Anyone else seeing Trusted Installer kicking in, stealing CPU even when WSUS is set to Disabled on WS2016? And system is deploy from WIM already patched w latest CU. Very strange. Weak internet connection makes it even worse, so for now disabling WU/ TrustedInstaller (Class)

For BIS-F possible to enable scheduled task, called sih on private image boot and disable it with BIS-F if image is in shared mode and WSUS service is disabled

After you change the central Logshare in the BIS-F ADMX, the LogShaare is also stored with the old value in HKLM:\Software\Login Consultants\BISF and never updated with the new one

From @matthias-schimm on March 12, 2018 20:35

During automated Installation customer uses often AutoAdminLogon, during sealing with BIS-F you can reset this registry value if configured in the ADMX

AutoAdminLogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Data type
Range
Default value

REG_SZ
0 | 1
0

Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
Value
Meaning

0
Disables automatic logon.

1
Enables automatic logon.

Copied from original issue: #18

From @matthias-schimm on March 12, 2018 20:12

If you have enabled the Delay of the Citrix Desktop Service in the BIS-F ADMX and run the preparation the Service is set to manual. If you configure the ADMX back to disable to Service will not be reconfigured to automatic, you must change the Citrix Desktop Service manually

Copied from original issue: #4

SCOM 2016 is using a new certificate store named "Microsoft Monitoring agent" so the current SCOM prep script does not work.
Working command for scom 2016:
& Invoke-Expression "certutil -delstore ""Microsoft Monitoring Agent"" 0"

From @matthias-schimm on March 12, 2018 20:13

If you sealing up a layer and from this message it appears that BIS-F believes the layer is not in the ELM but it is and not running the uniservice –L

Copied from original issue: #5

SophosCentralEndpointPrep.ps1.txt

https://community.sophos.com/kb/en-us/120560
https://community.sophos.com/kb/en-us/28591
https://community.sophos.com/kb/en-us/117702
https://community.sophos.com/kb/en-us/12561
http://www.stephenjc.com/2011/08/23/sophos-duplicate-ids/
https://community.sophos.com/products/sophos-central/f/sophos-central/83127/vdi-gold-image-updating
https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/2115/manual-update-via-command-line-script
Sophos.docx

Please add a feature to check if there's enough disk space on P2V Custom UNC-Path - Right now the error is just logged to P2PVS.txt

Saturday, November 25, 2017 7:49:21 AM
11/25/17 07:49:21: Provisioning Services 7.15.0 Copyright (c) 2001-2017 Citrix Systems, Inc. All rights reserved.
11/25/17 07:49:21: Microsoft Windows 6.2.9200 Server
11/25/17 07:49:21: Suite=0x00000090
11/25/17 07:49:21: Processor Architecture: x64
11/25/17 07:49:21: Number of processors: 4
11/25/17 07:49:21: WindowsFreePercentage that can be set in [parameters] section of P2PVS.ini: 25
11/25/17 07:49:21: PartitionOffsetBase that can be set in [parameters] section of P2PVS.ini: 1048576
11/25/17 07:49:21: VolumeDiscoveryTimeoutAsSeconds that can be set in [parameters] section of P2PVS.ini: 30
11/25/17 07:49:21: VolumeShadowCopyPollTimeAsMs that can be set in [parameters] section of P2PVS.ini: 0
11/25/17 07:49:21: Physical to VHDX started at Saturday, November 25, 2017 7:49:21 AM
11/25/17 07:49:21: There is not enough free space on volume \pvs-01\c$\vDisks.
11/25/17 07:49:21: Physical to VHDX stopped at Saturday, November 25, 2017 7:49:21 AM
11/25/17 07:49:21: Physical to VHDX lasted 0.0 seconds
11/25/17 07:49:21: Failed to convert!
11/25/17 07:49:21: There is not enough free space on volume \pvs-01\c$\vDisks.

ADMX Extension: Configure different configurations based on AppLayer

LIC_BISF_CLI_AppLayOSCfg | DWORD | 1 | If CheckBox is enabled, registry Data is set to 1, otherwise not exist
LIC_BISF_CLI_AppLayAppPltCfg | DWORD | 1 | If CheckBox is enabled, registry Data is set to 1, otherwise not exist
LIC_BISF_CLI_AppLayPltCfg | DWORD | 1 | If CheckBox is enabled, registry Data is set to 1, otherwise not exist
LIC_BISF_CLI_AppLayNoELM | DWORD | 1 | If CheckBox is enabled, registry Data is set to 1, otherwise not exist

LIC_BISF_POL_AppLayCfg | DWORD | 1 | If Policy is enabled Registry Data is set to 1, otherwise it not exist
LIC_BISF_CLI_AppLayCfg | REG_SZ | YES, NO | IF Policy is enabled Registry Data is set to YES, if disabled set to NO; otherwise not exist.

as describes here, the Service must set to automatic http://docs.splunk.com/Documentation/Forwarder/7.1.0/Forwarder/Makeauniversalforwarderpartofahostimage

Currently BIS-F set it to manualy

IF BIS-F Change a service to start or stop, it's possible to test the state after if has be changed succesfully and write a eventlog entry information or warning.

if you prepare the VM step by step before import them into ELM and run BIS-F to finalize the image, BIS-F prompt the Error: Layer Finalized is blocked

29/03/2018 11:38:47 | Administrator | INFORMATION... | Processing function Test-BISFAppLayeringSoftware
29/03/2018 11:38:47 | Administrator | INFORMATION... | Processing function Test-BISFService
29/03/2018 11:38:47 | Administrator | INFORMATION... | Service UniService exists
29/03/2018 11:38:48 | Administrator | INFORMATION... | Product Citrix AppLayering (Version 4.9.0.74172) installed
29/03/2018 11:38:48 | Administrator | INFORMATION... | AppLayering MachineState is set to 3
29/03/2018 11:38:48 | Administrator | INFORMATION... | Processing function Test-BISFRegistryValue
29/03/2018 11:38:48 | Administrator | INFORMATION... | Registrypath HKLM:\SYSTEM\CurrentControlSet\Services\UniService, Value OSLayerEdit NOT exists !!
29/03/2018 11:38:48 | Administrator | INFORMATION... | Processing function Test-BISFRegistryValue
29/03/2018 11:38:48 | Administrator | INFORMATION... | Registrypath HKLM:\SYSTEM\CurrentControlSet\Services\UniService, Value VolumeSerialNumber NOT exists !!
29/03/2018 11:38:48 | Administrator | INFORMATION... | Processing function Test-BISFRegistryValue
29/03/2018 11:38:48 | Administrator | INFORMATION... | Registrypath HKLM:\SYSTEM\CurrentControlSet\Services\UniService, Value PrevBICTaskID NOT exists !!
29/03/2018 11:38:48 | Administrator | WARNING......... | Not defined - AppLayering MachineState is set to 3

detect errors, test Test-AppLayering function must re-developed based on the following matrix
BIS-F AppLayering RegValues.xlsx

From @matthias-schimm on March 12, 2018 20:22

#HINT (Citrix XenDesktop 7.6-7.11 customers)
The NVIDIA GRID API provides direct access to the frame buffer of the GPU, providing the fastest possible frame rate for a smooth and interactive user experience. If you install NVIDIA drivers before you install a VDA with HDX 3D Pro, NVIDIA GRID is enabled by default.
To enable NVIDIA GRID on a VM, disable Microsoft Basic Display Adapter from the Device Manager. Run the following command and then restart the VDA: Montereyenable.exe -enable -noreset
If you install NVIDIA drivers after you install a VDA with HDX 3D Pro, NVIDIA GRID is disabled. Enable NVIDIA GRID by using the Montereyenable tool provided by NVIDIA.
To disable NVIDIA GRID, run the following command and then restart the VDA: Montereyenable.exe -disable -noreset
#HINT (Citrix XenDesktop 7.12/7.13 customers)
The NVIDIA GRID API provides direct access to the frame buffer of the GPU, providing the fastest possible frame rate for a smooth and interactive user experience. If you install NVIDIA drivers before you install a VDA with HDX 3D Pro, NVIDIA GRID is enabled by default.
To enable NVIDIA GRID on a VM, disable Microsoft Basic Display Adapter from the Device Manager. Run the following command and then restart the VDA: NVFBCEnable.exe -enable -noreset
If you install NVIDIA drivers after you install a VDA with HDX 3D Pro, NVIDIA GRID is disabled. Enable NVIDIA GRID by using the NVFBCEnable tool provided by NVIDIA.
To disable NVIDIA GRID, run the following command and then restart the VDA: NVFBCEnable.exe -disable -noreset

enable or disable possible with ADMX to set
Servicename: nvsvc
DisplayName: nVIDIA Diplay Driver Service

Copied from original issue: #12

From @matthias-schimm on March 12, 2018 20:17

After copy the custom scripts to the temp folder, clean the entire BIS-F folder. If a customer place own scripts to the other folders (not custom folder), this files are being kept from the installer.

Copied from original issue: #8

PVS: Format WriteCacheDisk on private Image would skipped, but performed a reboot loop

From @matthias-schimm on March 12, 2018 20:42

If you can use it, I have been troubleshooting a lot with Solarwinds Ncentral with there N-Abel agent, witch include AV Defender(white label of bitdefender)
Use the follow shutdown script, to clean the PVS image, before settings in production (Requires other steps as well, but there guide to not work out of the box https://support.solarwindsmsp.com/kb/solarwinds_n-central/Installing-N-central-Agents-in-a-Citrix-VDI-environment?q=citrix%20vdi)

#Start-Process powershell -Verb runAs
Stop-Service "Windows Agent Maintenance service"
Stop-Service "Windows Agent service"

#CleanUP N-able
cmd.exe /C "C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\NcentralAssetTool.exe" + "-d"

#Change values in ApplianceConfig.xml
$filePathToTask = "C:\Program Files (x86)\N-able Technologies\Windows Agent\config\ApplianceConfig.xml"
$xml = New-Object XML
$xml.Load($filePathToTask)
$element = $xml.SelectSingleNode("//ApplianceID")
$element.InnerText = "-1"

$element2 = $xml.SelectSingleNode("//CheckerLogSent")
$element2.InnerText = "False"

$element3 = $xml.SelectSingleNode("//CustomerID")

Type in you site name in sted of xxx

$element3.InnerText = "xxx"

$element4 = $xml.SelectSingleNode("//CompletedRegistration")
$element4.InnerText = "False"

$xml.Save($filePathToTask)

Copied from original issue: #22

From @matthias-schimm on March 12, 2018 20:25

check root path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun

Copied from original issue: #13

issues with Event log redirections on some Projects, i beleive the commonality is IF BIS-F is run to move the event logs to say "D: but then that needs to be changed to "E" - I am not sure why, but it only changes some event logs and leaves the rest broken

Fix it with the following script
https://gallery.technet.microsoft.com/scriptcenter/Change-the-path-of-the-f86d2427

Annoyingly, the PVS Optimization tool disables the windows search service. This is a bit silly in this day and age, particularly when dealing with FSLogix and Outlook Indexing

Would be good to have a setting that is applied at the end the sealing routine that reverses this, and sets the search back to automatic. This would be ideal via an ADMX setting as not all environments will want search

From @matthias-schimm on March 12, 2018 20:31

I have a feature request - can we make the move of the WEM cache optional?? At the moment i believe BIS-F moves it to the PVS Cache Drive, I don't always want that Happening

seeing more and more problems with the cache being moved to non standard location - seems to be far more reliable to run the refreshcache startup script and leave the cache in the default location. Its tiny, has basically zero impact on the environment, and you avoid weird stuff going on. Don't get me wrong, there is obviously come current guidance that says do it - but there really isnt a clear explanation as to why - and if you use MCS, there is no move of the Cache.. I think it would be nice to have it optional so you aren't forced to move it if you don't want to - its better to have the latest version of the cache baked into the Image for computer based settings - and then just let the user refresh happen on logon

Copied from original issue: #17

From @matthias-schimm on March 12, 2018 20:18

Rearm state for Office and Operating system not detected in real time, value is stored in the BIS-F registry location during first run

Copied from original issue: #9

From @matthias-schimm on March 12, 2018 20:16

If the System Reserved Partition exists, the formating of the WriteCacheDisk run in a endless reboot, beacuse in the script 00_PersBISF_WriteCacheDisk.ps1, line 102 -> If ((Get-WmiObject -Class Win32_volume).count -lt 3) it checks the count of the drives <3, means SystemDrive and WriteCache only.

Workaround:
IF you have System Reserverd Partation increase the above value from 3 to 5 manualy, we are working on a fix for this

Copied from original issue: #7

From @matthias-schimm on March 12, 2018 20:20

IF XA/XD 7.x is installed, the Cache folder will be created in PVSWriteCacheDisk\Citrix\Cache or C:\Windows\Logs\

Copied from original issue: #10

https://www.reddit.com/r/Citrix/comments/4k2pim/citrix_xendesktop_76_and_the_endless_war_with/
https://helpx.adobe.com/creative-cloud/packager/provisioning-toolkit-enterprise.html

There's the problem. Look into Adobe Provisioning Toolkit Enterprise (PRTK). I wrestled with this same problem when we rolled Acrobat DC out in our PVS environment. Even though I did everything the PRTK documentation said to do with creating a XML file and the --stream switch, my target devices still seemed to randomly require activation.
The answer to this was to create a batch script that ran at system start via Scheduled Task. My batch script is one line.
adobe_prtk.exe --tool=VolumeSerialize --provfile=c:\temp\prov.xml --stream

Fslogix - When in the GPO specify "Configure FSLogix central rule share" to Disabled, the script still prompt for the path when is executed.

From @matthias-schimm on March 12, 2018 20:48

Service Name = RAS RD Session Host Agent
Display Name = RAS RD Session Host Agent
EXE = C:\Program Files (x86)\Parallels\ApplicationServer\2XAgent.exe

Parallels Remote Appilcation Server // https://www.parallels.com/products/ras/remote-application-server/

RAS is a add on product to regular RDSH so treat it as that

basically one or two controllers and then x number of session hosts with or without their agent, because it can be push directly from their admin console.

these days it's all agents for VMW, CTX and Parallels // The rest is the same

Copied from original issue: #25

From @matthias-schimm on March 12, 2018 20:38

Script to enable or disable RSS via Policy. If enabled via Policy then configuration should take place to try and set performance-based results. 2017 "best practices" are to configure RSS as follows:

• Use "N-1" CPU's and assign to RSS.
  EG, if a system has 4 CPU's, assign 3 to RSS for a single NIC
• Use NUMA for RSS and divide CPU time along NUMA configurations. eg, in a 2 x 6 vCPU system (12 total) with a single NIC assign 5 CPU's on NUMA node 0 to the NIC. If two NIC's are present, then assign 5 vCPU's on NUMA 0 to NIC1 and 5 vCPU's on NUMA1 to NIC2

Copied from original issue: #20

From @matthias-schimm on March 12, 2018 20:57

For simpler Handling consolidate scripts from Prep and Pers to one script for each product

use the global variable $State for Preparation or Personalization

Copied from original issue: #31

It‘s possible to use the runMode to detect the right layer. Got this informations behind

1: Published image, all normal filtering takes place

2: Not used

3: Editing the OS Layer, no filtering takes place

4: Editing any app or platform layer

KEY_NAME="HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\unifltr"

VALUE_NAME=RunMode

Symptoms:

the BIS-F scheduled task is created with an empty pat
personalization will not be run
if the enabled Citirx Desktop Service is configured, it will not be started. All VDA's will be in unregistered state

Please disable sysprep in ADMX POlicy

From @matthias-schimm on March 12, 2018 20:15

we discovered a bug when using VMware Paravirtual SCSI disk controller (get disk ID 1) compared to default OOTB LSI Logic SAS (disk 0). Goes into a endless reboot

More info : https://www.vladan.fr/performance-optimized-vm-of-windows-server-2016-on-esxi-6-5-creation-steps-guide/

Copied from original issue: #6

From @matthias-schimm on March 12, 2018 20:28

add a central function to get back the installed Hypervisortools and the version of it

• VMware ESXI
• Hyper-V
• XenServer
• Nutanix AHV

Copied from original issue: #15

From @matthias-schimm on March 12, 2018 20:30

if using Citrix MCS, VMware Horizon View, Microsoft only sDelete can be run on the Systemdrive during sealing only.

IF Citrix PVS is used, if sDelete is enabled in the ADMX, it runs on the PVS WriteCacheDisk if the Disk is in shared Mode only every boot.

sdelete can alos be run on:
MCS (c:drive)
AppLayering - outside ELM

Copied from original issue: #16

It would be great to be able to continue with the BIS-F Routines even IF the PVS Target is installed, but we DON'T want BIS-F to do any conversion....A setting to say do nothing would be great

After a System reboot, sometimes BIS-F detect also a pending system reboot

From @matthias-schimm on March 12, 2018 20:21

For some customers is possible to configure the $MaximumExecutionMinutes = 60 through ADMX

Copied from original issue: #11

Optimization Templates are not being picked up when NOT specified via ADMX.

This is when looking for default templates.

Issue is looking like the "90_PrepBISF_CTX.ps1" file. The Template names are incorrect

Example
(current = $template = 'Citrix_WindowsServer2016_x64' actual = Citrix_WindowsServer2016_1607.xml")

From @matthias-schimm on March 12, 2018 20:26

ADMX Extension:
add checkbock -> enable additional time
add number field -> Delay in seconds (default: 0)

If BIS-F is finished with the personalization task, you can enter here an additional time value to start the Desktop Service after this time value.
Please Note: if BIS-F is crashed during personalization, the Desktop Service is not started and the Machine(s) are not registered on the XenDesktop Broker

Copied from original issue: #14

From @matthias-schimm on March 12, 2018 20:37

See https://blog.thesysadmins.co.uk/deploying-microsoft-laps-non-persistent-vdi.html

Or make use of the PowerShell Module...

Copied from original issue: #19

From @matthias-schimm on March 12, 2018 20:56

possible to create BISF Service instead of scheduled task

Copied from original issue: #30

additional option to export the Shared Configuration to xml and json file, default is xml file

From @matthias-schimm on March 12, 2018 20:50

Returns a version object of a file to compare against known values. Eg, Is the Symantec version greater than .

This will allow BISF to operate in a more precise if-then paradigm for working around bugs and issues in 3rd party products.

Copied from original issue: #26

From @matthias-schimm on March 12, 2018 20:53

ADMX or shared configuration required only, otherwise BIS-F will not be run.

Copied from original issue: #28

From @matthias-schimm on March 12, 2018 20:51

If No Image Management Software is detected (like Citrix PVS, VDA or VMware View) BIS-F ask with an popup message to personalize the system next time if the Computername starts with the character WIN-

No: The Computername would we checked, if matched WIN- some personalization scripts does not start his service to prevent wrong GUID's in the Management Server, the services would only be started if the final Computername is set.
Services would be set to manual during preparation phase and would be started only if the Computername not matched WIN-

YES: The Computername would not be checked on computer startup, services leave at it is

Copied from original issue: #27

Cleanmgr.exe is not installed by default on Windows 2008 or 20008 R2, desktop experience installation is required or manual installation of the binary (language specific)

https://www.lisenet.com/2014/disk-cleanup-on-windows-server-2008-without-installing-desktop-experience
https://technet.microsoft.com/en-us/library/ff630161(WS.10).aspx
https://support.appliedi.net/kb/a110/how-to-enable-the-disk-cleanup-tool-on-windows-server-2008-r2.aspx
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/clean-up-the-winsxs-folder

Cleanmgr.exe KB2852386 (not included in Convenience Update rollup) must be installed in order to delete supersded updates on windows 7 and 2008 R2

https://support.microsoft.com/en-us/help/2852386/disk-cleanup-wizard-addon-lets-users-delete-outdated-windows-updates-on-windows-7-sp1-or-windows-server-2008-r2-sp1

Cleanmgr.exe must run before defrag and sdelete
Cleanmgr.exe deletes the superseded updates during the boot process so BISF should reboot after cleanmgr.exe execution and resume after the netx logon

Check this PoSH script out for inspiration
https://gallery.technet.microsoft.com/scriptcenter/CleanMgrexeKB2852386-83d7a1ae

Create dedicated script for CCleaner with advanced options
•Add search folder option in AMDX
•Prepopulate ccleaner.ini file with the appropriate settings for silent execution
•Automatically download/suggest winapp2.ini for deeper cleaning (http://www.winapp2.com/downloads.html)
•Merges your custom entries from custom.ini into winapp2.ini.
•Automatically trims the entries from the full Winapp2.ini to ones relevant to your computer

extend ADMX to select between Quick and FullScan.

Enable custom Arguments: admin can enter own commandline Options to be used for the scan.

Interestingly, after running BIS-F Against 2008 R2, when the machine is rebooted, it goes into a chk disk cycle. This happens every time BIS-F was run

I have resolved it for now with the following
https://blogs.technet.microsoft.com/ganand/2009/03/17/how-to-stop-chkdsk-from-running/
https://discussions.citrix.com/topic/374202-pvs-77-disk-check-runs-on-boot/

I know Server 2008 R2 is old (I haven't touched it in years but the current project requires it), but it might be worth having an option to disable Check Disk via BIS-F?

Enter the path to the logfiles like C:\Windows\Temp in the BIS-F AMX, and BIS-F will copy all files .log,.txt,*.bis recurse to the BIS-F Shared logfile. This will take affect if the BIS-F Logshare is configured and enabled and during preparation only.

---snip---
I'm using PowerShell wrappers to install all my software using MDT. Is there an easy way to also copy C:\Windows\Temp to the BISF log share? This can be very helpful when you have 100% automated deployments and might need to check the Citrix VDA installation MSI log file located in C:\Windows\Temp\Citrix. Yes I can add it to my custom stuff, but wouldn't it be a nice feature?
---snap----