HIPAA Windows 10 Privacy Concerns

Windows 10 has generated privacy concerns for Healthcare IT professionals as much as it has generated interest in the consumer market.

HIPAA Windows 10 Privacy Concerns are in full swing as healthcare organizations begin making preparations to update.

Windows 10 privacy concerns regarding HIPAA regulations have arisen from the new features offered in Windows 10.  Windows 10 has been described by some as residing partially in the cloud.  That is, as consumers are being led to cloud-based services, Microsoft has developed its Windows 10 operating system to be ever more connected to its back-end servers.


Some of the features that Healthcare IT professionals are concerned about include Input Personalization as noted in this popular article.


According to Microsoft’s privacy statement for Windows 10 (https://www.microsoft.com/en-us/privacystatement/default.aspx), for the “Input Personalization” feature, “…your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers.”…

…In addition, Windows 10 Input Personalization, “collect[s] your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”…

  • Is the input scrubbed of personally identifiable information before or after it’s sent to Microsoft (i.e. on the local PC or in Microsoft’s servers)?
  • Is the input data encrypted before it’s transmitted to Microsoft?
  • Is Microsoft storing the collected data?


Mr. Hoffenberg is not alone in his privacy concerns regarding Windows 10.   The question of whether or not Windows 10 is HIPAA and HITECH compliant was posted on Microsoft’s website as detailed in the linked article below.  As of now, I believe the question remains unanswered but was moved over to a discussion forum.



Another cause for Windows 10 privacy concerns is Data Syncing as explained in The Windows 10 Privacy Issues you Should Know About.


…and the list of HIPAA Windows 10 privacy concerns goes on…



The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk.  Cortana “learns” how each person speaks and writes by taking samples.  In addition, names, nicknames, recent calendar events and contacts are maintained.

  2. Data Sync: Default setting allows the operating system to sync settings and data into Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however it may lead to users’ credentials being vicariously breached by Microsoft.

  3. 3rd party Advertisers: The Advertising ID provides a unique identifier per user allowing collections of data to be shared with 3rd party advertisers.  This may help fund the “free” upgrade to Windows 10 from previous versions, and is provided to help provide more effective targeted ads when using 3rd party applications.  Turning this off will not block ads from appearing, but they may not be as targeted, as your users will remain more anonymous with this feature turned off.

  4. Bitlocker: Windows 10 will automatically back up your encryption key to OneDrive, unless you are using Active Directory Group Policy to manage this element.  Also, if you are using Bitlocker or planning to use Bitlocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a Bitlocker-encrypted laptop is lost or stolen.

  5. Telemetry:  Those familiar with the Windows Pop-up sending diagnostic information after a program crashes to Microsoft for product improvement will want to know about Telemetry.  Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc.  This is a well-documented How-To disable Telemetry from our friends at Winaero.


Regarding Telemetry you can read Windows 10 makes diagnostic data collection compulsory.  Of key interest to those concerned with HIPAA compliance is this tidbit of information:

Full switches on other data gleaning, including advanced diagnostics “that collect … such [things] as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred.”


Microsoft’s new license agreement as explained in this article is painfully straightforward in regards to personal data.  The article goes on to describe it (Windows 10) as “a privacy nightmare for everyone”.

Let’s look at the Windows 10’s new license agreement, which contains this nugget in its privacy policy. Microsoft says:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”


Another Windows 10 feature that is troubling, not only for Healthcare IT Professionals, but for network administrators is Wi-Fi Sense.


Wi-Fi Sense is a feature of Windows 10 that allows you to easily share your various Wi-Fi networks with people on your contact list. It’s handy because you don’t have to give them the password to your Wi-Fi. You simply add them to your computer’s Wi-Fi Sense list and it Just Works.

The list of people that you can share your Wi-Fi networks with through Wi-Fi Sense is very extensive. It can go so far as anyone who is your Facebook friend. Experts have determined that there are various ways for bad guys to exploit Wi-Fi Sense and get access to places they really shouldn’t be.


It is quite obvious that the contest for delivering cloud based services has been accelerating and will continue to do so.  Microsoft has made an aggressive push towards that end with Windows 10.

While regular consumers will voice their own privacy concerns, they will likely be ignored.  Healthcare organizations, on the other hand, are obligated by law to keep patient data private, and privacy is what seems to be going out the window in order to enhance functionality and provide feature-rich content.

In closing, HIPAA Windows 10 privacy concerns need to be addressed before moving forward with an upgrade to Windows 10.
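
The features discussed above (Input Personalization, Cortana, Data Sync, the Advertising ID, Telemetry, Wi-Fi Sense and BitLocker protectors) can be audited on a machine before and after an upgrade. The PowerShell below is an added example, not part of the original post or a Microsoft tool; the registry paths and value names are the Group Policy locations Microsoft documents for these features, and the expected values are an assumed restrictive baseline that you should adjust to your own policy.

```powershell
# Added example: report the policy registry values behind the Windows 10 features
# discussed in this post. "Want" is an assumed restrictive baseline, not a HIPAA rule.
$PrivacyChecks = @(
    @{ Feature = 'Telemetry level'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name    = 'AllowTelemetry'
       Want    = '0 (Security, Enterprise/Education only) or 1 (Basic)'
       Test    = { param($v) $v -le 1 } },
    @{ Feature = 'Cortana'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name    = 'AllowCortana'
       Want    = '0'
       Test    = { param($v) $v -eq 0 } },
    @{ Feature = 'Input personalization'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
       Name    = 'AllowInputPersonalization'
       Want    = '0'
       Test    = { param($v) $v -eq 0 } },
    @{ Feature = 'Typing data collection'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
       Name    = 'RestrictImplicitTextCollection'
       Want    = '1'
       Test    = { param($v) $v -eq 1 } },
    @{ Feature = 'Settings/data sync'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
       Name    = 'DisableSettingSync'
       Want    = '2'
       Test    = { param($v) $v -eq 2 } },
    @{ Feature = 'Advertising ID'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name    = 'DisabledByGroupPolicy'
       Want    = '1'
       Test    = { param($v) $v -eq 1 } },
    @{ Feature = 'Wi-Fi Sense'
       Path    = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
       Name    = 'AutoConnectAllowedOEM'
       Want    = '0'
       Test    = { param($v) $v -eq 0 } }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured,
    # so the Windows default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrivacyBaseline {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($null -eq $value)        { $state = 'NotConfigured' }
        elseif (& $c.Test $value)    { $state = 'OK' }
        else                         { $state = 'Review' }
        [pscustomobject]@{
            Feature  = $c.Feature
            Value    = $value
            Expected = $c.Want
            State    = $state
        }
    }
}

function Test-BitLockerProtector {
    # The post recommends TPM+PIN; list each volume's key protectors.
    # Requires an elevated session and the BitLocker module.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return }
    try { $volumes = Get-BitLockerVolume -ErrorAction Stop }
    catch { Write-Warning "BitLocker query failed: $($_.Exception.Message)"; return }
    foreach ($vol in $volumes) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.ProtectionStatus -eq 'On' -and $types -contains 'TpmPin') { $state = 'OK' }
        else { $state = 'Review' }
        [pscustomobject]@{
            Feature  = "BitLocker $($vol.MountPoint)"
            Value    = ($types -join ',')
            Expected = 'Protection On with a TpmPin protector'
            State    = $state
        }
    }
}

$report = @(Test-PrivacyBaseline -Checks $PrivacyChecks) + @(Test-BitLockerProtector)
$report | Format-Table -AutoSize -Wrap
```

A `NotConfigured` row means no policy is set, so the Windows default for that feature is in effect.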

**Update**  For information on better securing ePHI while using Windows 10 in healthcare read https://maaadit.wordpress.com/2016/03/22/hipaa-hitech-and-windows-10-5-settings-to-better-secure-ephi/.


Cisco Linksys Valet M10 Firmware Upgrade to Tomato Toastman Build

As we add more devices and users to our home WiFi networks, there comes a need for better administrative controls.  There are many reasons why you may want to upgrade the firmware on your Cisco Valet M10 wireless router.  It all boils down to the fact that the manufacturer’s firmware has limited features and your wireless networking needs have changed over the years.


Perhaps you or others in your household are streaming video and/or music from Netflix, ShowBox, HULU, Pandora, SoundCloud, Spotify, etc. on your wireless network; the number of users streaming may be causing video/ audio playback performance issues.  Maybe you have little ones and, as a concerned parent, you need to know what sites they are visiting online or you may want to block access to certain websites.  Or, if you are concerned about the amount of time your children spend online, you may want to impose access restrictions at certain times.  For example, blocking all access to Wifi after 9pm when children and teens should be asleep rather than staring their tired beady eyes at their friend’s Facebook page.

These are all popular features available with third party Tomato firmware.  More advanced features include QoS rules for prioritizing certain traffic, support for VLANs to segment your WiFi traffic, and VPN support to encrypt internet traffic for added security.  Tomato can be used as a wireless bandwidth monitor, provides detailed information on wireless bandwidth speed and includes a wireless bandwidth chart depicting throughput.  Tomato allows you to monitor WiFi traffic and monitor WiFi usage.

Upgrading to a third party firmware like Tomato can breathe new life into your old Cisco Valet M10 wireless router.  Tomato firmware not only provides more advanced features such as real time bandwidth and IP monitoring, and all those goodies stated earlier, it might also make your Cisco Linksys Valet M10 WiFi router more stable.

Now, this post is not technically a step-by-step guide on how to upgrade Cisco Linksys Valet M10 Firmware to Tomato Toastman Build.  Here you will find the links to resources that will help you do exactly that.

Warning: Messing with your WiFi router’s firmware can potentially render your wireless router useless and unrecoverable.  Do not attempt this unless you can live with that for the rest of your life and without blaming anyone else but yourself.

During my search to make better use of the Cisco Valet M10 router I came across http://www.howtogeek.com/189073/how-to-use-a-custom-firmware-on-your-router-and-why-you-might-want-to/ that explains why you may want to update your router and has links to relevant sites.  In the post it states that Tomato has not been updated for some time; it is important to know that while the original release has not been updated for years, a developer that goes by the name of Toastman, did in fact continue to build upon the original Tomato firmware and his newest release is as recent as November 2015.

There are some key things to know when updating your Cisco Linksys Valet M10 Firmware to Tomato Toastman Build.

Know your router.  It is important to know what WiFi router model and version you have.  You cannot flash just any firmware onto just any router.  The firmware needs to support your specific router model.  This post is about Cisco Valet M10 version 1.  There are other Tomato firmware versions that may work on your router if you don’t have this specific one.  The hardest part, in my opinion, is knowing exactly which firmware to use.  For the Cisco Linksys Valet M10 version 1, I used tomato-K26-1.28.7507.2MIPSR2Toastman-RT-Tiny.trx that is available for download at http://www.4shared.com/dir/v1BuINP3/Toastman_Builds.html#dir=dvM3seGQ.

One of the main reasons why I chose to upgrade with tomato-K26-1.28.7507.2MIPSR2Toastman-RT-Tiny.trx is because I found that others had used Toastman’s firmware builds on Cisco Valet M10 in the past.



Also, the version I picked is very recent.  There are other Toastman firmware even more recent than that and that offer additional functionality but the file size is too big for the Cisco Valet M10 router.  I opted for the most recent release I could find (modified March 2015) that was the right size (3.4mb) for my router.

It took me a while to know which Tomato firmware to use for the Cisco Valet M10 router as I did not immediately know which version of router I had.  Some refer to it as Linksys M10; others refer to it as a Linksys “E” series router.  There is also a version 2.  The following site was useful in determining what router I had.


Specifications and versions

Valet M10

The Valet M10 along with the Valet Plus M20 were Cisco’s first routers in the Valet series. The M10 is a 2.4 GHz single-band 802.11n wireless router featuring 10/100 LAN connectivity. The v1 of this model is equivalent to the Linksys E1000 v1 and WRT160N v3, sharing the same hardware and specifications. It is white in color and features a light blue trim.

Valet Plus M20

The M20 is a 2.4 GHz single-band 802.11n wireless router featuring gigabit LAN connectivity. This model is equivalent to the Linksys WRT310N v2, also sharing the same hardware and specifications. It is white in color and features a silver trim.

Toastman wrote the following firmware guide to help us figure out which firmware build we need.  In it he mentions the Linksys “E” series router and being that I had already determined the Linksys “E” series router to include the Cisco Valet M10 v1, this was helpful to identify which Tomato Toastman build would work for me.


From previous people that flashed their routers I learned that it is a good idea to do a 30/30/30 reset before and after the firmware upgrade.  This link explains how to do a 30/30/30 reset:


Disconnect the router from UTP cables (not the power cable).
Push reset button for 30 secs.
Without releasing reset button, disconnect power cord.
Hold the reset button for another 30 secs.
Replug the power cord.
Still hold the reset button for another 30 secs.
Release the reset button and give the router about 10 secs to resettle.
Disconnect power cord for another 10 secs and then reconnect.

If you are looking into upgrading your router’s firmware then you probably already have a clue on how to do it.  You may have already tinkered with your router’s settings in the past.  If so, the process will not be hard at all.

First you download tomato-K26-1.28.7507.2MIPSR2Toastman-RT-Tiny.trx from the link provided earlier and change the file extension to .bin (tomato-K26-1.28.7507.2MIPSR2Toastman-RT-Tiny.bin).

Next, you do a 30/30/30 reset on your router.  Note: My Cisco Valet M10 router does a weird thing.  When you unplug the power and plug it back in it doesn’t always come on.  It will blink the LAN port leds but won’t fully turn on.  So when I did the 30/30/30 reset on the Cisco Valet M10 router and was holding the reset button, I had to plug the power cord in and out multiple times until it powered on without ever letting go of the reset button.  Just thought I would mention that in case it is a bug with this particular router.

After the 30/30/30 reset you log in to the router using the default username and password which I believe is Username: admin Password: admin and go to the firmware update page to load your .bin file.  After the firmware uploads and the router reboots you do another 30/30/30 reset and that’s it.

Keep in mind that this process will reset all settings so you will have to configure your router again.  Also note that DHCP will be off by default after the upgrade and will have to be re-enabled for the router to hand out IP addresses.  Devices that are set to acquire IP addresses by DHCP will be unable to connect otherwise.

If you have never logged into your router before, do not know how to setup wireless settings and/ or do not know what DHCP is I recommend that you do a lot of reading before attempting anything as you will likely end up with a “bricked” or nonworking device.

If you end up using Toastman’s Build and find it useful don’t forget to give the man credit and perhaps donate him some cash; I think he has done a great job.








Symantec Endpoint Protection Windows 10 Compatibility

Is Symantec Endpoint Protection compatible with Windows 10?

Only if it is the latest Symantec Endpoint Protection version 12.1.6.  Symantec Endpoint Protection 12.1.5 and previous versions are not compatible with Windows 10.

With Microsoft upgrading Windows 7 and Windows 8 to their newest OS platform, Windows 10, businesses are ever more challenged in keeping their security solutions up to date.


We recently upgraded to SEP 12.1.5 and rolled out mostly unmanaged clients and a few managed ones. Our organization is now ordering PCs with Windows 10 preinstalled and we need to update Symantec yet again for compatibility. Problem is, our organization does not have proper bandwidth resources to push out the SEP 12.1.6 client to all PCs. On top of that, most of our users are on thin clients. Our newest thin client images for HP t620 already include the SEP 12.1.5 client.

The question is this: Can I update SEPM to 12.1.6 to create the new package for Windows 10 PCs but leave all existing PCs/ thin clients on 12.1.5?  Will the 12.1.5 managed clients still talk to SEPM 12.1.6 and continue to download definitions without the need to update?   As long as the base version is the same (i.e. 12.1.x) then SEPM and SEP client can be on different versions.



Additionally, posts on the official Symantec forum state that an unmanaged SEP 12.1.6 client can be installed on Windows 10 machines by downloading Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_EN.zip instead of updating SEPM to 12.1.6.


Symantec Endpoint Protection (SEP) adds support for Windows 10 with 12.1.6 MP1.

For Symantec Endpoint Protection 12.1, a maintenance patch has been released on July 29, 2015. Customers will need to be current on maintenance to receive the maintenance patch update. For more information, visit our SEP 12.1 Windows 10 Knowledge Base.

You can upgrade to Windows 10 with Symantec Endpoint Protection 12.1.6 MP1 installed. You must uninstall earlier versions of Symantec Endpoint Protection. The operating system upgrade stops if it detects an earlier version of Symantec Endpoint Protection.

The following operating system upgrade paths are supported with 12.1.6 MP1 installed:

  • Windows 8.1 to Windows 10

  • Windows 8 to Windows 10

  • Windows 7 to Windows 10


Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_EN.zip can be downloaded from the link below by entering your Symantec product serial number.



Adtran Netvanta 7100 Failed Calls Incoming / Outgoing to External Numbers

There are a plethora (a large or excessive amount) of reasons why VOIP calls may fail.  Having overall knowledge of the VOIP networked components is important in troubleshooting Adtran Netvanta 7100 Failed Calls.

Having a good understanding of the infrastructure and components that make up the Voice Over IP network of an organization is important because it can help you narrow down the point of failure quicker, especially if you don’t have as much experience and training in VOIP telephony or the Adtran Netvanta 7100 PBX.

Additionally, the ability to communicate with the end user in order to get detailed information regarding failed calls can make a huge difference in the steps taken to correct the problem.

For example, at a site with a Netvanta 7100 PBX system, an end user contacts the helpdesk to report that he/ she is unable to receive incoming calls.  Upon further questioning, the user states that about two out of every five calls fail.

As a technician, it is rule #1 to get as much detailed information from the user/s experiencing the problem as this information often times can narrow down the problem to a certain component or device.

Going back to our example, the user also explains that she is unable to call out and that she gets a fast busy signal when doing so.  You corroborate what has been said by making a few test calls and do in fact receive a busy signal when attempting to call the site’s number.  The user has previously rebooted the Adtran IP 712 phone but we know that would not make a difference because the reported issue is affecting the whole site and not just that one user.

On a previously working Adtran Netvanta PBX phone system that is now experiencing failed incoming/ outgoing calls, and if no recent changes have been made, rebooting the device resolves the problem 8 times out of 10; that is from my own experience.  I consider the Netvanta 7100 PBX to be “buggy” when compared to other VOIP solutions out there; it offers great functionality and features at a low monetary cost.  The downside is that it does tend to be less stable than some of its more popular competitors.

If you want to avoid downtime and sporadic failed incoming/ outgoing calls here are two tips for the Netvanta 7100 PBX:

  1. Develop a reboot process and schedule to prevent these sorts of problems from happening.
  2. Update Netvanta 7100 firmware to the Extended Maintenance Release to stay up to date with the latest bug fixes.

Using the previous example, prior to disrupting production by rebooting the device during operating hours, it is a good idea to contact the service provider to rule out problems on their network.  Once the provider has reported back and confirmed that calls are in fact being delivered to the customer equipment we can look forward to performing a reboot of the Netvanta 7100.  Since we will be rebooting the device, we go ahead and update the firmware to the latest extended maintenance release (currently R11.4.5).  Prior to updating the firmware, it is important to read the NetVanta 7000 Series Products AOS Release Notes for the firmware you will be updating to.  It includes important information such as hardware and software requirements for networked devices and IP phones.  It also includes information on bug fixes and bugs still present in the release.

Another important clue in this scenario is the fact that failed outgoing calls are all to external numbers and not internal extension numbers.  As internal calls go through various SIP trunks we can suspect a problem with the PRI trunk that handles external incoming/ outgoing calls to the Netvanta 7100.  In our scenario, the PRI trunk interfaces with an Adtran 908e Access Router.  Incoming calls to the site are delivered by the service provider to the 908e Access Router that routes the calls over to the Netvanta 7100 PBX.

Surprisingly, after rebooting the Netvanta 7100 PBX, incoming/ outgoing calls to external numbers are still failing.  We suspect the PRI trunk.  As the service provider has confirmed delivery of calls to customer equipment and being that rebooting the 7100 did not resolve the problem, we now look to the other end of the PRI, the 908e Access Router.  From my experience, it is rare that the 908e acts up; it is usually the 7100.  This time however, rebooting the 908e Access Router resolved the issue and everyone is happy once again.

As a last note, the end user that called reporting the problem with failed incoming / outgoing calls comments that faxes are now working as well and that they had not been prior.  That minor piece of information that was missed would have proved significant as fax communications for that site are handled exclusively by the 908e Access Router; we could have pinpointed the trouble device right from the start avoiding an out of town trip, hours of going over settings and debug logs, an unwarranted firmware upgrade, etc. 🙂



XenApp 7.6 – ThinPrint .Print Engine – Printer Issues – Windows can not connect to the printer 0x00000057

Printing has always brought some challenges to a virtual environment.  In my experience, printing issues have accounted for a substantial portion of the problems we have faced over the years with Citrix XenApp 5.0.

A stable printing environment in XenApp 5.0 was achieved by implementing a third party printing solution, Cortado’s ThinPrint .Print Engine 8.0.  Prior to that, the print spooler on Windows Server 2008 would crash unexpectedly several times a day on several servers in the XenApp farm.

Cortado’s ThinPrint .Print Engine 8.0 VLayer allowed us to virtualize all printers on our Windows Server 2008 Print Server.  Basically, .Print Engine 8.0 VLayer creates a (virtual) printer that carries over the settings from the original shared printer but utilizing the ThinPrint Output Gateway driver.  Thus, you end up with two printers on the Print Server.  One is the virtual ThinPrint printer with the TPOG driver and the other is the original printer that uses the native printer driver.  The VLayer printer becomes the shared printer and sends print jobs over to the original printer which then sends them over to the physical networked printer.  It solved many of our problems because, as many have noted, the majority of printer issues in Citrix XenApp are caused by printer drivers.  Our XenApp 5.0 servers no longer used the native drivers; instead, the TPOG driver is installed once on each of the XenApp servers.  Then, in XenApp Advanced Configuration Tool, you add the Print Server that hosts all VLayer shared printers.  Lastly, you create a Citrix Policy that assigns shared printers to Active Directory users as session printers.  The printers are created when a user logs in using the TPOG driver.

Upgrading to XenApp 7.6 from a XenApp 5.0 farm did not bring about as many headaches because of all the leg work done previously in planning and testing prior to deploying the product.  Once the XenApp 7.6 site was operational we encountered our first obstacle and unsurprisingly, the problem involved printing.

On our newly created XenApp 7.6 site we assign session printers to users via a Citrix Policy.  As done previously on the XenApp 5.0 farm, we installed the TPOG driver on the Virtual Delivery Agent servers.  Initially, session printers were auto creating without issue and users were able to print.  However, some of the printouts had partially garbled text.  It was assumed that it might be a corrupt font as this had happened previously in XenApp 5.0.  Replacing the suspected bad fonts ruled out that assumption.  Oddly, the problem was affecting applications that used previously created forms; typing up something new in Word, for example, did not reproduce the problem.

Reasoning that we were now on Server 2012 R2 and XenApp 7.6 as opposed to Server 2008 and XenApp 5.0, we asserted that perhaps we needed to update the ThinPrint .Print Engine to a newer version.  And we did.  And it worked.  The garbled text issue was gone and our users were able to print normally, at least for the remainder of the day.  It so happened that after updating ThinPrint .Print Engine from 8.0 to 9.0 we had to also update the TPOG driver on each of the XenApp servers.  Our XenApp 5.0 servers updated without problems but session printers on the XenApp 7.6 VDA servers stopped working the next day.  And despair set in.

The issue was possibly due to attempting to install the updated TPOG driver on the VDA servers.  We did so by connecting to the shared printer on the print server.  When that failed we tried installing it from the ThinPrint installation media. We stopped and restarted the print spooler a gazillion times over.

As I recall, the error in Server 2012 R2  running Citrix XenApp 7.6  was “Windows can not connect to the printer 0x00000057”.

Luckily, after some googling around I found the following article that proved to be the right solution to the problem.


It’s actually the print driver failing to install, not the connection to the print server.  An initial attempt to install the driver failed, so the driver directory is present on the workstation, but missing the files.

1)  On a machine with the same driver installed (and working properly), open Regedit, and browse to:
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\
2)  Locate the subkey for the printer driver you are dealing with and click the key for the printer driver.
3)  Look for the “InfPath” on the right.  Note the path.
5)  Now browse to C:\Windows\System32\DriverStore\FileRepository and locate the folder indicated in the InfPath reg value.
6)  Go to the user’s computer exhibiting this behavior, and browse to C:\Windows\System32\DriverStore\FileRepository and see if the folder is present.  In my case, the folder was present, but empty.  If it is here and it is empty, you will have to modify security on the folder, first taking over ownership, then granting yourself full control.
7)  Once security is granted, copy the contents of this folder from a good machine to the machine presenting the 0x00000057.

Now try connecting to the print queue on the print server.  The driver should now download and install properly.

Good luck.  This isn’t the first time I’ve seen this happen, but this is the first time I decided a reimage was more than I wanted to take on, and I wanted to solve this so that I can correct it the next time it happens.  And I have yet to find a real solution to the 0x00000057 error code.

If memory serves me correctly, we were missing a file in that one folder, I think….perhaps the whole folder was missing…Okay!  To be honest, I just don’t remember as it happened a couple of months ago.  But I do know we were missing something from that folder as I wrote myself a note and it specifically reads “TPOG driver folder files missing” “ThinPrint Engine upgrade to 9.0”.  Give me a break, it was a very busy week and I keep getting old. 🙂
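
The manual check in the quoted steps (read each driver's InfPath, then see whether its DriverStore folder is present and populated) can be run across every installed print driver. The PowerShell below is an added example, not from the quoted article or from ThinPrint; the function name and state labels are hypothetical, and it enumerates all environments under the Print\Environments key rather than only "Windows NT x86", since 64-bit servers keep their drivers under a different environment subkey.

```powershell
# Added example: flag print drivers whose DriverStore package folder is missing
# or empty, the condition the quoted fix describes behind error 0x00000057.
# Read-only: it reports, it does not change ownership or copy files.
function Get-PrintDriverStoreState {
    param(
        [string]$EnvironmentsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments',
        [string]$FileRepository  = (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
    )
    foreach ($environment in Get-ChildItem -Path $EnvironmentsKey -ErrorAction SilentlyContinue) {
        # Version-3 is the driver subkey named in step 1 of the quoted procedure.
        $driversKey = "$($environment.PSPath)\Drivers\Version-3"
        if (-not (Test-Path -LiteralPath $driversKey)) { continue }

        foreach ($driver in Get-ChildItem -LiteralPath $driversKey) {
            $infPath   = (Get-ItemProperty -LiteralPath $driver.PSPath).InfPath
            $folder    = $null
            $fileCount = 0

            if ([string]::IsNullOrWhiteSpace($infPath)) {
                $state = 'NoInfPath'          # nothing to verify for this driver
            }
            else {
                # InfPath normally holds the full path to the .inf inside FileRepository;
                # treat a relative value as relative to FileRepository.
                if (-not [System.IO.Path]::IsPathRooted($infPath)) {
                    $infPath = Join-Path $FileRepository $infPath
                }
                $folder = Split-Path -Path $infPath -Parent

                if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
                    $state = 'FolderMissing'
                }
                else {
                    # An unreadable folder (broken ACL) also yields zero files here.
                    $fileCount = @(Get-ChildItem -LiteralPath $folder -File `
                                      -ErrorAction SilentlyContinue).Count
                    if ($fileCount -eq 0) {
                        $state = 'FolderEmpty'
                    }
                    elseif (-not (Test-Path -LiteralPath $infPath -PathType Leaf)) {
                        $state = 'InfMissing'
                    }
                    else {
                        $state = 'OK'
                    }
                }
            }

            [pscustomobject]@{
                Environment = $environment.PSChildName
                Driver      = $driver.PSChildName
                State       = $state
                FileCount   = $fileCount
                Folder      = $folder
            }
        }
    }
}

# Show only the drivers that need attention.
Get-PrintDriverStoreState |
    Where-Object { $_.State -ne 'OK' } |
    Format-Table -AutoSize -Wrap
```

Running it on a working server as well gives the file count to compare against for the same driver.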




XenApp 5.0 to XenApp 7.6 Upgrade / Migration Part 3


This is a follow-up to the previous two posts for migrating to XenApp 7.6 from a XenApp 5.0 farm.



Installation and configuration of a new XenApp 7.6 site can go smoothly if we prepare for it.  The following XenApp 7.6 free training courses and videos are a good place to start; for those with prior Citrix experience, it may be enough for a successful deployment.

CXA-105 XenApp and XenDesktop 7.6 Foundations


CXD-300eCW Deploying App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6


XenDesktop Master Class: Live Install of XenDesktop/XenApp 7.6

As with any other deployment, I find it useful to first make a diagram of the existing network/ server infrastructure to visualize what the current farm looks like.  I then conceptualize the server infrastructure for the new XenApp 7.6 Site by listing the various servers and how they will interact with other XenApp 7.6 servers/ components.  It is not something that you will be presenting at the next board meeting so don’t cringe your teeth just yet.  It’s merely an exercise to identify the various components and plan which servers will be allocated for which services in the new 7.6 site.

Using the same scenario from the previous two posts, our migration is well underway after the License Server component installation as discussed in Part 2.  Assuming the Domain Controller/s, File Server/s, and Print Server/s are already in production, we start by understanding what other infrastructure must be in place for a simple XenApp 7.6 deployment.

The 7.6 Site will be composed of the following:

  • Delivery Controller

For those coming from XenApp 5.0, the Delivery Controller in XenApp 7.6 is sort of like the Data Store in a XenApp 5.0 Farm.  Citrix Director and Citrix Studio are installed along with the Delivery Controller.  Citrix Studio is where you can create, configure and manage your new site.  Citrix Director is a great tool for viewing all sorts of information and statistics regarding your XenApp 7.6 site and includes administrative tools such as shadowing users, logging off sessions, and placing VDA servers in Maintenance Mode to disable user logons.  It is recommended that the Delivery Controller be installed on a separate server; for high availability, it is also recommended to have more than one Delivery Controller.

  • SQL Express

SQL Express is the database that contains all the site’s data; it is created during the Delivery Controller installation.  If you already have an existing SQL database, you can point to that instead for backup and maintenance purposes.  In our scenario, the SQL Express database is created during the DC installation and resides on the same server.

  • License Server

The License Server component handles product licensing for XenApp 7.6.  Note that XenApp 7.6 no longer uses Terminal Server licensing; instead it uses Remote Desktop Services.  An important thing to keep in mind is that every VDA machine in the XenApp 7.6 site needs to point to the License Server.  You can achieve this through the VDA server’s Local Group Policy as explained here.

To set the correct license server and the mode it is operating in, we need to use a (local) group policy or change it directly in the registry.

The group policy setting the Remote Desktop licensing mode is located in:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

  • StoreFront

The Citrix StoreFront, for those coming from XenApp 5.0, is sort of like the Secure Access Gateway.  It is what the user connects to in order to access site resources such as applications and shared desktops.  It is recommended that you install two or more StoreFront servers for high availability.

  • XenApp Worker/s (Virtual Delivery Agent)

The Virtual Delivery Agent (VDA) is the XenApp 7.6 component installed on all servers that will be hosting applications and/or shared desktops.

Note that in order to run the XenApp 7.6 installer all servers on which the above listed components will be installed must already be added to the domain.  Prerequisite Windows Server Roles are installed automatically during the XenApp 7.6 installation with the exception of the License Server.  Prior to installing the License Server component, you must add the Remote Desktop Services Role – Remote Desktop Licensing.
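Because every VDA server has to point to the License Server, it helps to verify the licensing policy across all of them after the Group Policy has been applied. The script below is an added example, not part of the original post: it reads the registry values written by the Remote Desktop Session Host Licensing policies and reports any server that is unconfigured or differs from the expected values. The server names and expected values are placeholders, and PowerShell remoting is assumed to be enabled on the VDA servers.

```powershell
# Added example (not from the original post): audit the RD licensing policy on VDA servers.
# Assumptions: PowerShell remoting is enabled; names and expected values are placeholders.
$ExpectedLicenseServer = 'LICENSE01.example.local'  # placeholder license server name
$ExpectedMode          = 4                          # 2 = Per Device, 4 = Per User
$VdaServers            = @('VDA01', 'VDA02')        # placeholder VDA server names

# Registry location written by the Remote Desktop Session Host "Licensing" policies.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdLicensingPolicy {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ArgumentList $PolicyKey -ScriptBlock {
        param($Key)
        # A missing key or value means the policy was never applied on this server.
        $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LicenseServers = [string]$p.LicenseServers
            LicensingMode  = $p.LicensingMode
        }
    }
}

$report = foreach ($server in $VdaServers) {
    try {
        $policy  = Get-RdLicensingPolicy -ComputerName $server
        # The policy stores one or more license servers as a comma-separated string.
        $servers = @($policy.LicenseServers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($servers.Count -eq 0 -or $null -eq $policy.LicensingMode) {
            $status = 'NotConfigured'
        } elseif ($servers -notcontains $ExpectedLicenseServer) {
            $status = 'WrongLicenseServer'
        } elseif ($policy.LicensingMode -ne $ExpectedMode) {
            $status = 'WrongMode'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Server = $server; Status = $status
                           LicenseServers = $servers -join ','; LicensingMode = $policy.LicensingMode }
    } catch {
        # Remoting failure: report it instead of silently skipping the server.
        [pscustomobject]@{ Server = $server; Status = 'Unreachable'
                           LicenseServers = $null; LicensingMode = $null }
    }
}

$report | Format-Table -AutoSize
```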

The first XenApp component to be installed in our scenario is the License Server.  A not so robust server has been allocated for this purpose.  That same server will also house Citrix StoreFront as these are not generally resource intensive services for a small 300+ user organization.

Next up is installation of the Delivery Controller for which we allocate another server.  While a separate SQL server is recommended for larger deployments and to support mirrored backups, our small XYZ company wants to keep it simple.  Thus, SQL Express will be installed along with the Delivery Controller.

Lastly, XenApp 7.6 Virtual Delivery Agent is installed on each of the servers that will host shared desktops.  I find it helpful to have an application list I can use to make sure that all servers have the same applications installed.

XenApp 7.6 overall step by step installation instructions are included in the video above.  I found the video in Part 2 more useful when installing the License Server Component.

Once all required XenApp 7.6 services are installed we can move on to creating a new site.  As mentioned prior, we do this through Citrix Studio.  I like using the Full Operational Site option.  Since our deployment is quite simple and we are using physical servers, we select the No Machine Management option.

Next, we create our StoreFront. The following video details installation instructions for Citrix StoreFront.

In order to deliver applications and Server OS shared desktops to our users we will need to create a Machine Catalog and Delivery Group.  The Machine Catalog includes the VDA servers that will be hosting apps and desktops.  The Delivery Group is sort of like a group object where you add Active Directory users.  VDA servers are allocated to a Delivery Group from a Machine Catalog.

Lastly, we create Citrix policies for things such as Twain Redirection for scanner support and to add session printers.  Citrix User Profile Management is included in the VDA installation.  In our scenario, that was already in place through Group Policy.  Our XYZ company users are able to launch their shared desktops by using Citrix Receiver 4.3, 4.1 and also using the legacy PN Agent.

As always, it is useful to note the steps and options selected while creating and configuring your XenApp 7.6 site to easily back track or to use as a checklist for future installations and/or modifications.


HP P3015 Laserjet Replace Fuser – Fix Processing Job – Fix Ink Marks

There are two symptoms that may result from a bad fuser on an HP P3015 Laserjet printer.  Consider replacing the fuser on an HP P3015 Laserjet printer if it gets hung up on a message that reads “Processing Job” or if there are black ink marks on the paper.


HP P3015 Fuser/ Maintenance Kit

The paper prints out with black ink marks. 

There are no visible signs of residual ink or it has been cleaned.  These black ink marks get worse over time and don’t go away.  The black ink marks are due to a bad fuser sleeve that has been worn or is damaged.  If you want to save some money it is possible to replace just the fuser sleeve rather than the whole fuser but this will require more work on your part.

The following video explains how to replace a bad fuser sleeve step by step.  It is for a different model printer but the process is almost the same.


“Processing job…” message appears on display panel and printer hangs.

Another symptom that may result from a bad fuser on an HP P3015 Laserjet printer is if the printer hangs while printing and the message “Processing job…” can be seen on the display panel.  Power cycling the printer will usually allow it to print again for a little while until it hangs again.  The issue is due to the fuser not heating up properly. Powering the printer off for a few minutes might make it work for a while but it will get worse over time.  The following video shows step by step how to remove and install a fuser on an HP P3015 Laserjet printer.

