh the Unidesk Management Console and deploy Unidesk machines Once you've deployed the appliances, you need to refresh the Unidesk Management Console, and follow the steps to: Create your Operating System Layer Create Collections Create a Unidesk Machine (either a Desktop or Session Host) To get started: 1. Refresh the Unidesk Management Console by logging out and logging back in again. A window pops up over the Management Console with the three steps required to deploy your Unidesk machines. 2. Click each of the step icons for instructions. Once you've created a Unidesk Machine, this window will no longer appear when you start the Management Console. Configure notifications Types of notifications you can set You can configure notifications to inform you in case there are issues with services running on your CachePoint Appliances. Events that can trigger an notice When you configure notifications, you will receive an for any of the following events: Citrix Systems, Inc. All rights reserved. p.24

25 Tests of the notification connection. An internal failure occurs on a CachePoint Appliance that requires an automatic restart. Log files are exported. Connection issues between Desktops or Session Hosts and CachePoint Appliances occur. Types of notifications notif ication CachePoint service failures Description The Management Appliance sends an message to the designated addresses when an internal service failure occurs and the affected CachePoint Appliance tries to restart the service or the CachePoint Appliance. Exporting log files When you export logs for Desktops or the virtual appliances, the software sends the specified recipients an notification that includes a link to the log files. For details, click here. If a Desktop or Session Host loses its connection to its assigned CachePoint Appliance, the Desktop or Session Host contacts the Management Appliance to either obtain a new IP address for the CachePoint Appliance or to confirm that it has the correct IP address. Connection issues If the Desktop or Session Host has the correct address but cannot communicate with its CachePoint Appliance, the Management Appliance sends an notification the first time it tries to communicate with the CachePoint Appliance. When you receive this message, verify that the CachePoint Appliance is operational and available on the network. Configure notifications To set up notifications 1. Select System > Settings and Configuration. 2. Navigate to Notifications Settings and click Edit. 3. In the Mail Server box, enter the name of your server or the name of the SMTP relay server. 4. In the Mail Server port, enter the number of the port that the server uses for communication. 5. In the User Name box, enter the user name for the account you want to use for sending notifications. For example, username@domain.com. 6. In the Password box, enter the password for the account. 7. In the From box, enter an address to identify the source of the message. For example, if you enter myaddress@mycompany.com, the message displays the following in the From box of the received notification: Citrix Systems, Inc. All rights reserved. p.25

26 Unidesk Management Appliance 8. In the Recipient List box, enter the addresses that should receive notifications. Use a comma or semicolon to separate the addresses. 9. Click Test Configuration to verify that the settings for the server and account work correctly. If the test succeeds, the software displays a success message and sends the recipients a confirmation Enter a comment, if necessary, and click Save to save the settings. If you enter comments, they appear in the Information view Audit History. Secure the appliances Make sure you've changed the Administrator and root passwords for each appliance Make sure you have changed the default Administrator password for the Management Appliance and Master CachePoint Appliances as described in Deploy the Unidesk Management Appliance (MA) and Configure the Master CachePoint Appliance above. You must also be sure to change the root password on each of the appliances, as described above. If you are not familiar with the Linux commands to change this password, please contact Unidesk Support for assistance. Set a session timeout for the UMC You can set a timeout for the Unidesk Management Console, so that if there is no user-initiated activity for a specified length of time, the console ends the session. Session activity includes user interaction with the console, for example, starting tasks and editing settings. Tasks in progress will not keep a session from timing out, nor will simply selecting an object or clicking inside the console window. If you have just installed Unidesk software, the Session Timeout is set to 15 minutes by default. If you have upgraded from an earlier version of Unidesk, the Session Timeout will be set to zero (0) by default, effectively leaving this function turned off. To set a session timeout 1. Select System > Settings and Configuration. 2. Scroll to Security Settings. 3. Select Session Timeout, and click the Edit button. 4. Enter the number of minutes after which the session will timeout. Valid values include numbers from (A value of 0 turns off this feature.) 5. Click Save Citrix Systems, Inc. All rights reserved. p.26

27 Upgrade Unidesk Oct 03, 2017 This release contains updates for the following components: Unidesk Management Appliance Unidesk Master CachePoint Appliance and Secondary CachePoint Appliances Unidesk Hyper-V Agent Unidesk for Hyper-V Broker Agent Unidesk Gold Image Tools Component upgrades This upgrade supports moving from Unidesk 3.x for Hyper-V to the current release. To see which Unidesk version is installed on each appliance, open the Unidesk Management Console, select System > Manage Appliances, and click the icon for each component to see the version. Upgrade Steps It's important to upgrade the Unidesk components in the order shown here. Upgrade Notes The Unidesk Hyper-V Agent must be upgraded on all Hyper-V servers in your Unidesk environment, and you must do these upgrades manually, as described in Step 2 below. The Unidesk Broker Agent must be upgraded on all broker servers (the XenDesktop Delivery Controller or RD Connection Broker server) in your Unidesk environment, and you must do these upgrades manually, as described in Step 3 below. Some new Unidesk features will not be available until the CachePoint Appliances have all been upgraded. Existing machines that had the Dynamic Memory option turned on before the upgrade process have that option turned off after the upgrade. STEP 1: Download the Unidesk Upgrade ZIP file 1. Download the Unidesk Upgrade ZIP from the Unidesk for Hyper-V Download Center, and unzip the files. 2. Check the Unidesk Management Console Taskbar for any pending Desktop configuration changes, and if there are any waiting to be processed as part of a Maintenance Schedule, override the schedule, as follows: 1. Select the affected Desktops and choose Edit Desktops. 2. In the Maintenance Schedule tab, select As soon as possible. 3. Complete the wizard. 3. Copy the Unidesk for Hyper-V Upgrade ISO image to a directory on the Hyper-V server that hosts the Management Appliance. 1. Copy the upgrade image (unidesk_hyperv_upgrade_3.x.x.iso) from the extracted upgrade package to a directory on the Hyper-V server that hosts the Management Appliance. 2. Use Hyper-V Manager to connect the CD/DVD device to the Unidesk ISO upgrade image (unidesk_hyperv_upgrade_3.x.x.iso.). You can do this by right-clicking the Management Appliance in the HyperV- Manager that runs on the Hyper-V server itself, and choosing Settings. The CD/DVD device must be inserted into the IDE Controller 1, Location Citrix Systems, Inc. All rights reserved. p.27

28 STEP 2: Upgrade the Unidesk Hyper-V Agent On every Hyper-V server where you've installed the Hyper-V Agent, you must upgrade the Unidesk Hyper-V Agent. To do this, you must be logged onto the Hyper-V Server with administrator privileges. 1. Log onto the Hyper-V Server with Administrator privileges. 2. Copy the Hyper-V Agent executable (unidesk_hyperv_agent_installer.exe) from the extracted upgrade package to a directory on the Hyper-V server. 3. Run the Upgrade executable and click through the screens to accept the default settings. 4. Click Finish to exit the wizard. 5. Repeat these steps for all of the installed Unidesk Hyper-V agents. STEP 3: Upgrade the Unidesk for Hyper-V Broker Agent You must be logged onto the broker server (the XenDesktop Delivery Controller or RD Connection Broker server) with administrator privileges. 1. Log onto the broker server (the XenDesktop Delivery Controller or RD Connection Broker server) with administrator privileges. 2. Copy the Unidesk Hyper-V Broker Agent executable (unidesk_hyperv_broker_agent_installer_3.x.x.exe) from the extracted upgrade package to a directory on the server. 3. Run the executable and click through the screens to accept the default settings. This upgrades the broker agent. 4. Click Finish to exit the wizard. 5. Repeat these steps for all of the installed Unidesk Hyper-V Broker agents. STEP 4: Upgrade the Management Appliance 1. In the Unidesk Management Console, select System > Upgrade. 2. In the next Upgrade tab, the CachePoint Appliances will remain deselected. 3. In the Confirm and Complete tab, click Upgrade. The upgrade process closes the current Unidesk Management Console session and starts upgrading the Management Appliance. During the upgrade, the process displays a status page. IMPORTANT! Do not refresh the Web browser before the upgrade completes, or the status page closes and you cannot navigate back to it. 4. After the Management Appliance upgrade completes, refresh the browser and log into the Unidesk Management Console (UMC) again. STEP 5: Upgrade the Master CachePoint Appliance and Secondary CachePoint Appliances This assumes you have upgraded the Unidesk Hyper-V Agent, Unidesk for Hyper-V Broker Agent, and Management Appliance. You'll begin by upgrading the CachePoint Appliance Template, and then upgrade the Master CachePoint Appliance itself. 1. Log into the Hyper-V server that hosts the Management Appliance, and delete the old CachePoint Appliance Template (the one currently selected in the System Settings) from the previous version of Unidesk Citrix Systems, Inc. All rights reserved. p.28

29 2. Copy the new CachePoint Appliance Template (CachePoint_3.x.x.x.unitemplate) to the directory where the previous version of the template is stored. 3. In the Unidesk Management Console select System > Settings and Configuration, and then edit the CachePoint Settings. Select the template that you just imported and click Save. This ensures that new CachePoint Appliances use the new template. 4. In the Unidesk Management Console, select System > Upgrade. 5. In the next Upgrade tab, select the Master CachePoint Appliance and any Secondary CachePoint Appliances. 6. In the Confirm and Complete tab, you can enter a comment that will appear in the Audit log, then click Upgrade. 7. Unmount the CD drive by editing the settings for the MA. Click the DVD drive under IDE 1 and select None. Note: CachePoint Appliances that have not been upgraded will disregard any Dynamic Memory settings. After the CachePoint has been upgraded, the next edit will apply the Dynamic Memory settings Citrix Systems, Inc. All rights reserved. p.29

30 Add Hyper-V hosts to the Unidesk environment Jun 28, 2017 You can add a Hyper-V host to the Unidesk environment, and then configure your CachePoint Appliances to use the new host. If this is a new Unidesk deployment, follow the instructions for Installing Unidesk appliances. Bef ore you start Unidesk requirements Once you have the required hardware in place, please be sure to meet the following detailed requirements before running the Unidesk Installer. Windows Server 2012 R2 system (with Hyper-V Role enabled), or Hyper-V Server 2012 R2 The.NET Framework 4.5 Features selected on the server. Credentials required You need the credentials for the server Administrator. You can either log in as Administrator or as a User with Administrator privileges. Port opened by the Unidesk Installer The Unidesk Installer opens a port on the local server's firewall for the TCP protocol. This port is used for communications between the Hyper-V Agent service and the Unidesk Appliances. By default this is port 8014, but you can change the port number during installation. Use host names in the Unidesk environment You can set up your environment to use host names in addition to IP addresses, so that a change in an IP address will not affect communications between the Management Appliance and its CachePoint Appliances. If you set the host name on your Hyper-V server, Unidesk will automatically use it instead of the IP address. Then the IP address can change without causing any problems, as long as the host name does not change. Similarly if you set a host name for you MA and use it when you register the host (via the Unidesk installer, or manually as described next) then you can change the IP address of the MA without issues, as long as the host name does not change. Add a Hyper-V host Add a new host to the environment You can add a new host to the environment by installing the Unidesk Hyper-V Agent on the server, and registering the host with your Management Appliance. 1. Download the Hyper-V Agent Installer from the Unidesk Hyper-V Download Center onto one of the local drives on your new Hyper-V server. 2. Run the installer and when prompted, enter the host name or IP address of your Management Appliance. This installs the Hyper-V agent on the host, and registers the host with the Management Appliance. 3. If the host is being added to a cluster, the Unidesk Management Appliance must be restarted to recognize the cluster configuration change Citrix Systems, Inc. All rights reserved. p.30

31 Citrix Systems, Inc. All rights reserved. p.31

32 Create Secondary CachePoint Appliances Jun 28, 2017 You can (and should) create one or more Secondary CachePoint Appliances in the Unidesk environment to manage Desktops and store Desktop User data, while the Master CachePoint Appliance maintains the master copy of all Layers in the environment. You can specify a host or cluster for the CachePoint Appliance. As long as there is one host in a cluster with a CachePoint on storage accessible by the whole cluster, you can create Unidesk Desktops on any of the clustered hosts that do not have CachePoints. This minimizes both the storage requirements and the need for more resources, allowing you to create Desktops across multiple hosts using fewer CachePoints. Bef ore you start You must have provisioned a Master CachePoint Appliance as part of the Unidesk installation. About CachePoint properties Allow or prevent new Desktops on a CachePoint Appliance You can allow or prevent a CachePoint Appliance to be used for new Desktops simply by editing the CachePoint Properties and deselecting this check box on the first wizard tab: Allow new Desktops to be deployed to this CachePoint. This feature is good for: Preventing Desktops from being added to the Master CachePoint Appliance, a best practice. Preparing to remove a Secondary CachePoint from the network. Reserving space on a Secondary CachePoint for a future project. Specify storage tiers used for this CachePoint You can choose where to store the images and Layers the CachePoint uses to manage Desktops, including: The Boot Images for Desktops managed by a CachePoint The Layers used by the CachePoint's Desktops Create a Secondary CachePoint Appliance 1. In the Unidesk Management Console, select System > Manage Appliances > Create CachePoint. This opens the Create CachePoint Wizard.. 2. In the Configuration tab specify the VM Name, the name of the CachePoint Appliance, and select the host where you want to create it. 3. Leave the Allow new desktops to be deployed to this CachePoint check box selected, unless you want to prevent new Desktops from being deployed to this CachePoint for reasons described above in Allow or prevent new Desktops on a CachePoint Appliance. 4. In the Storage Tiers tab, specify the locations in the virtual infrastructure where the CachePoint will store its Desktop Boot images and Layers. Select a Boot volume location for the Desktop s being managed by this CachePoint. Select a location for the Application Layers and the CachePoint virtual machine itself. 5. In the Virtual Switch tab, select a virtual switch (network). Specify the VLAN Tag, if needed, and the IP configuration Citrix Systems, Inc. All rights reserved. p.32

33 settings for the CachePoint Appliance. For the IP Configuration, choose DHCP if using a dynamic IP address, or Static if using a Static IP address (Static requires the IP address, gateway, and DNS information). 6. In the Confirm and Complete tab review the settings. If you want, enter a comment for the Audit History. 7. Click Create CachePoint. The Unidesk software begins creating the new CachePoint. You can monitor the progress of this task in the Management Console Tasks area. Change the root password on the new CachePoint Appliance If you are comfortable using Linux, log into the appliance as root (password v9yx*6uj), and enter Linux commands to change the root password. If you are not familiar with the Linux commands for changing the root password, please contact the Unidesk Support team, and they will either walk you through the steps or change it for you Citrix Systems, Inc. All rights reserved. p.33

34 Deploy Unidesk Appliances and Desktops in Clusters Jun 28, 2017 Unidesk supports High Availability and Failover in environments with multiple hosts and clustering. Note: On non-clustered hosts without shared storage, Unidesk does work, but failover and load balancing are not supported, and migrating Virtual Machines is more involved than it will be in the future. Bef ore you start Install the Unidesk Management Appliance and Master CachePoint Appliance Create Secondary CachePoint Appliances Create Desktops Migrate CachePoint Appliances You can migrate Unidesk Virtual Machines to different hosts, but no to different storage, using two kinds of migration that Hyper-V supports: Live migrate moves the Virtual Machine while it s running, and there is no interruption. Quick migrate moves powered down machines. If you choose to quick migrate a running machine, Hyper-V will 'save' and then move them. Note: A Unidesk Move Tool for migrating Virtual Machines to different storage is in development. Unidesk supports migrating the Unidesk Management Appliance or CachePoint Appliance as follows: While the Virtual Machine is powered OFF, you can quick migrate the VM. (recommended) While the Virtual Machine is powered ON: You can Live Migrate idle Appliances, but Unidesk recommends that you migrate while the machine is powered OFF. You cannot move Appliances that are running jobs You cannot quick migrate a VM that is in a saved or paused state, as it causes jobs on that VM to fail for several minutes after the migrate happens, and any jobs in progress will probably fail The preferred method of migrating VMs is to power down the machine, and migrate it using Hyper-V Quick Migrate. Configure load balancing For best results, configure Unidesk load balancing as follows: Configure each CachePoint to prefer only one host (the host it was originally deployed on). You can set the CachePoint s Possible Host to any reasonable choice. Desktops can be configured as you please, as long as your load balancing software does not migrate powered down Desktops (most do not). Configure failover of Unidesk Virtual Machines In this release, you'll need to manually configure failover of Unidesk Virtual Machines, including the Management Appliance, Master CachePoint Appliance, Secondary Appliances, and Desktops. WARNING: The MA should have a static IP address and/or a static mac, while the CachePoint Appliances can have Dynamic Citrix Systems, Inc. All rights reserved. p.34

35 IP addresses. To configure Failover: 1. Set up Hyper-V Roles for any Unidesk VM you want to fail over, whether it's an appliance, Installation Machine, or Desktop. 2. Configure a CachePoint Appliance on each host where you want to deploy Desktops. A host isn't eligible to get Desktops until a CP has been deployed to it. 3. (Recommended) Set CachePoint Appliances to Low priority for failover, so that Desktops failover first. 4. Your Gold Image VM(s) can be stored in one of two locations so that they can be accessed by Unidesk in the event of a failover: (Recommended) On the cluster shared storage. On local storage on the host for the Master CachePoint Appliance. On network storage. For network settings, configure your networks according to the Hyper-V requirements for a failover-capable cluster. For storage, you must use cluster shared volumes or network storage. Unidesk uses constant file system paths to VHDX files when VMs move from host to host. For memory, Desktops that are failing over from a failed host cannot boot on a new host unless there is enough free memory. You must take that into consideration when planning resources for your cluster. Notes on Cluster Configuration Changes If you add or remove hosts from a cluster, the MA must be restarted before Unidesk will recognize these changes. This is necessary if hosts are added or removed, but it is not required for other changes such as: Storage (including Cluster Shared Volumes) is added or removed The host is powered off or on CachePoints or Desktops are migrated between hosts Until the MA is restarted you will see the following behavior: If a new host has been added to the cluster, the new host will be listed under the cluster when you are selecting a host in the Desktop Create Wizard, but the new host may be marked "Unavailable" with a tool tip that says "There are no CachePoint Appliances that are capable of using this host for machine deployment" if there are no CachePoints on that host. You will not be able to select that host in the Create Desktop Wizard. If you select the cluster, that host will not be used and Desktops will only be deployed to the other hosts in the cluster. If a host has been removed from the cluster, the host does not display in the cluster. If you attempt to create a Desktop on that host or on the original cluster, the Desktop creation task may fail with the following error: "Could not find a CachePoint with storage locations accessible by the selected host." Citrix Systems, Inc. All rights reserved. p.35

36 OS Layer Jun 28, 2017 About the Operating System Layer What is the Unidesk Operating System Layer The Unidesk Operating System Layer contains the Windows Operating System that will be deployed to your virtual Unidesk Machines (Desktops or Session Hosts). Once created, you can use this gold image to build thousands of Desktops and Session Hosts. This Operating System Layer includes a gold image, a virtual machine in your infrastructure running the Unidesk-supported Windows Operating System that you want to use for your Unidesk Machines, whether they are Desktops or Session Hosts. It is best to use a freshly installed gold image. What you need to create the Unidesk Operating System Layer To build the Operating System Layer, you'll need to: Freshly install the gold image - A virtual machine in your infrastructure running the supported Windows Operating System version that you want to use for your Unidesk Machines (Desktops or Session Hosts). It is best to use a freshly installed gold image. Prepare the gold image for the Unidesk environment, so you can use it to create your Operating System Layer. Prepare the Gold Image Windows 10 gold image Steps: Prepare the Windows 10 Gold Image Windows 8.1 gold image Steps: Prepare the Windows 8.1 Gold Image Prepare a Windows 7 gold image Steps: Prepare the Windows 7 Gold Image Prepare a Windows Server 2012 R2 Gold Image Steps: Prepare a Windows Server 2012 R2 gold image Prepare a Windows Server 2008 R2 Gold Image Steps: Prepare a Windows Server 2008 R2 gold image Citrix Systems, Inc. All rights reserved. p.36

37 Create your Operating System Layer Next, you'll import your gold image into a new Operating System Layer. Import your gold image into a new Operating System Layer Citrix Systems, Inc. All rights reserved. p.37

38 Prepare the Gold Image Jun 28, 2017 About the gold image About preparing the gold image The gold image is a clean install of a supported Windows Operating System that you want to use on your Unidesk Machines (Desktops or Session Hosts). To prepare the gold image, you will install it on a virtual machine whose disk is accessible by the Unidesk Management Appliance. Then use Unidesk tools to both create a Windows answer file for unattended installation on new Unidesk Machines, and to optimize the image for use in Unidesk. Once you have prepared the gold image, you will use the Unidesk Management Console to import it into a new Operating System Layer. This topic explains how to prepare a gold image for the Unidesk environment, including how to: Set up a gold image on a virtual machine. Install the Unidesk Gold Tools on the image. This includes the Unidesk Unattend Builder and the Unidesk Optimization Script. Create an answer file for unattended operating system setup, using the Unidesk Unattend Builder. Optimize the operating system for the Unidesk environment, using the Optimization script. CAUTION: Using Third-party optimization scripts can have adverse effects in Unidesk, because they can change services and features that Unidesk uses, for example, Universal Plug and Play and the 8.3 file names setting. For Windows 2012, this also includes steps to: Configure the OS as either a desktop operating system, or a session host. Install the Citrix XenApp Broker Agent, if you plan to use XenApp to manage sessions. Before you start Prerequisites Make sure that the disk for the VM where you install the gold image is accessible by the Unidesk Management Appliance. You can enable domain join in the answer file, for unattended operating system setup on each Desktop. You can only have one network device in your gold image. Any applications that are account bound, such as Microsoft One Drive, should not be installed on the gold image Citrix Systems, Inc. All rights reserved. p.38

39 The gold image should not be in a domain The gold image should get its IP address from DHCP If you are using a language other than US-English, please see this article on how to add the required nls files to the boot image. Prepare a Gold Image Choose the operating system you are using for the gold image: Prepare a Windows 8.1, Windows 7, or Windows 10 gold image (Desktop) STEP 1: Set up a Windows gold image on a virtual machine In the Hyper-V client: 1. Create a new Generation 1 virtual machine. 2. Configure memory and networking. 3. Note: You can have just one network device in your gold image. 4. Configure a virtual hard disk that is large enough for a Windows operating system installation, and make sure it is accessible by the Unidesk Management Appliance. 5. Install the desktop operating system that you wish to use on the virtual machine. 6. Install the Hyper-V Integration Services in this virtual machine, using the Microsoft Windows Integration Services Setup Disk. (This is not necessary on Windows 8.1 or Windows 10, because these systems include those services.) This virtual machine is your gold image STEP 2: Copy the Unidesk Tools onto the gold image 1. Copy the unidesk_win_gold_image_tools_3.4.x.exe file onto the gold image. You can find these tools in the Unidesk Installer download, or in the Unidesk for Hyper-V Download Center. 2. Double-click the unidesk_win_gold_image_tools_3.4.x.exe to self-extract it to c:\windows\setup\scripts. STEP 3: Create an answer file for unattended installation on Unidesk Desktops Citrix Systems, Inc. All rights reserved. p.39

40 1. In the c:\windows\setup\scripts folder, right-click the unattend.exe tool and choose Run as administrator. The unattend builder form opens. 2. Complete the unattend form. Product key activation For KMS activation, select KMS Server. For KMS with a Multiple Activation Key (MAK), select KMS with MAK and enter the MAK. For Retail Licensing with a MAK, select Retail with MAK, and the MAK. Domain Join Select Enable if you want to configure the unattend.xml file to join Desktops to a specific domain. If you plan to use AD join scripts, ensure Enable is not selected. You can add Desktops to the Computer's container in Active Directory by deleting the OU entry. However, we recommend that you use an alternate OU for Unidesk Desktops, both to segregate the Desktop from other machines and to avoid applying virtual Desktop-specific GPOs to other types of machines. If you are supporting multiple OUs within one or more domains, you can join machines in different Domains or OUs by creating different unattend.xml files in different application layers. Local Administrator account You can enable the Administrator account on each Unidesk Desktop by selecting Enable. Remember to also enable this account in your gold image or Operating System Layer version. You can also enable the Administrator account for your gold image and then have it disabled in the deployed Desktops by clearing the check box. If you want to add an alternate Administrator account, select Enable and enter the account information. This account cannot be preconfigured in the gold image. You can create a Desktop where the Administrator is disabled and the alternate administrator is created and enabled. However for this to work, the Administrator account must be enabled in the gold image and it cannot be renamed. Time Zone If your time zone is not listed, you can add it to the Other box. Be sure to use the time zone, not the display setting. Disabling automatic activation Select this option if you plan to use the Microsoft Volume Activation Management Tool. 3. Click Save File. STEP 4: Optimize the gold image for the Unidesk environment 1. In the c:\windows\setup\scripts folder, right-click the Optimize64.exe tool and choose Run as administrator. This creates a.cmd file (optimizations.cmd) that will be run during Desktop creation to optimize the image. 2. Follow the instructions to run the optimizations.cmd file on the gold image. This removes installation-specific drivers and Citrix Systems, Inc. All rights reserved. p.40

41 settings. If you are using the Unidesk Optimizer script and you are enabling the View Persona feature, you must go to the section of the Optimizer script called Disable Unnecessary Services to Save Memory and CPU, deselect the option to Disable Of f line File Service, and click Save File. This is because View Persona folder redirection requires Offline files to be enabled, and by default, the Unidesk Optimizer turns off Offline files, which are not a requirement for Unidesk. STEP 5: Create a backup copy of the gold image Once the gold image is ready, create a copy of it so you can return to this state at any time. Important: It is critical to create a backup copy (checkpoint) before installing the Unidesk software onto the gold image. Without this backup copy, returning to this state requires rebuilding the image. STEP 6: Install the Unidesk software onto the gold image 1. Run setup_x64.exe from c:\windows\setup\scripts. Once this is done, you are ready to create a Unidesk Operating System Layer. STEP 7: Run NGen About Microsoft NGen operations NGen is the Microsoft "Native Image Generator". It is part of the.net system, and basically re-compiles.net byte code into native images and constructs the registry entries to manage them. Windows will decide when to run NGen, based on what is being installed and what Windows detects in the configuration. When NGen is running, you must let it complete. An interrupted NGen operation can leave you with non-functioning.net assemblies or other problems in the.net system. Force an NGen operation to the foreground Normally, NGen is a background operation and will pause if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible. 1. Open a command prompt as Administrator. 2. Go to the Microsoft.NET Framework directory for the version currently in use: cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX 3. Enter the NGen command to execute the queued items: ngen update /force This brings the NGen task to the foreground in the command prompt, and lists the assemblies being compiled Citrix Systems, Inc. All rights reserved. p.41

42 4. Ensure that all NGen processes have run to completion. Optionally, you can now shut down the Gold Image VM. Once you have completed these steps, you are ready to create a Unidesk Operating System Layer. Windows 8.1 deployment tips Improving Windows 8.1 login times If you want to speed up login times for Windows 8.1 Desktops, you can disable some of the more costly and less necessary GUI actions. Turn off new user arrows You can turn off new user arrows, by making the following Registry edits: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EdgeUI DisableHelpSticker DWORD 0 = Enable help tips 1 = Disable help tips Deploying applications on Windows 8.1 Windows 10 deployment tips Removing Windows 10 built-in Applications When preparing the gold image for import into a Unidesk Operating System Layer, you can remove Windows 10 applications. If you do, we recommend removing these applications either on the gold image itself, or on the Operating System Layer. For the steps to remove Windows 10 Applications, click here. Prepare a Windows 2012 R2 gold image (Desktops) Use these steps to prepare a gold image for Desktops that will run in the Unidesk environment. Note: Unidesk Desktops are supported on Windows Server 2012 R2, but not on Windows 2008 R2. STEP 1: Set up a Windows Server 2012 R2 gold image on a virtual machine In the Hyper-V client: 1. Create a new Generation 1 virtual machine. 2. Configure memory and networking, for example, the NIC and video memory Citrix Systems, Inc. All rights reserved. p.42

43 Note: You can have just one network device in your gold image. 3. Configure a virtual hard disk that is large enough for a Windows operating system installation, and make sure it is accessible by the Unidesk Management Appliance. 4. Install the operating system and patches to bring it up-to-date. 5. Install the Hyper-V Integration Services in this virtual machine, using the Microsoft Windows Integration Services Setup Disk. STEP 2: Configure Windows Server as a desktop operating system (f or Desktops) Use this section as a guide to configuring Windows Server 2012 R2 as a desktop operating system for your users. This section is not required. It is included for your convenience. Disable Shutdown event tracker The shutdown event tracker asks for the reason the system is being shut down before it allows the shutdown to continue. To disable this feature, follow these steps. Important: You must run the Group Policy Editor as Administrator, or it will appear as if the values are being changed, but the Desktops will remain the s 1. Run the group policy editor as Administrator. 1. Click Start. 2. Type gpedit.msc in the Search box. 3. Right-click gpedit.msc and choose Run as Administrator. Running the editor this way ensures that you are running it as Administrator. 2. Browse to Computer Configuration /Administrative Templates/System. 3. Scroll down to, then double-click Display Shutdown Event Tracker. 4. Select Disabled and click OK. Stop Server Manager from running automatically at logon 1. Run the group policy editor as Administrator. 1. Click Start. 2. Type gpedit.msc in the Search box. 3. Right-click gpedit.msc and choose Run as Administrator. Running the editor this way ensures that you are running it as Administrator. 2. Browse to Local Computer Policy/Computer Configuration/Administrative Templates/System/Server Manager Citrix Systems, Inc. All rights reserved. p.43

44 3. Scroll down to, then double-click Do not display Server Manager automatically at logon. 4. Select Enabled and click OK Grant users shutdown rights By default, only administrators will have the right to shut down or restart the machine. By following the steps below, other users and/or groups can be granted the right to shut down the machine. Important: You must run the Group Policy Editor as Administrator, or it will appear as if the values are being changed, but the Desktops will remain the same. 1. Run the group policy editor as Administrator. 1. Click Start. 2. Type gpedit.msc in the Search box. 3. Right-click gpedit.msc and choose Run as Administrator. Running the editor this way ensures that you are running it as Administrator. 2. Browse to Computer Configuration /Windows Settings/Security Settings/Local Policies/User Rights Assignment. 3. Double click Shut down the system. 4. Click Add User or Group. 5. Click Object Types. 6. Select Groups. 7. Click OK in the Object Types dialog. 8. Type Users for the object name. 9. Click OK in the Select Users or Groups dialog. 10. Click OK in the Shut down the system Properties dialog. Change the function of the Power button on the Start menu By default, the Power button on the start menu is set to Log Off. If you would like a different setting for the desktops, follow the steps below to change it. Important: You must run the Group Policy Editor as Administrator, or it will appear as if the values are being changed, but the Desktops will remain the same Citrix Systems, Inc. All rights reserved. p.44

45 Group Policy method This method sets the button for all users and does not let individual users override the setting. 1. Run the group policy editor as Administrator. 1. Click Start. 2. Type gpedit.msc in the Search box. 3. Right-click gpedit.msc and choose Run as Administrator Running the editor this way ensures that you are running it as Administrator. 2. Browse to User Configuration /Administrative Templates/Start Menu and Taskbar. 3. Double click Change Start Menu Power Button. 4. Change the setting to Enabled. 5. Select which option to display on the start menu and click OK. Copy Profile method This method will set the button for all users and allow individual users to override the setting. This will only work if copy profile is selected when creating the unattend file. 1. Right click on the task bar and select properties. 2. Click the Start Menu tab. 3. Select the desired Power button action in the drop down. 4. Click OK. Disable IE Enhanced Security configuration The IE Enhanced Security feature severely limits what can be done with IE with sites that are not part of the trusted sites zone. To disable this feature, follow the steps below. 1. Open the Server Manager (right-click This PC on the start menu and select Manage). 2. Choose Local Server. 3. In the Properties panel, scroll to the right to find IE Enhanced Security Conf iguration. 4. Select Of f for both Administrators and Users. 5. Click OK. Note that the Properties panel refreshes slowly, so the change may not be visible immediately Citrix Systems, Inc. All rights reserved. p.45

46 Install.Net 3.5 f eature The.Net feature is installed by default on workstation operating systems, but not on Windows Server 2012 R2. It is a software framework provided by Microsoft that is required for many 3rd party applications to run. To install this feature, follow the steps below. 1. On the Start menu, right-click This PC, and select Manage. 2. Select Add Roles and Features. If this opens the Bef ore you begin page, select Next. 3. Select Role-based or f eature-based installation, then select Next. If not already selected, select the correct local server from the server pool. 4. In the right panel, select Features. 5. Click Add Features. 6. Expand.NET Framework 3.5 Features. 7. Check.NET Framework Click Next. 9. Click Install. 10. When the installation is done, click Close. Install Desktop Experience Feature The Desktop Experience feature includes several options that are installed by default on workstation operating systems. These features include, among others, Themes, audio and video support, Windows Media player, and phone management. Use these steps to install the Desktop Experience feature. Installation Here's how to install the Desktop Experience feature. 1. Open the Server Manager (right-click This PC on the start menu and select Manage). 2. In the left panel select Features. 3. In the right panel, click Add Features. 4. Scroll down the Features list to User Interf aces and Inf rastructure (2 of 3 installed), and expand that entry Citrix Systems, Inc. All rights reserved. p.46

47 5. Check Desktop Experience. 6. If you are prompted to add features that are required by the Desktop Experience feature, click Add Required Features. 7. Click Next, and then Install. 8. When the installation is done, click Close. 9. Restart when prompted. Enable themes The following steps describe how to enable themes after the Desktop Experience feature is installed. 1. Click Start > Control Panel > Administrative Tools > Services. 2. Double click the Themes service. 3. Set Startup type to Automatic. 4. Click OK. Assign default theme It is possible to assign the default theme for new users by performing the following steps. Individual users will be able to override the default theme. Important: You must run the Group Policy Editor as Administrator, or it will appear as if the values are being changed, but the Desktops will remain the same. 1. Run the group policy editor as Administrator. 1. Click Start. 2. Type gpedit.msc in the Search box. 3. Right-click gpedit.msc and choose Run as Administrator. Starting the editor this way ensures that you are running it as Administrator. 2. Browse to User Configuration /Administrative Templates/Control Panel/Personalization. 3. Double click Load a specif ic theme. 4. Select Enabled. 5. Enter the path to the theme file. %windir%\resources\themes\aero.theme is the path to the aero theme. More themes can be downloaded from the Microsoft website Citrix Systems, Inc. All rights reserved. p.47

48 6. Click OK. Install Windows Search service The Windows Search service is not installed by default in Windows Server Microsoft Outlook depends on this service for searching s. To install this service, follow the steps below. 1. Open the Server Manager (right-click This PC on the start menu and select Manage). 2. In the left panel select Features. 3. In the right panel, click Add Features. 4. In the Features list, scroll down to Windows Search Service, and select it. 5. Click Install on the Confirmation page. 6. Once the installation has completed, click Close. Enable audio By default, audio is not enabled. To enable audio, follow the steps below. 1. Click Start > Control Panel > Administrative Tools > Services. 2. Double click the Windows Audio service. 3. Set Startup type to Automatic. 4. Click OK. Adjust perf ormance f or programs By default, the operating system is optimized to run background services rather than user programs. To change this, follow the steps below. 1. On the Start menu, right click This PC and select Properties. 2. Click Advanced system settings in the left pane. 3. Click the Settings button in the Performance section. 4. Click the Advanced tab Citrix Systems, Inc. All rights reserved. p.48

49 5. Select Programs. 6. Click OK. STEP 3: Mount or copy the Unidesk Tools onto the gold image 1. Mount the Unidesk_Gold_Image_Tools ISO or copy the Unidesk_Gold_Image_Tools ZIP file onto the gold image. You can find these tools in the Unidesk Installer download. 2. Open the ISO or extract the ZIP. 3. In the extracted Unidesk_Gold_Image_Tools_x.x.x folder, extract Unidesk_Windows_Gold_Image_Tools.zip to c:\windows\setup\scripts. STEP 4: Create an answer file for unattended installation on Unidesk desktops 1. In the c:\windows\setup\scripts folder, right-click the unattend.exe tool and choose Run as administrator. The unattend builder form opens. 2. Complete the unattend form 1. Product key activation a. For KMS activation, select KMS Server. b. For KMS with a Multiple Activation Key (MAK), select KMS with MAK and enter the MAK c. For Retail Licensing with a MAK, select Retail with MAK, and the MAK. 2. Domain Join a. Select Enable if you want to configure the unattend.xml file to join desktops to a specific domain. If you plan to use AD join scripts, ensure Enable is not selected. b. You can add desktops to the Computer's container in Active Directory by deleting the OU entry. However, we recommend that you use an alternate OU for Unidesk desktops, both to segregate the desktop from other machines and to avoid applying virtual desktop-specific GPOs to other types of machines. c. If you are supporting multiple OUs within one or more domains, you can join machines in different Domains or OUs by creating different unattend.xml files in different application layers. d. For information about domain join scripts,see the following Support articles: Debugging Domain Join Problems 3. Local Administrator account Citrix Systems, Inc. All rights reserved. p.49

50 a. If you want to use the unattend.xml file to enable the Administrator account on each Unidesk desktop, select Enable. Remember to also enable this account in your gold image or Operating System Layer revision. It is possible to enable the Administrator account for your gold image and then have it disabled in the deployed desktops by clearing the check box. b. If you want to add an alternate Administrator account, select Enable and enter the account information. This account cannot be pre-configured in the gold image. c. You can create a desktop where the Administrator is disabled and the alternate administrator is created and enabled. However for this to work, the Administrator account must be enabled in the gold image and it cannot be renamed. 4. Time zone a. Select the time zone. If your time zone is not listed, you can add it to the Other box. Be sure to use the time zone, not the display setting. A list of time zone settings can be found here. 5. Disabling automatic activatio a. Select this option if you plan to use the Microsoft Volume Activation Management Tool. 3. Click Save File STEP 5: Optimize the gold image for the Unidesk environment 1. In the c:\windows\setup\scripts folder, run the Optimize executable to create a.cmd file (optimization.cmd) that will be run to optimize the image during desktop creation. STEP 6: Create a checkpoint of the gold image Once the gold image is ready, create a Hyper-V checkpoint of it, so that you can return to this state at any time. Important: It is critical to create a checkpoint before installing the Unidesk software onto the gold image. Without this checkpoint, returning to this state requires rebuilding the image. STEP 7: Install the Unidesk tools onto the gold image 1. In the c:\windows\setup\scripts folder, run the Unidesk setup_x64.exe (64-bit). 2. The installation prompts for the location of the Management Appliance IP address and the location of the unattend.xml file (the default location is c:\windows\panther). Once this is done, you are ready to create a Unidesk Operating System Layer Citrix Systems, Inc. All rights reserved. p.50

51 Prepare a Windows 2012 R2 or Windows 2008 R2 gold image (Session Host) Use these steps to prepare a gold image for Session Hosts that will run in the Unidesk environment. If you are building Desktops rather than Session Hosts, see the previous steps to Prepare a Windows 2012 R2 gold image (Desktop). Note: Unidesk Desktops are not yet supported on Windows Server STEP 1: Set up a Windows Server gold image on a virtual machine In the Hyper-V client: 1. Create a new Generation 1 virtual machine. 2. Configure memory and networking, for example, the NIC and video memory. Note: You can have just one network device in your gold image. 3. Configure a virtual hard disk that is large enough for a Windows operating system installation, and make sure it is accessible by the Unidesk Management Appliance. 4. Install Windows Server 2012 R2, and patches to bring it to the most current. Note: The machine is not joined to the domain. 5. Install the Hyper-V Integration Services in this virtual machine, using the Microsoft Windows Integration Services Setup Disk. STEP 2: Add the RD Session Host Role Using Server Manager, add the RD Session Host Role to the machine. IMPORTANT: This should be done as a Role-based or Feature-based installation, not as a Remote Desktop Services installation. 1. In the Hyper-V Server Manager, select Add roles and f eatures. 2. For the Installation Type, select Role-based or Feature-based installation. 3. For the Server Role, select Remote Desktop Services > Remote Desktop Session Host (Installed). 4. Complete the process of adding the Server Roles. STEP 3: Copy the Unidesk Tools onto the gold image 1. Copy the Unidesk_Gold_Image_Tools RAR file onto the gold image. You can find these tools in the Unidesk Installer download Citrix Systems, Inc. All rights reserved. p.51

52 2. Run the RAR file. This copies the tools to the C:windows\setup\scripts directory. STEP 4: Create an answer file for unattended installation on Unidesk desktops 1. In the c:\windows\setup\scripts folder, right-click the unattend.exe tool and choose Run as administrator. The unattend builder form opens. 2. Complete the unattend form 1. Product key activation a. For KMS activation, select KMS Server. b. For KMS with a Multiple Activation Key (MAK), select KMS with MAK and enter the MAK c. For Retail Licensing with a MAK, select Retail with MAK, and the MAK. 2. Domain Join a. Select Enable if you want to configure the unattend.xml file to join desktops to a specific domain. If you plan to use AD join scripts, ensure Enable is not selected. b. You can add Session Hosts to the Computer's container in Active Directory by deleting the OU entry. However, we recommend that you use an alternate OU for Unidesk Session Hosts, both to segregate the Session Host from other machines and to avoid applying specific GPOs for Session Hosts to other types of machines. c. If you are supporting multiple OUs within one or more domains, you can join machines in different Domains or OUs by creating different unattend.xml files in different application layers. d. For information about domain join scripts,see the following Support articles: Debugging Domain Join Problems 3. Local Administrator account a. If you want to use the unattend.xml file to enable the Administrator account on each Unidesk desktop, select Enable. Remember to also enable this account in your gold image or Operating System Layer revision. It is possible to enable the Administrator account for your gold image and then have it disabled in the deployed desktops by clearing the check box. b. If you want to add an alternate Administrator account, select Enable and enter the account information. This account cannot be pre-configured in the gold image. c. You can create a desktop where the Administrator is disabled and the alternate administrator is created and enabled. However for this to work, the Administrator account must be enabled in the gold image and it cannot be renamed Citrix Systems, Inc. All rights reserved. p.52

53 4. Time zone a. Select the time zone. If your time zone is not listed, you can add it to the Other box. Be sure to use the time zone, not the display setting. A list of time zone settings can be found here. 5. Disabling automatic activatio a. Select this option if you plan to use the Microsoft Volume Activation Management Tool. 3. Click Save File STEP 5: Optimize the gold image for the Unidesk environment 1. In the c:\windows\setup\scripts folder, run the Optimize executable to create a.cmd file (optimization.cmd) that will be run to optimize the image during Session Host creation. STEP 6: Create a checkpoint of the gold image Once the gold image is ready, create a Hyper-V checkpoint of it, so that you can return to this state at any time. Important: It is critical to create a checkpoint before installing the Unidesk software onto the gold image. Without this checkpoint, returning to this state requires rebuilding the image. STEP 7: Install the Unidesk tools onto the gold image 1. In the c:\windows\setup\scripts folder, run the Unidesk setup_x64.exe (64-bit). 2. The installation prompts for the location of the Management Appliance IP address and the location of the unattend.xml file (the default location is c:\windows\panther). Once this is done, you are ready to create a Unidesk Operating System Layer Citrix Systems, Inc. All rights reserved. p.53

54 Create the OS Layer Jun 28, 2017 An Operating System Layer includes the software and settings for the operating system that you deploy to Unidesk Machines (Desktops or Session Hosts). Once you have prepared the gold image for deploying to your Unidesk Machines, you can create a Unidesk Operating System Layer by importing the gold into a new Layer. Bef ore you start The disk for the VM where the gold image is installed must be accessible by the Unidesk Management Appliance. The gold image must not be in the domain. Import the gold image onto a Unidesk Operating System Layer 1. Apply all Windows updates to the image, so that it is at the most current Microsoft patch level. 2. In the Unidesk Management Console, select Layers > OS Layers. 3. Click Create OS Layer. This opens a wizard. 4. Layer Details tab: Layer Name - Enter a name for the Layer, for example, Win81_64gold. Version - You can create many versions of the Operating System Layer, for example, to add updates from Microsoft. Name this version (the date can be useful). Gold Image - Select the gold image you've prepared for your Unidesk Machines from the list of images on your Management Appliance. 5. Icon Assignment tab - Choose an icon for this Layer. 6. Confirm and Complete tab - Verify your settings and click Create Layer. Creating a Windows Operating System Layer can take up to minutes to complete. You can then create a Unidesk Machine to verify that the Layer works as intended Citrix Systems, Inc. All rights reserved. p.54

55 Create Unidesk Collections Jun 28, 2017 Unidesk Collections are containers for organizing Unidesk machines. Each Collection is intended for either Desktops or Session Hosts, not both. You'll need to create a Collection before you can create either a Desktop or a Session Host. To get started, choose the type of Collection you're creating: Get started creating a Collection for Desktops Get started creating a Collection for Session Hosts Citrix Systems, Inc. All rights reserved. p.55

56 Collections for Desktops Jun 28, 2017 Unidesk Collections are containers for organizing Session Hosts or Desktops. You'll need to create a Desktop Collection before you can create your first Desktop. A Collection is where you specify the Operating System Layer to use for your Desktops. With Desktop Collections, you'll also specify the connection broker (if you have integrated with one of the Unidesk-supported brokers). Once integrated with a broker, your Desktop Collections will mirror the groupings already established in the broker, so you should integrate with a broker before setting up any Desktop Collections. If you're using a supported desktop connection broker, like the Remote Desktop Connection Broker (RDCB) or Citrix XenDesktop, you'll start by integrating with the broker, so that when you create Unidesk Collections they'll mirror the groupings used by your broker Citrix Systems, Inc. All rights reserved. p.56

57 Integrate with Microsoft Remote Desktop Connection Broker Jun 28, 2017 To simplify Desktop management, Unidesk supports full integration with selected virtualization connection brokers, including supported versions of Microsoft Remote Desktop Connection Broker (RDCB). Once you set RDCB as the broker for Unidesk Collections, any Desktops you create in the Collection are assigned to Desktop groupings in the broker that mirror the Unidesk Collections. Install or upgrade the Unidesk Broker Agent The first step to integrate Unidesk with RDCB is to install the UnideskBroker Agent on the connection broker server. The first step to integrate Unidesk with RDCB is to install the UnideskBroker Agent on the connection broker server. Privileges required Ensure you have access to an account with administrator privileges on the connection broker server. Roles required Remote Desktop Services must be configured as prescribed by Microsoft. The Virtualization Host role for RDS must be enabled on every server that hosts Unidesk Desktops. When setting up a High Availability connection broker, install the Unidesk Broker Agent on each of the connection broker servers. To inst all or upgrade t he Unidesk Broker Agent 1. Log into the connection broker server by using an account with administrator privileges. 2. Download the unidesk_hyperv_broker_agent_setup_3.3.0.exe file from the Unidesk Download Center to a convenient location on the server. 3. Double click unidesk_hyperv_broker_agent_setup_3.3.0.exe, and when prompted, enter the location where you want to install the Unidesk Broker Agent. The default is C:\Program Files (x86)\unidesk Corporation\Unidesk Connection Broker Agent\. 4. Set the communications port number by either accepting the default (8015) or by specifying a different port for the Unidesk Broker Agent. 5. Click Finish to exit the wizard. If you need to change the port number later. (needs a link) Citrix Systems, Inc. All rights reserved. p.57

58 Integrate with Microsoft Remote Desktop Connection Broker (RDCB) If more than one broker server is set up for High Availability, determine which is the current active management server. 1. Log onto the Hyper-V host. 2. Open Server Manager, and select Remot e Deskt op Services on the left. 3. Note the server listed under Deployment Overview. This is the current active management server, required for the following procedure. Integrating with the Remote Desktop Connection Broker (RDCB), enables Unidesk to: Create RDCB Virtual Desktop Collections. Add Unidesk Desktops to the RDCB Collections. Note RDCB allows one Desktop per user in a Collection. You can integrate with RDCB by configuring the Unidesk broker agent connection settings in the Unidesk Management Console. 1. In the Unidesk Management Console (UMC), select Syst em > Set t ings and Conf igurat ion. 2. Scroll to Broker Set t ings and then click Add. 3. For Broker Set t ings, type the broker server information. If you have a High Availability broker setup, type the information for the active management server (determined by using the steps in the previous section): * Broker Name * Broker Description *Broker Address * Broker Port (suggested port number is 8015) 4. Click T est Connect ion to ensure that Unidesk can communicate with the broker. 5. Once the connection is validated, click Apply. 6. Save this new broker by entering a comment, if needed, and then click Save. If the active management broker server fails If the active management server fails, users can still connect to Desktops through RDWeb, and Unidesk's scheduled maintenance of those Desktops continues. However, you cannot create new Desktops or edit Collection entitlements until Citrix Systems, Inc. All rights reserved. p.58

59 the broker settings in the Unidesk Management Console are updated with the new active management server. To update the RD connection broker settings, you can wait for RDS to detect that the server has gone down and change the active management server, which may take several minutes. Or, you can manually change the active management server. If you don't want to wait for RDS to detect that the server failed and change to the active management server, you can change the active RD Connection broker server as follows. 1. Log into the Hyper-V host. 2. Open Server Manager and select Remot e Deskt op Services on the left. 3. Choose a new server from the list and then click the Set Act ive button. When there is a new active management server, connect to the Unidesk Management Appliance and update the server information. 1. Log into the Unidesk Management Console (UMC). 2. Click the Syst em tab and then the Set t ing and Conf igurat ion tab. 3. Click Edit next to the Broker Set t ings section. 4. Select the broker server from the list and click the Modif y button. 5. Update the Broker Address to the FQDN of the new active management server and click Apply. 6. Click Save to commit the change Citrix Systems, Inc. All rights reserved. p.59

60 Integrate with XenDesktop Jun 28, 2017 You can integrate Unidesk for Hyper-V with Citrix XenDesktop, so that your Unidesk Collections specify that you want new Desktops to belong to a XenDesktop group. This article lays out what you need to integrate with XenDesktop, and explains the steps in detail. Requirements to integrate Unidesk for Hyper-V with XenDesktop What you need to integrate with Citrix XenDesktop Hyper-V servers in an SCVMM environment For users to access Unidesk Desktops hosted on Hyper-V servers via XenDesktop, the HyperV servers must be part of a Microsoft System Center 2012 Virtual Machine Manager (SCVMM) environment. Not e: If you do not have an SCVMM environment, Microsoft provides a downloadable appliance in the form of a VHD (Virtual Hard Disk) file for evaluation purposes. This VHD may be deployed as a virtual machine on any HyperV server. You may also install the SCVMM software directly on any Windows Server 2012 system (physical or virtual) in your environment. Cit rix XenDeskt op Sit e XenDesktop Desktop Site must have the following software installed and configured: A supported version of the Citrix XenDesktop software and Citrix Studio, Delivery Controller(s), Citrix License Server, and Citrix StoreFront. The XenDesktop Site, Hyper-V Servers, and SCVMM Console(s) must all be in the same domain. Windows PowerShell 4.0 must be installed on the Citrix XenDesktop host, and the PowerShell execution policies must be set to either Unrestricted or Bypass. You can set this by running the PowerShell script set-executionpolicy unrestricted. You must run this script as a user with local admin rights on the server. You must have access to an account with administrator privileges. Firewall Port open for t he Unidesk Broker Agent A port in your firewall is opened by the Unidesk Broker Agent installer. By default, the broker agent uses Port You can change this port in the Unidesk Management Console by selecting System > Settings and Configuration > Broker Settings, and then editing the broker. Unidesk Layer Unidesk Unidesk Operating System Layer on which to install the agent. You can install the agent on: The Operating System Layer, or on a new Version of the Layer. An Application Layer or Layer version, unless you are integrating XenDesktop with App-V. If Microsoft.NET Framework 4 is not yet installed, it must be installed before you install the XenDesktop agent on this Layer. You must have Admin privs on the server that is running the Cirtix XenDesktop Delivery Controller. This requires editing the service. This is required for the Agent. Integrate with XenDesktop Citrix Systems, Inc. All rights reserved. p.60

61 Once installed on your XenDesktop Controllers, the Unidesk Broker Agent lets you add Unidesk Desktops to XenDesktop groups by creating Unidesk Collections and Desktops. To install or upgrade the Unidesk Broker Agent: 1. Determine which port to use for communication between Unidesk and XenDesktop. By default, the installer configures the Broker Agent to use port 8015, but you can choose a different port. Not e: If you select a different port during installation, you must also edit the port in the Unidesk Management Console, using Syst em > Set t ings and Configurat ion > Broker Set t ings. 2. Log into the XenDesktop host using an account that has full administrator privileges on the XenDesktop Controller.(The user must be a member of fulladministrators Role in Citrix.) 3. Download the Unidesk Broker Agent setup file from the Unidesk for Hyper-V Download page. 4. Run the Broker Setup, unidesk_hyperv_broker_agent_installer_3.3.0.exe. 5. Click Finish to exit the wizard. 6. Make sure that the logon user for the Unidesk Broker Agent is in the administrators group on the DDC and in the XenDesktop Administrators in Desktop Studio as a Full Administrator. Give t he Unidesk Broker Agent access t o t he XenDeskt op service Using the Windows Administration Tools, make sure that the Unidesk Service running as Domain User is both an Administrator for Citrix and a Local Administrator on the machine. Set up a connect ion t o a Cit rix XenDeskt op Sit e 1. Log into the Unidesk Management Console. 2. Select System > Settings and Configuration. 3. Next to Broker Settings, click Edit. 4. Click Add. 5. Enter the connection details for a XenDesktop Controller: 1. Enter a name and description for the broker. 2. Enter the IP address or Fully Qualified Domain Name (FQDN) for the XenDesktop Controller. 3. Enter the firewall port that the Unidesk Management Appliance and the XenDesktop Controller can use for communication purposes. Not e: By default, the Unidesk Broker installer opens port 8015 in the firewall for this purpose. If a different port was set during installation, enter that port number, and make sure the port is open in the firewall. 6. Click Test Connection to verify that the connection to the Controller is valid. If you created catalogs before you configured the settings for the XenDesktop Controller, clicking Test Connectionallows Unidesk to retrieve a list of Existing catalogs. 7. Click Apply to add the Controller to the list of brokers. 8. Repeat this procedure for each Controller that you want to add to the configuration. 9. Click Save to save the Broker settings and exit Edit mode Citrix Systems, Inc. All rights reserved. p.61

62 If you want to configure Unidesk to communicate with more than one XenDesktop Controller, you can add another one after this one is saved. Configure Cit rix XenDeskt op t o work wit h t he Unidesk Hyper-V servers You can configure Citrix XenDesktop to work with the Unidesk Hyper-V servers by creating a new Host Connection, and selecting Microsoft SCVMM as the connection type. This assumes that your Hyper-V servers are part of a Microsoft System Center 2012 Virtual Machine Manager (SCVMM) environment, as described in the requirements. 1. Log into the XenDesktop host. 2. Run Citrix Studio. 3. Select Citrix Studio > Configuration > Hosting. 4. In the Actions, select Add Connection and Resources. 5. On the Connection tab, select Create a new Connection. 6. In the Connection Type field, select Microsoft System Center Virtual Machine Manager as a connection type. 7. Finish completing the Connection wizard. Install the XenDesktop Virtual Desktop Agent (VDA) on a Unidesk Layer About installing the Virtual Desktop Agent Next, you need to deploy the Citrix XenDesktop agent to the Desktops that will belong to the Citrix XenDesktop group. You can install the agent by adding it to a version of the Unidesk OS Layer, though you could also install it on the gold image. The steps vary based on the version of Windows the Desktop will be running. Windows 7 or Windows Run the XenDesktop VDA installer. Windows Server 2012 R2 - Run the XenDesktop VDA Command Line installer. Not e: If you run the regular VDA installer on Windows Server 2012, the Virtual Desktop Agent for the Server OS will be installed, instead of the agent for the Desktop OS, and the Operating System will be used as a Desktop OS. Install VDA on Windows 7 or Windows 8.1 When you install XenDesktop 7.6, there are several settings you must choose for the software to work correctly with Unidesk. Please use the instructions in this section when doing the installation. You can install Citrix XenDesktop 7.6 on the Operating System Layer or on a Version of the Layer that you ll deploy to Desktops. Microsoft.NET Framework 4 must be installed before you install XenDesktop If.NET Framework 4 is not yet installed, install it on a Layer or Layer Version. (.NET Framework 4 is required by Citrix XenDesktop 7.6.) 2. Start the Citrix XenDesktop 7.6 installer and choose Virt ual Delivery Agent f or Windows Deskt op OS Citrix Systems, Inc. All rights reserved. p.62

63 3. On the Environment step, choose Enable Remot e PC Access. 4. On the HDX 3D Pro step, choose the appropriate type for your graphics hardware. For example: 5. On the Delivery Controller step, enter the fully qualified domain name (FQDN) of your XenDesktop 7.6 server. (You must use the FQDN rather than the IP address.) For example: 6. On the Features step, disable both Opt imize perf ormance and Personal vdisk. Optionally, select the Remote Assistance, if it is something that you will be using with your Xen Desktops. 7. Continue to the end of the installer steps and start the installation. 8. If at any point during the installation a window pops up requesting a reboot and gives you the choice to reboot later, choose Reboot lat er. Otherwise, restart and continue the installation when the Desktop comes back up. 9. When the installation completes, select Rest art machine and click Finish. 10. Now either finalize the layer (if you were building an OS version) or shutdown the gold and use it to create an OS layer. Install VDA on Windows Server 2012 R2 When you install XenDesktop 7.6, there are several settings you must choose for the software to work correctly with Unidesk. Please use the instructions in this section when doing the installation. You can install Citrix XenDesktop 7.6 on the Operating System Layer or on a Version of the Layer that you ll deploy to Desktops. Microsoft.NET Framework 4 must be installed before you install XenDesktop 7. To install the XenDesktop Agent as a desktop OS, you need to run it from the command line. 1. If.NET Framework 4 is not yet installed, install it on a Layer or Layer Version. (.NET Framework 4 is required by Citrix XenDesktop 7.6.) 2. Run the Citrix XenDesktop 7.6 command line installer. XenDesktopVdaSetup.exe /quiet /servervdi /controllers where /quiet - Set the installation process to run without the user interface appearing during the installation. If you want to check the process status, check the Windows Task Manager Citrix Systems, Inc. All rights reserved. p.63

64 /serverdi - Install a VDA for Windows Desktop OS on the Windows Server. /controllers - Specify the fully qualified domain name (FQDN) of your XenDesktop 7.6 server. You must use the FQDN rather than the IP address. For example: server.domain.com. 3. When the installation completes, select Rest art machine and click Finish. 4. Now either finalize the layer (if you were building an OS version) or shutdown the gold and use it to create an OS layer. Deploy Unidesk Desktops in XenDesktop Groups and Catalogs About Deploying Unidesk Collections and Desktops Unidesk creates Persistent Collections in a XenDesktop Dedicated Catalog, and Non-persistent Collections in a Pooled- Random Catalog. For each Collection you create, Unidesk creates a corresponding XenDesktop Delivery Group. The Desktops you create in a Collection go into the corresponding XenDesktop Group. Deploy Desktops in a XenDesktop Group To deploy Desktops in a XenDesktop Group: 1. Log into the Unidesk Management Console. 2. Select Deskt ops > Creat e Deskt op. 3. Follow the steps to Create a Desktop, and when you get to the User Assignment tab of the Create Desktop wizard, select the connection broker and the users or groups to assign to the Desktop. 1. For the broker integration, select XenDesktop Group. 2. Then select the actual XenDesktop group. 3. Select a user assignment option: Select Assigned to user and select an Active Directory user. Select Assigned to group and select an Active Directory group. You must specify the number of Desktops that are available to the group when you select this option. Select Assigned by broker to allow the XenDesktop Controller to assign users to the Desktops. You must specify the number of Desktops to create when you select this option. 4. In the Desktop Details tab, follow the usual Desktop creation instructions and select the Desktop Type. 5. Finish creating the Desktop(s). Make sure the Windows Firewall is configured to allow the Desktops to communicate with the XenDesktop Controller. You can use a GPO for this purpose after adding the Desktops to a domain. For additional details about firewall configuration, see the Citrix XenDesktop documentation. Activate Citrix XenDesktop on the Desktops Citrix Systems, Inc. All rights reserved. p.64

65 Activating Citrix XenDesktops on your Unidesk Desktops allows users to connect to their Desktops using RDP. Configure the Web Storefront(s) to use HTTPS 1. Log onto the Citrix Receiver. Citrix Receiver lets you see the collections in the Web Storefront. 2. Configure the Web Storefront(s) to use HTTPS Citrix Systems, Inc. All rights reserved. p.65

66 Create Desktop Collections Jun 28, 2017 Unidesk Collections are groupings of Desktops that you can manage easily. Desktop Collections have settings associated with them that all of the Desktops in the collection inherit, for example, the operating system and connection broker, if applicable. About Desktop Collections You must create one or more Desktop Collections before you create your first Desktop, and when creating each Collection you are required to specify which Users and Groups are entitled to be assigned to Desktops in the Collection. All Desktops are created in a Collection, and you can only assign them to Users and Groups specified in the Collection's Entitlements. Typically, a Collection of Desktops is associated with a connection broker, and the Desktops in that Collection are deployed as a group to that broker. You can specify no broker in your Collection, and the Desktops in that Collection will be created without a broker integration. There are several settings you must specify when creating a Desktop Collection: Ent it lement s - select the Users and Groups that are entitled to have Desktops in this Collection T ype of Deskt ops - that this Collection contains, either Persistent (private/personal) or Nonpersistent (shared/pooled). A Persistent Desktop retains all user customizations, including settings and data files, while a Non-persistent Desktop returns to its original state when the users logs off. Operat ing Syst em Layer - that is assigned to the Desktops. Create a Unidesk Desktop Collection 1. In the Unidesk Management Console, select Deskt ops > Collect ions, based on which Desktops you'll be putting in the Collection. 2. Click Creat e Collect ion. 3. Type a name for the Collection and select an icon (or create a custom icon) for the Collection. 4. (Desktop collection only) On the Broker and Ent it lement s tab, choose a connection broker for this Collection, or select No Broker. Then select the Groups and Users entitled to access this collection. 5. (Desktop collection only) On the Collect ion Det ails tab, choose the Collect ion T ype, either Persist ent or Non- Persist ent. 6. OS Assignment tab: Select the Operat ing Syst em Layer and version. If there is more than one version of this Layer, the latest version is selected by default. If you want a different version, expand the Layer and change your selection. 7. On the Conf irm and Complet e tab, type a comment about this Collection, if needed, and click Creat e Collect ion Citrix Systems, Inc. All rights reserved. p.66

67 Collections for Session Hosts Jun 28, 2017 Unidesk Session Host Collections are containers for organizing Session Hosts. You'll need to create a Collection before you can create your first Session Host. A Collection is where you specify the Operating System Layer to use for your Session Hosts. You can add your Session Hosts to either RDCB or Citrix XenApp, as described below. Before you add Session Hosts to the broker, you'll need to create all of the Unidesk Session Host Collections, and create a Session Host in each Collection. Create Unidesk Collections for Session Hosts The Session Host module has a Collection tab where you can create the Session Host Collection. For details, see the following topic: Create Unidesk Session Host Collections Create a Session Host in each Collection If you plan to add your Session Hosts to a connection broker, be sure to create a Session Host in each Collection. Add your Session Hosts to a connection broker Once you've created all of your Unidesk Collections, each containing at least one Session Host, you can add your Session Hosts to a connection broker, either the Microsoft RD Connection Broker (RDCB) or Citrix XenApp. This makes it easier to manage your Session Hosts. Add Session Hosts to Microsoft RD Connection Broker Add Session Hosts to Citrix XenApp Citrix Systems, Inc. All rights reserved. p.67

68 Create Collections for Session Hosts Jun 28, 2017 Unidesk Session Host Collections are containers for organizing Session Hosts. You'll need to create a Collection before you can create your first Session Host. A Collection is where you specify the Operating System Layer to use for your Session Hosts. You can add your Session Hosts to either RDCB or Citrix XenApp, as described below. Before you add Session Hosts to the broker, you'll need to create all of the Unidesk Session Host Collections, and create a Session Host in each Collection. The Session Host module has a Collection tab where you can create the Session Host Collection. For details, see the following topic: Create Unidesk Session Host Collections (add link) If you plan to add your Session Hosts to a connection broker, be sure to create a Session Host in each Collection. Once you've created all of your Unidesk Collections, each containing at least one Session Host, you can add your Session Hosts to a connection broker, either the Microsoft RD Connection Broker (RDCB) or Citrix XenApp. This makes it easier to manage your Session Hosts. Add Session Hosts to Microsoft RD Connection Broker (add link) Add Session Hosts to Citrix XenApp (add link) Citrix Systems, Inc. All rights reserved. p.68

69 Create Session Hosts Jun 28, 2017 A Unidesk Session Host is a virtual machine made up of an Operating System Layer, Application Layers, and a machine Personalization Layer. You create and select the Operating System and Application Layers, and the Unidesk software creates the Personalization Layer, where changes made to the Session Host are saved. When you are ready to create Session Hosts, you can create one or multiple Session Hosts at a time. You can name Session Hosts individually, or generate the names based on built-in naming conventions that you can edit or augment. A single Azure subscription is limited to 48 Session Hosts. Before You Start As soon as you create your Operating System Layer, ensure this Layer and your Domain Join script are in good working order. Do this by creating a bare-bones test Session Host, as described in the next section. Before you can create a Session Host you need a Unidesk Collection [add link], which in turn requires an Operating System Layer [add link]. Certain Session Host attributes are determined by the Collection in which you create them, and once created, you can never change these attributes for the Session Host. Currently, this includes the Operating System Layer. You can change the version of the Operating System Layer assigned to a Session Host, but not the Layer itself. As stated above, the Collection where you create a Session Host determines its key attributes. If you decide to move a Session Host to a different Collection, the new Collection must have the same Operating System Layer. Create a Test Session Host (Recommended) Before using your new Operating System Layer to create your Session Hosts and Application Layers for production, we recommend creating a quick, test Session Host to verify that your Operating System Layer and domain join script are in good working order. Since you won't deploy this Session Host to production, you just need to select the required settings and accept the default values for everything else. 1. On the Unidesk menu bar, select Session Host s, s and then click Creat e Session Host. The Creat e Session Host wizard opens. 2. On the Collect ion Assignment tab, select a Collect ion where you want to group the Session Host and choose to create one Session Host Citrix Systems, Inc. All rights reserved. p.69

70 3. Take the default settings for everything else, and on the Conf irm and Complet e tab, confirm that the settings are correct (see the Visualizat ion panel to the right), and click Creat e Session Host s to start creating the Session Host. A Session Host icon appears with the status displayed in the lower right corner of the icon. The Session Host status cycles through Stopped, Powering on, Starting, and Running. For more status information, click the Expander tab in the bottom center of the console to open the Tasks panel. For example, if the Session Host is not successfully added to the connection broker, a status message appears in the Session Host Details. 1. View the IP address assigned to the Session Host, by hovering over the Session Host icon and clicking the information icon. 2. Log into the Session Host and verify that it successfully joined the domain. If your Session Hosts do not successfully join the domain, follow the steps below to identify the issue. Fixing the problem usually requires an update to the unattend file, and usually you need to create a new version of your Operating System layer and use the Unidesk unattend builder to correct any issues in the unattend.xml file. The Unidesk unattend builder is available for download in the Unidesk Download Center. [update link] About Domain Join When a Session Host is created in Unidesk it runs through the Microsoft Windows mini-setup process, which uses a file called unattend.xml to configure a variety of Session Host settings. We recommend that you use the Unidesk Unattend builder tool to create your unattend file. With the Unattend builder you can specify all of the settings required to join the Session Host to the domain during creation. If your Session Host is not joining the domain correctly, here are some common issues and how to solve them. Keep in mind that while you will look at logs on the Session Host Unattend to identify your problem, you will update the unattend file in your OS layer or in an application layer to correct it so that newly created Session Hosts will successfully join your domain. First T hings t o Check The following log file details the progress of the mini-setup process, including a summary line for each domain attempt. Check this log file for errors: C:\Windows\Panther\UnattendGC\setupact.log Note Be sure you are not looking at the setupact log in C:Windows\Panther. You want the log file that's in C:Windows\Panther\UnattendGC Citrix Systems, Inc. All rights reserved. p.70

71 Search for DJoin.exe to see a log of the domain join operations: DsGetDCName failed: 0x54b check your fully qualified domain name NetJoinDomain attempt failed: 0x89a check your domain join credentials NetJoinDomain attempt failed 0x2: check your OU specification Still stumped? For other log files to check, go to the section on Advanced debugging later in this article. Check your unat t end file f or common problems and fix any issues Let s assume that you have this configuration: Fully qualified domain name: vdidomain.acme.com or vdidomain.local Short domain name: vdi OU: acmegrp1 Domain account: Administrator 1. Open the unattend file on the Session Host and check for some common problems. The unattend file is located in c:\windows\panther. Search for the <JoinDomain> tag and check the fully qualified domain name. It should look like one of these examples: <JoinDomain>vdidomain.local</JoinDomain> <JoinDomain>vdidomain.acme.com</JoinDomain> Check the domain specification by searching for the Domain tag: <Domain>. The Domain tag must be the short domain name, not the fully qualified domain name.it should look like this: Citrix Systems, Inc. All rights reserved. p.71

72 Correct: <Domain>vdi<Domain> Incorrect: <Domain>vdidomain.acme.com<Domain> Check the Username specification. It should look like this: Correct: <Username>Administrator</Username> Incorrect:<Username>vdi\Administrator<\Username> Check the processor architecture In the component tag, make sure processorarchitecture is correct for your platform, either amd64 or x Fix any issues you find in the unattend.xml, either by editing the file manually, or by re-running the Unattend builder. This involves creating a new version of your OS layer to update the unattend file: 1. In the Unidesk Management Console, click Operat ing Syst em Layer > Add Version. Allow the Operating System Layer to boot up in the Install Machine and log in. 2. Once logged in, either edit the unattend.xml file, or run the Unattend builder again: Run Notepad as an Administrator, edit the file at C:\Windows\Panther\unattend.xml, and then save the file. 3. Finalize the layer. 3. Deploy a new Session Host with your latest OS version and check for successful domain join. Check t he Net set up log file f or errors One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A successful domain join displays the following message: Citrix Systems, Inc. All rights reserved. p.72

73 05/01/ :28:01:740 NetpDoDomainJoin: status: 0x0 This line appears at the bottom of the last attempt, and denotes that the domain join process succeeded. Any return status other than 0x0 denotes a failure. You may also see the following lines above it, which also shows success: 05/01/ :28:01:740 NetpCompleteOfflineDomainJoin: status: 0x0 05/01/2012 9:28:01:740 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0 Failure, again, is a non-zero return code: 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x2 One of the most common failures is an error attempting to connect to the IPC$ share on the domain controller. It will look like this: 05/02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned XXXX Get the returned message (XXXX)and run net helpmsg XXXX from a command prompt to see the specific error. The following are common domain join errors and solutions to those errors. Failure Citrix Systems, Inc. All rights reserved. p.73

74 07/12/ :38:52:122 NetUseAdd to \\DC1.company.local\IPC$ returned /12/ :38:52:122 NetpJoinDomain: status of connecting to dc '\\TDC1.company.local': 0x4cf 07/12/ :38:52:122 NetpJoinDomainOnDs: Function exits with status of: 0x4cf 07/12/ :38:52:122 NetpDoDomainJoin: status: 0x4cf Pre-1.5 versions of Unidesk had a timing issue that could cause domain joins on Windows 7 x64 to fail randomly. Upgrade to the latest version of Unidesk if you are using a version earlier than version 1.5. This error may aslo be the result of mixing layers that were built from different OS layers. Resolve it by deploying with just the Operating System Layer. Once you can identify which Application Layer is breaking the domain join process, recreate that layer with the current version of the current OS layer. If you cannot find conflicting layers, use the PowerShell script for joining the domain: [add link] Failure /02/ :07:31:696 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :07:31:696 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x52e 05/02/ :07:31:696 NetpJoinDomainOnDs: Function exits with status of: 0x52e 05/02/ :07:31:696 NetpDoDomainJoin: status: 0x52e Failure 1326 is a straightforward password error, "Logon failure: unknown user name or bad password." Double-check the username and password in your unattend.xml file. Failure Citrix Systems, Inc. All rights reserved. p.74

75 05/02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :14:21:057 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x775 05/02/ :14:21:057 NetpJoinDomainOnDs: Function exits with status of: 0x775 05/02/ :14:21:057 NetpDoDomainJoin: status: 0x775 A 1909 error means "The referenced account is currently locked out and may not be logged on to." Go to your Active Directory and unlock the account. You should also determine how the account got locked. Often the account becomes locked because the unattend.xml has an incorrect password. Attempting to join a domain retries dozens of times. If the password is incorrect, you might get three password failures and dozens of "account locked" failures. Bad OU specified 01/20/ :53:01:232 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: LDAP creation failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported 01/20/ :53:01:232 ldap_unbind status: 0x0 01/20/ :53:01:232 NetpJoinDomainOnDs: Function exits with status of: 0x2 01/20/ :53:01:232 NetpJoinDomainOnDs: status of disconnecting from '\\DC1.company.local': 0x0 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x Citrix Systems, Inc. All rights reserved. p.75

76 The message "Cannot retry downlevel, specifying OU is not supported" means that the specified OU is invalid. This error could indicate that the OU does not exist within the AD, or that you are attempting to specify the default Computers container. Windows requires that the default OU be left unspecified, so if you want to put new Session Hosts into the default Computers OU, you must delete the <MachineObjectOU> line entirely. Look further up the log file for what the specified OU is: 01/20/ :53:01:123 lpmachineaccountou: OU=Computers,OU=VDI,DC=company,DC=local Verify the existence of the specified OU and confirm that it is not the top-level Computers container. Bad domain specified If the domain name itself is invalid, a domain join makes no entries to NetSetup.log and does not create a log file. In this situation, look in C:\Windows\Panther\UnattendGC\setupact.log for lines like this: :11:15, Warning [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds... The error text for 0x54b (1355) is "The specified domain either does not exist or could not be contacted." You can look further up in the setupact.log to see exactly what domain you were trying to join. Note that this is an error with the "JoinDomain" tag, not the credentials. Insuf ficient user right s Citrix Systems, Inc. All rights reserved. p.76

77 07/17/ :26:47:524 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: : SecErr: DSID /17/ :26:47:524 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x32 0x5 07/17/ :26:47:524 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5 07/17/ :26:47:524 NetpProvisionComputerAccount: LDAP creation failed: 0x /17/ :26:47:539 NetpDoDomainJoin: status: 0x5 The user account you specify must have rights to add machine accounts to the domain in the specified OU. This error appears when you have a valid account with insufficient privileges. Either try a different account or adjust the account privileges in the domain. Use anot her approach t o domain join: Add a script t o t he deployment process If you are unable to make your domain join work automatically via the unattend file, you can try adding a PowerShell script to the deployment process to do the domain join. For more information, see this article: [ADD LINK] More about how domain join works The relevant section of the unattend.xml belongs in the 'pass="specialize"' settings block: Citrix Systems, Inc. All rights reserved. p.77

78 <component name="microsoft-windows-unattendedjoin" processorarchitecture="amd64" publickeytoken="31bf3856ad364e35" languag <Identification> <Credentials> <Domain>company</Domain <Password>thePassword</Password> <Username>administrator</Username> </Credentials> <JoinDomain>company.local</JoinDomain> <MachineObjectOU>OU=VDI,OU=lab,DC=company,DC=local</MachineObjectOU> <DebugJoin>true</DebugJoin> </Identification> </component> There are four elements of block that need to be correct: 1. In the "component" tag, make sure "processorarchitecture" is correct for your platform - either "amd64" or "x86". 2. In the "Identification" block, the "Credentials" block must be correct. The "Domain" tag must be the short domain name, not the FQDN. The "Domain" and "Username" tags are joined to create the account that the Session Host will login to the domain as in order to create the Machine Account. The account must exist and be a domain administrator or a service account with sufficient privileges to create Machine Account objects. In this example, "company\administrator" logs in with password "thepassword". Note that the password is stored in the gold as plain text, but is replaced with the string "*SENSITIVE*DATA*DELETED*" during deployment to preserve security. 3. The "JoinDomain" tag must contain the full domain as a FQDN. The Session Host logs in to and joins this domain using the credentials described above earlier Citrix Systems, Inc. All rights reserved. p.78

79 4. The "MachineObjectOU" tag must refer to an existing OU. It must not refer to the default Computers container. If you want your Session Hosts to appear in the default Computers container for your domain, you must delete the entire MachineObjectOU line. The reason is that the MachineObjectOU field must refer to an OU, but Computers is actually a CN. You cannot specify a CN there, and if you reference Computers as an OU, it's an error. So to get the default, which you can't specify, you must not have the line at all. (When using the Unattend Builder from Unidesk, specify the Computers container by putting nothing in the "OU to Place Session Hosts" field.) Note that if the machine already has a Machine Account in your domain (for instance because you are reusing names from Session Hosts that have been created and deleted before), the domain reuses the existing Machine Account in whatever location it is already in, ignoring the one specified in unattend.xml. One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Review this file after deployment to determine why the attempt to join the domain failed. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A second log, C:\Windows\Panther\UnattendGC\setupact.log, details the progress of mini-setup, including a summary line for each domain attempt. At least one type of failure (bad domain specified) results in no NetSetup.log being created, so you would have to see the failure information in setupact.log. If you find no current information in NetSetup.log, or no log at all, check setupact.log. Create one or more Session Hosts In the Unidesk Management Console, select Session Hosts > Create Session Host. This opens the Create Session Host wizard where you can configure the Session Host(s). Collect ion Assignment Select a Unidesk Collection Session Host Det ails Session Host Names - You can use our built-in naming convention to auto-generate Session Host names. Or, you can define your own custom naming convention using a set of expressions, and change the built-in naming convention. Generate Name Automatically - This option automatically generates the Session Host names based on a naming convention. You can select a built-in naming convention or create your own custom naming convention. You must use automatic name generation if you are creating more than one Session Host. If you don't want the default naming convention (Collection name and increment), you can make your own naming convention by selecting Custom and entering an expression. Enter Session Host Name - If you are creating a single Session Host, deselectgenerate Name Automatically and type in a Session Host name. Session Host Naming Requirement s Session Host names must meet these basic naming requirements, or the Session Host does not start. Names can include one to 15 of these characters: Letters a through z, and A through Z Citrix Systems, Inc. All rights reserved. p.79

80 Numbers 0 through 9 Hyphen (-) and Underscore (_) Names cannot include Spaces, the characters / \ *,. or a sequence of two hyphens (--) or underscores ( ) Names cannot start with a number, hyphen (-), or underscore (_) Names cannot end with a hyphen (-) or an underscore (_) Applicat ion Assignment Application Layer(s) to add to the Session Host. Expand a Layer to select the version. You can assign up to 13 Application Layers to each Session Host. This is where you configure hardware and memory settings for the virtual machine. CPUs - Number of virtual CPUs to allocate to the Session Host. You can specify any number between 1 and 64. The default number of CPUs is derived from the greater of the following two values: the number of CPUs on the gold image or the minimum number of CPUs Unidesk recommends, which is 4. Your infrastructure must be able to support the number of CPUs you choose. Starting Memory - Amount of memory (in megabytes) to allocate to the Session Host at startup. Dynamic Memory - Marking this check box specifies the use of dynamic memory for the Session Host, while clearing this check box specifies that the Session Host's memory use is static. Using dynamic memory enables the Session Host to contribute or receive memory as a shared resource. When working with multiple Session Hosts, dynamic memory utilizes the overall available physical memory in a more efficient way than static memory does. Not es: If you select the Dynamic Memory option, the Starting Memory number must be greater than or equal to the Minimum RAM number and less than or equal to the Maximum RAM number. If you upgrade a Session Host that is using dynamic memory, the Dynamic Memory option is no longer enabled following the upgrade procedure. A CachePoint that has not been upgraded disregards any dynamic memory settings. Once the CachePoint is upgraded, the next edit to it invokes the dynamic memory settings. Minimum RAM - The minimum amount of memory (in megabytes) to allocate to the Session Host after startup. This number cannot be less than 32 and must be divisible by 2. This option becomes active when the Dynamic Memory option is selected. The default minimum value for this setting is 8192 MB (8 GB). Maximum RAM - The maximum amount of memory (in megabytes) to allocate to the Session Host after startup. This number cannot be greater than and must be divisible by 2. This option becomes active when the Dynamic Memory option is selected. The default value for this option is the greater of the following two values: the Maximum RAM from the Gold Image, or MB (16 GB), the minimum recommended by Unidesk. Buffer Percentage - Specifies how much memory to add to the Session Host as a buffer. This number is a percentage of the amount of memory the Session Host actually requires to run applications and services. This percentage cannot be less than 5 or greater than This option becomes active when the Dynamic Memory option is selected. User Data Storage - Space in GB to allow for the machine's personalization settings and data files. Page File Size - Percentage of memory to use for the page file size. Note The Page File size is a percentage of the Starting Memory value. On Session Hosts that have Dynamic Memory enabled, and a Maximum RAM value set greater then the Starting RAM value, Full Core Dumps may not be created successfully, as the Page file might not be large enough Citrix Systems, Inc. All rights reserved. p.80

81 Core Dump Type - The type of core dump file you want the system to create when system problems occur. You can specify None, Mini (to create a small, or mini-dump file), Kernel (to create a kernel memory dump file), or Full (to create a full crash dump file). If you select Full, the size for the page file must be a minimum of 100%. Maint enance Schedule A maintenance window is a time for Session Host maintenance tasks that require users to be logged off, for example, adding a new version of a Layer. Unidesk keeps track of the number of users logged into each session host, so that maintenance can be performed when all users are logged off. Important When using XenApp, Session Hosts must be put in Maintenance Mode by using the Desktop Studio Console Citrix Systems, Inc. All rights reserved. p.81

82 Add Session Hosts to Microsoft Remote Desktop Connection Broker Jun 28, 2017 To simplify Session Host management, you can connect Unidesk with Microsoft RD Connection Broker (RDCB). Create the Unidesk Operating System Layer Prepare t he Windows Server 2012 R2 Gold Image When you prepare the gold image, it's important to follow the detailed steps for a Windows Server Session Host. This includes special steps for servers, including: Running all Microsoft redistributable items Enabling the RDSH Role on the server Use the steps to Prepare the gold image [ADD LINK] for your Unidesk Session Hosts. Import t he gold image int o a new Operat ing Syst em Layer When the gold image is ready, you can import it into a new Operating System Layer, as described here: Create the Operating System Layer [UPDATE LINK] Create your Unidesk Collections and Session Hosts To connect to RD Connection Broker, every Unidesk Session Host must be manually connected to an RDS Collection. Therefore, you must create the Session Hosts, which in turn require Unidesk Collections. In case this isn't done yet, you can use the following links: Create Session Host Collections [ADD LINK] Create a Session Host [ADD LINK] Add the Unidesk Session Hosts to RDS Collections Add Session Host s t o RDS 1. From Server manager, start at All Servers. 2. Right-click and select Add Servers. 3. Type the first letter or two of the server name and select the correct server. When the servers are added, you can add them as RD Session Hosts to new RDS Collections. Creat e RDS Collect ions t hat correspond t o Unidesk Collect ions Citrix Systems, Inc. All rights reserved. p.82

83 At least one Session Host must have been added for each RD Collection you want to create. See the above step for details about adding Unidesk Session Hosts to RDS. 1. In Remot e Deskt op Services, select RD Session Host Services. 2. In the list of Server Pools, select a server, move it to the Select ed list, and click OK. This server will now be a managed RD Session host that can be added to existing collections or used to create new collections. If the active management broker server fails What happens when t he act ive management broker server f ails If the active management server fails, users can still connect to Desktops via RDWeb, and Unidesk's scheduled maintenance of those Desktops continues. However, you cannot create new Desktops or edit Collection entitlements until the broker settings in the Unidesk Management Console are updated with the new active management server. To update the RD connection broker settings, you can wait for RDS to detect that the server has gone down and change the active management server, which may take several minutes. Or, you can manually change the active management servers. Updat e RD connect ion broker set t ings When there is a new active management server, connect to the Unidesk Management Appliance and update the server information. 1. Log on to the Unidesk Management Console (UMC). 2. Click the Syst em tab and then the Set t ing and Conf igurat ion tab. 3. Click Edit next to the Broker Set t ings section. 4. Select the broker server from the list and then click the Modif y button. 5. Update the Broker Address to the FQDN of the new active management server and click Apply. 6. Click Save to commit the change Citrix Systems, Inc. All rights reserved. p.83

84 Add Session Hosts to Citrix XenApp Jun 28, 2017 You can manually connect to Citrix XenApp, so that you can align your Session Host Collections with XenApp. Unlike integrating with Desktop Brokers, currently you can simply connect, not fully integrate with a broker. Requirements to integrate Unidesk with XenApp What you need to connect to Citrix XenApp. T o You need Get started A supported version [ADD LINK] of the Citrix XenApp software. Create a XenApp Group XenDesktop Catalog(s) with a machine type of Existing. At least one valid Directory Junction. An Operating System Layer for the Session Hosts. Create the Unidesk Operating System Layer Prepare t he Windows Server 2012 Gold Image When you prepare the gold image, it's important to follow the detailed steps for a Windows Server Session Host. This includes special steps for servers, including: Running all Microsoft redistributable items Enabling the RDSH Role on the server Use the steps to Prepare the gold image [ADD LINK] for your Unidesk Session Hosts. Import t he gold image int o a new Operat ing Syst em Layer When the gold image is ready, you can import it into a new Operating System Layer, as described here: Create the Operating System Layer [ADD LINK] Install the XenApp agent on a Unidesk Layer Layer requirement s f or XenApp The XenApp VDA can be installed into a new version of the Unidesk Operating System Layer, or if you do not need Microsoft App-V integration, in an Application Layer Citrix Systems, Inc. All rights reserved. p.84

85 Important T he installation process will attempt to create a user account. T his account is used to deliver App-V packages. If this App-V functionality is not required, then the XenApp VDA can be installed in an Application Layer. If the App-V functionality is required, than the VDA must be installed into a new version of the Operating System Layer. Inst all and configure t he XenApp client on t he Inst allat ion Machine Follow these steps to install and configure the XenApp client. 1. Attach the XenApp.iso and auto-run it. The installer opens. 2. Click the XenApp St art button. 3. On the next screen, click Prepare Machines and Images. 4. For the Environment, select Enable connect ions t o a server machine. 5. For the Core Component s, s select Cit rix Receiver. 6. For the Delivery Cont roller, select Do it manually, then in the Cont roller address field, add the FQDN (not the IP address) of the Delivery Controller. Test the connection and when successful, add the connection and continue. 7. For Feat ures, you can leave all items selected. 8. The Firewall is configured automatically. 9. Review the Summary, and fix any issues with your selections. 10. On the Inst all tab, click Inst all. 11. If you are prompted to restart the machine, allow the restart and then sign back in as administrator once the machine is back up. The installation continues. 12. When the post installation task (Component Initialization) is complete, allow the machine to restart again. Expedit e Microsof t NGen operat ions After certain applications are installed, the operating system will have outstanding Microsoft NGEN operations for its.net components. You can take steps to expedite the completion of the queued NGEN items, as described in this section. Layer int egrit y check When finalizing a Layer, Unidesk checks to see if the Layer is ready. If any tasks remain to be completed, for example Microsoft NGen or other Windows operations, it waits until all Windows operations that are in progress on the Installation Machine have completed before finalizing the Layer. Otherwise, the new Layer or Layer version that uses this Installation Machine would have issues. A Layer integrity message, lets you know what you can do to expedite the completion of queued tasks that must be completed before a Layer is finalized. Layer Integrity Message: The new version [version-name] of Layer [layer name] on Installation Machine (IM) [im-name] can only be finalized when the following conditions are addressed: A restart is pending to update drivers on the boot disk - please check and restart the IM. A post-installation restart is pending - please check and restart the IM. A Microsoft NGen operation is in progress in the background - (Click here for help with this condition). An MSI install operation is in progress - please check the IM. See if you can expedit e Microsof t NGen operat ions About Microsof t NGen operat ions Citrix Systems, Inc. All rights reserved. p.85

86 NGen is the Microsoft "Native Image Generator". It is part of the.net system, and basically re-compiles.net byte code into native images and constructs the registry entries to manage them. Windows will decide when to run NGen, based on what is being installed and what Windows detects in the configuration. When NGen is running, you must let it complete. An interrupted NGen operation can leave you with non-functioning.net assemblies or other problems in the.net system. You have the choice of waiting for the NGen to complete in the background or you can force the NGen to the foreground. Forcing the NGen to the foreground will allow you to view the progress and once the output has completed you should be able to finalize the layer. Force an NGen operat ion t o t he f oreground Normally, NGen is a background operation and will pause if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible Open a command prompt as Administrator. Go to the Microsoft.NET Framework directory for the version currently in use: cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX 3. Enter the NGen command to execute the queued items: ngen update /force This brings the NGen task to the foreground in the command prompt, and lists the assemblies being compiled. Note It s okay if you see several compilation failed messages. 4. Look in the Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, you must allow it to complete, or run the command ngen update /force again. Do not restart to stop the task. You must allow it to complete. Check t he st at us of an NGen operat ion If you would prefer to wait for the NGen to complete you can check the status as described here. However, every time you check the queue status, you are creating foreground activity, which might cause the background processing to temporarily Citrix Systems, Inc. All rights reserved. p.86

87 pause Open a command prompt as Administrator. Check status by running this command: ngen queue status 3. When you receive the following status, the NGen is complete, and you can finalize the Layer. The.NET Runtime Optimization Service is stopped. Create your Unidesk Collections and Session Hosts To connect to XenApp, every Unidesk Session Host must be manually connected to a XenApp Delivery Group. Therefore, you must create the Session Hosts, which in turn require Unidesk Collections. In case this isn't done yet, you can use the following links: Create Session Host Collections [ADD LINK] Create a Session Host [ADD LINK] Add the Unidesk Session Hosts to XenApp Delivery Groups When your Session Hosts are available in Unidesk, you can add them to Citrix Machine Catalogs and Delivery Groups. Creat e XenApp Delivery Groups t hat correspond t o your Unidesk Collect ions Use Citrix Studio to create the Delivery Groups for your Unidesk Session Hosts. Citrix recommends using the same names for your Delivery Groups as you did for the Unidesk Collections. Configure t he Machine Cat alogs and Delivery Groups To add Unidesk managed Session Hosts to the XenApp environment, follow the usual steps for adding a physical machine to a XenApp Machine Catalog Citrix Systems, Inc. All rights reserved. p.87

88 1. In Citrix Studio, select Machine Cat alog Set up. 2. On the Operat ing Syst em tab, select Windows Server OS and then select Next. 3. On the Machine Management tab, select Anot her service or T echnology. 4. On the Machines tab, select Add Comput ers and search for the name of the XenApp server you just deployed. Configure t he Delivery Groups Delivery groups are collections of machines. These groups define who is authorized to use the Applications hosted on those machines. Create a new Delivery Group and add the previously created Session Host to this group. 1. In Citrix Studio, select Creat e Delivery Group. 2. On the Machines tab, select the Cat alog you just created, and click Next. 3. On the Delivery T ype tab, select Applicat ions and click Next. 4. On the Users tab, add users you want to entitle in this delivery group. 5. On the Applicat ions tab, publish an application. This can be done by typing the path to the executable or by browsing applications. It can take some time before the list is generated, as it requires communication with the XenApp Virtual Delivery Agent Citrix Systems, Inc. All rights reserved. p.88

89 Desktops and Session Hosts Jun 28, 2017 A Unidesk Machine (Desktop or Session Host) is a virtual machine composed of an Operating System layer and Application Layers. A Unidesk Machine also includes a Personalization Layer. You create and select the OS Layer and Application Layers and for Unidesk Machines, Unidesk creates the Personalization Layer. In a Persistent Desktop or Session Host, the Personalization Layer stores all changes made to the Machine, including files and installed applications. In a Non-persistent Desktop the Personalization Layer is cleared on each Desktop restart or log off, unless you are using RDS in which case it is cleared only on a log off. Unidesk Machines can be deployed to a connection broker such as Microsoft s RDCB or can simply be deployed to the virtual infrastructure and accessed via a connection client like RDP. Once you have Collections, Citrix recommends connecting to your directory service so you can easily create Desktops and assign roles to Directory Service users Citrix Systems, Inc. All rights reserved. p.89

90 Connect to a directory service Jun 28, 2017 Once you configure Unidesk to connect to your directory service, for example Active Directory, Unidesk associates the Unidesk Machines (Desktops or Session Hosts) you create with users and groups in your directory service (supported directory services). When you connect to your directory service, you will create one or more Directory Junctions to access specific domains or OUs. Unidesk reads from your directory service to create an association between users and Unidesk Machines. If you are using a broker, the user association will also be configured in the broker. Your directory service is not modified by Unidesk. About connecting Unidesk to a directory service Overlapping Directory Junctions Overlapping (or nested) Directory Junctions occur when you create multiple Directory Junctions that contain the same users and then import the users into the Unidesk directory tree. When overlapping occurs, each Directory Junction contains its own copy of the duplicate users. Assume you create Directory Junction A that starts at the Marketing folder in a directory service tree. Next, you create Directory Junction B which starts at a folder above the Marketing folder. If you browse both Directory Junctions, you can see the Marketing users in both folders. User attributes are imported from the directory service The Unidesk software imports and caches user and group attributes from your directory service when: You assign a Unidesk Machine to a user or group. You assign administrator privileges to a user. The values of the attributes change in the directory service. The attributes that the Unidesk software caches are read only. All changes to the attributes for directory service users come from the directory server. The Unidesk software synchronizes the information it caches for directory service users with the directory service every 12 hours. If the software discovers that a user is no longer an object in the directory service, it classifies the user as abandoned (you can view this information in the Information view for the user). You can continue to assign Unidesk Machines to this user; however, the attributes that the software originally obtained from the directory service are not updated unless you change them manually in the Unidesk Management Console. In this case, the directory user is equivalent to a local user. Directory service user name changes and assigned Unidesk Machine owners Citrix Systems, Inc. All rights reserved. p.90

91 After you assign a directory service user to a Unidesk Machine, changing the name in the directory service has no effect on the assigned owner of the machine. Unidesk continues to display the original user name as the owner of the machine. Create a directory junction Before you start Create the folders where you want to place the Directory Junctions or decide which existing folder you want to use. You can add a Directory Junction folder to any existing folder in the Unidesk Management Console directory tree. Best Pract ice: Avoid creating overlapping Directory Junctions, if possible. In some circumstances, deleting an overlapping Directory Junction can affect your ability to delete another Directory Junction that contains the same users. You can, however, browse and assign Unidesk Machines to users that belong to overlapping Directory Junctions. Create a directory junction Select Users > Direct ory Service. Select Creat e Direct ory Junct ion in the Act ion bar. The Create Directory Junction wizard opens. On the Connect ion Det ails tab, specify the details for the directory server Name f or t he Direct ory Junct ion - This name becomes the name of the folder that you see in the Unidesk Management Console tree view. You can use any name, including the name of a domain in your directory service tree. IP address or DNS name - This is the name for the server you will use for the directory service. Port number - Specify the port for communicating with the directory server. SSL check box - Select this if you want to use Secure Sockets Layer (SSL) communication. If certificate errors occur, the wizard displays a list of these errors. If you know it is safe to ignore them, select Ignore Certificate Errors. T est Connect ion - Click to verify that the Management Appliance can connect to the directory service. On the Aut hent icat ion Det ails tab, enter the authentication details for a user who has permissions to search the directory service. ID, user name, or Dist inguished Name - This ID is referred to as the Bind Distinguished Name (DN). To determine the correct syntax for the Bind DN or user name, see the documentation for your directory service. Examples: The following examples shows some of the ways you can specify a user for the directory service: domain\username or username@domain.com. Password for the Bind DN T est Aut hent icat ion - Click to verify that the connection to the directory server is valid. On the Dist inguished Name Det ails tab, specify where you want the software to start searching for users and groups in the remote directory service. Base Dist inguished Name (DN) - The software starts searching for users and groups in the remote directory service. Once you establish a connection to the server for the directory service, the wizard displays a list of available DNs. You can select a DN from the list or enter the DN directly in the box Citrix Systems, Inc. All rights reserved. p.91

92 Example: Assume that you want to start the search at the Marketing Organizational Unit at the root of a domain. You would enter the following Base DN: OU=marketing, DC=root,DC=mydomain DC=com Click T est Base DN to verify that the Base DN you specified is valid. 6. On the Folder Locat ion tab, select the folder in the Unidesk tree where you want to add the directory junction for the remote directory service On the At t ribut e Mapping tab, enter the names of directory service attributes that you want to map to the local attributes or use the default settings. To change the mapping from local attributes back to default mappings, click Use Def ault s. s On the Confirm and Complet e tab, verify the Directory Junction settings, enter a comment if required, and click Updat e Direct ory Junct ion. If you enter comments, they appear in the Information view Audit History. To ensure that the Unidesk software can find user, group, and folder entities in a directory service, you can map attributes that the directory service uses to the attributes that the Unidesk software uses. When you enter attribute values, use the following syntax. The software searches for the first attribute. If it cannot find the first attribute, it searches for the second one. attribute:attribute The following tables describe the local attributes that you can map to directory service attributes Citrix Systems, Inc. All rights reserved. p.92

93 Local attribute Des cription GUID T he Globally Unique Identifier for the user. If the user entity's location in the directory service changes, the Unidesk software uses this attribute to locate it and retrieve its values. Display Name A name associated with the user. First Name The first name of the user. Last Name The last name of the user. T itle A title associated with the user (for example Vice-President of Sales). Logon Name T he user name for authentication. T he address associated with the user. Phone T he telephone number associated with the user. Address 1 T he first line of the user's street address. Address 2 T he second line of the user's street address. City T he city associated with the user's street address. State T he state associated with the user's street address. Postal code T he postal or ZIP code associated with the user's street address. Country T he country associated wit the user's street address Citrix Systems, Inc. All rights reserved. p.93

94 Local attribute Des cription GUID T he Globally Unique Identifier for a group. If the group entity's location in the directory service changes, the Unidesk software uses this attribute to locate it and retrieve its values. Display Name A name associated with the group. Description A description of the group. Members T he name of the groups in which this group has membership. Local attribute Des cription GUID T he Globally Unique Identifier for a folder. If the folder entity's location in the directory service changes, the Unidesk software uses this attribute to locate it and retrieve its values. Display Name The name of the folder. Description A description of the folder. Local attribute Des cription User A search string that looks for users. T he default value searches for users based on their last names. Group A search string that looks for groups. T he default value searches for group names, including the names of groups that are members of other groups. Folder A search string that looks for specific contents in organizational units. T he default value searches organization units that are likely to contain users and groups. Connect to a directory service 1. Select an existing folder or use the Creat e Folder action to create folders in the Unidesk directory tree structure where you want to place connections to a directory service Citrix Systems, Inc. All rights reserved. p.94

95 2. Select Creat e Direct ory Junct ion and specify: Bind Distinguished Name - The Distinguished Name or ID for a user who has the permissions required to search the directory service tree. Base Distinguished Name - The starting point that the software uses when searching for users and groups in the directory service tree. Now you can assign Unidesk Machines to the users, or assign administrator privileges to them. The Unidesk software caches the attributes for each directory service entry, so that if the connection to the directory service is lost temporarily, the software can use the cached information for management tasks Citrix Systems, Inc. All rights reserved. p.95

96 Create desktops Jun 28, 2017 A Unidesk Desktop is a virtual machine made up of an Operating System Layer, Application Layers, and a user Personalization Layer. You create and select the Operating System and Application Layers, and the Unidesk software creates the Personalization Layer. About Unidesk Desktops Persist ent and Non-persist ent Deskt ops On a Persistent Desktop, the Personalization Layer stores all changes made by the Desktop s user, including files and installed applications. On a Non-persistent Desktop the Personalization Layer is cleared on each Desktop reboot or log off, unless you are using RDS in which case it is cleared only on a log off. Desktops can be deployed to a connection broker such as Microsoft s RD Connection Broker or Citrix XenDesktop, or can simply be deployed to the virtual infrastructure and accessed via a connection client like RDP. Creat ing a t est Deskt op t o verif y your Operat ing Syst em Layer The first Desktop you create will be a test Desktop, and it will give you an idea of the broad range of settings available for your users, though you don't need to concern yourself with the majority of settings until you are ready to create them for real users. Creat ing mult iple Deskt ops at once When you are ready to create Desktops for real users, you can create one Desktop at a time, or as many as you want at once. You can name Desktops individually, or generate the names based on built-in naming conventions that you can edit or augment. Before You Start Desktop Requirements As soon as you create your Operating System Layer, you should make sure this Layer and your Domain Join script are in good working order. Do this by creating a bare-bones test Desktop, as described in the next section. Before you can create a Desktop you need: A Unidesk Collection, which in turn requires an Operating System Layer Users (available in Unidesk via a connection to your directory service) A cluster or host that you set up when installing Unidesk appliances Access to the network where the cluster or host is running Desktop attributes you can never change Certain Desktop attributes are determined by the Collection in which you create them, and once created, you can never change these attributes for the Desktop: Citrix Systems, Inc. All rights reserved. p.96

97 Desktop Type - The Desktop Type can be either Persistent or Non-Persistent. A Persistent Desktop retains all user customizations, including settings and data files, while a Nonpersistent Desktop returns to its original state when the user logs off. The Desktop Type is determined by the type of Collection in which is created. Connection Broker - You can upgrade the version of the broker used for a Desktop, but cannot move the Desktop to a different broker. Operating System Layer - You can change the version of the Operating System Layer assigned to a Desktop, but not the Layer itself. Desktops and the Collections to Which They Belong As stated previously, the Collection where you create a Desktop determines its key attributes. If you decide to move a Desktop to a different Collection, the new Collection must have the same key attributes, Broker, Desktop Type, and Operating System Layer. Create a Test Desktop (Recommended) Before using your new Operating System Layer to create your Desktops and Application Layers for production, Citrix recommends creating a test Desktop to verify that your Operating System Layer and domain join script work. Create a Test Desktop to Verify Your Operating System Layer and Domain Join Settings Since you won't deploy this Desktop to production, select the required settings only and accept the default values for everything else. 1. In the Unidesk menu bar select Deskt ops and then click Creat e Deskt op. The Creat e Deskt op wizard opens. 2. On the Collect ion Assignment tab, select a Collection where you want to group the Desktop with other Desktops, then browse your directory service tree and select a user. This step creates an association in Unidesk between the user and the Desktop. It also configures your broker to associate the Desktop with the selected user. Your directory service is not modified. 3. On the Deskt op Det ails tab, select a cluster or host, a network, and a VLAN Tag (if necessary). Use the default settings for everything else. 4. On the Conf irm and Complet e tab, confirm that the settings are correct in the Deskt op Visualizat ion panel on the right. 5. Click Creat e Deskt ops to start creating the Desktop. A Desktop icon appears with the status displayed in the lower right corner of the icon. The Desktop status cycles through Stopped, Powering on, Starting, and Running. For more status information, click the Expander tab in the bottom center of the console to open the T asks panel. For example, if the Desktop is not successfully added to the connection broker, a status messages are displayed in the Desktop Details. 6. View the IP address assigned to the Desktop, by hovering over the Desktop icon and clicking the information icon. 7. Log into the Desktop and verify that the Desktop successfully joined the domain. Troubleshoot Domain Join Issues (Windows 7, Windows 8.1) If your Desktops are not successfully joining the domain, follow the steps below to identify the issue. Fixing the problem Citrix Systems, Inc. All rights reserved. p.97

98 usually requires an update to the unattend file. Then you need to create a new version of your Operating System layer. Use the Unidesk unattend builder to correct any issues in the unattend.xml file. The Unidesk unattend builder is available for download in the Unidesk Download Center. [ADD LINK] When a Windows 7 or Windows 8.1 Desktop is created in Unidesk it runs through the Microsoft Windows mini-setup process, which uses a file called unattend.xml to configure a variety of Desktop settings. We recommend that you use the Unidesk Unattend builder tool to create your unattend file. With the Unattend builder you can specify all of the settings required to join the Desktop to the domain during creation. If your Desktop is not joining the domain correctly, here are some common issues and how to solve them. Keep in mind that while you will look at logs on the Desktop Unattend to identify your problem, you will update the unattend file in your OS layer or in an application layer to correct it so that newly created Desktops will successfully join your domain. Check t he Set upact log on t he Deskt op f or errors The following log file details the progress of the mini-setup process, including a summary line for each domain attempt. Check this log file for errors: C:\Windows\Panther\UnattendGC\setupact.log Note Ensure you are looking at the setupact log in C:Windows\Panther\UnattendGC. T he log file is not in the directory path C:Windows\Panther. Search for DJoin.exe to see a log of the domain join operations: DsGetDCName failed: 0x54b check your fully qualified domain name NetJoinDomain attempt failed: 0x89a check your domain join credentials NetJoinDomain attempt failed 0x2: check your OU specification Still stumped? For other log files to check, go to the section on Advanced debugging later in this article. Check your unat t end file f or common problems and fix any issues Citrix Systems, Inc. All rights reserved. p.98

99 Let s assume that you have this configuration: Fully qualif ied domain name: vdidomain.acme.com or vdidomain.local Short domain name: vdi OU: acmegrp1 Domain account : Administrator To check your unat t end file 1. Open the unattend file on the Desktop and check for some common problems. The unattend file is located in c:\windows\panther. Search for the <JoinDomain> tag and check the fully qualified domain name, as shown in one of these examples: <JoinDomain>vdidomain.local</JoinDomain> <JoinDomain>vdidomain.acme.com</JoinDomain> Check the domain specification by searching for the Domain tag: <Domain>. The Domain tag must be the short domain name, not the fully qualified domain name. An example is: Correct: <Domain>vdi<Domain> Incorrect: <Domain>vdidomain.acme.com<Domain> Check the Username specification. An example is: Citrix Systems, Inc. All rights reserved. p.99

100 Correct: <Username>Administrator</Username> Incorrect:<Username>vdi\Administrator<\Username> Check the processor architecture. In the component tag, make sure the processorarchitecture is correct for your platform, either amd64 or x Fix any issues you find in the unattend.xml, either by editing the file manually, or by running the Unattend builder again. This involves creating a new version of your OS layer to update the unattend file: 1. In the Unidesk Management Console, click Operat ing Syst em Layer > Add Version. Allow the Operating System Layer to start up in the Install Machine and then log on. 2. Once logged on, either edit unattend.xml or run the Unattend builder: Run Notepad as Administrator, edit C:\Windows\Panther\unattend.xml, and then save the file. 3. Finalize the layer. 3. Deploy a new Desktop with your latest OS version and check for successful domain join. One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A successful domain join displays the following message: 05/01/ :28:01:740 NetpDoDomainJoin: status: 0x0 This line appears at the bottom of the last attempt and denotes that the domain join process is successful. Any return status other than 0x0 denotes a failure. You may also see the following lines above it, which also show success: 05/01/ :28:01:740 NetpCompleteOfflineDomainJoin: status: 0x0 05/01/2012 9:28:01:740 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0 Failure, again, is a non-zero return code: 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x2 One of the most common failures is an error attempting to connect to the IPC$ share on the domain controller. It will look like this: 05/02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned XXXX Get the returned message (XXXX)and run net helpmsg XXXX from a command prompt to see the specific error. The following are common domain join errors and solutions to those errors Citrix Systems, Inc. All rights reserved. p.100

101 Failure /12/ :38:52:122 NetUseAdd to \\DC1.company.local\IPC$ returned /12/ :38:52:122 NetpJoinDomain: status of connecting to dc '\\TDC1.company.local': 0x4cf 07/12/ :38:52:122 NetpJoinDomainOnDs: Function exits with status of: 0x4cf 07/12/ :38:52:122 NetpDoDomainJoin: status: 0x4cf Pre-1.5 versions of Unidesk had a timing issue that could cause domain joins on Windows 7 x64 to fail randomly. Upgrade to the latest version of Unidesk if you are using a version earlier than version 1.5. This error may also be the result of mixing layers that were built from different OS layers. Resolve it by deploying with just the Operating System Layer. Once you can identify which Application Layer is breaking the domain join process, recreate that layer with the current version of the current OS layer. If you cannot find conflicting layers, use the PowerShell script for joining the domain: Failure /02/ :07:31:696 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :07:31:696 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x52e 05/02/ :07:31:696 NetpJoinDomainOnDs: Function exits with status of: 0x52e 05/02/ :07:31:696 NetpDoDomainJoin: status: 0x52e Failure 1326 is a straightforward password error, "Logon failure: unknown user name or bad password." Double-check the username and password in your unattend.xml file. Failure /02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :14:21:057 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x775 05/02/ :14:21:057 NetpJoinDomainOnDs: Function exits with status of: 0x775 05/02/ :14:21:057 NetpDoDomainJoin: status: 0x775 A 1909 error means "The referenced account is currently locked out and may not be logged on to." Go to your Active Directory and unlock the account. You should also determine how the account got locked. Often the account becomes locked because the unattend.xml has an incorrect password. Attempting to join a domain retries dozens of times. If the password is incorrect, you might get three password failures and dozens of "account locked" failures. Bad OU specified 01/20/ :53:01:232 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: LDAP creation failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported 01/20/ :53:01:232 ldap_unbind status: 0x0 01/20/ :53:01:232 NetpJoinDomainOnDs: Function exits with status of: 0x2 01/20/ :53:01:232 NetpJoinDomainOnDs: status of disconnecting from '\\DC1.company.local': 0x0 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x2 The message "Cannot retry downlevel, specifying OU is not supported" means that the specified OU is invalid. This error could indicate that the OU does not exist within the AD, or that you are attempting to specify the default Computers container. Windows requires that the default OU be left unspecified, so if you want to put new Desktops into the default Computers OU, you must delete the <MachineObjectOU> line entirely. Look further up the log file for what the specified OU is: 01/20/ :53:01:123 lpmachineaccountou: OU=Computers,OU=VDI,DC=company,DC=local Citrix Systems, Inc. All rights reserved. p.101

102 Verify the existence of the specified OU and confirm that it is not the top-level Computers container. Bad domain specified If the domain name itself is invalid, a domain join makes no entries to NetSetup.log and does not create a log file. In this situation, look in C:\Windows\Panther\UnattendGC\setupact.log for lines like this: :11:15, Warning [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds... The error text for 0x54b (1355) is "The specified domain either does not exist or could not be contacted." You can look further up in the setupact.log to see exactly what domain you were trying to join. Note that this is an error with the "JoinDomain" tag, not the credentials. Insuf ficient user right s 07/17/ :26:47:524 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: : SecErr: DSID , problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 07/17/ :26:47:524 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x32 0x5 07/17/ :26:47:524 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5 07/17/ :26:47:524 NetpProvisionComputerAccount: LDAP creation failed: 0x /17/ :26:47:539 NetpDoDomainJoin: status: 0x5 The user account you specify must have rights to add machine accounts to the domain in the specified OU. This error appears when you have a valid account with insufficient privileges. Either try a different account or adjust the account privileges in the domain. If you are unable to make your domain join work automatically via the unattend file, you can try adding a PowerShell script to the deployment process to do the domain join. For more information, see this article: [CHANGE LINK] The relevant section of the unattend.xml belongs in the 'pass="specialize"' settings block: <settings pass="specialize" waspassprocessed="true"> The UnattendedJoin block within it looks like this Citrix Systems, Inc. All rights reserved. p.102

103 <component name="microsoft-windows-unattendedjoin" processorarchitecture="amd64" publickeytoken="31bf3856ad364e35" languag <Identification> <Credentials> <Domain>company</Domain <Password>thePassword</Password> <Username>administrator</Username> </Credentials> <JoinDomain>company.local</JoinDomain> <MachineObjectOU>OU=VDI,OU=lab,DC=company,DC=local</MachineObjectOU> <DebugJoin>true</DebugJoin> </Identification> </component> There are four elements of block that need to be correct: 1. In the "component" tag, make sure "processorarchitecture" is correct for your platform - either "amd64" or "x86". 2. In the "Identification" block, the "Credentials" block must be correct. The "Domain" tag must be the short domain name, not the FQDN. The "Domain" and "Username" tags are joined to create the account that the Desktop will login to the domain as in order to create the Machine Account. The account must exist and be a domain administrator or a service account with sufficient privileges to create Machine Account objects. In this example, "company\administrator" logs in with password "thepassword". Note that the password is stored in the gold as plain text, but is replaced with the string "*SENSITIVE*DATA*DELETED*" during deployment to preserve security. 3. The "JoinDomain" tag must contain the full domain as a FQDN. The Desktop logs in to and joins this domain using the credentials described above earlier Citrix Systems, Inc. All rights reserved. p.103

104 4. The "MachineObjectOU" tag must refer to an existing OU. It must not refer to the default Computers container. If you want your Desktops to appear in the default Computers container for your domain, you must delete the entire MachineObjectOU line. The reason is that the MachineObjectOU field must refer to an OU, but Computers is actually a CN. You cannot specify a CN there, and if you reference Computers as an OU, it's an error. So to get the default, which you can't specify, you must not have the line at all. (When using the Unattend Builder from Unidesk, specify the Computers container by putting nothing in the "OU to Place Desktops" field.) Note that if the machine already has a Machine Account in your domain (for instance because you are reusing names from Desktops that have been created and deleted before), the domain reuses the existing Machine Account in whatever location it is already in, ignoring the one specified in unattend.xml. One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Review this file after deployment to determine why the attempt to join the domain failed. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A second log, C:\Windows\Panther\UnattendGC\setupact.log, details the progress of mini-setup, including a summary line for each domain attempt. At least one type of failure (bad domain specified) results in no NetSetup.log being created, so you would have to see the failure information in setupact.log. If you find no current information in NetSetup.log, or no log at all, check setupact.log. Create One or More Desktops In the Unidesk Management Console, select Deskt ops > Creat e Deskt op. The Create Desktop wizard opens where you can configure the Desktop(s). Collection Assignment Select a Unidesk Collection, and individual users or a group. If you select a group, Desktops will be created for all users in the group. Collection assignment creates an association in Unidesk between the user and the Desktop, and will also configure your broker to associate the Desktop with that user. Your directory service is not modified. Not es If the Desktop is not successfully added to the connection broker, a status message appears in the Desktop Details. To see the broker or a status message about the Desktop being added to the broker, click the information symbol on the Desktop icon. In an RD Connection Broker (RDCB) collection, a user can have only one Desktop. If you attempt to create a Desktop in an RDCB collection where there is already a Desktop owned by that user, the Desktop will not be created. Desktop Details Cluster or Host - Choose the cluster or server to host the Desktop(s) from the choices you configured when setting up the UnideskManagement Appliance. If the cluster or host is missing, verify that it has been enabled for the Management Appliance and CachePoint. Note that the Management Appliance must be restarted if hosts are added or removed from a cluster Citrix Systems, Inc. All rights reserved. p.104

105 Desktop Names - You can use one of our built-in naming conventions to auto-generate Desktop names. Or, you can define your own custom naming convention using a set of expressions, and change the built-in naming convention. Generate Name Automatically - This option automatically generates the Desktop names based on a naming convention. You can select a built-in naming convention or create your own custom naming convention. You must use automatic name generation if you are creating more than one Desktop. If you don't want the default naming convention (FirstnameLastname), you can make your own naming convention by selecting Custom and entering an expression. Enter Desktop Name - If you are creating a single Desktop, deselectgenerate Name Automatically and type in a Desktop name. Desktop names must meet the following basic naming requirements or the Desktop will not start. Names can include one to 15 of these characters: Letters a through z, and A through Z Numbers 0 through 9 Hyphen (-) and Underscore (_) Names cannot include Spaces, the characters / \ *,. or a sequence of two hyphens (--) or underscores ( ) Names cannot start with a number, hyphen (-), or underscore (_) Names cannot end with a hyphen (-) or an underscore (_) Note If you use non-alphanumeric characters in the Desktop name, Unidesk substitutes an underscore for each non-alphanumeric character in the corresponding folder name. When you create more than one Desktop at a time, the system generates the names for you. You can also choose to have the system generate a name for an individual Desktop. You can either use the built-in naming conventions, or create a custom naming convention. The built-in naming conventions available are based on whether the Collection is for Persistent or Non-persistent Desktops. When creating Desktops, you can ensure that naming is consistent by choosing one of the built-in naming conventions, or by defining (and then choosing) a naming convention of your own Citrix Systems, Inc. All rights reserved. p.105

106 T his convention Creates a name that contains the Example FirstnameLastname First name and last name of the selected user. JohnDoe LastnameFirstInitial Last name and first initial of the selected user. DoeJ FirstInitialLastname First initial and last name of the selected user. JDoe CollectionIncrement Selected Collection. Also appends a sequential numeric value to the end of each Desktop name. Support1, Support2 1. Select Syst em > Set t ings and Conf igurat ion. 2. Select Deskt op Naming Convent ion Set t ings and then click Edit. 3. In the Expression box for the naming convention that you want to change, edit the displayed expression. In addition to using the naming expressions, you can enter additional characters as long at they follow the host naming standards. Example: If you wanted Desktop names to use a format such as, MKTG-FirstnameLastname, you could enter an expression similar to the following one: MKTG-%F%L 4. Click Save. 1. Select Syst em > Set t ings and Conf igurat ion. 2. Select Deskt op Naming Convent ion Set t ings and then click Edit. 3. Click Add Naming Convent ion. 4. In the Convent ion Name box, enter a name that you want to associate with the naming convention. The Create Desktop wizard displays this name as a selection in the Desktop Assignment tab. 5. Enter an expression that defines the syntax for the name. In addition to using the built-in naming expressions, you can enter additional characters as long at they follow the host naming standards. 6. Click Add and then click Save. Naming convention expressions define how the system displays the naming conventions. The following table describes the syntax for the valid expressions that the system uses to generate names Citrix Systems, Inc. All rights reserved. p.106

107 Us e T o include Examples % [n]f T he first name of the selected user. T he n variable indicates the number of characters to include. If you do not specify a character length, the software uses the full name. %F = Joey %3F = Joe % [n]l T he last name of the selected user. T he n variable indicates the number of characters to include. If you do not specify a character length, the software uses the full name. %L = Hartley %4L = Hart % [n]c The name of a selected group. T he n variable indicates the number of characters to include. If you do not specify a character length, the software uses the full name. %C = Marketing %3C =Mar [%I] A unique number at the end of a generated name. T he number starts at 1 and increments sequentially for each Desktop that the software creates. T he software applies this expression if the generated name is not unique and if you include it in a custom expression. %3C%I = Mar1, Mar2, Mar3,... Network - Choose a network. The list displays all networks available to the selected host or cluster. Application Assignment Application Layer(s) to add to the Desktop. Expand a Layer to select the version. Desktop Settings This is where you configure hardware and memory settings for the virtual machine. CPUs - Number of virtual CPUs to allocate to the Desktop. You can specify any number from 1 to 64. The default number of CPUs is derived from the greater of the following two values: the number of CPUs that was imported for the gold image or the minimum number of CPUs Unidesk has defined. Starting Memory - Amount of memory (in megabytes) to allocate to the Desktop at startup. The default setting is derived from the greater of the following two values: the Starting Memory that was imported for the gold image or the minimum amount of starting memory Unidesk has defined. Dynamic Memory - Specifies the use of dynamic memory for the Desktop; otherwise, the Desktop's memory use is static. Using dynamic memory enables the Desktop to contribute or receive memory as a shared resource. When working with multiple Desktops, dynamic memory uses the overall available physical memory in a more efficient way than static memory does. If you select the Dynamic Memory option, the Starting Memory number must be greater than or equal to the Minimum RAM number and less than or equal to the Maximum RAM number. If you upgrade a Desktop that is using dynamic memory, the Dynamic Memory option is no longer enabled following the upgrade procedure. A CachePoint that has not been upgraded disregards any Dynamic Memory settings. Once the CachePoint is upgraded, the next edit to it invokes the Dynamic Memory settings. Minimum RAM - The minimum amount of memory (in megabytes) to allocate to the Desktop after startup. This number cannot be less than 32 and must be divisible by 2. This option becomes active when the Dynamic Memory option is Citrix Systems, Inc. All rights reserved. p.107

108 selected. Maximum RAM - The maximum amount of memory (in megabytes) to allocate to the Desktop after startup. This number cannot be greater than and must be divisible by 2. This option becomes active when the Dynamic Memory option is selected. Buffer Percentage - Specifies how much memory to add to the Desktop as a buffer. This number is a percentage of the amount of memory the Desktop actually requires to run applications and services. This percentage cannot be less than 5 nor greater than This option becomes active when the Dynamic Memory option is selected. User Data Storage - Space in GB to allow for the machine's personalization settings and data files. Page File Size - Percentage of memory to use for the page file size. The Page File size is a percentage of the Starting Memory value. On Desktops that have Dynamic Memory enabled, and a Maximum RAM value set greater then the Starting RAM value, Full Core Dumps may not be created successfully, as the Page file might not be large enough. Core Dump Type - The type of core dump file you want the system to create when system problems occur. You can specify None, Mini (to create a small, or mini-dump file), Kernel (to create a kernel memory dump file), or Full (to create a full crash dump file). If you select Full, the size for the page file must be a minimum of 100%. Maintenance Schedule A maintenance window is a time set aside for Desktop maintenance tasks that require the user to log off, for example, adding a new version of a Layer Citrix Systems, Inc. All rights reserved. p.108

109 Create session hosts Jun 28, 2017 A Unidesk Session Host is a virtual machine made up of an Operating System Layer, Application Layers, and a machine Personalization Layer. You create and select the Operating System and Application Layers, and the Unidesk software creates the Personalization Layer, where changes made to the Session Host are saved. When you are ready to create Session Hosts, you can create one or multiple Session Hosts at a time. You can name Session Hosts individually, or generate the names based on built-in naming conventions that you can edit or augment. A single Azure subscription is limited to 48 Session Hosts. Before you start Session Host Requirements As soon as you create your Operating System Layer, you should make sure this Layer and your Domain Join script are in good working order. Do this by creating a bare-bones test Session Host, as described in the next section. Before you can create a Session Host you need: A Unidesk Collection, which in turn requires an Operating System Layer Session Host attributes you can never change Certain Session Host attributes are determined by the Collection in which you create them, and once created, you can never change these attributes for the Session Host. Currently, this includes: Operating System Layer - You can change the version of the Operating System Layer assigned to a Session Host, but not the Layer itself. Session Hosts and the Collections they belong to As stated above, the Collection where you create a Session Host determines its key attributes. So, if you decide to move a Session Host to a different Collection, the new Collection must have the same Operating System Layer. Create a test Session Host (Recommended) Before using your new Operating System Layer to create your Session Hosts and Application Layers for production, we recommend creating a quick, test Session Host to verify that your Operating System Layer and domain join script are in good working order. Create a test Session Host to verify your Operating System Layer and domain join settings Since you won't deploy this Session Host to production, you just need to select the required settings, and accept the default values for everything else. 1. On the Unidesk menu bar select Session Host s, then click Creat e Session Host. This opens the Create Session Host wizard Citrix Systems, Inc. All rights reserved. p.109

110 2. On the Collection Assignment tab, select a Collection where you want the Session Host to be grouped, and choose to create 1 Session Host. 3. Take the default settings for everything else, and on the Confirm and Complete tab, confirm that the settings are correct (see the Visualization panel to the right), and click Creat e Session Host s to start creating the Session Host. A Session Host icon appears, its status displayed in the lower right corner of the icon. The Session Host status cycles through Stopped, Powering on, Starting, and Running. For more status information, click the Expander tab in the bottom center of the console to open the Tasks panel. For example, if the Session Host is not successfully added to the connection broker, a status messages is displayed in the Session Host Details. 1. View the IP address assigned to the Session Host, by hovering over the Session Host icon and clicking the information icon. 2. Log into the Session Host and verify that t has successfully joined the domain. Troubleshoot domain join issues If your Session Hosts are not successfully joining the domain, follow the steps below to identify the issue. Fixing the problem usually requires an update to the unattend file, and usually you need to create a new version of your Operating System layer and use the Unidesk unattend builder to correct any issues in the unattend.xml file. The Unidesk unattend builder is available for download in the Unidesk Download Center. About domain join When a Session Host is created in Unidesk it runs through the Microsoft Windows mini-setup process, which uses a file called unattend.xml to configure a variety of Session Host settings. We recommend that you use the Unidesk Unattend builder tool to create your unattend file. With the Unattend builder you can specify all of the settings required to join the Session Host to the domain during creation. If your Session Host is not joining the domain correctly, here are some common issues and how to solve them. Keep in mind that while you will look at logs on the Session Host Unattend to identify your problem, you will update the unattend file in your OS layer or in an application layer to correct it so that newly created Session Hosts will successfully join your domain. First things to check The following log file details the progress of the mini-setup process, including a summary line for each domain attempt. Check this log file for errors: C:\Windows\Panther\UnattendGC\setupact.log Note: Be sure you are not looking at the setupact log in C:Windows\Panther. You want the log file that's in C:Windows\Panther\UnattendGC. Search for DJoin.exe to see a log of the domain join operations: DsGetDCName failed: 0x54b check your fully qualified domain name NetJoinDomain attempt failed: 0x89a check your domain join credentials Citrix Systems, Inc. All rights reserved. p.110

111 NetJoinDomain attempt failed 0x2: check your OU specification Still stumped? For other log files to check, go to the section on Advanced debugging later in this article. Let s assume that you have this configuration: f ully qualif ied domain name: vdidomain.acme.com or vdidomain.local short domain name: vdi OU: acmegrp1 Domain account: Administrator 1. Open the unattend file on the Session Host and check for some common problems. The unattend file is located in c:\windows\panther. Search for the <JoinDomain> tag and check the fully qualified domain name. It should look like one of these examples: <JoinDomain>vdidomain.local</JoinDomain> <JoinDomain>vdidomain.acme.com</JoinDomain> Check the domain specification by searching for the Domain tag: <Domain>. The Domain tag must be the short domain name, not the fully qualified domain name.it should look like this: Correct: <Domain>vdi<Domain> Incorrect: <Domain>vdidomain.acme.com<Domain> Check the Username specification. It should look like this: Correct: <Username>Administrator</Username> Incorrect:<Username>vdi\Administrator<\Username> Check the processor architecture In the component tag, make sure processorarchitecture is correct for your platform, either amd64 or x Fix any issues you find in the unattend.xml, either by editing the file manually, or by re-running the Unattend builder. This involves creating a new version of your OS layer to update the unattend file: 1. In the Unidesk Management Console, click Operating System Layer > Add Version. Allow the Operating System Layer to boot up in the Install Machine, and log in. 2. Once logged in, either edit unattend.xml, or re-run the Unattend builder: Run Notepad as Administrator, edit C:\Windows\Panther\unattend.xml, and save the file. 3. Finalize the layer 3. Deploy a new Session Host with your latest OS version and check for successful domain join. Check the Netsetup log file for errors One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A successful domain join displays the following message: Citrix Systems, Inc. All rights reserved. p.111

112 05/01/ :28:01:740 NetpDoDomainJoin: status: 0x0 This line appears at the bottom of the last attempt, and denotes that the domain join process succeeded. Any return status other than 0x0 denotes a failure. You may also see the following lines above it, which also show success: 05/01/ :28:01:740 NetpCompleteOfflineDomainJoin: status: 0x0 05/01/2012 9:28:01:740 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0 Failure, again, is a non-zero return code: 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x2 One of the most common failures is an error attempting to connect to the IPC$ share on the domain controller. It will look like this: 05/02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned XXXX Get the returned message (XXXX)and run net helpmsg XXXX from a command prompt to see the specific error. The following are common domain join errors and solutions to those errors. 07/12/ :38:52:122 NetUseAdd to \\DC1.company.local\IPC$ returned /12/ :38:52:122 NetpJoinDomain: status of connecting to dc '\\TDC1.company.local': 0x4cf 07/12/ :38:52:122 NetpJoinDomainOnDs: Function exits with status of: 0x4cf 07/12/ :38:52:122 NetpDoDomainJoin: status: 0x4cf Pre-1.5 versions of Unidesk had a timing issue that could cause domain joins on Windows 7 x64 to fail randomly. Upgrade to the latest version of Unidesk if you are using a version earlier than version 1.5. This error may aslo be the result of mixing layers that were built from different OS layers. Resolve it by deploying with just the Operating System Layer. Once you can identify which Application Layer is breaking the domain join process, recreate that layer with the current version of the current OS layer. If you cannot find conflicting layers, use the PowerShell script for joining the domain: 05/02/ :07:31:696 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :07:31:696 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x52e 05/02/ :07:31:696 NetpJoinDomainOnDs: Function exits with status of: 0x52e 05/02/ :07:31:696 NetpDoDomainJoin: status: 0x52e Failure 1326 is a straightforward password error, "Logon failure: unknown user name or bad password." Double-check the username and password in your unattend.xml file. 05/02/ :14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned /02/ :14:21:057 NetpJoinDomain: status of connecting to dc '\\DC1.company.local': 0x775 05/02/ :14:21:057 NetpJoinDomainOnDs: Function exits with status of: 0x Citrix Systems, Inc. All rights reserved. p.112

113 05/02/ :14:21:057 NetpDoDomainJoin: status: 0x775 A 1909 error means "The referenced account is currently locked out and may not be logged on to." Go to your Active Directory and unlock the account. You should also determine how the account got locked. Often the account becomes locked because the unattend.xml has an incorrect password. Attempting to join a domain retries dozens of times. If the password is incorrect, you might get three password failures and dozens of "account locked" failures. 01/20/ :53:01:232 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: LDAP creation failed: 0x2 01/20/ :53:01:232 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported 01/20/ :53:01:232 ldap_unbind status: 0x0 01/20/ :53:01:232 NetpJoinDomainOnDs: Function exits with status of: 0x2 01/20/ :53:01:232 NetpJoinDomainOnDs: status of disconnecting from '\\DC1.company.local': 0x0 01/20/ :53:01:232 NetpDoDomainJoin: status: 0x2 The message "Cannot retry downlevel, specifying OU is not supported" means that the specified OU is invalid. This error could indicate that the OU does not exist within the AD, or that you are attempting to specify the default Computers container. Windows requires that the default OU be left unspecified, so if you want to put new Session Hosts into the default Computers OU, you must delete the <MachineObjectOU> line entirely. Look further up the log file for what the specified OU is: 01/20/ :53:01:123 lpmachineaccountou: OU=Computers,OU=VDI,DC=company,DC=local Verify the existence of the specified OU and confirm that it is not the top-level Computers container. If the domain name itself is invalid, a domain join makes no entries to NetSetup.log and does not create a log file. In this situation, look in C:\Windows\Panther\UnattendGC\setupact.log for lines like this: :11:15, Warning [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds... The error text for 0x54b (1355) is "The specified domain either does not exist or could not be contacted." You can look further up in the setupact.log to see exactly what domain you were trying to join. Note that this is an error with the "JoinDomain" tag, not the credentials. 07/17/ :26:47:524 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: : SecErr: DSID , problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 07/17/ :26:47:524 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x32 0x5 07/17/ :26:47:524 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5 07/17/ :26:47:524 NetpProvisionComputerAccount: LDAP creation failed: 0x /17/ :26:47:539 NetpDoDomainJoin: status: 0x5 The user account you specify must have rights to add machine accounts to the domain in the specified OU. This error appears when you have a valid account with insufficient privileges. Either try a different account or adjust the account privileges in the domain Citrix Systems, Inc. All rights reserved. p.113

114 Use another approach to domain join: Add a script to the deployment process If you are unable to make your domain join work automatically via the unattend file, you can try adding a PowerShell script to the deployment process to do the domain join. For more information, see this article: More about how domain join works The relevant section of the unattend.xml belongs in the 'pass="specialize"' settings block: <settings pass="specialize" waspassprocessed="true"> And the UnattendedJoin block within it looks like this. <component name="microsoft-windows-unattendedjoin" processorarchitecture="amd64" publickeytoken="31bf3856ad364e35" language="neutral" versionscope="nonsxs" xmlns:wcm=" xmlns:xsi=" <Identification> <Credentials> <Domain>company</Domain <Password>thePassword</Password> <Username>administrator</Username> </Credentials> <JoinDomain>company.local</JoinDomain> <MachineObjectOU>OU=VDI,OU=lab,DC=company,DC=local</MachineObjectOU> <DebugJoin>true</DebugJoin> </Identification> </component> There are four elements of block that need to be correct: 1. In the "component" tag, make sure "processorarchitecture" is correct for your platform - either "amd64" or "x86". 2. In the "Identification" block, the "Credentials" block must be correct. The "Domain" tag must be the short domain name, not the FQDN. The "Domain" and "Username" tags are joined to create the account that the Session Host will login to the domain as in order to create the Machine Account. The account must exist and be a domain administrator or a service account with sufficient privileges to create Machine Account objects. In this example, "company\administrator" logs in with password "thepassword". Note that the password is stored in the gold as plain text, but is replaced with the string "*SENSITIVE*DATA*DELETED*" during deployment to preserve security. 3. The "JoinDomain" tag must contain the full domain as a FQDN. The Session Host logs in to and joins this domain using the credentials described above earlier. 4. The "MachineObjectOU" tag must refer to an existing OU. It must not refer to the default Computers container. If you want your Session Hosts to appear in the default Computers container for your domain, you must delete the entire MachineObjectOU line. The reason is that the MachineObjectOU field must refer to an OU, but Computers is actually a CN. You cannot specify a CN there, and if you reference Computers as an OU, it's an error. So to get the default, which you can't specify, you must not have the line at all. (When using the Unattend Builder from Unidesk, specify the Computers container by putting nothing in the "OU to Place Session Hosts" field.) Note that if the machine already has a Machine Account in your domain (for instance because you are reusing names from Citrix Systems, Inc. All rights reserved. p.114

115 Session Hosts that have been created and deleted before), the domain reuses the existing Machine Account in whatever location it is already in, ignoring the one specified in unattend.xml. One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Review this file after deployment to determine why the attempt to join the domain failed. Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times, As a result, your log may contains many duplicate failure messages. A second log, C:\Windows\Panther\UnattendGC\setupact.log, details the progress of mini-setup, including a summary line for each domain attempt. At least one type of failure (bad domain specified) results in no NetSetup.log being created, so you would have to see the failure information in setupact.log. If you find no current information in NetSetup.log, or no log at all, check setupact.log. Create one or more Session Hosts In the Unidesk Management Console, select Session Host s > Creat e Session Host. This opens the Create Session Host wizard where you can configure the Session Host(s). Collection Assignment Select a Unidesk Collection Session Host Details Session Host Names - You can use our built-in naming convention to auto-generate Session Host names. Or, you can define your own custom naming convention using a set of expressions, and change the built-in naming convention. Generate Name Automatically - This option automatically generates the Session Host names based on a naming convention. You can select a built-in naming convention or create your own custom naming convention. You must use automatic name generation if you are creating more than one Session Host. If you don't want the default naming convention (Collection name and increment), you can make your own naming convention by selecting Cust om and entering an expression. Enter Session Host Name - If you are creating a single Session Host, deselect Generat e Name Aut omat ically and type in a Session Host name. Session Host naming requirements Session Host names must meet the these basic naming requirements, or the Session Host will not start. Names can include one to 15 of these characters: Letters a through z, and A through Z Numbers 0 through 9 Hyphen (-) and Underscore (_) Names cannot include Spaces, the characters / \ *,. or a sequence of two hyphens (--) or underscores ( ) Names cannot start with a number, hyphen (-), or underscore (_) Names cannot end with a hyphen (-) or an underscore (_) Application Assignment Citrix Systems, Inc. All rights reserved. p.115

116 Application Layer(s) to add to the Session Host. Expand a Layer to select the version. You can assign up to 13 Application Layers to each Session Host. This is where you configure hardware and memory settings for the virtual machine. CPUs - Number of virtual CPUs to allocate to the Session Host. You can specify any number between 1 and 64. The default number of CPUs is derived from the greater of the following two values: the number of CPUs on the gold image or the minimum number of CPUs Unidesk recommends, which is 4. Your infrastructure must be able to support the number of CPUs you choose. Starting Memory - Amount of memory (in megabytes) to allocate to the Session Host at startup. Dynamic Memory - Marking this check box specifies the use of dynamic memory for the Session Host, while clearing this check box specifies that the Session Host's memory use is static. Using dynamic memory enables the Session Host to contribute or receive memory as a shared resource. When working with multiple Session Hosts, dynamic memory utilizes the overall available physical memory in a more efficient way than static memory does. Not es: If you select the Dynamic Memory option, the Starting Memory number must be greater than or equal to the Minimum RAM number and less than or equal to the Maximum RAM number. If you upgrade a Session Host that is using dynamic memory, the Dynamic Memory option is no longer enabled following the upgrade procedure. A CachePoint that has not been upgraded disregards any dynamic memory settings. Once the CachePoint is upgraded, the next edit to it invokes the dynamic memory settings. Minimum RAM - The minimum amount of memory (in megabytes) to allocate to the Session Host after startup. This number cannot be less than 32 and must be divisible by 2. This option becomes active when the Dynamic Memory option is selected. The default minimum value for this setting is 8192 MB (8 GB). Maximum RAM - The maximum amount of memory (in megabytes) to allocate to the Session Host after startup. This number cannot be greater than and must be divisible by 2. This option becomes active when the Dynamic Memory option is selected. The default value for this option is the greater of the following two values: the Maximum RAM from the Gold Image, or MB (16 GB), the minimum recommended by Unidesk. Buffer Percentage - Specifies how much memory to add to the Session Host as a buffer. This number is a percentage of the amount of memory the Session Host actually requires to run applications and services. This percentage cannot be less than 5 or greater than This option becomes active when the Dynamic Memory option is selected. User Data Storage - Space in GB to allow for the machine's personalization settings and data files. Page File Size - Percentage of memory to use for the page file size. Not e: The Page File size is a percentage of the Starting Memory value. On Session Hosts that have Dynamic Memory enabled, and a Maximum RAM value set greater then the Starting RAM value, Full Core Dumps may not be created successfully, as the Page file might not be large enough. Core Dump Type - The type of core dump file you want the system to create when system problems occur. You can specify None, Mini (to create a small, or mini-dump file), Kernel (to create a kernel memory dump file), or Full (to create a full crash dump file). If you select Full, the size for the page file must be a minimum of 100%. Maintenance Schedule A maintenance window is a time for Session Host maintenance tasks that require users to be logged off, for example, adding a new version of a Layer. Unidesk keeps track of the number of users logged into each session host, so that maintenance can be performed when all users are logged off Citrix Systems, Inc. All rights reserved. p.116

117 IMPORTANT : When using XenApp, Session Hosts must be put in Maintenance Mode using the Desktop Studio Console Citrix Systems, Inc. All rights reserved. p.117

118 Application Layers Jun 28, 2017 Create Application Layers You can create any number of Application Layers and assign them to Unidesk Machines (Desktops or Session Hosts). You'll need a staging area, called an Installation Machine (IM) where you'll create the Layers. Then you can assign them to Unidesk Machines that use the same Operating System Layer as the IM. Refer to these detailed steps for creating an Installation Machine, creating an Application Layer, and assigning the Application Layer to Unidesk Unidesk Machines. Create an Installation Machine, a staging area for your Layers Create Application Layers Assign Layers to your Unidesk Machines Application Layering tips Tips to deploy Anti-virus applications in Layers Tips to deploy Windows 8.1 applications in Layers Citrix Systems, Inc. All rights reserved. p.118

119 Create an installation machine Jun 28, 2017 An Installation Machine is a virtual machine that you provision with the software needed for new Application Layers and new versions of Operating System and Application Layers. You will need at least one installation machine for each Operating System Layer in your Unidesk deployment. About Installation Machines When to use an Installation Machine You'll need an Installation Machine whenever you want to create a new Application Layer or when you add a new Version to an existing Application or Operating System Layer. You do not need an Installation Machine for the initial creation of an Operating System Layer, just for any Layer Versions you add to it. The role of an Installation Machine in Layer creation The Installation Machine is a virtual machine that you use as a staging area for the application(s) you want to put in a Layer. Before creating a Layer or a new version of a Layer, you'll set up the new software on an Installation Machine. Before you start Determine the configuration for memory, CPUs, and network adapters that the application(s) need on the Installation Machine. For example, if you plan to create Application Layers that require two CPUs, ensure you provision an Installation Machine with this setting. Create the Installation Machine (IM) You must create at least one Installation Machine for each Operating System Layer that you are using in your environment. Once you create an Installation Machine, you cannot change its Virtual Machine settings, including the Operating System Layer. 1. Select Syst em > Inst allat ion Machine > Create Installation Machine. This opens the Create Installation Machine wizard. 2. In the General Settings tab, specify the virtual machine settings for the Installation Machine, including: Installation Machine Name The Installation Machine name (IM Name) should be 15 characters or less, and unique on the Master CachePoint Appliance. Valid characters include the letters a - z and A - Z; the numbers 0-9; underscores (_) and hyphens (-). Names cannot start or end with a hyphen or an underscore, nor can two hyphens or underscores be used consecutively. Associated OS Layer The Operating System Layer associated with this IM. Amount of memory (in megabytes) to allocate to the Installation Machine We suggest a minimum Citrix Systems, Inc. All rights reserved. p.119

120 Memory CPUs of 4096 MB for Windows updates. By default, this field is pre-populated with the same amount of memory that was allocated to the associated gold image. Number of virtual CPUs to allocate to the Installation Machine. This value can be any number between 1 and 64. By default, this field is pre-populated with the same number of CPUs that were allocated to the associated gold image. Virtual Switch The network that the Installation Machine will use to communicate with Unidesk appliances. VLAN Tag The VLAN tag inserted into packet headers, indicating which logical network to use for this virtual machine. If you need to add new VLAN Tags, click the Manage button and use the wizard to do so. 3. In the Confirm and Complete tab, you can enter a comment that describes the Installation Machine for the Audit History. 4. Click Create Installation Machine.If you enter comments, they appear in the Information view Audit History Citrix Systems, Inc. All rights reserved. p.120

121 Create an application layer Jun 28, 2017 An Application Layer includes one or more applications that you can assign to Unidesk Machines (Desktops or Session Hosts). You can create any number of Application Layers to deliver applications to your Unidesk Machines. Creating an Application Layer takes just a few steps. You ll use a virtual machine, called an Installation Machine (IM) to install the application, tell Unidesk when you re done, and Unidesk will create the Layer. You can install as many applications as you want in a single Application Layer. See the application recipes section on the forum for some useful hints about Application Layers About creating an Application Layer Overview of the steps to create an Application Layer Creat e an Installation Machine - Do the initial creation of the Installation Machine using the Unidesk Management Console. Creat e an Application Layer,, or a new version of a Layer - Create an Application Layer, selecting the version of the Operating System Layer that you want to run on your Installation Machine. The Unidesk software boots the Installation Machine VM with the selected Operating System. Inst all applicat ions on t he Installation Machine - After the Unidesk software boots the Installation Machine, the software prompts you to install applications on the Installation Machine. You log into the Installation Machine (using your virtual infrastructure management software or a remote Desktop connection) and install the applications or OS update for the Layer or Layer Version you are creating. Finalize t he Layer or new Layer Version - Finalize the layer. You select the Layer and the software creates the application image and adds it to the layer. It also shuts down the Installation Machine. The Installation Machine is powered off and returns to a non-bootable state. Application Layer requirements To create an Application Layer, you need: Your gold image The installer software for the application(s) you're including in the Layer. An available Installation Machine. Any prerequisite Application Layers.I f applications require other programs (for example, Java versions, Web browsers, or.net framework), make sure that these Prerequisite Layers are available to select when creating the Layer, and also deployed to the Unidesk Machine before you deploy the Layer. Special considerations for Windows 8.1 Applications To deliver applications on Windows 8.1 via Unidesk Layers, you need to build the applications so they can be centrally managed. This is because Windows Store Apps are managed via each user's profile and can only be deployed to one user. Regular Windows Store apps, like Bing Finance and Weather, cannot be sideloaded or layered. You can, however, deliver centrally managed applications on Windows 8.1 by sideloading Enterprise applications, also called Line of Business (LoB) Citrix Systems, Inc. All rights reserved. p.121

122 applications. For details, please see Sideloading Line of Business applications. Create an Application layer 1. Select Layers > Applicat ion Layersand select Creat e Layer in the Action bar. This opens the Create Layer wizard. 2. In the Layer Details tab,specify the following about the Layer. 1. Enter a name for the Application Layer. 2. (Optional) Enter a description of the Layer 3. Enter a version. This can be the version of the application or a version you assign to the Layer. This value is displayed in the Details view of the Layer. 4. (Optional) Enter a description of the version. 5. (Optional) Enter the path for a custom script that runs once after the Unidesk Machine restarts. 6. Specify the default size for the Layer, in gigabytes. Since Layers are thin provisioned, this value represents the maximum Layer size. Layers will grow as space is used, up to the maximum size. The default value is 10 gigabytes. If the application you are installing could eventually require more space, change this value accordingly. 3. In the Installation Machine Details tab, specify the operating system and the Installation Machine. The Application Layer becomes associated with the Operating System Layer that you use to create it.. 1. Select an Operating System Layer. The layer defaults to the most current version. To select an earlier version, you can expand the layer to display all versions. 2. Select an Installation Machine 4. In the Prerequisite Layers tab, select one or more layers from the displayed list, if required. Only applications created from the specified Operating System Layer are available. 1. Select an Application Layer in the Prerequisite Layers box. 2. Select the version of the Application Layer in the Application Details box. 3. Click Add Layer 5. In the Icon Assignment tab, select an icon to assign to the layer. This layer displays this image in the Icon and List views of the Layers Module. To use an existing image, select an image in the image box. To import a new image, click Browse and select an image in PNG or JPG format. For additional information about uploaded images, see the article about how to Assign icons. 6. In the Confirm and Complete tab, review the details of the Application Layer, enter a comment if required, and click Creat e Layer.If you enter comments, they appear in the Information view Audit History. 7. When prompted to do so in the Tasks bar, install the application and the prerequisite applications on the Installation Machine. Install the application(s) on the Installation Machine During the creation process for Application Layers, the software prompts you to install the applications you want to use in the Layer on the selected Installation Machine. Keep in mind that the state of the Installation Machine before you finalize a layer is what users experience when they access the Unidesk Machine Citrix Systems, Inc. All rights reserved. p.122

123 To install the applications on the Installation Machine: 1. Log in to the Installation Machine. 2. Install the applications, along with any drivers, boot-level applications, or files that the user will need with it. If an application installation requires a system restart, restart it manually. The Installation Machine does not restart automatically. 3. Make sure the Installation Machine is in the state you want it to be for the user: If the applications you install require any post-installation setup or application registration, complete these steps now. Remove any settings, configurations, files, mapped drives, or applications that you do not want to include on the Unidesk Machine. Finalize the Application Layer It is not necessary to log off or disconnect from the Installation Machine before you finalize the Application Layer. During the finalization step, the software will shut down the Installation Machine properly. After installing the applications on the Installation Machine, complete the following steps: 1. Return to the Unidesk Management Console 2. Select the Application Layer in the Layers module. 3. Select Finalize in the Action bar. 4. Monitor the Task bar to verify that the action completes successfully and that the Application Layer is deployable. Layer integrity check When finalizing a Layer, Unidesk checks to see if the Layer is ready. If any tasks remain to be completed, for example Microsoft NGen or other Windows operations, it waits until all Windows operations that are in progress on the Installation Machine have completed before finalizing the Layer. Otherwise, the new Layer or Layer version that uses this Installation Machine would have issues. A Layer integrity message, lets you know what you can do to expedite the completion of queued tasks that must be completed before a Layer is finalized. Layer Int egrit y Message: The new version version-name of Layer layer-name on Installation Machine (IM) im-name can only be finalized when the following conditions have been addressed: A reboot is pending to update drivers on the boot disk - please check and reboot the IM. A post-installation reboot is pending - please check and reboot the IM. A Microsoft NGen operation is in progress in the background. An MSI install operation is in progress - please check the IM. See if you can expedite Microsoft NGen operations About Microsoft NGen operations NGen is the Microsoft "Native Image Generator". It is part of the.net system, and basically re-compiles.net byte code Citrix Systems, Inc. All rights reserved. p.123

124 into native images and constructs the registry entries to manage them. Windows will decide when to run NGen, based on what is being installed and what Windows detects in the configuration. When NGen is running, you must let it complete. An interrupted NGen operation can leave you with non-functioning.net assemblies or other problems in the.net system. You have the choice of waiting for the NGen to complete in the background or you can force the NGen to the foreground. Forcing the NGen to the foreground will allow you to view the progress and once the output has completed you should be able to finalize the layer. Force an NGen operation to the foreground Normally, NGen is a background operation and will pause if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible. 1. Open a command prompt as Administrator. 2. Go to the Microsoft.NET Framework directory for the version currently in use: cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX 3. Enter the NGen command to execute the queued items: ngen update /force This brings the NGen task to the foreground in the command prompt, and lists the assemblies being compiled. Not e: It s okay if you see several compilation failed messages! 4. Look in the Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, you must allow it to complete, or re-run ngen update /force. Do not reboot to stop the task. You must allow it to complete. Check the status of an NGen operation If you would prefer to wait for the NGen to complete you can check the status as described here. However, every time you check the queue status, you are creating foreground activity, which might cause the background processing to temporarily pause. 1. Open a command prompt as Administrator. 2. Check status by running this command: ngen queue status 3. When you receive the following status, the NGen is complete, and you can finalize the Layer. The.NET Runtime Optimization Service is stopped Considerations If applications affect boot-level components Installing applications such as service packs, hot fixes, and antivirus applications can affect boot-level components, which means you'll need to restart the Installation Machine. This will generate a system task to rebuild the Unidesk Machine's Citrix Systems, Inc. All rights reserved. p.124

125 boot image. Once Unidesk rebuilds the boot image, it shuts down the Installation Machine copies the boot-level components to the boot volume, and restarts the Installation Machine. You can then finalize the layer or version. Not e: e If the Installation Machine restarts before the boot image rebuild is complete, you will see a STOP message screen. This is temporary. About setting a script to run the first time the user logs in When you create a Layer or Layer Version, you can specify a.cmd or.bat script to run the first time the Unidesk Machine (Desktop or Session Host) is deployed. For example, you can use a script to complete the setup for an application. The.cmd or.bat file is installed on the Installation Machine. New Layer Versions - When you create a new Layer Version, the new Version does not inherit the script from the original Layer. If you want to include the script from the original Layer, you need to set the script for the Layer Version. How to set a script To set a script for a Layer or Layer Version: 1. Add the script file to the Installation Machine you are using to create the Layer or Layer Version. Not e: To see whether a Layer Version already has a script configured, check by opening the Layer's Information view and expand the Version entries. 2. Enter the script's path in the Layer or Layer Version's Script Path field. For example, enter C:\Scripts\SpecialScript.bat in the Script Path field. Once the script runs on a Unidesk Machine, it will not run again because the scripts are executed only once. How to set a script to run more than once To run a script more than once, you can: Remove the Layer from the Unidesk Machine and then re-add it. Click Deskt op > Edit Deskt op or Session Host > Edit Session Host, select the Applicat ion Assignment tab, and select Repair for the layer Citrix Systems, Inc. All rights reserved. p.125

126 Assign applications to a desktop or session host Jun 28, 2017 Each Desktop and Session Host includes the applications that users require for their work. The Unidesk Management Console lets you add, remove, or reinstall applications on deployable Desktops and Session Hosts. Before you start Check the Layers module to make sure that the required Application Layers are available. Assign applications 1. Select Deskt ops > Deskt ops or Session Host s > Session Host s and select one or more of them. 2. Select the Edit action. This opens the Edit Desktop or Session Host wizard. 3. In the Application Assignment tab, select one or more applications from the Available Layers list. By default, the software selects the most recent version. To add or remove a specific version, complete the following steps: 1. Expand an application to view the available versions. 2. Select the box next to a version you want to use. 3. Clear the box next to a version that you want to remove. 4. If you want to reinstall a previously-assigned application, select Reinstall. 4. In the Maintenance Schedule tab, select a method for deployment of the configuration changes. You can deploy them in any of the following ways: Select or create a maintenance schedule. A maintenance schedule deploys changes during a specified time frame. As soon as possible. This option deploys the configuration changes after you shut down the Desktops or Session Hosts. Selecting this option overrides the current maintenance schedule. Defer deployment until a specified date and time. This option defers deployment of configuration changes until the specified time elapses. At that time, Unidesk deploys the configuration changes if the Desktops or Session Hosts are shut down. Selecting this option overrides the current maintenance schedule. When t he user logs out or reboot s t he Deskt op or Session Host s. This option defers deployment until the user logs out or reboots. 5. In the Confirm and Complete tab, verify that the application assignment details are correct, and click Updat e Deskt op/ Session Host. Unidesk deploys the configuration changes as specified by your Maintenance Schedule selection Citrix Systems, Inc. All rights reserved. p.126

127 Deploy anti-virus software Jun 28, 2017 You can deploy some of the most commonly-used anti-virus products in a Unidesk environment, including products from Symantec, McAfee, Trend Micro, Sophos, Kaspersky, and AVG. Not e: Some anti-virus products do not yet fully support Windows 10. Before implementing a Windows 10 layer, please check the documentation for your anti-virus package to ensure that Windows 10 is supported. General Guidelines Anti-virus software update options When deploying anti-virus software in a Unidesk layer, one of the considerations is how to handle the anti-virus updates. You can either: Turn on auto updates, and let the updates get stored in the user's Personalization Layer. If auto updates happen daily, this might be the most convenient approach. Note that whenever there is a major product update, you'll need to reinstall on the UEP by redeploying the layer to the Desktop with the Reinst all t he layer checkbox selected. Turn off auto updates, and redeploy the layer for each update. This requires updating the layer whenever you want to push out new updates. We generally recommend using the method with which you're most comfortable. This probably means continuing to do whatever you've been doing. Before you start When deploying any anti-virus software package in the Unidesk environment, you may need to: Start the Remote Registry Service for any of the remote installations. Disable the firewall on the Desktop before installing to allow the products to install. Disable Simple File sharing. Enable/disable User Account Control (UAC). Read the installation instructions for Virtual Desktop Infrastructure (VDI) deployments on the web site for the product you are installing. AVG software About deploying AVG in a Unidesk environment You can use a gold image or an Application Layer to deploy the AVG Business Edition anti-virus software in the Unideskenvironment. Use either of the following methods to deploy the AVG anti-virus software: Citrix Systems, Inc. All rights reserved. p.127

128 Install the software on a gold image and import it to a new Operating System Layer. Install the software on an Application Layer and assign the layer to new or existing Desktops. The following version of AVG anti-virus software has been tested: AVG 2013 Business Edition. Install the software on a gold image To deploy AVG software on a gold image: 1. Install the AVG software on the gold image. 2. Open the AVG application and select Option > Advanced Settings. 3. Select Temporarily Disable AVG Protection. 4. Click Temporarily Disable AVG Protection, and click OK to confirm. 5. Delete the following cache files: C:\ProgramData\AVG2013\Chjw\*.* 6. Click Enable AVG Prot ect ion. 7. Shut down the gold image. 8. Create an Operating System Layer using this gold image. 9. On newly deployed Desktops, it is recommended that you enable the Caching option again. You can do this automatically through integration with AVG Remote Administrator. Install the software on an Application Layer 1. Install the AVG software on the Application Layer. 2. Deploy the AVG layer to Desktops. Kaspersky anti-virus software About deploying Kaspersky software in a Unidesk environment This section provides Kaspersky installation information that is specific to the Unidesk environment. See the Kaspersky documentation for additional instructions about deploying the software in a VDI environment. And, for details about using Kaspersky for non-persistent Desktops in a VDI environment, please read the section on Dynamic VDI Support in this Kaspersky article. Use the following methods to deploy the Kaspersky anti-virus software: Install the software on an Application Layer or Application Layer revision Citrix Systems, Inc. All rights reserved. p.128

129 Install the software on the gold image you import into an Operating System Layer. Install the software on an Operating System Layer revision. The following versions of Kaspersky Endpoint Security for Business have been tested. Kaspersky Security Center Kaspersky Endpoint Security 10 for Windows (a). Note: Encryption with Kaspersky 10.2 is not supported. Kaspersky 10.2 Encryption uses a form of disk virtualization that bypasses the Unidesk virtualization, and as such is incompatible with Unidesk. When deploying Kaspersky 10.2 make sure to deselec the Encryption options before deploying the application. If you plan to use a new Operating System Layer to deploy the Kaspersky software, install the software on the gold image BEFORE you install the Unidesk Tools. If you plan to use the Kaspersky Administration Server to manage the Desktop, install both Kaspersky Anti-Virus for Workstations and Kaspersky NetAgent on the Installation Machine (for Application Layers or layer revisions) or on a gold image (for a new Operating System Layer). If you do not plan to use the Kaspersky Administration Server, install Kaspersky Anti-Virus for Workstations only on the Installation Machine or the gold image. When you install the Kaspersky NetAgent, clear the selection for the start application during install option. When you install the Kaspersky Anti-Virus for Workstations in a stand-alone configuration, do not enable password protection for any of the administrative options. The password you enter on the Installation Machine or gold image does not work on the Desktop after you deploy the software. After you install the Kaspersky software on an Installation Machine (for Application Layers or layer revisions), a system restart (and Desktop image rebuild) is required. Kaspersky 10.1 special requirement Before adding Kaspersky 10.1 to either the gold image or to a layer, you need to add a value to the Unifltr service in the registry. Here's how: 1. Run regedit. 2. Navigate to the HKLM\Syst em\current Cont rolset \Services\Unif lt r key. 3. Right click in the right hand pane and a DWORD value. 4. Set the name of the value to MiniFilt erbypass. 5. Set the value to Exit regedit. 7. Reboot the machine, as the setting is only read at boot time. Special steps for installing the software on an Application Layer Complete the following steps when you install the Kaspersky software on an Application Layer: 1. Install the Kaspersky software on the Installation Machine. Note: If you will be deploying non-persistent Desktops running Kaspersky, you need to mark the image as a Dynamic VDI so that the Kaspersky Administration Server considers the clones of this image dynamic, and when a clone is turned off, Citrix Systems, Inc. All rights reserved. p.129

130 its information is automatically deleted from the database. To mark the image of a dynamic VDI, install the Kaspersky Network Agent with the Enable dynamic mode f or VDI parameter enabled. For details, see the section of this article on Dynamic VDI Support. 2. Restart the Installation Machine using the Hyper-V client. 3. Finalize the layer in the usual way. If you assign the Application Layer with the Kaspersky software to a Desktop when you create it, the Kaspersky NetAgent might not start the first time a user logs in to the Desktop. Restart the Desktop to start the NetAgent software. Possible issues The following interoperability issues can occur on Unidesk Desktops that have Kaspersky anti-virus software installed. Kasperky NetAgent startup If you use an Application Layer to deploy the Kaspersky NetAgent software to a Desktop, the NetAgent software might not start the first time the Desktops restarts. When this occurs, the Windows Event Viewer might display the following error: #1266 (0) Transport level error while connection to : authentication failure If the NetAgent software doesn't start, restart the Desktop. The NetAgent software should start properly at that time. Kasperky 10 - End-user Pause causes Network Attack Blocker to stop working When using Kaspersky 10, the end-user Pause causes the Network Attack Blocker to stop working. To fix this issue, restart the Kaspersky software. The Network Attack Blocker will continue running as expected. McAfee anti-virus software About deploying McAfee in a Unidesk environment The following procedures describe how to use an Operating System Layer or an Application Layer to deploy the McAfee anti-virus software in a Unidesk environment. These procedures are based on the McAfee Product Guides. You can find McAfee documentation at the following locations: epolicy Orchestrator 4.6: Install the software on a gold image that you import into an Operating System Layer. Install the software on an OS Layer version. Install the software on an Application Layer and assign the layer to new or existing Desktops. The following versions of McAfee anti-virus software have been tested: Citrix Systems, Inc. All rights reserved. p.130

131 epolicy Orchestrator (epo), version McAfee Agent, version VirusScan Enterprise, version Not e: The epolicy Orchestrator server was used to create the McAfee Agent installation package, as described in "Creating custom agent installation packages" in the McAfee epolicy Orchestrator Product Guide. The requirements for installing the McAfee anti-virus software in a Unidesk gold image or Application Layer are the same as those for Including the agent on an image outlined in the McAfee epo product guide. Depending on the McAfee version, you might need to remove the Globally Unique Identifier (GUID) for the McAfee Agent after you install it. Refer to the McAfee documentation for the version of the software you are using to determine if this step is recommended or required. Install the software on a gold image Use this procedure if you plan to use an Operating System Layer to deploy the McAfee anti-virus software on UnideskDesktops. 1. Install the McAfee Agent software on the gold image. The gold image becomes visible in the epolicy Orchestrator System Tree systems list. 2. Install the McAfee VirusScan Enterprise software on the gold image: 1. When prompted to remove Windows Defender, click Yes. 2. Allow the McAfee Agent Updater to complete an update. This step can take several minutes to complete. 3. Click Finish to complete the installation. 3. When the installation completes, the first scan begins. Allow the scan to complete. 4. Change the McAfee Start value: 1. Open the McAfee VirusScan Console, and disable the AccessProtection. 2. Open the registry editor (regedit), go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk], and change the St art value from 0to a Back in the McAfee VirusScan Console, re-enable the AccessProtection. 5. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary): 1. Open the registry editor (regedit). 2. Locate the following registry key and delete it: 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID 6. Shut down the gold image and import it in to an Operating System Layer. Install the software on an Application Layer Use this procedure if you plan to use a layer to deploy the McAfee anti-virus software on Unidesk Desktops. 1. In the Unidesk Management Console, complete the Create Layer wizard Citrix Systems, Inc. All rights reserved. p.131

132 2. If you are layering McAfee on the Windows 8.1 OS, turn off Windows Defender. 3. When prompted to install the software, install the McAfee Agent software on the Installation Machine. After this installation completes, the Installation Machine is visible in the epolicy Orchestrator System Tree systems list. This installation causes a system task to start, indicating that a rebuild of the boot image for the Installation Machineis required. 4. Install the McAfee VirusScan Enterprise (VSE) software on the Installation Machine. 1. If prompted to remove Windows Defender, click Yes. 2. If layering McAfee on Windows 8.1, re-install the VSE software on the Installation Machine using files from the McAfee EPO server. Otherwise, allow the McAfee Agent Updater to complete an update. This step can take several minutes to complete. 3. Click Finish to complete the installation. 5. Change the McAfee Start value: 1. Open the McAfee VirusScan Console, and disable the AccessProtection. 2. Open the registry editor (regedit), go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk], and change the St art value from 0to a Back in the McAfee VirusScan Console, re-enable the AccessProtection. 6. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary): 1. Open the registry editor (regedit). 2. Locate the following registry key and delete it: 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID 7. Finalize the Application Layer and deploy the Layer in the usual way. Possible interoperability issues The following interoperability issues can occur on Unidesk Desktops that have McAfee anti-virus software installed. If the McAfee anti-virus software on a Unidesk Desktop is configured to scan script files, you can experience long delays when you try to open video files in the Microsoft Internet Explorer web browser. When you try to open these files, the McAfee software and Unidesk try to perform operations on these files at the same time. This conflict causes a delay in running the video file. All other windows and applications continue to function normally. If you encounter this type of delay, wait for the video file to run. Eventually, the McAfee operation times out and the Unideskoperation completes. This issue has no affect on the ability of the anti-virus software to check the video files for viruses. If Desktops with a McAfee layer are not visible from epolicy Orchestrator, you can fix the issue by using the steps outlined in the following McAfee knowledge base article: Citrix Systems, Inc. All rights reserved. p.132

133 McAfee MOVE AntiVirus software About deploying McAfee MOVE AntiVirus software in a Unidesk environment The following procedures describe describes how to deploy the McAfee MOVE AntiVirus software in a Unidesk environment. Not e: These instructions assume that you have installed and configured McAfee MOVE AntiVirus software on McAfee epolicy Orchestrator (epo). Use the following method to deploy the McAfee MOVE AntiVirus software. Install the software on an Application Layer and assign the layer to existing desktops. The following versions of McAfee MOVE AntiVirus software have been tested: McAfee Agent for Windows, version McAfee AV MOVE Multi-Platform client, version McAfee VirusScan Enterprise, version McAfee AV MOVE Multi-Platform Offload Scan Server, version Ensure that the following condition is met before deploying McAfee MOVE AntiVirus software. For Windows 7 and 8.1: Windows Defender is turned off. Create a McAfee Agent MOVE AV CLIENT Application layer Use these steps to create a McAfee Agent MOVE AV CLIENT Application layer in Unidesk. 1. In the Unidesk Management Console (UMC), select Layers > Application Layer > Create Layer. The Create Layer Wizard appears. 2. Complete the Create Layer Wizard and click Create Layer on the Confirm and Complete tab. 3. View the current tasks in the UMC. At first, the Create Application Layer <layer_name> task has a "Running" status. When the status of the Create Application Layer <layer_name> task changes to 'Action Required', log in to the Installation Machine (IM) as Administrator. 4. Push the McAfee Agent software to the IM using the McAfee epolicy Orchestrator. The IM becomes visible in the epo System Tree list and the McAfee icon appears in the taskbar of the IM. 5. Use the Product Deployment task on the epo to install the McAfee MOVE AV [Multi-Platform] Client on the IM. 6. Restart the IM and log in to it again as Administrator. 7. On the IM, delete the value for the registry key named AgentGUID from one of the following locations, depending on your Windows operating system: bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent Citrix Systems, Inc. All rights reserved. p.133

134 8. Shut down the IM. 9. Finalize the Application layer. Microsoft Security Essentials About deploying Microsoft Security Essentials in a Unidesk environment The following procedures describe how to use an Operating System Layer or an Application Layer to deploy the Microsoft Security Essentials anti-virus software in a Unidesk environment. Use one of the following methods to deploy the Microsoft Security Essentials anti-virus software: Install the software on a gold image that you import into an Operating System Layer. Install the software on an OS Layer Version. Install the software on an Application Layer. The following version of Microsoft Security Essentials anti-virus software has been tested: Microsoft Security Essentials 2012, version The Microsoft Security Essentials anti-virus software in a Unidesk gold image, Operating System Layer Version, or Application Layer. You must enable the Windows Update service, but do not use the windows updates themselves. The updates themselves must remain disabled. Configure Microsoft Security Essentials for Windows 7 on a Unidesk Layer Version Use these steps to configure Microsoft Security Essentials on Windows 7 (32- or 64-bit). By default, the Windows Update service is disabled by the Unidesk Optimization scripts, so to correctly deploy Microsoft Security Essentials as either an Operating System or Application Layer on Windows 7, you must do the following. 1. Create a new Operating System or Application Layer version. 2. Go to C:\windows\setup\scripts and re-run the Unidesk Optimization Script Builder (if it was deleted, download it again). 3. In the Unidesk Optimization Script Builder, deselect Disable Windows Updat e Service. 4. Finalize the Layer. The Update service startup type will change from Disabled to Manual. Windows updates will not be enable, which is a Unidesk requirement. During installation, check services.msc and make sure that the Windows Update Service startup type is set to Manual. If it s not, changethe Windows Update Service startup type to Manual and restart Windows. Troubleshooting failed Microsoft Windows Essentials updates Citrix Systems, Inc. All rights reserved. p.134

135 If the Microsoft Security Essentials update fails on a Desktop because Windows updates are turned off, try the following. Unless you have disabled Windows Updates using the Local Group Policy Editor, turn Windows Updates on using the Control Panel. This allows Microsoft Security Essentials to update on the Desktop. If you disabled Windows Updates using the Local Group Policy Editor, you need to: 1. Run regedit and remove the Local Group Policy. 2. Reboot the machine. 3. Enable Windows Updates from Control Panel. Sophos Cloud Anti-Virus - All supported Operating Systems Before you start Create and activate your Sophos Cloud 11.0 account, as described in the Sophos documentation: Install the Sophos Cloud software on a new version of the Operating System Layer 1. In the Unidesk Management Console, select Layers > OS Layers > Add Version. 2. When the task status changes to Action Required,.prepare your Installation Machine (IM) according to the General Guidelines for deploying anti-virus software. 3. Join the Installation Machine to the domain. Note: The Sophos installer creates Groups and puts users to them, so the Installation Machine must be in the domain.. 4. On the Installation Machine, log into your Sophos Cloud console ( ). 5. Download SophosInstall.exe from your Sophos Cloud account. Import ant : Do not use the ed installer for this installation. 6. Install the Sophos Cloud software onto the Installation Machine. 7. When the task to install Sophos has completed (or indicates that an Action is required), restart the Installation Machine. 8. In your Sophos Cloud console, click Report s > Event s and ensure that the computer is managed in Sophos Cloud and up-to-date before continuing. 9. Stop and disable the following Windows services: Sophos MCS Client Sophos MCS Agent 10. Delete the following files: Windows 7 Windows 8.1 C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\Credentials C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\*.xml C:\ProgramData\Sophos\AutoUpdate\data\machine_ID Citrix Systems, Inc. All rights reserved. p.135

136 11. Edit the Sophos configuration: 1. Navigate to the Sophos configuration folder for your operating system: Windows 7 Windows 8.1 C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\ 2. Create or open a file called registration.txt, and add the following lines to this file: [McsClient] Token=value_of_MCS_REGISTRATION_TOKEN where value_of_mcs_registration_token is the value of the MCS_REGISTRATION_TOKEN, which identifies your Sophos Cloud account. You must extract the value of this token from SophosInstall.exe, as described in Sophos Article ID: Edit the Sophos setup file: 1. In the folder listed below, create a file called SophosSetup.cmd. Windows 7 Windows 8.1 C:\Windows\Setup\scripts\kmsdir 2. Add the following lines to this file, including the double quotes: sc config "Sophos MCS Client" start= auto sc config "Sophos MCS Agent" start= auto net start "Sophos MCS Client" net start "Sophos MCS Agent" 13. Edit the commands to run each time Sophos is started: Windows 7 Windows Edit the file c:\windows\setup\scripts\kmsdir\kmssetup.cmd. 2. Add the following script to the section labeled, Commands to run every boot. This script runs the SophosSetup.cmd file. Script details: REM Change Sophos Service to Automatic - once If EXIST SophosSetup.cmd ( echo!date!-!time!-kmssetup.cmd:call SophosSetup.cmd >> SophosSetuplog.txt Call SophosSetup.cmd >> SophosSetuplog.txt Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt Del SophosSetup.cmd >> SophosSetuplog.txt ) 14. Join the Installation Machine back to the workgroup. 15. Finalize the Operating System Layer in usual way. 16. To become protected, Persistent Desktops need to be restarted an extra time, Use the Unidesk Management Console Citrix Systems, Inc. All rights reserved. p.136

137 to restart the Desktop. Sophos Cloud net work icon st at us: On Windows 7 Desktops, the Sophos Network icon shows status as disconnected, when in fact the connection is working fine. Sophos Anti-Virus - Windows 7 and Windows 8.1 Desktops About deploying Sophos to new Windows 7 Desktops This section explains how to deploy the Sophos anti-virus software on new or existing Desktops. You can add Sophos Antivirus to either the gold image or to a Version of the Operating System Layer. These procedures are based on the Sophos knowledge base article that describes how to configure a Desktop to communicate with the Enterprise Console when the Desktops are used in a VDI environment. You must always use a gold image or an Operating System Layer Version to deploy Sophos software. You cannot deploy Sophos software as an Application layer. This is because Sophos creates a user account that it uses for updates on the Desktops it manages, and Unidesk supports these user accounts in the gold image or Operating System Layer Version. The following version of Sophos anti-virus software has been installed: Sophos Enterprise Console version Sophos Endpoint Security and Control version Note: If Sophos is unable to update the Sophos Auto Update module, all virus signature updates will also fail. To allow Sophos to update its own updater, edit your OS Layer and delete this directory: C:\ProgramData\Sophos\AutoUpdate\Cache\sau Configure the gold image or the Operating System Layer Version To deploy Sophos in the Unidesk environment: 1. Install the Sophos software on the gold image or Operating System Layer Version. 2. If using a gold image, make sure the Unidesk Tools are installed on the image. If using an Operating System Layer Version, you can skip this step. When prompted, allow the system to restart, but do not shut down the gold image after installation finishes. Instead, complete the rest of this procedure first. 3. Stop and disable only the Sophos services listed in this step. When you deploy the Desktops, a Mini-Setup runs. Disabling the specified services ensures that the Sophos services do not start until the Mini-Setup completes. Sophos Agent Sophos AutoUpdate Service Sophos Message Router Citrix Systems, Inc. All rights reserved. p.137

138 4. Open the registry editor (using regedit) and delete the pkc and pkp values for the following keys: Windows 32-bit systems HKLM\Software\Sophos\Messaging System\Router\Private\ HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private\ Windows 64-bit systems HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private\ HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\ 5. Delete the following files: C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml 6. Rename the directories: From: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp To: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp.copy From: C:\ProgramData\Sophos\AutoUpdate\Cache\rms To: C:\ProgramData\Sophos\AutoUpdate\Cache\rms.copy This step is required because Unidesk blocks attempts to rename directories that exist on a gold image and the Sophos update requires it to rename these directories. 7. Create a file named SophosSetup.cmd and place it in the C:\Windows\Setup\scripts\kmsdir folder. (If the folder doesn't exist, create it). 8. Add the following lines to SophosSetup.cmd (include the double quotes as shown below): cd "c:\programdata\sophos\autoupdate\cache" xcopy savxp.copy\*.* savxp\*.* /s/y xcopy rms.copy\*.* rms\*.* /s/y sc config "Sophos Agent" start= auto sc config "Sophos AutoUpdate Service" start= auto sc config "Sophos Message Router" start= auto net start "Sophos Agent" net start "Sophos AutoUpdate Service" net start "Sophos Message Router" 9. Edit the c:\windows\setup\scripts\kmsdir\kmssetup.cmd file, and add the following script to the section labeled, 'Commands to run every boot'. This script runs the SophosSetup.cmd file. Script details: The script checks for thesophossetup.cmd file, and if it's there, runs it. It then copies the SophosSetup.cmd file to document it, and deletes the file so it only runs once. If the Layer is ever reinstalled, then the SophosSetup.cmd file will come back, and the script will be run again. On a Non-persistent Desktop the script will be run before the Non-persistent disk conversion. Example of kmssetup.cmd with Sophos script Citrix Systems, Inc. All rights reserved. p.138

139 REM Change Sophos Service to Automatic - once If EXIST SophosSetup.cmd ( echo!date!-!time!-kmssetup.cmd:call SophosSetup.cmd >> SophosSetuplog.txt Call SophosSetup.cmd >> SophosSetuplog.txt Del SophosSetupCMD.txt >> SophosSetuplog.txt Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt Del SophosSetup.cmd >> SophosSetuplog.txt ) 10. If you are using a gold image, shut down the gold image, and use the Unidesk Management Console to create a new Operating System Layer. This imports the gold image into the new Operating System Layer. If you are using an Operating System Layer Version, finalize the version in the usual way. 11. To become protected, Persistent Desktops need to be restarted an extra time. Use the Unidesk Management Console to restart the Desktop. Optional: Adjust the security identifier After importing the gold into an Operating System Layer, you might need to create a new version for the Operating System Layer to update the security identifier (SID) values in one of the Sophos configuration files. The following Sophos knowledge base article explains how to update the security identifier (SID) values in one of the Sophos configuration files. When do I need to adjust the SID? If you deploy a Desktop using the Operating System Layer with the Sophos software and the user cannot open the Sophos Endpoint Security and Control user interface, you need to adjust the SID. SID adjustment procedure You can do these steps either before or after importing the gold image into the Unidesk environment. Before you have imported the gold image into the Unidesk environment, you can do these steps on the gold image. If you have already imported the gold image, you may do these steps by either editing the latest Operating System Layer revision, or by creating a new revision of the Operating System Layer. 1. Download the script file called UpdateSID.vbs from the Sophos web site. Place this file in the C:\Windows\Setup\Scripts directory. This script is required to fix the machine ID after a Desktop has been deployed. 2. Edit the C:\Windows\Setup\Scripts\SophosSetup.cmd file, and add the following two lines to the end of the file: cd \Windows\setup\scripts cscript.exe UpdateSID.vbs //B 3. If this is a an OS layer version, finalize the version in the usual way. You can now create Desktops using this version of the Operating System Layer. The Desktops should be able to connect to the Enterprise Console, register, and update according to the update schedule. Symantec Endpoint Protection software Citrix Systems, Inc. All rights reserved. p.139

140 About deploying Symantec Endpoint Protection software in a Unidesk environment You can deploy the Symantec Endpoint Protection application using any of the following methods. Install the application on a gold image, then import the gold image into an Operating System Layer. Install the application as an OS Layer version. Install the application as part of an Application Layer. Not e: On-access scanning is recommended in Unidesk Deployments. You can use the Symantec Shared Insight Cache to improve performance by avoiding the rescan of files in a Layer after the files have been marked 'clean.' The following table describes virus scan behavior on Unidesk Desktops. Scan t ype Behavior Onaccess Manual Microsoft Windows 7: On-access scans work as expected on all Unidesk Desktops. Microsoft Windows 7: If you turn off User Account Control (UAC), a manual virus scan examines only the files on the virtual machine's boot volume. You should keep UAC enabled when you install the software. Symantec Endpoint Protection Client and Manager support: v (12.1 RU5 build 5337, ) Install software using Symantec Endpoint Protection Manager If you are using the Symantec Endpoint Protection Manager to install the Symantec Endpoint Protection Client onto a gold image or an Installation Machine, follow these steps. This procedure uses Computer Mode as the deployment method. 1. In the Symantec Endpoint Protection Manager, locate the gold image (if you are using an Operating System Layer) or the Installation Machine (if you are using an Application Layer or layer revision). 1. Select Clients > Find Unmanaged Computers. 2. Enter the appropriate search criteria in the displayed window. 3. Install the software. 2. Log into the Installation Machine and turn T amper Prot ect ion off. 3. Turn off the registry entry for Stealth protection (shown below). This allows scanning to work even if User Account Control (UAC) is turned on. For 32-bit machines: [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Common] "ScanStealthFiles" = (REG_DWORD) 0 For 64-bit machines: Citrix Systems, Inc. All rights reserved. p.140

141 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Common] "ScanStealthFiles" = (REG_DWORD) 0 4. Using regedit, change the Group and Tag values for each ccsettings GUID. 1. Go to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ccSettings_{GUID}]. If there is more than one ccsettings_{guid}, start with the first one. Not e: When you first install Symantec, there is one ccsettings_{guid}, and each time you upgrade the application, another GUID is added. 2. For each ccsettings_{guid}, change the Group value from FSFilt er Bot t om to FSFilt er Virt ualizat ion. 3. Then change the Tag value to an 8 for the first GUID, and add 1 to the value for each succeeding GUID. So, for the next GUID the value will be 9, the one after that will be 10, etc. 5. Restart the Installation Machine or Gold image, then restart the Installation Machine as often as necessary until the post-installation reboot request no longer appears in the Unidesk Manager Console. 6. Turn T amper Prot ect ion back on. 7. For SEP 12.1.x, use the instructions in the following knowledge base article to prepare the machines to deploy the software in a VDI environment. How to prepare a Symantec Endpoint Protection 12.1 client for cloning: 8. Shut down the Gold image and import it in to an Operating System Layer or Finalize IM. Installation considerations When you deploy the Symantec Endpoint Protection application, the Unidesk software needs to rebuild the Desktop or Installation Machine image several times during deployment (depending on how you deploy this application). This behavior is expected, as the Symantec Endpoint Protection software does not complete the full configuration of boot-level components during the initial installation. The Symantec Endpoint Protection software: Installs some of the required drivers and restarts the Desktop or Installation Machine. Updates additional components and restarts the Desktop or Installation Machine again. Completes the installation and restarts the Desktop or Installation Machine one more time. You will need to manually reboot the machine after the Symantec Endpoint Protection software completes each of the remaining configuration tasks, which include: Installation of the required drivers. Update of additional components required on the boot partition. Completion of the installation. You will need to log into the machine and watch the Unidesk Console for System tasks assigned to the Desktop or Installation Machine. To see these System tasks, expand the Task bar, and click Show Hidden Tasks. Each time a system Citrix Systems, Inc. All rights reserved. p.141

142 task appears for the Desktop or installation machine, manually reboot the machine. To complete the installation, repeat this process until system tasks no longer appear. If installing on an installation machine, you are ready to finalize the package. If you are deploying the Symantec software to Non-persistent Desktops, it must be included when creating the Desktop. If you add an Application Layer containing Symantec Endpoint Protection to an existing Non-persistent Desktop, two entries per Desktop will show up in the Symantec Endpoint Protection Manager. 1. In the SEPM console, go to the Admin page, and select Domains. 2. Under T asks, select Edit Domain Propert ies. 3. In the Edit Domain Properties window, on the default General tab, note the option to Delet e client s t hat have not connect ed f or specif ied t ime. A recommended value for large enterprise environments would be 7 to 14 days. 4. For details, see Solution 2 in this SEP article. If you plan to deploy Symantec Endpoint Protection in a layer please note that the Symantec Help (SymHelp) diagnostic tool requires that 2 files be placed in the UEP. In order to do, create a script with the following lines and place the path to it in a script path when applying the Symantec layer. pushd "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\IRON" copy Iron.db Iron.db.save copy Iron.db.save Iron.db /y copy RepuSeed.irn RepuSeed.irn.save copy RepuSeed.irn.save RepuSeed.irn /y popd Trend Micro OfficeScan anti-virus software About deploying Trend Micro OfficeScan software in a Unidesk environment The following procedures describe how to use an Operating System Layer or an Application Layer to deploy the Trend Micro OfficeScan anti-virus software in the Unidesk environment. These procedures are based on the Trend Micro documentation for deploying Desktops in a VDI environment. Please refer to the following Trend Micro document, as it is important to understand their recommendations when installing the software: For Knowledge base articles and Forum discussions on other Trend Micro products, search the Unidesk site. Use any of the following methods to deploy the Trend Micro anti-virus software: Install the software on a gold image and import it to a new Operating System Layer. Install the software on an OS Layer version Citrix Systems, Inc. All rights reserved. p.142

143 Install the software on an Application Layer and assign the layer to new or existing Desktops. Important If you install Trend Micro OfficeScan on a gold image or OS Layer version, you must run the OfficeScan TCacheGen.exe file on the gold image or Operating System Layer, and on every Application Layer that uses that gold image or Operating System Layer. In addition, whenever you create an Application Layer or layer version, you must run TCacheGen.exe again on every layer that uses the Operating System Layer containing Trend Micro OfficeScan. Once you run TCacheGen.exe, do not run the Installation Machine again. You can copy TCacheGen.exe from the OfficeScan server, as specified in the Trend Micro documentation. Typically, this file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder. The following version of Trend Micro anti virus has been tested: Trend Micro OfficeScan Client and Server version 11. Trend Micro OfficeScan Client and Server version Install the software on a gold image 1. Install the Unidesk Tools on the gold image. This procedure requires that the Globally Unique Identifier (GUID) for the Trend Micro software is removed before you import the gold image in to an Operating System Layer (see step 4). When you install the Unidesk Tools, a system restart is required, which creates a new GUID. Therefore, you must install the Unidesk Tools first, allow the installation to restart the machine, and then remove the GUID that the restart created. 2. For OfficeScan 11, Unauthorized Change Prevention service is not supported by Unidesk. Therefore, this service has to be disabled for whole OfficeScan Server: 1. In the web console, go to Agent s > Agent Management. 2. Select Of f icescan Server. Right-click Of f icescan Server and go to Set t ings > Addit ional service set t ings. An Additional service settings window appears. 3. Clear the check box Enable service on t he f ollowing operat ing syst ems for Unaut horized Change Prevent ion service. 3. Install the Trend Micro Micro OfficeScan Client on the Installation Machine. If prompted, restart the Installation Machine to allow the boot image to rebuild. 4. Copy the TCacheGen.exe file from the OfficeScan server, as documented in step 1 in the Trend Micro documentation. Typically, this file is located in the \\<TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder. 5. Run the TCacheGen.exe as described in Step 2 of the Trend Micro documentation. 6. Click Remove GUID from the Template and click OK. 7. Shut down the gold image. 8. Create an Operating System Layer using the gold image in the usual way Citrix Systems, Inc. All rights reserved. p.143

144 Important: Any time you add a version to this layer, you must run the TCacheGen.exe and remove the GUID again. This ensures that the Desktops that use this layer operate correctly. Install the software on an Application Layer 1. In the Unidesk Management Console, complete the Create Layer Wizard in usual way. 2. For OfficeScan 11, Unauthorized Change Prevention service is not supported by Unidesk. Therefore this service has to be disable for whole OfficeScan Server: 1. In the web console, go to Agent s > Agent Management. 2. Select Of f icescan Server. Right-click Of f icescan Server and go to Set t ings > Addit ional service set t ings. An Additional service settings window appears. 3. Clear the check box Enable service on t he f ollowing operat ing syst ems for Unaut horized Change Prevent ion service. 3. Install the Trend Micro OfficeScan Client on the Installation Machine. If prompted, restart the Installation Machine to allow the boot image to rebuild. 4. After the Installation Machine restarts, copy the TCacheGen.exe file from the OfficeScan server, as documented in step 1 in the Trend Micro documentation. Typically, this file is located in the \\ <TrendServerName>\ofcscan\Admin\Utility\TCacheGen folder. 5. Run the TCacheGen.exe as detailed in Step 2 of the Trend Micro documentation. 6. Click Remove GUID from the Template and click OK. 7. Finalize the layer. Important: Any time you add a version to this layer, you must run the TCacheGen.exe and remove the GUID again. This ensures that the Desktops that use this layer operate correctly Citrix Systems, Inc. All rights reserved. p.144

145 Deploy Windows 8.1 applications in Layers Jun 28, 2017 To deliver applications on Windows 8.1 via Unidesk Layers, you need to build the applications so they can be centrally managed. This is because Windows Store Apps are managed via each user's profile and can only be deployed to one user. Regular Windows Store apps, like Bing Finance and Weather, cannot be sideloaded or layered. You can, however, deliver centrally managed applications on Windows 8.1 by sideloading Enterprise applications, also called Line of Business (LoB) applications. Requirements to run Windows 8.1 Enterprise Line of Business (LoB) apps include: Apply a Security Certificate. (Manual or automatic) During the creation of the application, a security certificate.cer file is created (building a test app creates a simple certificate, actual enterprise apps will use more robust certificates that are applied through GPOs) and needs to be applied before the app is applied. Install Root Certificate for LoB apps. Enable app Sideloading. Enable Allow all t rust ed apps t o inst all. This policy setting is under Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment. Join a domain. Make sure the system is in a domain. Microsoft provides several resources for building Windows Store LoB apps, including: Design case study: Enterprise line of business Windows Runtime app Building Windows Store Line-of-Business Applications Building Windows 8 Line of Business Apps Microsoft lets you deploy an LoB app by sideloading it for all users or for one user, and you can do either with Unidesk. Sideloading an app is done by running a few commands in Windows PowerShell. Sideload the app for all users You can sideload an app for all users by using the Deployment Image Servicing and Management (DISM) tool. DISM is a command-line tool that you can use to service a Windows image, either online or offline. You can use DISM to provision a Windows Store app in an online Windows image for all users who share the computer. To do that, you use the DISM Add- ProvisionedAppxPackage option, as follows: 1. Log on using an account with administrative privileges on the computer. You must use an administrator account here, because you are provisioning an app in the image. 2. On the Start screen, type PowerShell and press Ct rl/shif t /Ent er. 3. On the User Account Control dialog box, click Yes Citrix Systems, Inc. All rights reserved. p.145

146 4. At the Windows PowerShell prompt, run the following command, where SampleApp is the path and file name of the package file you created (e.g., c:\myapps\mysample_ _anycpu_debug.appx): DISM /Online /Add-ProvisionedAppxPackage /PackagePath: SampleApp /skiplicense 5. Monitor the installation, and close the Windows PowerShell window after it finishes. For more about DISM, see the Microsoft Deployment Image Servicing and Management Technical Reference. Sideload the app for a user You can sideload the app for the current user account. If another user were to log onto the computer, the app would not be available to them. Here are the steps to sideload an app for a user: 1. Log onto the domain using the target account, because you cannot run the sample app by using the built-in local or domain Administrator account. You can use a standard user account. 2. On the Start screen, type PowerShell and press Enter. 3. At the Windows PowerShell prompt, run the following commands, where SampleApp is the path and name of the package file you created (e.g., c:\myapps\mysample_ _anycpu_debug.appx): import-module appx add-appxpackage SampleApp 4. Monitor the installation, and close the Windows PowerShell window after it finishes. Launch the LoB app On the Start screen, click the app's tile. You will find it on the far right side of the Start screen. You can also type the app s name, and click the tile. For example, we named our app MySample. On the Start screen, we just type MySample, and then click the MySample tile. Of course, there is not much to the app, but you have successfully sideloaded it, and sideloading other Windows Store apps works the same way. Remove an LoB app from a Unidesk Application Layer If installed as an Application Layer, removing the Layer from a Desktop will cause the LoB app to stop working, but will still appear on the start page. When the Layer is removed, the app will no longer be applied to new users, since the DISM action is no longer executing. If installed on an Operating System Layer Version: 1. Use the usual provisionapp removal procedures, for example: Remove-AppxProvisionedPackage -Online -PackageName MyAppxPkg Or, at a command prompt, type: Citrix Systems, Inc. All rights reserved. p.146

147 DISM.exe /Online /Remove-ProvisionedAppxPackage /PackageName:microsoft.app1_ _neutral_enus_ac4zc6fex2zjp Try It Out: Sideload Windows Store Apps Sideload Apps with DISM Packaging your Windows Store app using Visual Studio 2012 Create an app package Managing apps Citrix Systems, Inc. All rights reserved. p.147

148 Administer Jun 28, 2017 Unidesk Management Console Unidesk Layers Desktops, Session Hosts, and Collections Hosts and appliances Appliance health Brokers Users Troubleshoot Citrix Systems, Inc. All rights reserved. p.148

149 Unidesk Management Console Jun 28, 2017 The Unidesk Management Console is a Web-based management application on the Management Appliance that you use to manage the Unidesk environment. The Unidesk Management Console lets you: Create and manage virtual Unidesk Machines (Desktops or Session Hosts) for users. Create and manage operating system and application layers. Shut down and restart virtual Unidesk Machines. Manage users and groups who you can assign to Unidesk Machines. Manage system settings. Unidesk Management Console basics To manage items in the Unidesk system, you navigate between different modules in the Unidesk Management Console and select the appropriate actions. This topic explains how to do the following tasks: Select modules To manage the items in a module, select the module in the menu bar. You can select the following modules: Desktops - allows you to manage Desktops. A Desktop is a virtual machine that a user interacts with on their local computer. Session Hosts - allows you to manage Session Hosts. A Session Host is a virtual machine that multiple users interact with on their local computers. Layers - allows you to manage Operating System and Application Layers. Operating System and Application Layers are components in a Unidesk Machine. Users - allows you to manage local and directory service users, including administrators, in the Unidesk system. It also allows you to organize users into groups. System - allows you to perform tasks related to managing and using the Unidesk system. The following image shows an example of the items in the menu bar. Select actions After selecting a module, the Action bar displays the actions associated with the selected module and selected objects. If you do not select an object, only the Create actions are enabled. To select an action, complete either of the following tasks: To create a new item, select the create action in the Action bar. To modify or manage an existing item, select it and select the appropriate action in the Action bar. The following image shows an example of the Action bar when the Layers module is the selected module and a layer is selected. In this example, you can create a layer, modify the selected item, add a version to it, or delete a version. The Finalize action is not active because you need to start to create an Application Layer or add a version first. Change Unidesk Management Console views Citrix Systems, Inc. All rights reserved. p.149

150 Change the administrator password Jun 28, 2017 Use these steps to change the password for the original Administrator account created for the Unidesk Management Console. 1. Log into the Unidesk Management Console. 2. Select User > Administrators. 3. In the list of Administrators select Administrator and click Edit Properties. 4. Enter the new password and type it again in the Conf irm Password field. 5. On the Confirm and Complete tab, click Update User Citrix Systems, Inc. All rights reserved. p.150

151 Change the session timeout Jun 28, 2017 You can set a timeout for the Unidesk Management Console so that if there is no user-initiated activity for a specified length of time, the console ends the session. Session activity includes user interaction with the console, for example, starting tasks and editing settings. Tasks in progress will not keep a session from timing out, nor will simply selecting an object or clicking inside the console window. If you have just installed Unidesk software, the Session Timeout is set to 15 minutes by default. If you have upgraded from an earlier version of Unidesk, the Session Timeout will be set to zero (0) by default, effectively leaving this function turned off. To set a session timeout 1. Select System > Settings and Conf iguration. 2. Scroll to Security Settings. 3. Select Session Timeout, and click the Edit button. 4. Enter the number of minutes after which the session will timeout. Valid values include numbers from (A value of 0 turns off this feature.) 5. Click Save Citrix Systems, Inc. All rights reserved. p.151

152 Manage your license and software version Jun 28, 2017 You can access your Unidesk Version and License information in the About box for the Unidesk Management Console. There you can see the Unidesk version installed on the Management Appliance, and the details about your license. You can also opt in or out of generic usage statistics gathering designed to provide you with a better support experience. View your license and MA software version To view the License for your deployment: 1. Log into the Unidesk Management Console. 2. To view the License details, click About in the upper right corner. The license information is displayed. 3. To view the software version installed on the Management Appliance, click the Version tab. The MA Software Version is displayed. Update your Unidesk license (MA has web access) If you receive a message that your license needs updating, and your Management Appliance has web access: 1. In the License Expired message, click License. This opens the Update License wizard. 2. Select the first choice, Download your license f rom the Unidesk website. 3. Enter your credentials for the Unidesk website. 4. On the Conf irm Your License tab, click Finish. 5. You can return to the Licensing wizard at any time by logging into the Unidesk Management Console and clicking About, and then the License tab. Update your Unidesk license (MA does not have web access) If you receive a message that your license needs updating, and your Management Appliance does not have web access: 1. Obtain a license file from Unidesk Sales or Support, and move the file to a drive that the Management Appliance can access. 2. If the License Expired message, is still open, click License in the message. If not, click About, then the Update License button. This opens the Update License wizard. 3. Select the second choice, Upload your license f ile f rom a local drive. 4. Click Browse, and select the license file. 5. On the Confirm Your License tab, click Finish. 6. You can return to the Licensing wizard at any time by logging into the Unidesk Management Console and clicking About, and then the License tab. Opt in or out of usage statistics f or Support You can opt in or out of allowing generic usage statistics to be sent to Unidesk Support. We strongly recommend getting more information from Support before opting out. This generic information is used solely to give you the best possible user experience. 1. Log into the Unidesk Management Console. 2. Click About in the upper right corner. The About box is displayed. 3. To opt in, make sure the checkbox to Allow usage statistics to be sent to Unidesk is selected Citrix Systems, Inc. All rights reserved. p.152

153 4. To opt out, deselect the checkbox to Allow usage statistics to be sent to Unidesk Citrix Systems, Inc. All rights reserved. p.153

154 Manage Unidesk tasks Jun 28, 2017 Every time you complete an action that affects the contents or state of a Desktop, Session Host, or layer, you initiate a task that you can monitor in the Task bar. For example, if you add a version to a layer or shut down a Desktop, the Task bar displays a task for that action. Task type Description User tasks Most tasks are tasks that an administrator initiates. You can filter the Task view to see only the tasks that the currently logged-in user initiated or you can view tasks that all users initiated. System tasks Tasks that occur automatically, for example, synchronization with a directory service, are system tasks. Because a system task is not a task that the current user initiates, you must display the All Users view to see these tasks in the Task bar. Stalled tasks Tasks that have been running longer than it normally would take to complete. If you think a stalled task will not finish, you can cancel it. Interrupted tasks If a system or connectivity occurs, the software maintains information about the state of active tasks before the interruption occurred. When the problem resolves, the software tries to complete all interrupted tasks. Use the Task bar to track progress The Task bar displays information about the status of tasks. This includes tasks that are running, and those that have completed; tasks initiated by the logged in user, or tasks belonging to all users, including the system. System tasks are tasks that result from scheduled maintenance. Task status bar, minimized A minimized Task status bar is displayed across the bottom of the console Citrix Systems, Inc. All rights reserved. p.154

155 Task status bar Description Task in progress A rolling marquee of recently completed tasks. Status indicator T he color icon next to each task indicates whether the task is progressing or completed normally, or if there are issues with it. For details, see the Status Indicator table below. Expander bar Opens and closes the expanded view of Task status. Task status bar, expanded When you click the Expander tab to open the Task status bar, a list of the tasks in progress and recently completed is displayed. By default, this includes tasks for all users, including the system. Tasks owned by the system include scheduled maintenance tasks Citrix Systems, Inc. All rights reserved. p.155

156 You can change the Task listing by sorting, filtering, and hiding the tasks included in the grid. Sorting: Click any column title to display tasks based on that category in ascending or descending order. Filters: Select a Tasks filter and a Users filter to control which tasks are displayed. For Filter details, see the table below. Show Hidden Tasks: Hidden tasks are any running tasks whose Hide check boxes are selected. By default, all system tasks are marked Hide. When you deselect the Show Hidden Tasks checkbox, any tasks marked Hide are excluded from the list. Filters on the Task status bar Task status details To see more information about a task, for example, what is happening during a Desktop rebuild, you can open a detailed status window on the task. Click the Inf o button next to the task to open a window with details on Task status. The task status details window lists any subtasks required to complete a task. Like the Task status bar, you can reorganize the list by clicking any of the column titles. Cancel subtasks You can cancel subtasks individually or all at once: Click x to cancel individual subtasks. Click Cancel All to cancel all subtasks that are not yet completed. Cancel tasks Most tasks include one or more subtasks. While a task is in progress, you can cancel one or more subtasks, for example, if a system problem occurs and the subtask is unlikely to complete. 1. Open the Task bar and view the active tasks Citrix Systems, Inc. All rights reserved. p.156

157 2. Click i to open the information view for a task. 3. Click x next to the subtask you want to cancel (in some cases, the information view displays more than one subtask). 4. When the subtask stops, the Task bar changes its status to Canceled Citrix Systems, Inc. All rights reserved. p.157

158 Unidesk Layers Jun 28, 2017 Layer are components that the Unidesk software uses to deliver a complete virtual machine to an end user. You can create and manage the following types of layers: Operating System Layer - The Operating System Layer contains the operating system that the software imports from a gold image. It can also include configuration settings, printer settings, applications (for example, anti-virus software), and all other aspects of the gold image at the time of import. Application Layers - Application Layers contain software programs that you can deploy to any Unidesk Machine (Desktop or Session Host) with the compatible operating system. A Layer can also include patches or plug-ins for programs. Personalization Layer - The Personalization Layer contains a user's personalized data; applications, configuration settings, and data. When you create a Unidesk Machine, the software creates this layer. As users modify their Unidesk Machine, the Unidesk Machine stores all of their changes in the Personalization Layer associated with their Desktop or Session Host. Creating an Operating System Layer The following table provides details about each phase in the creation process for Operating System Layers. Phase Description Prepare the gold image You prepare a gold image that is optimized for the Unidesk environment and includes an answer file for unattended setup on each Unidesk Machine. Create the Layer You use the Create Operating System Layer wizard to create the Operating System Layer, specify the gold image, and associate an icon with the Layer. T he Boot image is created. T he Unidesk software imports the operating system, configuration settings, and applications from the specified gold image and uses them to create a bootable image. Creating an Application Layer The following table provides details about each phase in the creation process for Application Layers Citrix Systems, Inc. All rights reserved. p.158

159 Phase Description Not deployable T he layer is not ready for assignment to Unidesk Machines. Either the software is in the process of preparing the layer for deployment or a system problem occurred that is preventing the layer from becoming deployable. Check the status in the Task bar and in the layer's information view for additional information about the layer's status. Editing T he software is in the process of creating or changing the layer. If you are creating an Application Layer, this status usually indicates that the system is waiting for you to install the application on an Installation Machine and finalize the layer. Deployable T he layer is ready for assignment to Unidesk Machines. Layer version status description The following table describes the status messages for layer versions. To see these status messages, open the Information view for the layer. Status Description Editing One of these conditions exist: Application Layers - T he software is preparing the Installation Machine for installation of the application. Operating System Layers - T he software is importing the files from a gold image before it creates the bootable image. T his status applies to new Application Layers and all layer versions that you add. T he software is waiting for an administrator to install the software on an Installation Machine. T he software then imports the application software into the layer. Deployable T he layer is available for use when you create Desktops and Application Layers Citrix Systems, Inc. All rights reserved. p.159

160 Assign the new version of an OS Layer to a collection and its desktops or session hosts Jun 28, 2017 You can assign the new version of an Operating System Layer to a Collection and the Unidesk Machines (Desktops or Session Hosts) in it, as described below. Note Unidesk Machines are locked to the OS layer on which they were created. You cannot switch a Unidesk Machine to a different Operating System Layer, even if the Layer has the same OS as the one on which the Unidesk Machine was created. So, although you can move a Unidesk Machine to a new Collection, the new Collection must use the same Operating System Layer as the current Collection. To deploy the new Operating System Version to a Collection and its Unidesk Machines: 1. Add the version you want to deploy to an existing Operating System Layer. 2. In the Unidesk Management Console, click Desktops > Collections or Session Hosts > Collections. 3. Select the Collection and click Edit Collection in the Action bar. This opens the Edit Collection wizard. 4. In the OS Assignment tab, select the operating system version that you want to assign to the Collection and its Unidesk Machines. 5. In the Confirm and Complete tab, verify that the details are correct, enter a comment if required, and click Update Collection. If you enter comments, they appear in the Information view Audit History Citrix Systems, Inc. All rights reserved. p.160

161 Update an OS layer with a new version Jun 28, 2017 To upgrade an operating system, add a new version to the Operating System Layer. When you assign the Operating System Layer to a Unidesk Machine (Desktop or Session Host), you can select the new version that you created. Bef ore you start Ensure that the following items are available: An Installation Machine. The installation program for the service pack or operating system upgrade. Optionally, shut down the Unidesk Machine you are changing. Changing the operating system requires the software to create a new bootable image for the Unidesk Machine. The Unidesk Machine must be in a stopped state for this task to complete. You can choose to restart the Unidesk Machines after you finish the application assignment. Add a new version to a layer 1. Select Layers > OS Layers and then select the Operating System Layer for which you are adding a new Version. 2. Select Add Version in the Action bar. This opens the Create OS Version Wizard. 3. In the Version Details tab, enter a version identifier and select an Installation Machine. 4. If you want a script to run when the Unidesk Machine starts for a user running this operating system version, enter a version description and a path for the script. 5. In the Conf irm and Complete tab, review the version details, enter a comment if required, and click Create Version. If you enter comments, they appear in the Information view Audit History. 6. Monitor this task in the Task bar. When prompted to do so, install the new operating system service pack or upgrade on the Installation Machine. 7. After installing the service pack or upgrade, select the Operating System Layer and select Finalize in the Action bar. After you create the new version of the Layer, assign it to the Unidesk Machines that require the operating system upgrade. You must restart the Unidesk Machines before the changes take effect. Layer integrity check When finalizing a Layer, Unidesk checks to see if the Layer is ready. If any tasks remain to be completed, for example, Microsoft NGen or other Windows operations, it waits until all Windows operations that are in progress on the Installation Machine have completed before finalizing the Layer. Otherwise, the new Layer or Layer version that uses this Installation Machine would have issues. A Layer integrity message, lets you know what you can do to expedite the completion of queued tasks that must be completed before a Layer is finalized. Layer Integrity Message: The new version version-name of Layer layer-name on Installation Machine (IM) im-name can only be finalized when the following conditions have been addressed: A reboot is pending to update drivers on the boot disk - please check and reboot the IM. A post-installation reboot is pending - please check and reboot the IM. A Microsoft NGen operation is in progress in the background - (Click here for help with this condition). An MSI install operation is in progress - please check the IM. See if you can expedite Microsof t NGen operations Citrix Systems, Inc. All rights reserved. p.161

162 About Microsof t NGen operations NGen is the Microsoft "Native Image Generator". It is part of the.net system, and basically re-compiles.net byte code into native images and constructs the registry entries to manage them. Windows will decide when to run NGen, based on what is being installed and what Windows detects in the configuration. When NGen is running, you must let it complete. An interrupted NGen operation can leave you with non-functioning.net assemblies or other problems in the.net system. You have the choice of waiting for the NGen to complete in the background or you can force the NGen to the foreground. Forcing the NGen to the foreground will allow you to view the progress and once the output has completed you should be able to finalize the layer. Force an NGen operation to the foreground Normally, NGen is a background operation and will pause if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible Open a command prompt as Administrator. Go to the Microsoft.NET Framework directory for the version currently in use: Command COPY cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX 3. Enter the NGen command to execute the queued items: Status COPY ngen update /force This brings the NGen task to the foreground in the command prompt and lists the assemblies being compiled. Note It s okay if you see several compilation failed messages 4. Look in the Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, you must allow it to complete, or re-run ngen update /force. Do not reboot to stop the task. You must allow it to complete. Check the status of an NGen operation Citrix Systems, Inc. All rights reserved. p.162

163 If you would prefer to wait for the NGen to complete you can check the status as described here. However, every time you check the queue status, you are creating foreground activity, which might cause the background processing to temporarily pause Open a command prompt as Administrator. Check status by running this command: Command COPY ngen queue status 3. When you receive the following status, the NGen is complete, and you can finalize the Layer. Status COPY The.NET Runtime Optimization Service is stopped Run Scripts When you create a Layer or Layer Version, you can specify a.cmd or.bat script to run the first time the Unidesk Machine (Desktop or Session Host) is deployed. For example, you can use a script to complete the setup for an application. The.cmd or.bat file is installed on the Installation Machine. New Layer Versions - When you create a new Layer Version, the new Version does not inherit the script from the original Layer. If you want to include the script from the original Layer, you need to set the script for the Layer Version. To set a script for a Layer or Layer Version: 1. Add the script file to the Installation Machine you are using to create the Layer or Layer Version. Note: To see whether a Layer Version already has a script configured, check by opening the Layer's Information view and expand the Version entries. 2. Enter the script's path in the Layer or Layer Version's Script Path field. For example, enter C:\Scripts\SpecialScript.bat in the Script Path field. Once the script runs on a Unidesk Machine, it will not run again because the scripts are executed only once. To run a script more than once, you can: Remove the Layer from the Unidesk Machine and then re-add it. Click Desktop > Edit Desktop or Session Host > Edit Session Host, select the Application Assignment tab, and select Repair for the layer Citrix Systems, Inc. All rights reserved. p.163

164 Upgrade an application Jun 28, 2017 You can upgrade an application by installing a new version of it on a new Version of an Application Layer. An Application Layer can include several Layer Versions, each containing a different application version. You can deploy different Layer Versions to selected Unidesk Machines (Desktops or Session Hosts). Before you start You'll need: A compatible Installation Machine. The installation program for the new version of the application. Application Layers that the new version requires (prerequisite Layers). If applications af f ect boot-level components Installing applications such as service packs, hot fixes, and antivirus applications can affect boot-level components, which means you'll need to restart the Installation Machine. This will generate a system task to rebuild the Unidesk Machine's boot image. Once Unidesk rebuilds the boot image, it shuts down the Installation Machine copies the boot-level components to the boot volume, and restarts the Installation Machine. You can then finalize the layer or version. Note If the Installation Machine restarts before the boot image rebuild is complete, you will see a STOP message screen. T his is temporary. About setting a script to run the first time the user logs in When you create a Layer or Layer Version, you can specify a.cmd or.bat script to run the first time the Unidesk Machine (Desktop or Session Host) is deployed. For example, you can use a script to complete the setup for an application. The.cmd or.bat file is installed on the Installation Machine. New Layer Versions - When you create a new Layer Version, the new Version does not inherit the script from the original Layer. If you want to include the script from the original Layer, you need to set the script for the Layer Version. How to set a script To set a script for a Layer or Layer Version: 1. Add the script file to the Installation Machine you are using to create the Layer or Layer Version. Note: To see whether a Layer Version already has a script configured, check by opening the Layer's Information view and expand the Version entries. 2. Enter the script's path in the Layer or Layer Version's Script Path field. For example, enter C:\Scripts\SpecialScript.bat in the Script Path field. Once the script runs on a Unidesk Machine, it will not run again because the scripts are executed only once Citrix Systems, Inc. All rights reserved. p.164

165 How to set a script to run more than once To run a script more than once, you can: 1. Remove the Layer from the Unidesk Machine and then re-add it. 2. Click Desktop > Edit Desktop or Session Host > Edit Session Host, select the Application Assignment tab, and select Repair for the layer. Upgrade an application 1. Select Layers > Application Layers and select an Application Layer. 2. Select Add Version in the Action bar. This opens the Create Application Version wizard. 3. In the Version Details tab, enter a version identifier. This can be the application version, or anything you choose. 4. (Optional) Type a description of the version. 5. In the OS Layer tab, select the Operating System Layer. The Operating System Layer that is used to create the Application Layer appears. 6. Select any version of the Operating System Layer. 7. Select an Installation Machine. 8. In the Prerequisite Layers tab, select any Layers required to install the new Application Layer Version. 9. In the Confirm and Complete tab, verify your choices, and click Create Version. 10. Monitor this task in the Task bar. When prompted to do so, install the new operating system service pack or upgrade on the Installation Machine. 11. After installing the upgrade, select the Application Layer and select Finalize. When the task is done, you can deploy the new Application Layer Version to Unidesk Machines that have a compatible Operating System Layer. Layer integrity check When finalizing a Layer, Unidesk checks to see if the Layer is ready. If any tasks remain to be completed, for example Microsoft NGen or other Windows operations, it waits until all Windows operations that are in progress on the Installation Machine have completed before finalizing the Layer. Otherwise, the new Layer or Layer version that uses this Installation Machine would have issues. A Layer integrity message, lets you know what you can do to expedite the completion of queued tasks that must be completed before a Layer is finalized. Layer Integrity Message: The new version version-name of Layer layer-name on Installation Machine (IM) im-name can only be finalized when the following conditions have been addressed: A reboot is pending to update drivers on the boot disk - please check and reboot the IM. A post-installation reboot is pending - please check and reboot the IM. A Microsoft NGen operation is in progress in the background - (Click here for help with this condition). An MSI install operation is in progress - please check the IM. See if you can expedite Microsof t NGen operations About Microsof t NGen operations NGen is the Microsoft "Native Image Generator". It is part of the.net system, and basically re-compiles.net byte code into native images and constructs the registry entries to manage them. Windows will decide when to run NGen, based on what is being installed and what Windows detects in the configuration. When NGen is running, you must let it complete. An Citrix Systems, Inc. All rights reserved. p.165

166 interrupted NGen operation can leave you with non-functioning.net assemblies or other problems in the.net system. You have the choice of waiting for the NGen to complete in the background or you can force the NGen to the foreground. Forcing the NGen to the foreground will allow you to view the progress and once the output has completed you should be able to finalize the layer. Force an NGen operation to the foreground Normally, NGen is a background operation and will pause if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible. 1. Open a command prompt as Administrator. 2. Go to the Microsoft.NET Framework directory for the version currently in use: Open a command prompt as an Administrator. Go to the Microsoft.NET Framework directory for the version currently in use: Command COPY cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX 3. Enter the NGen command to execute the queued items: Command COPY ngen update /force This brings the NGen task to the foreground in the command prompt, and lists the assemblies being compiled. Note It s okay if you see several compilation failed messages 4. Look in the Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, you must allow it to complete, or re-run ngen update /force. Do not reboot to stop the task. You must allow it to complete. Check the status of an NGen operation If you would prefer to wait for the NGen to complete you can check the status as described here. However, every time you Citrix Systems, Inc. All rights reserved. p.166

167 check the queue status, you are creating foreground activity, which might cause the background processing to temporarily pause Open a command prompt as Administrator. Check status by running this command: Command COPY ngen queue status 3. When you receive the following status, the NGen is complete, and you can finalize the Layer. Status COPY The.NET Runtime Optimization Service is stopped Citrix Systems, Inc. All rights reserved. p.167

168 Edit Layer properties Jun 28, 2017 You can change the following properties for an Operating System or Application Layer, including: The name of the Layer. The description of the Layer. The icon associated with the Layer. To edit Layer properties: 1. Select Layers and select the Operating System or Application Layer that you want to edit. 2. Select Edit Properties. This opens the Edit Layer wizard. 3. In the Layer Details tab, change the name or the description of the Layer. 4. In the Icon Assignment tab, select a new icon from the Layer Icon box or upload a new one. 5. In the Conf irm and Complete tab, enter a comment, if required, and click Update Layer. If you enter comments, they appear in the Information view Audit History. The Unidesk Machines (Desktops or Session Hosts) that include this Layer must restart before the changes can take effect Citrix Systems, Inc. All rights reserved. p.168

169 Assign icons to Layers of Collections Jun 28, 2017 When you create or edit an Operating System Layer, Application Layer, or Collection, you can assign an icon to it. Icons help to identify these items in the Unidesk Management Console. About editing and assigning icons When using the Create or Edit wizard for any Layer or Collection, the Icon Assignment tab gives you the opportunity to: Choose an icon: Use the default icon, choose another icon from the included samples, or upload a custom icon. Delete an icon you no longer need. Note Icons are automatically assigned to Session Hosts and Installation Machines from the appropriate Collection or OS Layer, respectively. Def ault icon Unidesk uses the following icon by default when you create a Layer or Collection, or delete an icon that is in use. Recommended icon specifications The following image specifications are recommended for Unidesk icons. Although other sizes and resolutions are supported, the file type must be PNG or JPG. Specif ication Details File Type PNG or JPG Size 64 x 64 pixels Resolution 96 DPI Preview icon You can preview a custom icon before applying it: 1. For best results, adjust your icon image to conform to the Recommended icon specifications above. 2. In the Icon Assignment tab, click Browse. 3. Select the icon image you want to upload and click Open. The image appears along with the other icons, and a preview is displayed on the right Citrix Systems, Inc. All rights reserved. p.169

170 Upload an icon You can upload a custom icon to add to your collection: 1. Adjust your icon image to conform to these Recommended icon specifications above. 2. In the Icon Assignment tab, click Browse. 3. Select the icon image you want to upload, and click Open. The image appears in the icon collection, and a preview of the icon as it will appear on the selected Layer is displayed on the right. Note: If you browse and select an icon, but then choose a different one for your Layer, the first one you had selected will not be uploaded. The icon is only uploaded once you have finalized the Conf irm and Complete tab. 4. To complete the upload, use the Conf irm and Complete tab to finalize the wizard. Delete an icon You can delete an icon, and it will be removed from the database. Note: The software does not let you delete the following icons shipped with the system: If the icon is in use by any Layer or Collection, you will receive a warning, and the default icon will be used in its place. To delete an icon, do the following: 1. In the Icon Assignment tab, select the icon you want to delete. 2. Click the Delete button. This immediately removes the icon from the database, even if you do not complete the wizard Citrix Systems, Inc. All rights reserved. p.170

171 Manage an Installation Machine Jun 28, 2017 An Installation Machine is a virtual machine that acts as a staging area for the creation of Layers and new Layer Versions. You need an Installation Machine to create an Application Layer, a new Version of an Application Layer, or an Operating System Layer Version. The Master CachePoint Appliance hosts all Installation Machines. When you first create an Installation Machine, it is powered off. When you select an Installation Machine to use in creating an Application Layer, the Installation Machine is powered on and you can use RDP to log into it and install the Applications you want to include in the Application Layer. Log into an Installation Machine To log into an Installation Machine: 1. Select System > Installation Machines. 2. Hover over the Installation Machine you want to log into and click the i icon. Use the IP Address displayed to connect to the IM using RDP. The Hyper-V authentication window opens. 3. Enter your directory service credentials. The Windows login screen appears. 4. Enter your Windows Administrator password. You can now install applications on the Installation Machine. Delete an Installation Machine You can delete an Installation Machine from the virtual infrastructure. The Delete action is only active if the Installation Machine is not in use. 1. Select System > Installation Machines. 2. Select one or more Installation Machines to delete and select Delete from the Action bar. Result: This action opens the Delete Installation Machines wizard. 3. In the Conf irm and Delete tab, verify that you selected the correct Installation Machines, enter a comment if required, and click Delete Installation Machines. Note If you delete an OS layer, all associated are deleted as well Citrix Systems, Inc. All rights reserved. p.171

172 Repair an application Jun 28, 2017 As users customize their Unidesk Machines (Desktops or Session Hosts), they can change or remove files that affect how an application functions. Or, users may uninstall applications that need to be part of the Unidesk Machine, based on corporate requirements. To resolve these issues, you can repair the original application as it is configured in an Application Layer. What happens when you repair an application? The Edit Desktop and Edit Session Host wizards let you specify applications to repair for one or more selected Unidesk Machines. If you select Repair in the Edit Desktop or Edit Session Host wizard's Application Assignment tab, the following actions occur the next time the Desktop shuts down: 1. The software removes all of the changes for the selected applications from the Personalization Layer, with the exception of changes made to the Registry hive HKEY_LOCAL_MACHINE\SYSTEM. 2. The software creates a new bootable image for the Unidesk Machine that contains the selected application versions Citrix Systems, Inc. All rights reserved. p.172

173 Search Jun 28, 2017 The Search feature lets you find Desktops, Session Hosts, users, or layers: Desktops Select the Desktops module or the System > Installation Machines module. Session Hosts Select the Session Hosts module. Select the Desktops module. Users Use the search feature in the User Assignment tab of the Create or Edit Desktop wizard. Select the Users module. Layers Select the Layers > OS Layers or Layers > Application Layers module. Using the Search box The Search box is located in the Display tool bar in the Desktops, Session Hosts, Layers, and System > Installation Machines modules. To start a search, enter a letter, a word, or a phrase in the Search box and click Search. The Unidesk Management Console displays the search results in the selected icon or list view. To refine the search results, use Search for Desktops, Session Hosts, Layers, or users. Avoid using the Search keywords in the names of any Unidesk object. Using these keywords in names can cause inaccurate search results. To use advanced search, select the arrow next to the Search box. Advanced search is available in the Unidesk Machines (Desktops or Session Hosts) modules only. To clear the search result and redisplay the default display click x next to the Search box. Search criteria When you search for items, the search results match the text and keywords that you enter in the Search box. The following table provides information about the search criteria for each module Citrix Systems, Inc. All rights reserved. p.173

174 For this module: Your search criteria can match any of these properties: Desktop or Session Host Unidesk Machine name. T he login or domain name for the user logged into the Unidesk Machine. First or Last name of the user assigned to the Unidesk Machine. Phone number of the user assigned to the Unidesk Machine. address of the user assigned to the Unidesk Machine. Name of a layer assigned to the Unidesk Machine. Maintenance schedule that the Unidesk Machine is using. Name of the CachePoint Appliance assigned to the Unidesk Machine. Name of a Collection that the Unidesk Machine is assigned to. Layer (OS and Applications) Layer name. System > Installation Machine Installation Machine name. Search rules The following table provides information about the search rules Citrix Systems, Inc. All rights reserved. p.174

175 Rule Example All searches are case-insensitive, including words or phrases enclosed in double quotes (" "). Searching for Firefox or firefox displays all items whose names contain either word. Searching for words or phrases enclosed in double quotes results in an exact match. Searching for "MS Word," displays items whose names include the words MS Word but not WordPad. If, in a keyword search, you specify a name that includes words separated by spaces, search finds only the items whose names include the same words separated by spaces. If you specify a name that includes words separated by spaces and then enclose any part of the name in double quotes, search finds only the items whose names include the same words separated by spaces as long as they also include the double quotes. Searching for Layer: antivirus t displays items whose names include the words antivirus test and antivirus trial, but not antivirustest. Searching for Layer:"antivirus" test displays items whose names include the words "antivirus" test but not antivirus test. AND is implied in all searches except for those enclosed in double quotes. Searching for Windows Server, the search looks for words or phrases that include Windows AND Server. T herefore, the search results could include the following layers: Windows Server 2012 Windows Server 2008 Windows Nano Server T he search results would not include a layer named Windows for Finance because its name does not include "Server." Search uses an implied wildcard at the beginning and end of the words you enter in the Search box. Searching for Word displays all items whose names include MS Word, Word for Windows, and WordPad. Search keywords You can use one or more keywords to refine the search results for Desktops or Session Hosts. To enter multiple keywords, separate each keyword and value with a space, as shown in the following example: layer:chrome group:sales In this example, the search results display all of the machines that are using the layer, chrome, and have owners that are members of the group, sales. The following table provides information about the supported keywords. Use... To search for... CachePoint:<text> Unidesk Machines that are assigned to a CachePoint Appliance with a name that includes the specified text. Example: Searching for CachePoint:NYO displays Unidesk Machines (Desktops or Session Hosts) assigned to any of the following CachePoint Appliances: Master-CP-NYO, CP1-NYO, and CP2-NYO Citrix Systems, Inc. All rights reserved. p.175

176 Use... CachePoint:<"text"> Desktops or Session Hosts that are assigned to a CachePoint Appliance with a name that matches the specified text exactly. To search for... Example: Searching for CachePoint:"CP1-NYO" displays Unidesk Machines that are assigned to a CachePoint Appliance named CP1-NYO. Layer:<text> Unidesk Machines that have an assigned layer with a name that includes the specified text. Example: Searching for Layer:SQL displays Unidesk Machines that have any of the following layers assigned to them: MySQL, OracleSQL, SQL Server. Layer:<text>;<version> Unidesk Machines that have an assigned layer with a name that includes the specified text or version number. You can enter any type of version number, for example, 5, 5.1, or Example: Searching for Layer:SQL;5.displays Unidesk Machines that have any of the following layers assigned to them: MySQL, version 5, OracleSQL, version 15, SQL Server 5.1. Layer:<"text">; <"version"> Unidesk Machines that have an assigned layer with a name that matches the specified text or version exactly. Example: Searching for Layer:"SQL";5.5 displays Unidesk Machines that have the following layer version assigned to them: SQL, version 5.5. Group:<text> (Desktop modules only) Desktops that have owners who are members of a group with a name that includes the specified text. Example: Searching for Group:Sales displays Unidesk Machines whose owners belong to any of the following groups: Sales-NorthAmerica or Sales-Europe. Group: <"text"> (Desktop modules only) Desktops that have owners who are members of a group with a name that matches the specified text exactly. Example: Searching for Group:"Sales-Asia" displays Unidesk Machines whose owners belong to the Sales-Asia group. MaintenanceSchedule: <text> Unidesk Machines that are using a maintenance schedule with a name that includes the specified text. Example: Searching for MaintenanceSchedule:weekend displays Unidesk Machines that are using any of the following maintenance schedules: weekend-marketing, weekend-accounting. MaintenanceSchedule: <"text"> Unidesk Machines that are using a maintenance schedule with a name that matches the specified text exactly. Example: Searching for MaintenanceSchedule:"weekend-management" displays Unidesk Machines that are using a maintenance schedule named weekend-management. Unidesk Machines that have configuration changes pending and need to restart to have the changes take effect. T he values for this keyword include: 1, true, yes, or y. 0, false, no, or n. ChangesPending:<yes no> Examples: Searching for any of the following keywords displays Unidesk Machines that have pending configuration changes and need to restart: ChangesPending:1 ChangesPending:true ChangesPending:yes ChangesPending:y Searching for any of the following keywords displays Unidesk Machines that do not need to restart (no configuration changes are pending): ChangesPending:0 ChangesPending:false Citrix Systems, Inc. All rights reserved. p.176

177 Use... ChangesPending:no ChangesPending:n To search for... Search filters To refine the search display, use any or all of the following filters: Filter list: The Filter list allows you to select a category that defines the type of items the Unidesk Management Console displays when a search matches your search criteria. The options in the Filter list change depending on the displayed page. View Flagged Items: If you select View Flagged Items before starting a search, the search displays only those items that match the search criteria and are also flagged items. Advanced search The Desktop and Session Host modules include Advanced search that lets you locate Unidesk Machines using complex search queries. Search criteria Advanced search lets you to find Unidesk Machines using one or more of the criteria described in the table below. If you specify more than one criteria, the search will be treated as an AND Citrix Systems, Inc. All rights reserved. p.177

178 Advanced search criteria Description Contain these words One or more words (or partial words) included in any of the Unidesk Machines search properties. To match a specific word or phrase exactly, enclose the value in double quotes (" "). Have owners in this group (Desktop modules only) Full or partial name of the group that includes the Desktop owners. If you type a portion of the name, all groups containing this string will be included in the results, whether they are local Unidesk or LDAP groups. For example, if you search on CHI, Desktops with owners in both the LDAP group CHIGROUP and the Unidesk group ICHI will be included in the results. You can use the Browse button to select the group. If you select an LDAP group, the group's Distinguished Name appears in the field. For example, if you select CHIGROUP, a name like the following would appear in the field: CN=CHIGROUP,OU=CHI,DC=mycompanydom3,DC=local Are hosted on CachePoint Full or partial name of the CachePoint Appliance assigned to the Unidesk Machine. Use this maintenance schedule Full or partial name of a maintenance schedule. Are using this Collection Full or partial name of a Collection. Are using this layer Full or partial name of a layer. You can specify a version. To add more layers to the query, click And. When you specify multiple layers, the search results display the Unidesk Machines that contain ALL of the specified layers. Have pending configuration changes Yes - finds Unidesk Machines that need to restart because they have pending configuration changes. No - finds Unidesk Machines that do not have pending configuration changes. N/A - this criteria is not applicable to your search. Using advanced search 1. In the Desktop or Session Host module, click the down arrow next to the Search box. 2. Specify values for any or all of the advanced search criteria. 3. Click Search. Example Assume that you've assigned new versions of the QuickQuote and AddUp Application Layers to all of the Sales Unidesk Machines in the New York territory. You want to find the Unidesk Machines that have not yet restarted and received the new configuration. To find these Unidesk Machines only, you specify the following advanced search criteria: Citrix Systems, Inc. All rights reserved. p.178

179 For this search criteria: You enter... Contain these words Sales- Are hosted on CachePoint NYO Use this layer Quickquote Version 2 Addup Version 2 Have pending configuration changes Yes This search query finds all of the Unidesk Machines that: Have the word, Sales- in their name. For example, Sales-BobWilson and Sales-SallySeashell. Are hosted on CachePoint Appliances that have NYO in their names. For example, NYO-CP-Master and NYO-CP1. Use version 2 of the layers, QuickQuote and AddUp. Have pending configuration changes and need to restart that is, the Unidesk Machines have not yet restarted after you assigned new layers to them. Search query example The following example shows how Unidesk constructs a search query based on the search criteria specified in the advanced search example. Sales- CachePoint:NYO Layer:quickquote;C=Version:2 Layer:addup;Version:2 NeedsRestart:yes Citrix Systems, Inc. All rights reserved. p.179

180 Desktops, Session Hosts, and Collections Jun 28, 2017 A Unidesk Desktop or Session Host is a virtual machine composed of an Operating System layer and Application Layers. You create the Operating System Layer and Application Layers, and assign them to Desktops and Session Hosts, as needed. A Desktop also includes a User Personalization Layer. Unidesk creates the Personalization Layer, one for each Desktop, and you can create two types of Desktops, Persistent or Non-persistent. In the case of a Persistent Desktop, the Personalization Layer stores all changes made by the Desktop s user, including files and installed applications. In a Nonpersistent Desktop, the Personalization Layer is cleared on each Desktop reboot or log off, unless you are using RDS in which case it is cleared only on a log off. Desktops can be deployed to a connection broker such as Microsoft s RDCB or can simply be deployed to the virtual infrastructure and accessed via a connection client like RDP. How it works The Unidesk software lets you make the following choices when deploying new Desktops and Session Hosts: Choose a Unidesk Collection, and: For Desktops, choose a user or group. For Session Hosts, choose the number of them to create. Specify a cluster or server where the Desktops or Session Hosts will be hosted, and a Virtual Switch (network). Note You can now create Unidesk Desktops on clustered hosts that do not have active CachePoints, as long as there is one host in the cluster with an active CachePoint. T his minimizes both the storage requirements and the need for more resources, allowing you to create Desktops across multiple hosts using fewer CachePoints. Assign an Operating System Layer. Assign one or more Application Layers. Specify Desktop or Session Host settings, for example, CPUs, memory, storage allowance for user data, page file size, and core dump type. Maintenance schedule for updating Layers and other tasks that may require rebooting the Desktop or Session Hosts. A Desktop or Session Host behaves in the same manner as any other Desktop virtual machine or Session Host, with the following exceptions: When changes to the configuration result in the need to rebuild the bootable image, Unidesk places the Desktop or Session Host in Maintenance Mode while the rebuild is in progress Citrix Systems, Inc. All rights reserved. p.180

181 Manage Desktops Jun 28, 2017 About changing Desktop Layers and attributes About managing a Desktop's bootable image The components that comprise a Desktop come from a variety of Layers. For example: An Operating System Layer includes the operating system that the software imports from a gold image. The gold image might include applications, as well. Individual Application Layers include applications that you create as separate components. When you create a Desktop, you specify virtual machine settings for CPUs, memory, network adapters and disk storage. Each Desktop has a configuration associated with it. The configuration references all of the components and versions that define what end users interact with when they use the Desktops. If the configuration changes, the software needs to create a new bootable image that matches the new configuration. A Desktop receives new bootable image when it is shut down or during a restart. The Unidesk software uses the new configuration to create a new bootable image. Changes that affect the Desktop bootable image Any time a user makes a change to a Desktop, the Desktop sends this information to the server or cluster that is hosting it. Based on the content of the messages it receives, the server or cluster determines whether it needs to create a new bootable image for the Desktop. A Desktop requires a new bootable image when you change the configuration, or when a change to the Desktop affects system-level files, for example, when adding new services, changing services to start automatically, or modifying system boot files. Note: Typically, changes to keys in the HTLM\SYSTEM\CurrentControlSet\Services key cause the Desktop to receive a new bootable image. The configuration for a Desktop changes when any of the following events occur: Changes to the Desktop affect system-level files. (for example, adding new services, changing services to start automatically, or modifying system boot files). You assign a new application to a Desktop. You remove an application from a Desktop. You add a new version of an existing application. You update a version of an existing application or the operating system. You change the priority order of applications assigned to one or more Desktops. Changes implemented during a Desktop shut down If a Desktop requires a new bootable image, the Desktop must remain in a shut down state while the CachePoint Appliancecreates the image. If a user initiates a system restart and the Desktop requires a new bootable image, the Desktop remains in a shut down state until the CachePoint Appliance finishes creating the bootable image. While this Citrix Systems, Inc. All rights reserved. p.181

182 action is in progress, users can experience a one minute delay in the system restart. They may also notice that the Desktop is in a powered-off state during this time. It is important that no one attempts to power on the Desktop while the CachePoint Appliance is creating the bootable image.attempting to start the Desktop while the CachePoint Appliance is creating the image can result in the Desktop not being able to restart. Example A user installs a new application on the Desktop. The installation program prompts the user to restart the computer to complete the installation. After the user clicks OK to restart the computer, she watches the Desktop shut down and restart. During the restart, the screen is blank. When the screen remains blank longer than usual, the user contacts the Desktop administrator. The Desktop administrator logs in to the Unidesk Management Console and notices that status of the Desktop is Creating image, indicating that the Desktop needs a new bootable image. The administrator asks the user to wait for a few minutes and explains that changes to the Desktop resulted in the need to create a new system image. After a short wait, the Desktop restarts normally. IP address assignment for Desktops When you create a Desktop, the software uses DHCP to acquire an IP address for it. If you look at the settings for the Desktop, however, the Internet Protocol settings for the Desktop show that a specific IP address is assigned to it, as shown in the following illustration. This assignment is normal behavior. Do not change these settings. How Desktops obtain IP addresses Each time a Desktop boots, a custom DHCP client runs during the early stages of the start-up process. This client is responsible for renewing or rebinding the current IP address, if possible. If the current IP address is not available, the custom DHCP client obtains a new address for the Desktop. There is no need for you to change any of the Internet Protocol properties. Because the software uses an internal ID, not the IP address, to identify the Desktop, communication is not affected if the Desktop's IP address changes. View the Desktop's configuration Desktop visualization panel The Desktop Visualization panel provides a graphic display of a desktop configuration while you create and edit a desktop. As you select layers and settings for the desktop configuration, the Desktop Visualization panel displays the layers, in order of priority, and all of the desktop settings. The priority order for layers is the order in which the desktop deployment process applies the layer, from the highest priority (applied last) to the lowest. Desktop views Citrix Systems, Inc. All rights reserved. p.182

183 If you select multiple Desktops for editing, you can choose which one to display in the Desktop Visualization panel. Just expand the list at the top of the panel and select a Desktop. Update a Desktop's applications Before you start If you are adding applications to the Desktops, make sure the Application Layers you need are available in the Layers > Application Layers module, and that they use the same OS Layer as the Desktops to which you want to assign them. Assign a new Operating System Layer Version to Desktops You can update the operating system assigned to one or more Desktops by creating a new Layer version containing the operating system update and assigning the new version of the Layer to the Desktop's Collection. As part of this process, the Unidesk software creates a new bootable image for the Desktop. The Desktop must be stopped for this task to complete. The new Layer version is assigned to the Desktop based on the Desktop's maintenance schedule. To view and edit the Desktop's maintenance schedule: 1. In the Unidesk Management Console, click Desktops > Desktops and select the Desktop. 2. Select Edit Desktops in the Action bar. 3. In the Maintenance Schedule tab, you can view and edit the deployment method for Desktop changes. Select or create a maintenance schedule. A maintenance schedule deploys changes during a specified time frame. For more about maintenance schedules, click here. As soon as possible. This option deploys the configuration changes after you shut down the Desktops. Selecting this option overrides the current maintenance schedule. Defer deployment until a specified date and time. This option defers deployment of configuration changes until the specified time elapses. At that time, Unidesk deploys the configuration changes if the Desktops are shut down. Selecting this option overrides the current maintenance schedule. 4. In the Confirm and Complete tab, enter a comment about the upgrade, if required, and click Update Desktop.If you enter comments, they appear in the Information view Audit History. Unidesk deploys the configuration changes as specified by your Maintenance Schedule selection. Assign new applications or updates to Desktops You can Edit Desktops from the Desktop module or by selecting the Desktops' Collection in the Collections module. The changes will be applied in accordance with the selected maintenance schedule option. Desktops are always restarted during updates. 1. Create a new Application Layer or Layer Version. 2. Select the Desktops that you want to edit from the Desktops module, or right-click the Desktops' Collection in the Collections module to update all machines at one time Citrix Systems, Inc. All rights reserved. p.183

184 3. Select Edit Desktops in the Action bar. 4. In the Application Assignment tab, expand the item for the application that you want to upgrade and select the appropriate version. 5. In the Maintenance Schedule tab, select a deployment method for the configuration changes. You can deploy them in any of the following ways: Select a maintenance schedule. A maintenance schedule deploys changes during a specified time frame. For more about maintenance schedules, click here. As soon as possible. This option deploys the configuration changes after you shut down the Desktops. Selecting this option overrides the current maintenance schedule. Defer deployment until a specified date and time. This option defers deployment of configuration changes until the specified time elapses. At that time, Unidesk deploys the configuration changes if the Desktops are shut down. Selecting this option overrides the current maintenance schedule. Defer deployment until the user logs out or reboots. A maintenance schedule deploys changes when the user logs out or reboots the Desktop. 6. In the Confirm and Complete tab, enter a comment about the upgrade, if required, and click Update Desktop.If you enter comments, they appear in the Information view Audit History. Unidesk deploys the configuration changes as specified by your Maintenance Schedule selection. Edit Desktop attributes Desktop settings you cannot change You cannot change the following settings when you modify a Desktop: Size of the storage for user data (the Personalization Layer) Desktop type, Persistent or Non-persistent Connection broker Operating System Layer Move the Desktop to a different Collection Requirements You can move a Desktop to a different Collection as long as the new Collection has the following settings in common with the Desktop's current Collection: Connection broker, if one is selected Collection Type, Persistent or Non-persistent Operating System Layer Note: In an RD Connection Broker (RDCB) collection, a user can have only one Desktop. If you attempt to move a Desktop into an RDCB collection where there is already a Desktop owned by that user, the Desktop will not be moved. You can Edit Desktops from the Desktop module. The changes will be applied in accordance with the selected maintenance schedule option. Desktops are always restarted during update. As with any other Desktop edit, selecting a new Collection Citrix Systems, Inc. All rights reserved. p.184

185 creates a task that will rebuild the Desktop and move it into the new Collection at the next Maintenance Window. Change the Desktop name When you create Desktops, you either enter a name for it or allow the system to generate names for you. The Desktop name must be unique to the host that is storing it and adhere to the following standards: When the software creates the Desktop, it uses the specified or generated name as follows: Uses the name for the Desktop that the Unidesk Management Console displays. Creates a virtual machine with the specified name. Uses the name as the DNS name assigned to the virtual machine in the virtual infrastructure. Uses the name as the Windows machine name. If you change the name of a Desktop after you create it, the change affects only the name that the Unidesk Management Console displays. The virtual machine name, the DNS name associated with the Desktop, and the Windows machine name do not change. If you want the names to match, you must change the names manually. To change the name of a Desktop: 1. You can Edit Desktops from the Desktop module or by selecting the Desktops' Collection in the Collections module. 2. Select the Desktop Details tab, and change the Desktop Name. 3. Select the Conf irm and Complete tab, and click Update Desktop. Configure a network connection for Desktops By default, the setting for a Desktop's network connection is the same as the network assigned to the gold image that you used to create the Operating System Layer. Depending on the organization of your virtual infrastructure, you may want to configure specific Desktops to use different network connections. You can set the network connection when you create Desktops or you can change the network connection for deployed Desktops. 1. You can Edit Desktops from the Desktop module or by selecting the Desktops' Collection in the Collections module. 2. In the Desktop Details tab, select different values for the Virtual Switch and VLAN Tags, as needed. If you need to add new VLAN Tags, click the Manage button and use the wizard to do so. 3. Complete the create or edit task. 4. If you modified an existing Desktop, restart it to ensure the changes take effect. Change the Physical Attributes of a Desktop You can change the physical settings of the virtual Desktop at any time. For example, if you are installing an application that requires additional memory, you can adjust these settings, as required. 1. You can Edit Desktops from the Desktop module or by selecting the Desktops' Collection in the Collections module. 2. Select Edit in the Action bar. The Edit Desktop wizard opens. 3. Select the Desktop Settings tab and change the settings as necessary. Non-persistent Desktop - Delay before shutdown When you shut down a Non-persistent Desktop, there is a 5-second delay to ensure that the logoff message makes it Citrix Systems, Inc. All rights reserved. p.185

186 through the RDS integration services. You can change the length of the delay by editing the Registry value System\CurrentControlSet\Services\Uniservice\ShutdownDelayMS.You must make this change in the Operating System Layer or in an Application Layer. Restart or shut down a Desktop Restart Desktops Use the Restart/Shut Down action in the Desktops module to start a Desktop that is shut down or to have changes to the Desktop take effect. During the restart process, the Unidesk software instructs the virtual infrastructure to perform a clean shut down of the virtual machine, if it is still running, and then starts it again. Before you start Before restarting a Desktop, verify that the screen saver is disabled. The Desktop does not shut down properly if the screen saver is enabled. During a restart If you make changes to a Desktop while it is running (for example, you change the application assignment), the software will wait for the Desktop to shut down before completing the tasks required to rebuild the Desktop. When you initiate a restart of a Desktop, the software deploys the queued changes once the Desktop shuts down. The desktop is restarted after it the rebuild is complete. You can monitor the detailed view of the Restart task in the Task bar to see the sub tasks related to creating the new bootable image. Steps 1. Select Desktops and select one or more Desktops. 2. Select Restart/Shut Down in the Action bar. This opens the Shut Down wizard. 3. In the Restart or Shutdown tab, select the Restart option. 4. In the Confirm and Complete tab, enter a comment that explains why the restart is necessary, if required.if you enter comments, they appear in the Information view Audit History. 5. Click Restart/Shut Down Desktop. The Unidesk software causes the virtual infrastructure to restart the appropriate virtual machines. 6. Monitor the Task bar to see when this task completes. If the software needs to create a new bootable image for the Desktop, the restart takes a few extra minutes to complete. 7. When the restart task completes, notify the end users that their Desktops are available for use. Shut down Desktops Use the Restart/Shut Down action in the Desktops module to shut down a Desktop Citrix Systems, Inc. All rights reserved. p.186

187 You may need to shut down Desktops for maintenance purposes, to update a Desktop's configuration, or to prevent end users from selecting a specific Desktop. Before you start Before shutting down a Desktop, verify that the screen saver is disabled. The Desktop does not shut down properly if the screen saver is enabled. Steps 1. Click Desktops, select the Desktops you want to shut down, and click Restart/Shut Down. This opens the Shutdown Wizard 2. In the Restart or Shutdown tab, select Shut Down. If the selected Desktops are integrated with a connection broker, the Put in Maintenance Mode option becomes active. 3. If you do not want to put the Desktops in Maintenance Mode, clear Put in Maintenance Mode. 4. If needed, enter a comment that describes why the shutdown is necessary. If you enter comments, they appear in the Information view Audit History. 5. Click Restart/Shut Down Desktop. During a shutdown If you make changes to a Desktop while it is running (for example, you change the application assignment), the software will wait for the Desktop to shut down before completing the tasks required to create a new bootable image for the Desktop. When you initiate a shutdown of a Desktop, the software deploys the queued changes once the Desktop shuts down. You can monitor the detailed view of the Shut Down task in the Task bar to see the sub tasks related to creating the new bootable image. Improve Windows 8.1 Desktop login times If you want to speed up login times for Windows 8.1 Desktops, you can disable some of the more costly and less necessary GUI actions. Turn off new user arrows You can turn off new user arrows, by making the following Registry edits: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EdgeUI DisableHelpSticker DWORD 0 = Enable help tips 1 = Disable help tips Turn off startup animation You can turn off startup animation with these Registry edits: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Citrix Systems, Inc. All rights reserved. p.187

188 EnableFirstLogonAnimation DWORD 0 = Disable first sign-in animation 1 = Enable first sign-in animation Disable bootlog and boot animation You can disable bootlog and boot animation. 1. Open a command window. 2. Enter these commands: bcdedit /set {default} bootlog no bcdedit /set {default} quietboot yes Disable lock screen Disable lock screen: 1. Open the Group Policy Editor by right-clicking Computer. 2. Select Conf iguration > Administrative Templates > Control Panel > Personalization 3. Set Do not display the lock screen to Enabled. If you prefer to make this change by editing the Registry: 1. In the Registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalizationcreate a new DWORD (32-bit) Value named NoLockScreen with a value of Restart the system. Troubleshooting Desktops What if a Desktop doesn't start? If a user reports that a Desktop is not starting as expected, log in to the Unidesk Management Console and check the status of the Desktop. If the status indicates the creation of a new bootable image is in progress, ask the user to wait for a few minutes. A bootable image can take 5-30 minutes to rebuild. Do not try to power on the machine or take any other action in the virtual infrastructure. If the Desktop does not restart within a reasonable amount of time, contact Technical Support. Delete a Desktop Delete one or more Desktops 1. Select the Desktops tab, and then the Desktops subtab Citrix Systems, Inc. All rights reserved. p.188

189 2. Select one or more Desktops. 3. Select Delete in the Action bar. This opens the Delete Desktop wizard. 4. In the Confirm and Complete tab, verify that the list of selected Desktops is correct. 5. Enter a comment that explains why the deletion is necessary, if required. 6. Click Delete Desktops. The Desktops are deleted. 7. Monitor the Task bar to see when this task completes Citrix Systems, Inc. All rights reserved. p.189

190 Manage Session Hosts Jun 28, 2017 About changing Session Host Layers and attributes About managing a Session Host's bootable image The components that comprise a Session Host come from a variety of Layers. For example: An Operating System Layer includes the operating system that the software imports from a gold image. The gold image might include applications, as well. Individual Application Layers include applications that you create as separate components. When you create a Session Host, you specify virtual machine settings for CPUs, memory, network adapters and disk storage. Each Session Host has a configuration associated with it. The configuration references all of the components and versions that define what end users interact with when they use the Session Hosts. If the configuration changes, the software needs to create a new bootable image that matches the new configuration. A Session Host receives new bootable image when it is shut down or during a restart. The Unidesk software uses the new configuration to create a new bootable image. Changes that affect the Session Host bootable image Any time a user makes a change to a Session Host, the Session Host sends this information to the server or cluster that is hosting it. Based on the content of the messages it receives, the server or cluster determines whether it needs to create a new bootable image for the Session Host. A Session Host requires a new bootable image when you change the configuration, or when a change to the Session Host affects system-level files, for example, when adding new services, changing services to start automatically, or modifying system boot files. Note: Typically, changes to keys in the HTLM\SYSTEM\CurrentControlSet\Services key cause the Session Host to receive a new bootable image. The configuration for a Session Host changes when any of the following events occur: Changes to the Session Host affect system-level files. (for example, adding new services, changing services to start automatically, or modifying system boot files). You assign a new application to a Session Host. You remove an application from a Session Host. You add a new version of an existing application. You update a version of an existing application or the operating system. You change the priority order of applications assigned to one or more Session Hosts. Changes implemented during a Session Host shut down If a Session Host requires a new bootable image, the Session Host must remain in a shut down state while the CachePoint Appliance creates the image. If a user initiates a system restart and the Session Host requires a new bootable image, the Citrix Systems, Inc. All rights reserved. p.190

191 Session Host remains in a shut down state until the CachePoint Appliance finishes creating the bootable image. While this action is in progress, users can experience a one minute delay in the system restart. They may also notice that the Session Host is in a powered-off state during this time. It is important that no one attempts to power on the Session Host while the CachePoint Appliance is creating the bootable image. Attempting to start the Session Host while the CachePoint Appliance is creating the image can result in the Session Host not being able to restart. Example A user installs a new application on the Session Host. The installation program prompts the user to restart the computer to complete the installation. After the user clicks OK to restart the computer, she watches the Session Host shut down and restart. During the restart, the screen is blank. When the screen remains blank longer than usual, the user contacts the Session Host administrator. The Session Host administrator logs in to the Unidesk Management Console and notices that status of the Session Host is Creating image, indicating that the Session Host needs a new bootable image. The administrator asks the user to wait for a few minutes and explains that changes to the Session Host resulted in the need to create a new system image. After a short wait, the Session Host restarts normally. IP address assignment for Session Hosts When you create a Session Host, the software uses DHCP to acquire an IP address for it. If you look at the settings for the Session Host, however, the Internet Protocol settings for the Session Host show that a specific IP address is assigned to it, as shown in the following illustration. This assignment is normal behavior. Do not change these settings. How Session Hosts obtain IP addresses Each time a Session Host boots, a custom DHCP client runs during the early stages of the start-up process. This client is responsible for renewing or rebinding the current IP address, if possible. If the current IP address is not available, the custom DHCP client obtains a new address for the Session Host. There is no need for you to change any of the Internet Protocol properties. Because the software uses an internal ID, not the IP address, to identify the Session Host, communication is not affected if the Session Host's IP address changes. View the Session Host's configuration Session Host visualization panel The Session Host Visualization panel provides a graphic display of a Session Host configuration while you create and edit a Session Host. As you select layers and settings for the Session Host configuration, the Session Host Visualization panel displays the layers, in order of priority, and all of the Session Host settings. The priority order for layers is the order in which the Session Host deployment process applies the layer, from the highest Citrix Systems, Inc. All rights reserved. p.191

192 priority (applied last) to the lowest. Session Host views If you select multiple Session Hosts for editing, you can choose which one to display in the Session Host Visualization panel of the Unidesk Management Console. Just expand the list at the top of the panel and select a Session Host. Update a Session Host's applications Before you start If you are adding applications to the Session Hosts, make sure the Application Layers you need are available in the Layers > Application Layers module, and that they use the same OS Layer as the Session Hosts to which you want to assign them. Changing a Session Host's properties will create a new bootable image for the Session Host, and it must be in a stopped state for this task to complete. You can shut down the Session Hosts either before you start editing their properties, or restart the Session Hosts after you select the new properties. Assign a new Operating System Layer Version to Session Hosts You can update the operating system assigned to one or more Session Hosts by creating a new Layer version containing the operating system update and assigning the new version of the Layer to the Session Host's Collection. As part of this process, the Unidesk software creates a new bootable image for the Session Host. The Session Host must be stopped for this task to complete. The new Layer version is assigned to the Session Host based on the Session Host's maintenance schedule. To view and edit the Session Host's maintenance schedule: 1. In the Unidesk Management Console, click Session Hosts > Session Hosts and select the Session Host. Or, right-click the Collection in the Collections module to update all machines in the Collection at one time. Or, click the Collection to select all Session Hosts in the Collection. 2. Select Edit Session Hosts in the Action bar. 3. In the Maintenance Schedule tab, you can view and edit the deployment method for Session Host changes. Select or create a maintenance schedule. A maintenance schedule deploys changes during a specified time frame. For more about maintenance schedules, click here. As soon as possible. This option deploys the configuration changes after you shut down the Session Hosts. Selecting this option overrides the current maintenance schedule. Defer deployment until a specified date and time. This option defers deployment of configuration changes until the specified time elapses. At that time, Unidesk deploys the configuration changes if the Session Hosts are shut down. Selecting this option overrides the current maintenance schedule. 4. In the Confirm and Complete tab, enter a comment about the upgrade, if required, and click Update Session Host.If you enter comments, they appear in the Information view Audit History. Unidesk deploys the configuration changes as Citrix Systems, Inc. All rights reserved. p.192

193 specified by your Maintenance Schedule selection. Assign new applications or updates to Session Hosts You can edit Session Hosts from the Session Host module, or by selecting the Session Hosts' Collection in the Collections module. The changes will be applied in accordance with the selected maintenance schedule option. Session Hosts are always restarted during update. 1. Create a new Application Layer or Layer Version. 2. Select the Session Hosts that you want to edit from the Session Hosts module or by selecting the Session Hosts' Collection in the Collections module. 3. Select Edit Session Hosts in the Action bar. 4. In the Application Assignment tab, expand the item for the application that you want to upgrade and select the appropriate version. 5. In the Maintenance Schedule tab, select a deployment method for the configuration changes. You can deploy them in any of the following ways: Select a maintenance schedule. A maintenance schedule deploys changes during a specified time frame. For more about maintenance schedules, click here. As soon as possible. This option deploys the configuration changes after you shut down the Session Hosts. Selecting this option overrides the current maintenance schedule. Defer deployment until a specified date and time. This option defers deployment of configuration changes until the specified time elapses. At that time, Unidesk deploys the configuration changes if the Session Hosts are shut down. Selecting this option overrides the current maintenance schedule. Defer deployment until there are no more sessions or the Session Host is rebooted. A maintenance schedule deploys changes when the session count becomes zero or when the Session Host is rebooted. 6. In the Confirm and Complete tab, enter a comment about the upgrade, if required, and click Update Session Host.If you enter comments, they appear in the Information view Audit History. Unidesk deploys the configuration changes as specified by your Maintenance Schedule selection. Edit other Session Host attributes Before you start Modifying Session Host properties requires the software to create a new bootable image for the Session Host, and the Session Host must be in a stopped state for this task to complete. You can either shut down the Session Hosts you are planning to modify before you start editing their properties, or you can choose to restart the Session Hosts after you select the new properties. Session Host settings you cannot change You cannot change the following settings when you modify a Session Host: Citrix Systems, Inc. All rights reserved. p.193

194 Operating System Layer User Data Storage size Move the Session Host to a different Collection Requirements You can move a Session Host to a different Collection as long as the new Collection has the following settings in common with the Session Host's current Collection: Operating System Layer Select a different Collection for the Session Host 1. In the Unidesk Management Console, select the Session Hosts that you want to edit from the Session Hostsmodule. 2. Click Edit Session Hosts. 3. Select the Collection Reassignment tab, and choose an eligible Collection from the list. 4. Select the Conf irm and Complete tab, and click Update Session Host. As with any other Session Host edit, selecting a new Collection creates a task that will rebuild the Session Host and move it into the new Collection at the next Maintenance Window. Change the Session Host name When you create Session Hosts, you either enter a name for it or allow the system to generate names for you. The Session Host name must be unique to the host that is storing it and adhere to the following standards: When the software creates the Session Host, it uses the specified or generated name as follows: Uses the name for the Session Host that the Unidesk Management Console displays. Creates a virtual machine with the specified name. Uses the name as the DNS name assigned to the virtual machine in the virtual infrastructure. Uses the name as the Windows machine name. If you change the name of a Session Host after you create it, the change affects only the name that the Unidesk Management Console displays. The virtual machine name, the DNS name associated with the Session Host, and the Windows machine name do not change. If you want the names to match, you must change the names manually. To change the name of a Session Host: 1. In the Unidesk Management Console, select the Session Hosts that you want to edit from the Session Hostsmodule. 2. Click Edit Session Hosts. 3. Select the Session Host Details tab, and change the Session Host Name. 4. Select the Conf irm and Complete tab, and click Update Session Host. Configure a network connection for Session Hosts By default, the setting for a Session Host's network connection is the same as the network assigned to the gold image that you used to create the Operating System Layer. Depending on the organization of your virtual infrastructure, you may want to configure specific Session Hosts to use different network connections Citrix Systems, Inc. All rights reserved. p.194

195 You can set the network connection when you create Session Hosts or you can change the network connection for deployed Session Hosts. 1. In the Unidesk Management Console, select the Session Hosts that you want to edit from the Session Hostsmodule or by selecting the Session Hosts' Collection in the Collections module and click Edit. 2. In the Session Host Details tab, select different values for the Virtual Switch and VLAN Tags, as needed. If you need to add new VLAN Tags, click the Manage button and use the wizard to do so. 3. Complete the create or edit task. 4. If you modified an existing Session Host, restart it to ensure the changes take effect. Change the Physical Attributes of a Session Host You can change the physical settings of the virtual Session Host at any time. For example, if you are installing an application that requires additional memory, you can adjust these settings, as required. 1. In the Unidesk Management Console, select the Session Hosts that you want to edit from the Session Hostsmodule or by selecting the Session Hosts' Collection in the Collections module. 2. Select Edit in the Action bar. The Edit Session Host wizard opens. 3. Select the Session Host Settings tab and change the settings as necessary. Restart or shut down a Session Host Restart Session Hosts Use the Restart/Shut Down action in the Session Hosts module to start a Session Host that is shut down or to have changes to the Session Host take effect. During the restart process, the Unidesk software instructs the virtual infrastructure to perform a clean shut down of the virtual machine, if it is still running, and then starts it again. Before you start Before restarting a Session Host, verify that the screen saver is disabled. The Session Host does not shut down properly if the screen saver is enabled. During a restart If you make changes to a Session Host while it is running (for example, you change the application assignment), the software will wait for the Session Host to shut down before completing the tasks required to create a new bootable image for the Session Host. When you initiate a restart of a Session Host, the software deploys the queued changes once the Session Host shuts down. After building the new bootable image, the software initiates the restart. You can monitor the detailed view of the Restart task in the Task bar to see the sub tasks related to creating the new bootable image. Steps 1. Select Session Hosts and select one or more Session Hosts Citrix Systems, Inc. All rights reserved. p.195

196 2. Select Restart/Shut Down in the Action bar. This opens the Shut Down wizard. 3. In the Restart or Shutdown tab, select the Restart option. 4. In the Confirm and Complete tab, enter a comment that explains why the restart is necessary, if required.if you enter comments, they appear in the Information view Audit History. 5. Click Restart/Shutdown Session Host. The Unidesk software causes the virtual infrastructure to restart the appropriate virtual machines. 6. Monitor the Task bar to see when this task completes. If the software needs to create a new bootable image for the Session Host, the restart takes a few extra minutes to complete. 7. When the restart task completes, notify the end users that their Session Hosts are available for use. Shut down Session Hosts Use the Restart/Shut Down action in the Session Hosts module to shut down a Session Host. You may need to shut down Session Hosts for maintenance purposes, to update a Session Host's configuration, or to prevent end users from selecting a specific Session Host. Before you start Before shutting down a Session Host, verify that the screen saver is disabled. The Session Host does not shut down properly if the screen saver is enabled. Steps 1. Click Session Hosts, select the Session Hosts you want to shut down, and click Restart/Shut Down. This opens the Shut Down wizard 2. In the Restart or Shutdown tab, select Shut Down. If the selected Session Hosts are integrated with a connection broker, the Put in Maintenance Mode option becomes active. 3. If you do not want to put the Session Hosts in Maintenance Mode, clear Put in Maintenance Mode. 4. If needed, enter a comment that describes why the shutdown is necessary. If you enter comments, they appear in the Information view Audit History. 5. Click Restart/Shut Down Session Host. During a shutdown If you make changes to a Session Host while it is running (for example, you change the application assignment), the software will wait for the Session Host to shut down before completing the tasks required to create a new bootable image for the Session Host. When you initiate a shutdown of a Session Host, the software deploys the queued changes once the Session Host shuts down. You can monitor the detailed view of the Shut Down task in the Task bar to see the sub tasks related to creating the new bootable image. Delete a Session Host Delete one or more Session Hosts Citrix Systems, Inc. All rights reserved. p.196

197 1. Select the Session Hosts tab, and then the Session Hosts subtab. 2. Select one or more Session Hosts. 3. Select Delete in the Action bar. This opens the Delete Session Host wizard. 4. In the Confirm and Complete tab, verify that the list of selected Session Hosts is correct. 5. Enter a comment that explains why the deletion is necessary, if required. 6. Click Delete Session Hosts. The Session Hosts are deleted. 7. Monitor the Task bar to see when this task completes Citrix Systems, Inc. All rights reserved. p.197

198 Manage Unidesk Collections Jun 28, 2017 You can browse and search, edit, or delete Collections. Browse and search Unidesk Collections Search f or Collections 1. In the Unidesk Management Console, select Desktops > Collections or Session Hosts > Collections. 2. Search by a word in the Collection name: 1. Type a word in the Search box and click Search. 3. Search by a specific Operating System Layer and Version 1. Click the Down-arrow next to the Search button to open the Advanced Search window. 2. Enter the Operating System Layer name. 3. Enter the Layer version (optional). 4. Click Search. View the Unidesk Machines (Desktops or Session Hosts) in one or more Collections You can quickly see which Unidesk Machines are in one or more Collections. This is especially helpful when you have large numbers of Unidesk Machines and Collections, and you want to browse or search on a more manageable number of Unidesk Machines. To view the Unidesk Machines in one or more Collections: 1. In the Unidesk Management Console, select Desktops > Collections or Session Hosts > Collections. 2. Select the Collection whose Unidesk Machines you want to see, and click View Desktops or View Session Hosts. To select more than one Collection, use CTRL-Click. This displays the Desktops or Session Hosts tab with only the Unidesk Machines belonging to the selected Collection(s). View and Edit Unidesk Collection Details View Unidesk Collection Details You can view detailed information about a Collection, including the Collection Name, broker, Collection Type, description, Desktop or Session Host count, and Audit History. 1. In the Unidesk Management Console, select Desktops > Collections or Session Hosts > Collections. 2. Click the i on the Collection icon to see the details. Edit a Unidesk Collection You can change the settings for a Unidesk Collection by editing it. To edit a Unidesk Collection: 1. In the Unidesk Management Console, select Desktops > Collections or Session Hosts > Collections. 2. Select the Collection, click Edit Collection, and change the following settings, as needed. Name and Description tab - Edit the description. Select a different icon for the Collection. Broker and Entitlements - Change the Groups and Users entitled to access this collection. To see a list of entitled Citrix Systems, Inc. All rights reserved. p.198

199 users and groups, check the Visualization panel to the right. OS Assignment - Choose a different version of the Operating Layer for this collection. (You cannot change the Operating System Layer itself, just the version.) Expand the Layer to see the versions that have been added. 3. On the Confirm and Complete tab, click Update Collection. Delete a Unidesk Collection Before you start Before you can delete a Unidesk Collection, the Collection must not contain any Desktops or Session Hosts. If there are any Desktops or Session Hosts in the Collection you must remove them. Delete a Unidesk Collection To delete a Unidesk Collection: 1. In the Unidesk Management Console, select Desktops > Collections or Session Hosts > Collections. 2. Select the Collection and click Delete. 3. On the Confirm and Complete tab, verify that you've selected the correct Collection, and type a comment (optional). 4. Click Delete Collection Citrix Systems, Inc. All rights reserved. p.199

200 Use Windows Remote Assistance to manage Desktops Jun 28, 2017 Windows Remote Assistance provides a mechanism included with Microsoft Windows to provide help desk, remote control support for Windows Desktops. Remote Assistance is enabled using Group Policy Objects and the client is accessed from Windows Help. In this article we will outline options for designing the Remote Assistance process as well as the steps requires to deploy and use Remote Assistance in your organization. To learn more about the Windows Remote Assistance feature, see these Microsoft articles: Offering Remote Assistance Step by Step Guide to Remote Assistance Turn Remote Assistance On Remote Assistance is enabled by configuring the Remote Assistance Policies found in Computer Configuration>Administrative Templates>System>Remote Assistance. The configurable policies are: 1. Allow only Vista or later connections 2. Turn on session logging 3. Turn on bandwidth optimization 4. Customize warning messages 5. Solicited remote Assistance 6. Offer remote Assistance The two settings that are required are 5 and Citrix Systems, Inc. All rights reserved. p.200

201 These settings can be defined in the OS Layer or an application Layer or as a Domain GPO. I would recommend using if using 5- Solicit or Easy Connect if using 6-Offer. Solicited Remote Assistance With solicited Remote Assistance the user initiates the session. This can be performed using or by saving a file to a share. is probably the best method to transport the invitation file. to the support representative. To configure Solicited Remote Assistance via update the GPO settings as seen below: Unsolicited Remote Assistance Most organizations will likely want to enable unsolicited remote assistance. In this model, the support representative enters the computer name into the Remote Assistance tool and it connects directly to the Desktop. The user must accept assistance and accept remote control if that is desired. To enable unsolicited Remote Assistance, modify the Offer Remote Assistance GPO settings as seen below: Citrix Systems, Inc. All rights reserved. p.201

202 Remember to add your "Help Desk" Active Directory group into the helpers dialogue. Click 'Show" next to Helpers and enter Domain\Group. Use Remote Assistance to manage Windows 7 Desktops Remote Assistance is very easy to use. However initiating the connection from the user side is much harder than doing so from the support side. Both methods are discussed here. Administrators will want to create shortcuts with the appropriate command line to make it easy to initiate a session. Solicited Remote Assistance The process to initiate a session from the user side is as follows: 1. User opens the Remote Assistance shortcut 2. This open an with the invitation attached 3. User adds the support representative address and sends 4. Support rep receives and opens invitation 5. User reads password to support rep 6. Support rep type password into utility 7. User accepts the connection 8. Support rep requests control as desired 9. User assents to control You can see this method has many steps. To keep it this short, you must create a shortcut to run the Remote Assistance utility directly jumping to the attachment. To do this, create a shortcut in the desired location with a command line of "msra.exe / ". When opened Citrix Systems, Inc. All rights reserved. p.202

203 this will directly create the invitation opened in an . The shortcut should be installed in the same Layer where you add the GPO settings if using a Layer, or just on the Operating System Layer if using a Domain GPO. Unsolicited Remote Assistance This is by far the easier method. The process to initiate a session from the user side is as follows: 1. Support rep opens the Remote Assistance utility 2. Support rep types in the users computer name 3. The user accepts the connection 4. Support rep requests control as desired 5. User assents to control To keep it this short you must create a shortcut to run the Remote Assistance utility on the support reps computer directly opening the Remote Administration utility to the request computer name form.. To do this create a shortcut in the desired location with a command line of "msra.exe /offerra" Citrix Systems, Inc. All rights reserved. p.203

204 Edit Layer and Collection icons Jun 28, 2017 When you create or edit an Operating System Layer, Application Layer, or Collection, you can assign an icon to it. Icons help to identify these items in the Unidesk Management Console. About editing and assigning icons When using the Create or Edit wizard for any Layer or Collection, the Icon Assignment tab gives you the opportunity to: Choose an icon: Use the default icon, choose another icon from the included samples, or upload a custom icon. Delete an icon you no longer need. Note Icons are automatically assigned to Session Hosts and Installation Machines from the appropriate Collection or OS Layer, respectively. Default icon Unidesk uses the following icon by default when you create a Layer or Collection, or delete an icon that is in use. Recommended icon specifications The following image specifications are recommended for Unidesk icons. Although other sizes and resolutions are supported, the file type must be PNG or JPG. Specif ication Details File type PNG or JPG Size 64 x 64 pixels Resolution 96 DPI Assign or delete an icon Preview an icon You can preview a custom icon before applying it: Citrix Systems, Inc. All rights reserved. p.204

205 For best results, adjust your icon image to conform to the Recommended icon specifications above. 1. In the Icon Assignment tab, click Browse. 2. Select the icon image you want to upload and click Open. The image appears along with the other icons, and a preview is displayed on the right. Upload an icon You can upload a custom icon to add to your collection: 1. Adjust your icon image to conform to the Recommended icon specifications above. 2. In the Icon Assignment tab, click Browse. 3. Select the icon image you want to upload, and click Open. The image appears in the icon collection, and a preview of the icon as it will appear on the selected Layer is displayed on the right. Note: If you browse and select an icon, but then choose a different one for your Layer, the first one you had selected will not be uploaded. The icon is only uploaded once you have finalized the Confirm and Complete tab. 4. To complete the upload, use the Confirm and Complete tab to finalize the wizard. Delete an icon You can delete an icon, and it will be removed from the database. Note: The software does not let you delete the following icons shipped with the system: If the icon is in use by any Layer or Collection, you will receive a warning, and the default icon will be used in its place. 1. In the Icon Assignment tab, select the icon you want to delete. 2. Click the Delete button. This immediately removes the icon from the database, even if you do not complete the wizard Citrix Systems, Inc. All rights reserved. p.205

206 Schedule Desktop or Session Host maintenance Jun 28, 2017 A maintenance schedule controls when a Unidesk administrator deploys layer assignment changes or configuration changes that require a rebuild of the bootable image. A maintenance schedule includes one or more maintenance windows, or time periods, within which Unidesk can shut down Desktops or Session Hosts and deploy configuration changes to them. When configuring this window, you can specify whether or not to wait for users to log off before shutting down the Desktops or Session Hosts. About maintenance schedules Unless you configure the settings, Unidesk assigns a default maintenance schedule to all Desktops or Session Hosts when you create them. You can modify the system default maintenance schedule but you cannot delete it. If you don't want to use the default maintenance schedule, you can create custom maintenance schedules and use them instead. You create or edit maintenance schedules using the System > Settings and Configuration options. Once you have created a maintenance schedule, you can assign it to any Desktop or Session Host when you create or edit the Desktop or Session Host. Note T he time that maintenance schedules use is based on the system clock of the Management Appliance. T he system clock on Desktops, Session Hosts, or CachePoint Appliances does not affect maintenance schedules. What happens during a maintenance window? During a maintenance window, Unidesk: Determines whether any of the Desktops or Session Hosts using the maintenance schedule have outstanding configuration changes. Unidesk includes all outstanding configuration changes when it rebuilds the Desktop's or Session Host's bootable image. Therefore, if you edit the Desktop or Session Host multiple times before a maintenance window occurs, Unidesk incorporates all of these changes into the new bootable image. Starts to shut down these Desktops or Session Hosts (if they are not already shut down) and rebuild their bootable images. Unidesk shuts down four Desktops or Session Hosts at a time on each CachePoint Appliance and starts rebuilding the bootable images for these Desktops or Session Hosts. As one rebuild completes, Unidesk shuts down the next Desktop or Session Host in its queue and starts to rebuild its bootable image. When a maintenance window ends, deployment tasks that are already in progress continue until complete. If Unidesk did not have sufficient time to start all of the outstanding deployment tasks, it waits until the next maintenance window occurs and starts those tasks during that time. Maintenance schedule overrides Citrix Systems, Inc. All rights reserved. p.206

207 You can override a maintenance schedule in the following ways: Deploy changes as soon as possible. Unidesk tries to start the deployment tasks as soon as it can, instead of waiting for a maintenance window to occur.unidesk shuts down the Desktops or Session Hosts and deploys the configuration changes, even if users are still logged on to the Desktops or Session Hosts. Deploy changes at a specified time. Unidesk deploys the changes after the specified time occurs instead of waiting for a maintenance window to occur. At that time, Unidesk shuts down the Desktops or Session Hosts and deploys the configuration changes, even if users are still logged on to the Desktops or Session Hosts. Deploy changes after the user logs off or restarts a Desktop or Session Host. This option allows the user to control when Unidesk deploys configuration changes. Unidesk waits for the first time when a user logs off or restarts the Desktop or Session Host, instead of waiting for a maintenance window to occur.unidesk deploys the configuration changes as soon as the user logs off or restarts the Desktop or Session Host. After you select a maintenance schedule override, it remains in effect until the next time Unidesk rebuilds the bootable images for the Desktops or Session Hosts. Afterward, the selected maintenance schedule applies to future changes. Ef f ect of shutting down Desktops or Session Hosts outside of a maintenance schedule If you shut down Desktops or Session Hosts outside of the time periods specified in a maintenance schedule, Unidesk does not deploy pending configuration changes unless you select one of the maintenance schedule override options. Instead, Unidesk waits until the next maintenance window in the schedule occurs before starting the deployment tasks. For example, if the maintenance schedule for a Desktop specifies that deployment tasks should occur between 6 PM and 11 PM and you shut down the Desktop at 5 PM, Unidesk waits until 6 PM occurs before starting deployment tasks for that Desktop. Configure maintenance schedules and windows Create a maintenance schedule You can create or edit maintenance schedules by using System > Settings and Configuration. Once the maintenance schedule has been created, you can assign the new maintenance schedule to Desktops or Session Hosts when you create or edit them. To create a maintenance schedule. 1. Select System > Settings and Conf iguration and scroll to the Maintenance Schedule Configuration options, and click Add. This opens the Create Maintenance Schedule window. 2. Enter a name for the schedule. 3. Add a maintenance window. 1. Click Add below the Maintenance Windows box. 2. Select the start and end day for the maintenance window. If you want to constrain the maintenance window to a single day, select that day as both the start and end day. For example, selecting Monday through Monday defines a maintenance window for that day only. 3. Select the start and end time for each day in the maintenance window Citrix Systems, Inc. All rights reserved. p.207

208 4. Click Apply. 5. Repeat these steps to add additional maintenance windows. 4. For Desktops, specify when you want Unidesk to deploy configuration changes during a maintenance window (not applicable for Session Hosts): After the user is logged off for at least 10 minutes: If you select this option, logged-on users must log off and remain logged off for at least 10 minutes before Unidesk deploys configuration changes to those Desktops or Session Hosts. If a user remains logged in, Unidesk waits for the next maintenance window before it tries to deploy the configuration changes. Unidesk deploys configuration changes to any selected Desktop that has no active users. As soon as possible: If you select this option, Unidesk shuts down Desktops or Session Hosts and deploys the changes, even if users are still logged on. 5. Click Create. 6. Complete the wizard to save the new maintenance schedule. Specif y a custom maintenance schedule f or selected Desktops or Session Hosts Use the System > Settings and Configuration module to create a custom maintenance schedule. After you create a custom maintenance schedule, you can assign it to any Desktop or Session Host in the Unidesk environment. To assign a custom maintenance schedule to a Desktop or Session Host, do the following: 1. Create a new maintenance schedule using the System > Settings and Conf iguration options as described in Create a maintenance schedule. 2. When creating or editing a Desktop or Session Host, select the Maintenance Schedule tab. 3. On the Maintenance Schedule tab, select the new maintenance schedule from the list. 4. Complete the wizard to save the new maintenance schedule. The wizard does not save the new maintenance schedule until you complete the wizard. View maintenance schedules 1. Select System > Settings and Conf iguration. 2. Navigate to Maintenance Schedule Configuration. 3. Select a maintenance schedule from the list. The schedule displays the Maintenance schedule name and the Maintenance windows. Schedule Desktop or Session Host maintenance Once created, you can assign a maintenance schedule to any Desktop or Session Host, and manage the schedule using System > Settings and Configuration. Modif y a maintenance schedule Use the following procedure to modify the maintenance windows in a maintenance schedule. 1. Select System > Settings and Conf iguration, scroll to the Maintenance Schedule Configuration options and select the schedule you want to modify from the schedule list. 2. Click Edit. 3. Click Modif y. This action opens the Modify Maintenance Schedule window. 4. If you want to change the name for the schedule, enter a new name for the schedule. 5. Select a maintenance window that you want to change and click Modif y. 6. Select the days of the week and the time frame for the maintenance window. If you want to constrain the Citrix Systems, Inc. All rights reserved. p.208

209 maintenance window to a single day, select that day in both day lists. For example, selecting Monday through Monday defines a maintenance window for that day only. 7. Click Apply. 8. Click Save. Add maintenance windows to a maintenance schedule Use the following procedure to add maintenance windows to a maintenance schedule. 1. Select System > Settings and Conf iguration, scroll to the Maintenance Schedule Configuration options and select a schedule from the schedule list. 2. Click Edit. 3. Click Modif y. This action opens the Modify Maintenance Schedule window. 4. Click Add. 5. Select the days of the week and the time frame for the new maintenance window. If you want to constrain the maintenance window to a single day, select that day in both day lists. For example, selecting Monday through Monday defines a maintenance window for that day only. 6. Click Apply. 7. Click Save. Delete a maintenance window in a maintenance schedule Use the following procedure to delete a maintenance window in a maintenance schedule. 1. Select System > Settings and Conf iguration, scroll to the Maintenance Schedule Configuration options and select a schedule from the schedule list. 2. Click Edit. 3. Click Modify. 4. Select one or more maintenance window windows and click Delete. 5. When prompted to confirm whether you want to delete the selected windows, click Save. 6. Complete the wizard to save the changes Citrix Systems, Inc. All rights reserved. p.209

210 Unidesk for Hyper-V Backup and Recovery Jun 28, 2017 This document explains how to back up and recover Unidesk appliances and Persistent Desktops. Backups for the Management Appliance and Master CachePoint Appliance Basic recovery for these components can be achieved by creating backups of the files that make up the Management Appliance and Master CachePoint Appliance on the Hyper-V host where they were installed using a frequency that is based on the desired RPO. The Management Appliance is fairly small and easy to back up. The size of a Master CachePoint Appliance can be between 120 GB and 250 GB or more. Creating full backups for CachePoint Appliances takes longer than backing up the Management Appliance. There are many options for backing up by using backup products designed for Windows Server 2012 R2. You can use Windows Server Backup which is included with Server 2013 R2. Of course, you can also use third party products like VEEAM to do your backups with more options but beware many virtual machine backup products may not be suited to backup layer disks used by Unidesk because they are not uniquely attached to a virtual machine. Management Appliance Backup The management appliance is a normal virtual machine, it can be backed up by backing up the file system of the Hyper-V server it is installed on or using a VM image backup. Master CachePoint Appliance Backup The Master CachePoint Appliance is a normal virtual machine but it also manages the master copy of all the layer disks in Unidesk. Therefore to properly backup the MCP you must also backup these extra disk files. Backup File Structure Looking at the drive used for Unidesk in Hyper-V. First under the MCP Name is the appliance virtual machine. Then, under the UnideskLayers folder we have all of the layer disks for that CP and in the case of the MCP it is the master copy of all the layer disks Citrix Systems, Inc. All rights reserved. p.210

211 To properly backup the MCP you must back up both of these. The easiest way to do this is to back up the file system rather than backing up the MCP as a VM and then adding in the UnideskLayers folders from the file system though that is possible. Backups for secondary CachePoint Appliances How you decide to back up desktops and CachePoint Appliances depends a great deal on your RTO and whether you can provide a recovery desktop immediately while you recover the user s normal desktops. Recovery of a CachePoint Appliance In order to recover a CP appliance and the desktops managed by that appliance in Hyper-V you must make regular backups of the appliance and the User folders. The OS and App layers can be copied from the MCP if necessary but you will want to document which layers you need. Unidesk has reporting tools to help with this. Recovery of a CachePoint Appliance and Its Desktops using SAN snapshots If your organization s RTO is very short (for example, one hour), recovering an entire CachePoint Appliance and its desktops from a backup is impossible. In this case, the only viable option is to use SAN-based snapshot technology for the CachePoint appliance and its CP and Boot Volumes/Folders. This approach allows you to recover back to the latest snapshot very quickly. Just remember that the Management Appliance database must be in sync with the snapshot. You should create snapshots on a frequent enough basis to ensure that you don't have to use a very old snapshot, ensuring that Management Appliance database will still match the database on the CachePoint Appliance after it is restored. If you lose desktops from the CachePoint Appliance after completing a snapshot restore you should be able to delete the object in the UMC and then recreate the desktops. Unidesk Persistent Desktop and Session Host Backups To back up Unidesk Persistent Desktops or Session Hosts, there are two separate disks that should be backed up for each Desktop or Session Host; the boot disk and each UEP disk. These disks are located in two places. Boot disks are located the folder you defined for boot disks and the UEP disk is stored under UnideskLayers\User folder structure as seen below Citrix Systems, Inc. All rights reserved. p.211

212 Note You should not use Hyper-V checkpoints to save the state of a Persistent Desktop or Session Host, either manually or via a backup product. Starting in 3.1, when a Persistent Desktop or Session Host is edited, all checkpoints will be deleted, and the changes they contain will be merged into the machine's Personalization Layer. Recovery of a single Desktop or Session Host Recovery of a single Desktop or Session Host is easy as long as it is still available in the UMC. Just restore the two vhdx files that make up the writable portion of the Desktop or Session Host (see the beginning of this section), then REBIC the Desktop or Session Host Citrix Systems, Inc. All rights reserved. p.212

213 Backup Example Using Windows Server Backup Jun 28, 2017 Windows Server Backup (WSB) is an included product with Server 2012 R2. WSB offers the ability to backup the Windows Server itself as well as the Unidesk virtual appliances and virtual desktops. If a low RTO is desired consider backing up the entire Windows server as well as the Unidesk appliance and desktop components. If you only need backups in order to recreate virtual desktops without redoing all the work done to create the infrastructure and layers you can choose to just backup the Unidesk Management Appliance and MasterCachePoint including the UnideskLayers folder. This would allow you to restore these files on a new Hyper-V host, import the appliances and then create and manage new or existing Desktops or Session Hosts if they are on hosts/storage that did not fail. WSB can be configured to write to a locally mounted volume or a network share. When using a locally attached volume there are two operational modes possible; one where backup owns the entire volume and one where the backup shares the volume. If the backup is allowed to own the volume then block level incremental backups are possible so that you can restore back to any previous backup. If the entire volume is not dedicated to backup then only a single backup is retained. If you choose to backup to a Windows Share only a single backup is retained as well. Installing Windows Server Backup There are two ways to install the backup utility. You can add the Windows Server Essentials Experience Role, then add the Windows Server Backup feature or you can use PowerShell to just install Windows Server Backup directly. The PowerShell command is: Install-WindowsFeature Windows-Server-Backup. Setting up the backup The first step in setting up the backup after installing the software is to create a volume or share to backup to. In my lab I created a new LUN and masked the LUN to my Hyper-V host. I then opened Windows Server Backup and clicked on Backup Schedule to define the backup. On the first screen choose custom Citrix Systems, Inc. All rights reserved. p.213

214 Then in select items for backup choose the folders for the MA and MCP if you are backing up only the MA and MCP. If you are backing up a Secondary CP choose the folders for the CP Appliance which will include the CP itself and all of the layers and include the boot drive location you defined when you created the CP. This will of course backup the boot disks. If you do not want to back up the APP and OS layers for a secondary CP you can add exclusions for these folders in the advanced settings tab of the selection dialog. First select the items to back up If you are backing up an SCP and you decide not to backup the layers then you must do two things. First document which layers have been deployed to the CP on a regular basis and add an exclusion to not back up the layers. To add an exclusion click on advance settings then Exclusions and Add Exclusion. Then choose backup times. Here you can choose once a day or multiple times a day. If you want to backup the MA and MCP less frequently choose once a day and then edit the scheduled task created for the backup after completing the process Citrix Systems, Inc. All rights reserved. p.214

215 Next you specify the location type that matches your plan. The first option dedicates the entire LUN or drive to backups and allows for multiple backups to be kept. The second choice works the same way but it can share the drive. The second option runs slower. The third option is for storing backups on a file share. Using this option you will only have one copy of a backup. If using a volume you will see Citrix Systems, Inc. All rights reserved. p.215

216 That s it. Now wait for a backup to run and check the status. Recover the MA, MCP or a Secondary CP How you approach recovery of the MA and MCP depend on the failure scenario. If for some reason the appliance becomes corrupted you can just restore the files from backup. If you have to recover the entire host. You will first recreate or recover the host. If you have used bare metal backup and have restored everything on the C drive including the Hyper-V configuration then you can restore the files for the MA and MCP and everything will work. If you are backing up Secondary CPs you will want to use this option otherwise adding all the desktops back in to Hyper-V will be very difficult. If you are creating a new Hyper-V host and installing Hyper-V from scratch then you will also install the Unidesk Hyper-V Agent (setup_unidesk_hyper-v_agent.exe) from the Unidesk Installation media and then restore the MA and MCP from backup. Then import both appliances back into Hyper-V. If you have restored the entire host or created a new host and need to import a secondary CP and its desktops, we provide a utility called the Unidesk Hyper-V Load Utility. This utility will read throught the boot drive folder and add import all the desktops it finds into Hyper-V. To restore the MA and MCP from backup follow this procedure. Select Recover. Choose this server. Caricature Choose the desired date and time of the backup if you have a choice Citrix Systems, Inc. All rights reserved. p.216

217 Select Files and Folders. Here you can specify the folder for the MA or the MCP or the root of both to restore both. Then choose to overwrite the existing files in the original location Citrix Systems, Inc. All rights reserved. p.217

218 Make sure that the selected paths are correct and perform the recovery operation. Remember to also create the boot disk folder if this was not included in the backup/recovery path. Recover a Desktop or Session Host To recover a single Desktop or Session Host from backup you will be restoring just the three disks that make up the writable portion of a desktop. These are the boot disk and the personalization disk. This assumes the Desktop or Session Host is still defined in Hyper-V and all we want to do is to roll back to an earlier version of the machine. Note to perform this operation, you must backup the Desktop or Session Host servers and Secondary CPs. Select Recover. Choose this server. Choose the desired date and time of the backup if you have a choice. Select Files and Folders Citrix Systems, Inc. All rights reserved. p.218

219 Under Items to recover first select the UEP disk under UnideskLayers\User Then choose to overwrite the existing files in the original location Ensure the confirmation screen looks correct then recover the UEP disk Citrix Systems, Inc. All rights reserved. p.219

220 Now perform the process again for the boot disk. Then you can start the desktop, log in, and test. Unidesk Hyper-V Load Utility If you have a whole host failure and you do not keep bare-metal backups to recover from, you can still recover the Unidesk MA, CP and Desktops from backup. Create a new Hyper-V host. Use the same hostname as the failed host. Install the Unidesk Hyper-V agent. Restore the Boot folder and CP appliance folder from backup. Then use the Unidesk Hyper-V Load Utility to import the applances and desktops from the storage folders. To install the utility download the zip and first check its properties to unblock the file if it is blocked Citrix Systems, Inc. All rights reserved. p.220

221 On the Hyper-V server that you will restore on, create a folder off the root of the C drive with no spaces in the name and unpack the zip file into that folder. Then run the utility as administrator (LoadDesktops.exe). Choose get for the desired folders then click save to save this information to the files used by the scripts. Then you can either test or run. Test will create a log of what the utility would do if it were run but it will not import any VMs. Press run when you are ready to import the appliances and desktops Citrix Systems, Inc. All rights reserved. p.221

222 Hosts and appliances Jun 28, 2017 Manage Hyper-V hosts Manage appliances Manage network storage Open firewall ports for Unidesk Unidesk for Hyper-V Backup and Recovery Citrix Systems, Inc. All rights reserved. p.222

223 Manage Hyper-V hosts Jun 28, 2017 You can add a Hyper-V host to the Unidesk environment, and then configure your CachePoint Appliances to use the new host. If this is a new Unidesk deployment, follow the instructions for Installing Unidesk appliances. Bef ore you start Unidesk requirements Once you have the required hardware in place, please be sure to meet the following detailed requirements before running the Unidesk Installer. Windows Server 2012 R2 system (with Hyper-V Role enabled), or Hyper-V Server 2012 R2. The.NET Framework 4.5 Features selected on the server. Credentials required You need the credentials for the server Administrator. You can either log in as Administrator or as a User with Administrator privileges. Port opened by the Unidesk Installer The Unidesk Installer opens a port on the local server's firewall for the TCP protocol. This port is used for communications between the Hyper-V Agent service and the Unidesk Appliances. By default this is port 8014, but you can change the port number during installation. Use host names in the Unidesk environment You can set up your environment to use host names in addition to IP addresses so that a change in an IP address will not affect communications between the Management Appliance and its CachePoint Appliances. If you set the host name on your Hyper-V server, Unidesk will automatically use it instead of the IP address. Then the IP address can change without causing any problems, as long as the host name does not change. Similarly, if you set a host name for you MA and use it when you register the host (via the Unidesk installer, or manually as described next) then you can change the IP address of the MA without issues, as long as the host name does not change. Add and remove Hyper-V hosts Add a new host to the environment You can add a new host to the environment by installing the Unidesk Hyper-V Agent on the server, and registering the host with your Management Appliance. 1. Download the Hyper-V Agent Installer from the Unidesk Hyper-V Download Center onto one of the local drives on your new Hyper-V server. 2. Run the installer and when prompted, enter the host name or IP address of your Management Appliance. This installs the Hyper-V agent on the host, and registers the host with the Management Appliance. 3. If the host is being added to a cluster, the Unidesk Management Appliance must be restarted to recognize the cluster configuration change Citrix Systems, Inc. All rights reserved. p.223

224 Remove a host f rom the environment Requirement Before you can delete a host, any appliances or Unidesk Machines (Desktops or Session Hosts) running on it must be removed. Delete a host 1. Log into the Unidesk Management Console, and select System > Manage Appliances. 2. Click Remove Hosts. Hosts that are not in use for Unidesk appliances or Unidesk Machines are active on the list. Others are crossed off. 3. Select the host(s) to delete and click Remove. 4. On the Conf irm and Complete tab, verify the selected hosts, and click Remove Hosts. 5. If the host is being removed from a cluster, the Management Appliance must be restarted to recognize the cluster changes. Manage host IP address changes Troubleshooting issues due to host IP address changes If the Management Appliance IP address changes Issue: Things will continue to operate, but you may not see some updates from the Hyper-V agent, for example, updates about storage being added or removed. Solution: To avoid problems, simply restart the Management Appliance. If the Agent IP address changes Issue: The Management Appliance will not be able to communicate with the agent, so it won t be able to deploy or edit Unidesk Machines among other issues. Solution: Restart the Agent (or reboot the Hyper-V server). If both the Management Appliance and Agent IP addresses change Issue: The Management Appliance will not be able to communicate with the agent, so it won t be able to deploy or edit Unidesk Machines among other issues. Solution: Re-register the Agent with the Management Appliance, as described below. Re-register a host with the Management Appliance, if needed You can avoid the need to re-register hosts with the Management Appliance by setting up your environment to use host names, as described earlier in this topic. If you are not using host names, and the Unidesk Hyper-V Agent loses communication with the Management Appliance, you can recover communications. The way to do this depends on which IP address changes. If both the Management Appliance and Agent IP addresses change, you can re-register the host with the Management Appliance. 1. Open a new command prompt as Administrator. 2. Change to the directory: Citrix Systems, Inc. All rights reserved. p.224

225 Command COPY C:\Program Files (x86)\unidesk\hyper-v Agent 3. Run the command: Command COPY Uni.HyperVAgent.exe register /m:ma-ip-address /u:username-for-umc /i Where username-for-umc is the name of a Unidesk Management Console user. 4. Enter the UMC password for the specified user when prompted Citrix Systems, Inc. All rights reserved. p.225

226 Manage appliances Jun 28, 2017 After you deploy and power on the Management Appliance and CachePoint Appliances, you can edit settings for each of them, mainly using the Linux command line. If you are not comfortable using this command line, please contact Support for assistance. For CachePoint Appliances, you can also edit the name and boot image location where new Unidesk Machines (Desktops or Session Hosts) will be created. Configure log file retention You can configure the retention settings for the virtual appliance Log files. 1. Select System > Settings and Conf iguration. 2. In the Log File RetentionSettings box, click Edit. 3. Enter the number of days to retain logs on the system. 4. Enter the maximum disk space size, in MB, for all logs. 5. Optionally, enter a comment that describes the changes you made. If you enter comments, they appear in the Information view Audit History. 6. Click Save to save the new changes or click Cancel to exit Edit mode without saving any changes. Monitor the Health of your Unidesk Appliances View the status of your Unidesk appliances 1. Select System > Manage Appliances to monitor the status and health of the Unidesk virtual appliances. 2. Click i next to the name of the Management Appliance to view appliance details. CachePoint Appliance status messages The following table provides information about the status messages for the CachePoint Appliance Citrix Systems, Inc. All rights reserved. p.226

227 Status Description Not provisioned A virtual appliance does not exist yet. T his status indicates that a configuration issue may exist. T his condition can occur on the Master CachePoint Appliance the first time you log in to the Unidesk Management Console if the initial provisioning tasks are still in progress. It can also occur if the task that creates the virtual appliance fails. In that situation, you need to edit the CachePoint Appliance to finish provisioning it. Never started A virtual appliance exists but provisioning is not complete and the virtual appliance is not running. T his status indicates that the final provisioning steps are not complete or an operational issue may exist. T his condition can occur during provisioning while the CachePoint Appliance is formatting its cache and preparing to start for the first time. Started, no health status T he CachePoint Appliance was running for less than three hours, which is not enough time to collect and report meaningful performance information. Running Performance for this CachePoint Appliance is within acceptable operational limits. You can continue to assign Unidesk Machines to it. Not operational T he CachePoint Appliance is powered off or completely nonfunctional. No other Unidesk components can communicate with it. Manage a CachePoint Appliance Edit CachePoint Appliance properties CachePoint name - Changing the name of the CachePoint will also update the name of the CachePoint virtual machine, as it appears in the Hyper-V manager, but it will not change the location of the CachePoint virtual machine files and Layers. Boot image location - Changing the location of the boot image will change the location in which all future Unidesk Machines are created. Changing the boot image location does not alter the location of existing Unidesk Machines. Unidesk Machines created using the previous location will continue to be manageable by Unidesk. To edit CachePoint properties, do the following: 1. Log in to the Unidesk Management Console. 2. Select System > Manage Appliances. 3. Select the CachePoint Appliance to edit, and select Edit Properties. This opens the Edit CachePoint wizard. 4. Change the name as needed. 5. Choose a new location for Unidesk Machines boot images, as needed. 6. In the Confirm and Complete tab review the settings that you have specified and if you would like, enter a comment for the Audit History. Click Update CachePoint. Change CachePoint Appliance settings You can change the following CachePoint settings as described. IP Address Citrix Systems, Inc. All rights reserved. p.227

228 1. In Hyper-V, select the CachePoint Appliance, and if it is not running, power it on. 2. Using either the Hyper-V console or SSH, log into the appliance as administrator (default password Unidesk1) This opens the Setup Utility. 3. At the Setup utility's Action prompt, enter C (for Configure Networking), and press Return. 4. At the next prompt, type D for Dynamic (DHCP) or S for Static. If you choose Static, you will need to provide the IP address, subnet mask, and default gateway. 5. When prompted, enter Y to save settings. 6. At the Action prompt, enter Q to quit. 7. Restart the appliance. CachePoint's IP Address for its MA If the IP address for the Management Appliance changes, run this procedure on each CachePoint Appliance so it can communicate with the Management Appliance again. 1. In Hyper-V, select the CachePoint and power it on. 2. Using either the Hyper-V console or SSH, log into the appliance as administrator (default password Unidesk1) This opens the Setup Utility. 3. In the Setup utility enter M for Modify. 4. Enter the MA's IP address, and then Y to confirm it. 5. Enter Y to exit the Setup utility. Administrator password 1. In Hyper-V, select the appliance, and if it is not running, power it on. 2. Using either the Hyper-V console or SSH, log into the appliance as administrator (default password Unidesk1) This opens the Setup Utility. 3. At the Setup utility's Action prompt, enter P (for Password change), and press Return. 4. When prompted, enter the new password, and then confirm the password. A message confirms that the ** Password changed successfully. 5. Press the Enter key to continue. 6. At the Action prompt, enter Q to quit. root password* If you are comfortable using Linux, use SSH to log into the appliance as root (for the default password, please contact Support), and enter Linux commands to change the root password. If you need the root password or are not used to changing the root password via Linux commands, the Unidesk Support team would be happy to help. NTP configuration* Using the Hyper-V console or SSH, log into the appliance as root (for the default password, please contact Support). This brings you to the Linux command line. Open the NTP configuration file for editing. Disable or enable the NTP daemon, by changing which command is commented out. This example enables NTP. Command COPY Citrix Systems, Inc. All rights reserved. p.228

229 # chkconfig ntpd off chkconfig ntpd on 4. Edit the NTP clock server(s) to use by adding and subtracting servers. Code COPY # Use public servers from the pool.ntp.org project # Please consider joining the pool ( server 0.centos.pool.ntp.org server 1.centos.pool.ntp.org server 2.centos.pool.ntp.org 5. Type Ctrl-X, and choose Y to save the file, then reboot the appliance. For more about configuring NTP 1. Register with the Redhat Customer Portal. 2. See the RedHat NTP documentation. Time and Date* 1. Using the Hyper-V console or SSH, log into the appliance as root (for the default password, please contact Support). This brings you to the Linux command line. 2. Enter the date command. For example: Command COPY Citrix Systems, Inc. All rights reserved. p.229

230 # date * This procedure requires you to log into the appliance as root, use the Linux command line, and/or edit a Linux.config file. If you are not familiar with Linux, our Support team will be happy to do this for you. Configure a Management Appliance Change Management Appliance settings You cannot edit Management Appliance properties, but you can change the following Management Appliance settings as described. Important If you change the Management Appliance's IP address, you must also log into each CachePoint and change the address that the CachePoint has for the Management Appliance. You can change the following CachePoint settings as described below. IP Address 1. In Hyper-V, select the CachePoint Appliance, and if it is not running, power it on. 2. Using either the Hyper-V console or SSH, log into the appliance as administrator (default password Unidesk1) This opens the Setup Utility. 3. At the Setup utility's Action prompt, enter C (for Configure Networking), and press Return. 4. At the next prompt, type D for Dynamic (DHCP) or S for Static. If you choose Static, you will need to provide the IP address, subnet mask, and default gateway. 5. When prompted, enter Y to save settings. 6. At the Action prompt, enter Q to quit. 7. Restart the appliance. 8. Change the MA IP address on each CachePoint. (See below.) Administrator password 1. In Hyper-V, select the appliance, and if it is not running, power it on. 2. Using either the Hyper-V console or SSH, log into the appliance as administrator (default password Unidesk1) This opens the Setup Utility. 3. At the Setup utility's Action prompt, enter P (for Password change), and press Return. 4. When prompted, enter the new password, and then confirm the password. A message confirms that the ** Password changed successfully. 5. Press the Enter key to continue Citrix Systems, Inc. All rights reserved. p.230

231 6. At the Action prompt, enter Q to quit. NTP configuration* Using the Hyper-V console or SSH, log into the appliance as root (for the default password, please contact Support). This brings you to the Linux command line. Disable or enable the NTP daemon, by running the chkconfig ntpd command with the value set to off or on. For example, this command enables the NTP daemon: Command COPY # chkconfig ntpd on 3. Open the NTP configuration file (/etc/ntp.conf) for editing using either emacs or vi. For example: Command COPY # emacs /etc/ntp.conf 4. Edit the NTP clock server(s) to use by adding and subtracting servers in the list at the bottom of the configuration file. Command COPY Citrix Systems, Inc. All rights reserved. p.231

232 # Use public servers from the pool.ntp.org project. # Please consider joining the pool ( server 0.centos.pool.ntp.org server 1.centos.pool.ntp.org server 2.centos.pool.ntp.org Type Ctrl-XCtrl-C, and choose Y to save the file. Reboot the appliance. For more about configuring NTP 1. Register with the Redhat Customer Portal. 2. See the RedHat NTP documentation. Time and Date* 1. Using the Hyper-V console or SSH, log into the appliance as root (for the default password, please contact Support). This brings you to the Linux command line. 2. Enter the date command. For example: Command COPY # date * This procedure requires you to log into the appliance as root, use the Linux command line, and/or edit a Linux.config file. If you are not familiar with Linux, our Support team will be happy to do this for you Citrix Systems, Inc. All rights reserved. p.232

233 Manage network storage Jun 28, 2017 You can make network storage locations that have been set up in your environment available to Unidesk Appliances using HyperV clusters and hosts. You can also remove or change the availability of these storage locations in the Unidesk environment. View network storage You can see all storage locations available to hosts registered with the Unidesk Management Appliance. 1. Select System > Manage Appliances. 2. Click the i next to the Management Appliance, and scroll to the list of Hosts and Storage. 3. Expand each cluster and host to see which network shares are assigned to each. Add a network share to the Unidesk environment To add network storage locations to the Unidesk environment: Select System > Manage Appliances. Click Manage Network Storage on the action bar. This opens the Manage Network Host wizard. Click New, and type the name of the network storage location, in the format: Code COPY \\server.example.com\share 4. Click Add. By default, the share is assigned to all hosts registered with the Management Appliance. Move (migrate) storage Moving a Unidesk CachePoint (CP) from one database to another using standard Hyper-V tools is problematic because the layers created by the CP are independent disks and not attached to the CP appliance. If the CP is moved with a storage Move using the Hyper-V manager or SCVMM, the layers will be left behind. All the desktops using the CP will have the wrong path to the layer files since the layers will no longer reside under the CP. If you want to change your storage, create a new CP on the destination storage and create new, Non-Persistent desktops. Change network share host assignments By default, when you add a network share to the Unidesk environment, all hosts that are registered with the Management Appliance have access to it. You can deselect specific hosts so they no longer have access to the share. 1. Select System > Manage Appliances Citrix Systems, Inc. All rights reserved. p.233

234 2. Click Manage Network Storage on the action bar. This opens the Manage Network Host wizard. 3. In the Storage Assignments tab, expand the share so you can see all clusters and hosts with access to the share. 4. Deselect any hosts that you do not want to access the share. 5. Click the Next arrow, and click Submit Network Storage Changes. Remove a network share f rom the Unidesk environment You can remove a network share from the Unidesk environment, as long as the storage location is not in use by any Unidesk Desktops, Session Hosts, or CachePoints. To remove a network share from the Unidesk environment: 1. Select System > Manage Appliances. 2. Click Manage Network Storage on the action bar. This opens the Manage Network Host wizard. 3. Select the storage location, and click Remove. The network storage location is crossed off, but not yet removed. 4. If you decide not to remove the storage location, click the Restore button. 5. To save any changes, click Submit Network Storage Changes Citrix Systems, Inc. All rights reserved. p.234

235 Open firewall ports for Unidesk Jun 28, 2017 When setting up the Unidesk environment, you need to open the following ports in your firewall for internal connections, including those between: The Unidesk Admin User and the management consoles you'll use. Each virtual appliance and the various appliances and services with which it needs to communicate. Admin User Open the following ports in your firewall for the Unidesk Admin User to use when connecting to the Unidesk Management console. Destination Activity Protocol Ports Any Unidesk appliance VMware Studio Console (Ships with Unidesk. Lets you manage appliance settings.) TCP 5480 Management Appliance Unidesk Management Console TCP 80, 443 Management Appliance Open the following ports in your firewall for internal connections between the Unidesk Management Appliance and each of the destinations listed below Citrix Systems, Inc. All rights reserved. p.235

236 Destination Activity Protocol Ports CachePoint Appliance ActiveMQ Service TCP CachePoint Appliance NFS TCP, UDP 111, 2049, 892, 662 NFS TCP NFS UDP Management Appliance ActiveMQ Console TCP 8161 Management Appliance Log deliveries from Unidesk Hyper-V Agent and Broker Agent TCP 8787 Management Appliance Log deliveries from users TCP 8888 Unidesk Hyper-V Agent Communication TCP 8014* 14243** Unidesk Broker Agent Communication TCP 8015* AD-DC/LDAP LDAP TCP 389, 636 * The agent installer enables this port by default. When installing the Unidesk Broker Agent, if you specify a different port, you must remember to use the new port number when configuring the Broker settings in the Unidesk Management Appliance (System > Settings and Configuration). ** This port must be opened manually before installing the agent, and it is not configurable. CachePoint Appliance Open the following ports in your firewall for internal connections between each CachePoint and the destinations listed below Citrix Systems, Inc. All rights reserved. p.236

237 Destination Activity Protocol Ports Management Appliance ActiveMQ Service TCP Management Appliance NFS TCP, UDP 111, 2049, 892, 662 NFS TCP NFS UDP CachePoint Appliance ActiveMQ Console TCP 8161 Log Delivery TCP 8888 Unidesk Hyper-V Agent Communication TCP 8014* Unidesk Broker Agent Communication TCP 8014* 14243** * The agent installer enables this port by default. When installing the Unidesk Broker Agent, if you specify a different port, you must remember to use the new port number when configuring the Broker settings in the Unidesk Management Appliance (System > Settings and Configuration). ** This port must be opened manually before installing the agent, and it is not configurable. Gold Image virtual machine Open the following port in your firewall for internal connections between the Unidesk Gold Image virtual machine and the Unidesk Management Appliance. Destination Activity Protocol Ports Management Appliance Unidesk Tools TCP 80 Desktop Open the following port in your firewall for internal connections between each Unidesk Desktop and the destination Management Appliance and CachePoint Appliances Citrix Systems, Inc. All rights reserved. p.237

238 Destination Activity Protocol Ports CachePoint Appliance, Management Appliance uniservice TCP Citrix Systems, Inc. All rights reserved. p.238

239 Unidesk for Hyper-V Backup and Recovery Jun 28, 2017 This document explains how to back up and recover Unidesk appliances and Persistent Desktops. Backups for the Management Appliance and Master CachePoint Appliance Basic recovery for these components can be achieved by creating backups of the files that make up the Management Appliance and Master CachePoint Appliance on the Hyper-V host where they were installed using a frequency that is based on the desired RPO. The Management Appliance is fairly small and easy to back up. The size of a Master CachePoint Appliance can be between 120 GB and 250 GB or more. Creating full backups for CachePoint Appliances takes longer than backing up the Management Appliance. There are many options for backing up by using backup products designed for Windows Server 2012 R2. You can use Windows Server Backup which is included with Server 2013 R2. Of course, you can also use third party products like VEEAM to do your backups with more options but beware many virtual machine backup products may not be suited to backup layer disks used by Unidesk because they are not uniquely attached to a virtual machine. Management Appliance Backup The management appliance is a normal virtual machine, it can be backed up by backing up the file system of the Hyper-V server it is installed on or using a VM image backup. Master CachePoint Appliance Backup The Master CachePoint Appliance is a normal virtual machine but it also manages the master copy of all the layer disks in Unidesk. Therefore to properly backup the MCP you must also backup these extra disk files. Backup File Structure Looking at the drive used for Unidesk in Hyper-V. First under the MCP Name is the appliance virtual machine. Then, under the UnideskLayers folder we have all of the layer disks for that CP and in the case of the MCP it is the master copy of all the layer disks Citrix Systems, Inc. All rights reserved. p.239

240 To properly backup the MCP you must back up both of these. The easiest way to do this is to back up the file system rather than backing up the MCP as a VM and then adding in the UnideskLayers folders from the file system though that is possible. Backups for secondary CachePoint Appliances How you decide to back up desktops and CachePoint Appliances depends a great deal on your RTO and whether you can provide a recovery desktop immediately while you recover the user s normal desktops. Recovery of a CachePoint Appliance In order to recover a CP appliance and the desktops managed by that appliance in Hyper-V you must make regular backups of the appliance and the User folders. The OS and App layers can be copied from the MCP if necessary but you will want to document which layers you need. Unidesk has reporting tools to help with this. Recovery of a CachePoint Appliance and Its Desktops using SAN snapshots If your organization s RTO is very short (for example, one hour), recovering an entire CachePoint Appliance and its desktops from a backup is impossible. In this case, the only viable option is to use SAN-based snapshot technology for the CachePoint appliance and its CP and Boot Volumes/Folders. This approach allows you to recover back to the latest snapshot very quickly. Just remember that the Management Appliance database must be in sync with the snapshot. You should create snapshots on a frequent enough basis to ensure that you don't have to use a very old snapshot, ensuring that Management Appliance database will still match the database on the CachePoint Appliance after it is restored. If you lose desktops from the CachePoint Appliance after completing a snapshot restore you should be able to delete the object in the UMC and then recreate the desktops. Unidesk Persistent Desktop and Session Host Backups To back up Unidesk Persistent Desktops or Session Hosts, there are two separate disks that should be backed up for each Desktop or Session Host; the boot disk and each UEP disk. These disks are located in two places. Boot disks are located the folder you defined for boot disks and the UEP disk is stored under UnideskLayers\User folder structure as seen below Citrix Systems, Inc. All rights reserved. p.240

241 Note You should not use Hyper-V checkpoints to save the state of a Persistent Desktop or Session Host, either manually or via a backup product. Starting in 3.1, when a Persistent Desktop or Session Host is edited, all checkpoints will be deleted, and the changes they contain will be merged into the machine's Personalization Layer. Recovery of a single Desktop or Session Host Recovery of a single Desktop or Session Host is easy as long as it is still available in the UMC. Just restore the two vhdx files that make up the writable portion of the Desktop or Session Host (see the beginning of this section), then REBIC the Desktop or Session Host Citrix Systems, Inc. All rights reserved. p.241

242 Backup Example Using Windows Server Backup Jun 28, 2017 Windows Server Backup (WSB) is an included product with Server 2012 R2. WSB offers the ability to backup the Windows Server itself as well as the Unidesk virtual appliances and virtual desktops. If a low RTO is desired consider backing up the entire Windows server as well as the Unidesk appliance and desktop components. If you only need backups in order to recreate virtual desktops without redoing all the work done to create the infrastructure and layers you can choose to just backup the Unidesk Management Appliance and MasterCachePoint including the UnideskLayers folder. This would allow you to restore these files on a new Hyper-V host, import the appliances and then create and manage new or existing Desktops or Session Hosts if they are on hosts/storage that did not fail. WSB can be configured to write to a locally mounted volume or a network share. When using a locally attached volume there are two operational modes possible; one where backup owns the entire volume and one where the backup shares the volume. If the backup is allowed to own the volume then block level incremental backups are possible so that you can restore back to any previous backup. If the entire volume is not dedicated to backup then only a single backup is retained. If you choose to backup to a Windows Share only a single backup is retained as well. Installing Windows Server Backup There are two ways to install the backup utility. You can add the Windows Server Essentials Experience Role, then add the Windows Server Backup feature or you can use PowerShell to just install Windows Server Backup directly. The PowerShell command is: Install-WindowsFeature Windows-Server-Backup. Setting up the backup The first step in setting up the backup after installing the software is to create a volume or share to backup to. In my lab I created a new LUN and masked the LUN to my Hyper-V host. I then opened Windows Server Backup and clicked on Backup Schedule to define the backup. On the first screen choose custom Citrix Systems, Inc. All rights reserved. p.242

243 Then in select items for backup choose the folders for the MA and MCP if you are backing up only the MA and MCP. If you are backing up a Secondary CP choose the folders for the CP Appliance which will include the CP itself and all of the layers and include the boot drive location you defined when you created the CP. This will of course backup the boot disks. If you do not want to back up the APP and OS layers for a secondary CP you can add exclusions for these folders in the advanced settings tab of the selection dialog. First select the items to back up If you are backing up an SCP and you decide not to backup the layers then you must do two things. First document which layers have been deployed to the CP on a regular basis and add an exclusion to not back up the layers. To add an exclusion click on advance settings then Exclusions and Add Exclusion. Then choose backup times. Here you can choose once a day or multiple times a day. If you want to backup the MA and MCP less frequently choose once a day and then edit the scheduled task created for the backup after completing the process Citrix Systems, Inc. All rights reserved. p.243

244 Next you specify the location type that matches your plan. The first option dedicates the entire LUN or drive to backups and allows for multiple backups to be kept. The second choice works the same way but it can share the drive. The second option runs slower. The third option is for storing backups on a file share. Using this option you will only have one copy of a backup. If using a volume you will see Citrix Systems, Inc. All rights reserved. p.244

245 That s it. Now wait for a backup to run and check the status. Recover the MA, MCP or a Secondary CP How you approach recovery of the MA and MCP depend on the failure scenario. If for some reason the appliance becomes corrupted you can just restore the files from backup. If you have to recover the entire host. You will first recreate or recover the host. If you have used bare metal backup and have restored everything on the C drive including the Hyper-V configuration then you can restore the files for the MA and MCP and everything will work. If you are backing up Secondary CPs you will want to use this option otherwise adding all the desktops back in to Hyper-V will be very difficult. If you are creating a new Hyper-V host and installing Hyper-V from scratch then you will also install the Unidesk Hyper-V Agent (setup_unidesk_hyper-v_agent.exe) from the Unidesk Installation media and then restore the MA and MCP from backup. Then import both appliances back into Hyper-V. If you have restored the entire host or created a new host and need to import a secondary CP and its desktops, we provide a utility called the Unidesk Hyper-V Load Utility. This utility will read throught the boot drive folder and add import all the desktops it finds into Hyper-V. To restore the MA and MCP from backup follow this procedure. Select Recover. Choose this server. Caricature Choose the desired date and time of the backup if you have a choice Citrix Systems, Inc. All rights reserved. p.245

246 Select Files and Folders. Here you can specify the folder for the MA or the MCP or the root of both to restore both. Then choose to overwrite the existing files in the original location Citrix Systems, Inc. All rights reserved. p.246

247 Make sure that the selected paths are correct and perform the recovery operation. Remember to also create the boot disk folder if this was not included in the backup/recovery path. Recover a Desktop or Session Host To recover a single Desktop or Session Host from backup you will be restoring just the three disks that make up the writable portion of a desktop. These are the boot disk and the personalization disk. This assumes the Desktop or Session Host is still defined in Hyper-V and all we want to do is to roll back to an earlier version of the machine. Note to perform this operation, you must backup the Desktop or Session Host servers and Secondary CPs. Select Recover. Choose this server. Choose the desired date and time of the backup if you have a choice. Select Files and Folders Citrix Systems, Inc. All rights reserved. p.247

248 Under Items to recover first select the UEP disk under UnideskLayers\User Then choose to overwrite the existing files in the original location Ensure the confirmation screen looks correct then recover the UEP disk Citrix Systems, Inc. All rights reserved. p.248

249 Now perform the process again for the boot disk. Then you can start the desktop, log in, and test. Unidesk Hyper-V Load Utility If you have a whole host failure and you do not keep bare-metal backups to recover from, you can still recover the Unidesk MA, CP and Desktops from backup. Create a new Hyper-V host. Use the same hostname as the failed host. Install the Unidesk Hyper-V agent. Restore the Boot folder and CP appliance folder from backup. Then use the Unidesk Hyper-V Load Utility to import the applances and desktops from the storage folders. To install the utility download the zip and first check its properties to unblock the file if it is blocked Citrix Systems, Inc. All rights reserved. p.249

250 On the Hyper-V server that you will restore on, create a folder off the root of the C drive with no spaces in the name and unpack the zip file into that folder. Then run the utility as administrator (LoadDesktops.exe). Choose get for the desired folders then click save to save this information to the files used by the scripts. Then you can either test or run. Test will create a log of what the utility would do if it were run but it will not import any VMs. Press run when you are ready to import the appliances and desktops Citrix Systems, Inc. All rights reserved. p.250