The Sysadmins

Tips and tricks from the Sysadmins

Deploying XenClient Enterprise Engine with SCCM

This post will explain how to automate the deployment of XenClient Enterprise Engine 5.5.5 using SCCM 2012 R2. There is very little information on how to achieve this, so hopefully this will help those looking for a solution. Thanks goes to a post made by Greg Roll early last year on the Citrix discussion forums which pointed me in the right direction. There were a few bits missing and lacking detail, which I will cover.

Preparing the files

Download the XenClient Windows Installer (xce-engine-setup-5.0.exe under additional software) and run it on a disposable Virtual Machine. When prompted, select the latest Engine ISO and continue


Select Resize Windows


Leave these options unticked


Next to start the installation and select no when prompted to reboot


There will be installation files dropped on the C drive – move these to your SCCM file share or the location you use for SCCM applications/packages


You will then need to move a few files around.

  1. Create a new folder called Engine and move the nxtop folder into it. Then move the nxtldr and nxtldr.mbr files from winboot to the root of the Engine folder. Rename them to grldr and grldr.mbr
  2. Download Grubinst and move grubinst.exe into the Engine folder
  3. Download psshutdown.exe and move psshutdown.exe into the Engine folder

You should end up with this:



You can achieve a fair amount of automation using the Client.ini file found in the boot folder. The following focuses on performing an auto installation into the XenClient Engine, ready for registration. The two variables you will want to pay specific attention to are assettag and name. In the example below I have used @baseboard-asset-tag@ which will pull the asset tag from the BIOS (tested with Dell laptops). Be aware that you cannot change the name of the owned computer once deployed and would need to redeploy the Engine to rename.

Example Client.ini
# Minimum parameters to perform an auto install are:
# name
# assettag
# encrypt
# keyboard
create_engine_recovery_partition=no =
Action = wipeinstall

Other available DMI keywords:

@bios-vendor@ @bios-version@ @bios-release-date@ @system-manufacturer@ @system-product-name@ @system-version@ @system-serial-number@ @baseboard-manufacturer@ @baseboard-product-name@ @baseboard-version@ @baseboard-serial-number@ @baseboard-asset-tag@ @chassis-manufacturer@ @chassis-version@ @chassis-serial-number@ @chassis-asset-tag@ @processor-manufacturer@ @processor-version@

More information on editing the Client.ini file can be found here.

Create the Package in SCCM

Next step is to package the folder structure created above, ready to use within the Task Sequence.

Create a new package in SCCM



Next through the remaining screens and distribute the package as necessary.

SCCM Task Sequence

1. Format the disk

cmd /c "(echo select disk 0& echo clean) | diskpart"


2. Create a small 4GB FAT32 partition to copy the XenClient Engine files to



3. Deploy the package, this essentially just copies all of the files from the package to the root of 4GB FAT32 partition

xcopy.exe ".\*.*" "c:\" /D /E /C /I /Q /H /R /Y /S


4. Run GrubInst.exe against HD0


5. Restart

The standard restart option was throwing up an error, so psshutdown can be used as a workaround.


The machine should now boot into the XenClient Enterprise Engine installation and perform an auto installation. Once finished you will then be able to register the Engine with a user.

Good luck!


Unifi Wireless – 1. Installing the Controller

This mini-series will guide you through installing and configuring Ubiquiti’s Unifi Wireless solution using 802.1x, Windows NPS (radius) and Group Policy. This post will cover the installation of the Unifi Controller. The following posts will cover configuring the controller, NPS and deploying Wireless settings via Group Policy to your endpoints. I will add any relevant or helpful links at the bottom of each post.

The setup for this mini-series is as follows:

  • Server 2012 R2 member server hosting the Unifi Controller and Network Policy Server (NPS)
  • Windows 7/8.1/10 Clients
  • Unifi Controller 4.6.6

Unifi Controller Installation

From the Server 2012 R2 member server:

  1. Install the latest Java (8u51). Unifi recommend that if you are using an x64 operating system to install both x86 and x64 version of Java for the Unifi controller service to correctly start
  2. X64 Offline install (8U51):
  3. X86 Offline install (8u51):
  4. Install the latest Unifi Controller (4.6.6):
  5. Accept the defaults, but untick “Start Unifi Controller after installation”


The controller installs into “C:\Users\%username%\Ubiquiti Unifi” by default and there is no way to change this when installing, however moving it isn’t too difficult. Simply Copy the entire folder and move it to the required location e.g. C:\Ubiquiti Unifi.

Now that the installation has been moved, you will want to configure the Unifi Controller to run as a service. If this is not done, the Unifi Controller will need manually starting by a logged in user. When the user logs out, the controller software will close.

From an elevated command prompt run

java –jar "C:\Ubiquiti Unifi\lib\ace.jar” installsvc

Start the service with

net start “Unifi Controller"


To access the controller browse to to start the UniFi setup wizard.


  • Choose you country and timezone
  • No devices discovered, next
  • Skip Wireless configuration for now
  • Set your username and password, next and finish

The controller has now been installed and initially configured.


You can also uninstall the service for troubleshooting if need using

java –jar “C:\Ubiquiti Unifi\lib\ace.jar” uninstallsvc

Access Point Adoption

Last thing to do as part of the initial setup is to configure adoption for the access points. When you plug an access point in, you want them to automatically point at your Unifi Controller to receive their configuration and updates. This can be achieved a few ways, but layer 3 adoption via DNS is reliable and easy to configure.

Create a “unifi” A record that points to the server that you have installed the controller on. The Unifi AP will need to contact the controller via it’s FQDN.



Buy Unifi @
Buy Unifi @
Unifi Community Layer 3 Adoption Methods
Unifi Community Run Controller as Service
Unifi Community Java 8 Support Notes

Remote Desktop iOS 8.1.0 – Error 0x03000008


In a recent update to the iOS Remote Desktop client (8.1.0 and above) you receive the following error when connecting using a Remote Desktop Gateway: Can’t connect to the Remote Desktop Gateway. Contact your network administrator for assistance. (Error code: 0x03000008)

iPhone iPad Error 0x03000008

Confirmed on the Remote Desktop Services blog here.


1. Review the TerminalServices-Gateway operational event log on the Remote Desktop Gateway server and look for EventID 301 which states: The user “DOMAIN\user”, on client computer “”, did not meet resource authorization policy requirements and was therefore not authorized to resource “”. The following error occurred: “23002”.


The resource IP should be one of your RDS servers, note healthy connections to the Gateway should (typically) specify the FQDN of the RDS server it is trying to connect to: The user “Domain\user”, on client computer “”, met resource authorization policy requirements and was therefore authorized to connect to resource ““.

2. Open the RD Gateway Manager MMC on your Gateway server, go to Policies, Resource Authorization Policies (RAP) and review the policy you have configured for your company- note the locally stored computer group used.

iPhone iPad Error 0x03000008

3. Choose Manage locally stored computer groups from the right hand side, select the group used in the policy and select properties.

iPhone iPad Error 0x03000008

4. Add the IP for each of the RDS servers in the farm (keep hostname and FQDN if present).

iPhone iPad Error 0x03000008

Once this is complete it should resolve the issue. Review the TerminalServices-Gateway operational event log and you should now see: The user “DOMAIN\user”, on client computer “”, met resource authorization policy requirements and was therefore authorized to connect to resource “”.

This issue/bug/feature is still present in the Remote Desktop iOS application version 8.1.5 from 29th October.

Group Policy – GPResult Examples

GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.

List GPOs Applied with Summary Data

Gpresult /r

/r Displays RSOP summary data

This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.

Here we see that 4 GPOs have applied to the Computer settings portion.

GPresult /r

If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope flag.

gpresult /r /scope:user
gpresult /r /scope:computer

The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.

Gpresult /r > gpresult.txt Export output to a text file
Gpresult /r |clip Export output to Windows clipboard

I can’t see the Computer Settings?

If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on the command prompt and select run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), then you will receive an error message stating INFO: The user “domain\user” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.

gpresult /r /user:sa\edward.thomas


Generate HTML Report

Gpresult /h report.html /f
Gpresult /h report.html /user:sa\edward.thomas /f

/h Saves the report in HTML format
/f Forces GPresult to overwrite the file name specified with /h
/user Specifies the user name for which the RSOP data is to be displayed

To get a more graphical view of what’s going on, you can generate a HTML report. This gives a detailed break down of each setting and the GPO from which it came. This view is particularly nice as you can show all and use ctrl+f to find a particular policy or setting.

GPResult /h html report

Run GPResult on Remote Computer

Gpresult /s server1 /r

/s Specifies the remote system to connect to

This allows you to run GPResult on a remote system, all of the above applies.

GPresult Remote Computer

The following GPOs were not applied because they were filtered out

Filtering Denied Security or Not Applied Empty

You may see this for a few reasons. The first that the policy is empty in which case you’ll see Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that the “Read” permissions has been denied.

To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO, and select Delegation- from there you may see an additional group or a single user or machine that has been added.

GPO Delegation Permissions

Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.

Deny Apply Group Policy

If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick of a red cross against it. If deny read has been granted every permission will have a red cross next to it.

Effective Access for GPO Permissions

I hope this gives you the basics behind GPResult and some good real world example to aid in your Group Policy troubleshooting.

Get Default Gateway from List of Remote Servers


Find the default gateway on a list of remote servers.


Create a textfile with a list of servers you would like to query, use a new line for each server. If you have an OU of servers you would like to query you could use the following to create a text file with all computer accounts within an OU (requires Active Directory Module for Windows PowerShell).

Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=domain,DC=local" | Select -expand name | Out-File -Encoding utf8 "\\server\share\Servers.txt"

This would create a textfile with every computer account in the “Servers” OU on domain.local.

I tend to put a “dummy” line at the top of the text file as PSEXEC has issues with the first entry.

List of servers to obtain default gateway

Now use PSEXEC to execute the following, don’t forget to run the command prompt as administrator (using an account with the required permissions on the remote servers).

psexec @c:\Serverlist.txt ipconfig /all | findstr "Default Gateway Host" >> c:\Servergateways.txt

PSEXEC Command

…and here’s the final result.

Output text showing host name and default gateway

SCCM 2012 – SCEP UNC Definition Updates Automation with Powershell

One of the choices for SCEP (System Center Endpoint Protection) definition update sources in SCCM 2012 is from a UNC file share, however in typical SCCM fashion there is a bit of leg work required to use this method. This post will explain the steps involved to make this happen.

1. Create a Folder Structure and Share

Create a folder structure to share the SCEP definition update files, the top level folder name does not matter, in this example I’m using SCEPUpdates. Within this folder create two folders, one named x86 for x86 machines and one named x64 for x64 machines. Share the SCEPUpdates folder. Ensure the client computers and the domain users connecting to the share have read permissions to the share. During an automatic update, the client computer account is used to authenticate to the share. When a user manually updates their definitions by clicking Update, that user account is used to authenticate to the share. You will want to use DFS or similar if you have multiple locations to distribute the files.


2. Powershell Script to Automate Definition File Downloads

There are 6 files in total to download, 3 for x64 machines and 3 for x86 machines.

  • Mpam-fe.exe – Full Definitions
  • Mpam-d.exe – Delta Definitions
  • Nis_full.exe – Network-based exploit definitions

For more information and direct links to the definition files see here (or refer to the Powershell script below).

I’ve put together a Powershell script to download the 6 definition update files to a UNC path.

$x64S1 = "//"
$x64D1 = "\\server\SCEPUpdates\x64\mpam-fe.exe"
$x64S2 = "//"
$x64D2 = "\\server\SCEPUpdates\x64\mpam-d.exe"
$x64S3 = "//"
$x64D3 = "\\server\SCEPUpdates\x64\nis_full.exe"
$x86S1 = "//"
$x86D1 = "\\server\SCEPUpdates\x86\mpam-fe.exe"
$x86S2 = "//"
$x86D2 = "\\server\SCEPUpdates\x86\mpam-d.exe"
$x86S3 = "//"
$x86D3 = "\\server\SCEPUpdates\x86\nis_full.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($x86S1, $x86D1)
$wc.DownloadFile($x86S2, $x86D2)
$wc.DownloadFile($x86S3, $x86D3)
$wc.DownloadFile($x64S1, $x64D1)
$wc.DownloadFile($x64S2, $x64D2)
$wc.DownloadFile($x64S3, $x64D3)

This is great for one off downloads, but we want to automate the task. The next step is to create a schedule task to the run the script every x hours. The action should point towards the Powershell script above, you can simply use powershell -file “script.ps1” as the action.


This schedule kicks the first download off every day at 12:05am and updates the definition files every 4 hours.


Confirm the scheduled task is running every 4 hours and updating the files correctly before moving onto the next step.

3. Configure Definition Update Sources

Open the System Center 2012 Configuration Manager console and browse to Assets and Compliance -> Endpoint Protection -> Antimalware Policies and select the policy you would like to configure.

SCEP Set Sources

From the left hand menu choose Definition Updates and choose “Set Source”. Tick “Updates from UNC File Shares” and move to the top of the list, un-tick other sources if necessary. Click OK.

SCEP Updates from UNC File Shares

Choose Set paths, add the UNC path and OK.

Configure Definition Update UNC Paths

To confirm the clients are pointing to the right location and using the UNC share configured above, wait (or manually) update the client’s policy and browse to the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates) and review DefinitionUpdateFileSharesSources.


The IT Crowd

It’s been around a while, but the IT Crowd is well worth watching if you haven’t seen it before- all 4 seasons are up on Netflix. Here’s one of my favourite clips.

« Older posts