Apr 16 2013


Why Windows didn’t enable this feature in the built-in GPOs is beyond me. Regardless, I needed a way to disable Windows Defender automatic scans to keep my hundreds of XenApp servers from running a scan at 2am and most likely crushing my storage infrastructure. So, what am I talking about here? How to disable this:

As you can see, the default GPOs do nothing for us.

So, how does this actually work? Well, when you configure this automatic scan, it creates a scheduled task, and writes a file in C:\Windows\System32\Tasks\Microsoft\Windows Defender\

Now, you can just delete the MP Scheduled Scan file, but this doesn’t remove the configuration from Windows Defender, so that won’t work. After a small bit of digging I found these registry keys in HKLM\Software\Microsoft\Windows Defender\Scan

The value in question here is “ScheduleDay”: 0 = daily, 1 = Sunday, 2 = Monday, etc., and 8 = off. So a simple GPP configuration that sets ScheduleDay to 8 is all it takes.

Do a GPUpdate /force and voilà! The scan has been removed from Scheduled Tasks, the file is gone, and its configuration is removed from the Windows Defender GUI.
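To confirm the setting actually reached every server, the check below reads ScheduleDay remotely and looks for a leftover MP Scheduled Scan task file. It is an added example, not part of the original post; the function name and the server names are hypothetical, and it assumes the Remote Registry service and the C$ admin share are reachable from where you run it.

```powershell
# Added example: report which servers still have a Defender scheduled scan.
# Assumes Remote Registry and the C$ admin share are reachable (assumption).
$DayNames = @{ 0='Daily'; 1='Sunday'; 2='Monday'; 3='Tuesday'; 4='Wednesday';
               5='Thursday'; 6='Friday'; 7='Saturday'; 8='Off' }

function Get-DefenderScheduleDay {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($Computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer = $Computer; ScheduleDay = $null; Meaning = 'Unknown'
            TaskFilePresent = $null; Compliant = $false; Error = $null
        }
        try {
            # Registry path and value name are the ones given in the post.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
            $key  = $hklm.OpenSubKey('Software\Microsoft\Windows Defender\Scan')
            if ($key -eq $null) { throw 'Scan key not found' }
            $value = $key.GetValue('ScheduleDay')
            $key.Close(); $hklm.Close()
            if ($value -eq $null) { throw 'ScheduleDay value not set' }

            $result.ScheduleDay = [int]$value
            if ($DayNames.ContainsKey([int]$value)) { $result.Meaning = $DayNames[[int]$value] }

            # Deleting only the task file is not enough, so check both places.
            $task = "\\$Computer\C`$\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan"
            $result.TaskFilePresent = Test-Path -LiteralPath $task
            $result.Compliant = ($result.ScheduleDay -eq 8) -and (-not $result.TaskFilePresent)
        } catch {
            # Unreachable host, access denied, or missing key/value.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Placeholder server names; list only the servers that still need attention.
Get-DefenderScheduleDay -ComputerName 'XA01','XA02' |
    Where-Object { -not $_.Compliant } |
    Select-Object Computer, ScheduleDay, Meaning, TaskFilePresent, Error
```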


Apr 03 2013

Today I got stuck publishing apps that had icons in the %windir%\System32\ folder on the XenApp server.  There are a couple ways around this but my personal favorite is to reference sysnative.

So let's say you're trying to publish the TS Licensing Manager; the exe only sits in the 64-bit OS path on 2008 R2.


You try and fix up the icon and you get

iconbrowser bad

So to fix this we change the path to


and we get the icon.

iconbrowser good

For more information check out the following links:



Apr 03 2013

So I like to have a group that can run any and all published applications so I can log in and at least smoke test them.

That's far too much clicking for me, so PowerShell to the rescue.

Add-PSSnapIn citrix.xenapp.commands

$Groups="Revord\Citrix_Admins"

Get-XAApplication | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

Those 3 lines get Citrix_Admins into EVERY published application, not too shabby.

Let's take it a bit further: say you need to add multiple groups, but only to a folder of published applications.

No problem..

$Groups="Revord\Citrix_Admins","Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Utils" | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

So in my environment all my MMCs etc. are published in the Applications\Utils path for readability.

But wait, what was I thinking, giving domain users access to all my published utilities!

No problem, we can use the same trick in reverse to rid ourselves of those extra accounts.

$Groups="Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Util-Servers" | foreach {Remove-XAApplicationAccount $_.BrowserName $Groups}

Now there is a neat glitch: if you run these PowerShell commands with an actively running AppCenter, you'll need to select Applications and hit F5 to refresh and actually see that your changes took effect.