VDI Gold Image Maintenance – Adding Microsoft Office Add-Ins And Managing Load Behavior

I’ve spent a couple of years learning from scratch (with no prior knowledge of VDI environments) how to package applications, common stumbling blocks, best practices and picked up some very handy tricks along the way, which I’ll share below.

This post gives a newbies understanding of what non-persistent VDI is, what application layer is/does, and how to add Microsoft Office Add-Ins into your gold image.

What  are non-persistent VDI desktops?

Non-persistent desktops mean when you log off, the desktop is destroyed and rebuilt from a template. A persistent desktop means you can log back into the same machine (be it virtual or physical).

A primer on persistent vs non-persistent desktops

What is a master image or ‘Gold image’?

The master image or ‘Gold Image’ is a template that will be cloned to produce your virtual desktop. It contains the chosen OS (typically Windows or Linux), core applications  that are required by everyone in the business (typically MS office, plug-ins, anti-virus and any bespoke business apps that cannot be controlled or added at a later stage). To create a gold image there’s a number of best practices to follow. Read about How To Optimize A Gold Image

What is application layering?

Layering is the technical name for adding another application to a desktop without manually installing it. Common technologies in the marketplace that perform layering (in one way or another) are Microsoft App-V, VMWare Appvolumes, ProfileUnity FlexApp , Citrix XenApp – these tools can visualise an application for streaming/mounting/layering into a desktop that is cloned from your master image. This allows you to provide staff the software they need, when they need and retain control of the licencing, patching, updating and versioning of the software your company uses.

Liquidware’s Application Layering (FlexApp)

Microsoft App-V Overview

VMWare App Volumes

Why use layering? I like installing it!

Over time it’s easy for a typical desktop computer to become a graveyard of applications. A typical small company might have an IT estate of 20-50+ physical computers, each with different software installed on them based on ad-hoc requests from staff. This represents all kinds of challenges (licencing, maintenance, patching levels, vulnerabilities) and, what if someone decides to hot desk without taking their PC with them? Moving your IT to a non-persistent, virtual desktop model lets you work from anywhere,  from (just about) any device.

A bit about virtualizing your apps…

Citrix Application Layering Explained

Given what we’ve learned  so far, app layering sounds like the golden bullet for desktop delivery but it’s not quite the case. Lots of applications designed for Windows call upon files and frameworks that sit within the operating system (C++ libraries, .NET frameworks, Windows patching/OS files and .dll’s…you name it) – although a layered application can still read these files in the OS, you’ll often find apps that require Windows features like .NET Framework or a specific Microsoft KB update patch, and typically these cannot be virtualized using layer and must be installed into your image.

It’s important to try to discover what is installed in your current desktop estate per-use case. Each business will have dozens of use-cases, before you can move to a virtual platform you need to understand what your base image should contain.

 I recently discovered we could not package Microsoft Dynamics CRM Outlook 2011 plugin using FlexApp because it relies on Windows Foundation Identity service amongst other bizarre Microsoft prerequisites. 

We were forced to add the plug-in into the company’s master image, and find a method for toggling it on/off for those who required it…

Installing a Microsoft Office add-in on your Master Image and controlling load behaviour

  1. Find out how to control the load behavior – the best way to do this is to use the registry. All applications write to the machine registry when they’re installed.
  2. Open run > regedit
  3. In this example we’ll look at a Microsoft Office Add-in. Browse to HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns (the other suite apps will have their own keys within the \Office\ Root. This location is also valid under HKEY_Current_User. Some vendors use locations like HKLM\Software\VendorName
  4. Search the registry for ‘LoadBehaviour’ or ‘Behavior’ or the plug-in name – we want to first find the key that controls it, then test if it works.
    1. Typically the registry data value of 0 is ‘Disabled’ – the plugin will not load when MS Office is opened. If LoadBehavior=1 this is enabled.  Other values such as 3 are common – vendor documentation can inform you on what the values are and how that affects the plugin. Here’s an example
    2. Now you understand load behaviour, you can configure group policy to set the value in the registry (as a machine or user policy) based on which users you want the plugin to be enabled for.
      1. Example: Create a new GPO that uses User > Preferences > Registry that includes Enable and Disable load behaviours based on a user group membership.  If the user is a member of PowerPivotExcel then set the registry value under HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns\LoadBahavior to 1 (enable). Create another policy preference to default  the load behaviour for all users to 0 – remmeber, we always want this plugin to be disabled unless somebody needs  it, so you must configure a default rule.
        1. Alternatively, you can set the load behaviour to 0 in HKLM settings when you first install the plugin. In a linked clone environment, your master image will be cloned with this default behaviour in place.

Application troubleshooting tools

if you have trouble finding which registry keys are changed during an installation these tools can help –

  1. RegShot allows you to take a before-and-after snapshot of your registry and see a historical view of file system changes.
  2. ProcMon provides a real-time log of all system internal processes.
    1. Ctrl+x to clear the log
    2. Ctrl+E to enable logging
    3. Then use the Filter option to sort the output by Operation >  ‘RegKeyAddValue’ or similar events. This can be used extensively for any other kind of troubleshooting, not just registry related.
  3. WhatChanged is similar to RegShot.

Removing Start Menu Short Cuts in Windows 10

You don’t want all of your users  to see you’ve installed an app that they don’t use.

Removing Start Menu Shortcuts

Another location to check is %appdata%\Roaming\Microsoft\Windows\Start Menu

Best Practice Before You Deploy!

  • Check the vendors administrative guide for any command line switches that can be used during the installation to minimise this. Remember, most software developers like to receive as much data about how their product is being used which causes bloat and unwanted features to be included in a ‘default’ installation i.e. diagnostics being sent over your network. Always check the vendor’s installation guide for command line switches or tricks for disabling unwanted features. Be weary!
  • Is the default load behaviour set?
  • Does your method for enabling the plugin work?
  • Is the plugin the desired version, or can it be updated? Microsoft plugins can be patched and updated by running windows update.

Markit Wall Street Office – Packaging, Deployment And Tricks You Should Know!

If you use WSO you’ll know it’s a strange creature depending on how you have  your environment configured.

Administrator won’t maximise!


Occasionally WSO Admin might refuse to maximise on a desktop and sit in the task bar waiting to be killed off. This is often caused by the users profile data in SQL becoming smelly. To cleanse this, run the following script in SQL Management Studio against your WSO FCSCommon database:





Wipe my profile in Wall Street  Office

A more comprehensive script for cleansing a user profile involves running the following. Note – log the user out of WSO before running this.



Packaging Bloomberg Professional for VDI using AppVolumes or Liquidware FlexApp


The following post runs through how to install and package Bloomberg Professional for a VDI environment. The below example uses Liquidware’s FlexApp to do this, but the ideas below are applicable to AppVolumes with VMware DEM to manage the post-deployment script.

Version: This is intended for users of Bloomberg Anywhere and covers how to package and deploy Bloomberg Professional (Full Terminal).

Bloomberg Professional contains Office Tools (MS Office Add-In) and a full standalone desktop client.

Install on your capture VM

  1. Download the Bloomberg Full Terminal Installation  

2. Run the installer on your provisioning VM selecting Private IP Network as the environment type.

3. Launch the software and click past the connection wizard until you reach the login screen – you don’t want your users to see/do this!

4. Bloomberg has minimum requirements of Read/Write to the following HKLM registry key and subkeys. If you have UAC enabled, you need to set permissions against these keys to allow users R/W access to:


These permissions can’t be captured using AppVolumes or FlexApp because they’re machine-level settings, so we need to use a post-deployment script to add the permissions to the registry after the app has mounted to the desktop at logon time.

There’s a few methods for doing this and at the time we

Configure a post-deployment script using subinacl

The following script should be saved as a .bat file.

1. Download SubinACL

2. Extract the subinacl.exe to a network folder that your users can access.

3. Create the post-deployment script and deploy it, there’s a few ways to do this:

For Liquidware FlexApp – add this script as a post-deployment script – see this guide: ‘App Package Scripts’ section

For AppVolumes –  ideally you should use DEM (formerly UEM) to run the script elevated, at logon or you may need to use Group Policy to run a logon script and scope it against the Bloomberg users.

Another (untested!) option, you could try editing the snapvol.cfg file within AppVolumes – if this works for you, please let me know!

The below can be copied into a .bat file to be executed after the application has been deployed to your VDI desktop(s).

\\youdomain.com\netlogon\AFolderShare\Scripts\subinacl.exe /subkeyreg “HKEY_LOCAL_MACHINE\Software\wow6432node\Bloomberg L.P.” /grant=Everyone=F


1. Ensure subinacl and the .bat script sit in the same folder, ideally your netlogon share. If storing elsewhere, ensure the logged on user has rights to read/execute from that location.

2. Typically Bloomberg allows you to perform an APOD creation – this installs a generic license key which then lets a Bloomberg Anywhere user log in. If you need to configure this follow these steps: once you’ve installed the app on your capture VM, type CONN in the Bloomberg window to see the connection wizard. Under the Connections tab, click Submit. This will create a generic key code and allow the user to login using their Anywhere login creds

Bloomberg Minimum Requirements and File Rights.

3. Your Bloomberg users might not want the Office Add-Ins – to disable these, for ideas on how to disable office add-ins and manage load behavior

3. If your placing a shortcut to Bloomberg on the desktop, create this in: C:\Users\Public\Public Desktop 

4. Bloomberg requires updating every 3 months, add this to your maintenance schedule!





Welcome to Desktop Surgery – The End User Computing Blog For Aspiring Techies

This blog is largely a dumping ground where I can validate the hours spent pouring over IT virtualization and EUC challenges, hopefully saving you time and effort whilst learning some new tricks.

It will also contain anything else that’s useful for EUC and desktop support technicians.