Latest posts

VMware vCenter Native Key Provider

VMware vCenter can be a key provider, which is perfect for using a vTPM (Virtual Trusted Platform Module). With VMware vSphere, you can configure a native key provider that VMware vCenter fully manages. No external key provider is needed. The native key can even be used to encrypt your VMs.

In this post, I will show you step-by-step how to add a Native Key Provider (NKP) to VMware vCenter.

The Process

  • Log in to VMware vCenter.
  • Click on your vCenter.
  • Click on the Configure tab.
  • Under the Security section, click on Key Providers.

Disable Windows Server 2025 Diagnostic Data Screen

With Windows Server 2025, Microsoft is more in your face about sending your diagnostic data to them. I am okay with sending them the data if it helps make their products better.

What I have a problem with is that the send diagnostic data to Microsoft screen is displayed on every first logon on each Windows Server 2025 system even if you have settings defining what diagnostic data to send to Microsoft.

This is the send diagnostic data to Microsoft screen you see on Windows Server 2025 desktop experience on first logon.

This is the send diagnostic data to Microsoft screen you see on Windows Server 2025 core on first logon.

In this post, I will show you step-by-step how to turn off the prompt to send diagnostic data to Microsoft.

The Process

  • Make a new GPO.

I will call mine Disable Send Diagnostics Data Prompt.

  • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > OOBE.

Omnissa Horizon Connection Server Backup

At the very core of Omnissa Horizon is an ADAM (Active Directory Application Mode) LDAP (Lightweight Directory Access Protocol) database. Even though Horizon servers are typically domain-joined, they still maintain their own ADAM LDAP database for all the configurations in Horizon. It’s a good idea to back up the ADAM LDAP database as it can help you get out of some sticky situations.

In this post, I will show you step-by-step how to back up an Omnissa Horizon Connection Server (formerly VMware Horizon Connection Server), including how to schedule the backup, how to run the backup on demand with the GUI or CLI, how to change the data recovery password, and how to test the data recovery password.

Scheduled Backup

  • Log in to the Horizon Admin Console.
  • Click on Settings > Servers.
  • Click on Connection Servers.
  • Select the Connection Server and click on Edit.
  • Click on Backup.
  • Change the backup setting as needed.

The default setting is that the backups run every day at midnight, 10 backups are kept, and the backups are saved in C:\ProgramData\Omnissa\Horizon\backups.

Change Data Recovery Password

When you install the Horizon connection server, you define the data recovery password, which is used to encrypt the backups of the Horizon ADAM LDAP database. Fortunately, if the password is unknown, it’s possible to change it.

Omnissa Horizon Client Default Server

There are a few ways to preload the Omnissa Horizon client (formerly the VMware Horizon client) with a default Horizon Connection Server.

One method is to deploy the Horizon prefs.txt file with the Horizon connection server. For more information about the prefs.txt file method, my blog post, Omnissa Horizon Client prefs.txt, goes into detail.

Another method is the VDM_SERVER property. When you install the Horizon client, you can define the VDM_SERVER property. Omnissa does have some documentation about the VDM_Server property. However, it only says that you can use it to set a default horizon connection server for the users. It doesn’t go into detail on how it works. If you run the help command on the Horizon client installer, it doesn’t go into much more detail either.

Horizon client installer help dialog

Given that there isn’t a lot of info about the VDM_Server property, I needed to know more, and down the rabbit hole I went.

How does the VDM_Server property work, and is it better than using the prefs.txt file to preload the Horizon connection server? If the VDM_Server property works better, it could simplify how I’ve been deploying the Horizon client. I also needed to know if it works only for the user that installed the Horizon client or all users. I wanted to see if it did the same thing I did manually with the prefs.txt file.

If you install the Horizon client using the logging command /l or /log, everything the Horizon client install does is logged to a log file.

With logging enabled, I ran the Horizon client install with a value for the VDM_SERVER property. The command I ran was

.\Omnissa-Horizon-Client.exe VDM_SERVER="Horizon.1company.com;Horizon.2company.com" /l C:\temp\HorizonInstall.log

Omnissa Horizon Client prefs.txt

There’s not a lot of official information about the prefs.txt file that the Omnissa Horizon client (formerly the VMware Horizon client) creates and uses.

I’ve figured out that the prefs.txt text file is in XML format and is generated by the Horizon client, usually once the user changes a setting in the Horizon client. It seems that prefs.txt is used to store all the user settings that the user has configured within the Horizon client.

Here’s an example of the contents of a prefs.txt file.

<?xml version="1.0" encoding="utf-8"?>
<Root>
  <RecentServer serverName="horizon.company.com" isSyncShortcutsEnabled="false">
    <SecondaryServerList />
    <ShortCuts />
    <FileRedirection>
      <AppExtensionInfo AppId="cn=microsoft_edge,ou=applications,dc=vdi,dc=vmware,dc=int" AppName="Microsoft Edge">
        <Extension Name="htm" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="html" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="mht" Display-name="Microsoft Edge MHT Document" />
        <Extension Name="mhtml" Display-name="Microsoft Edge MHT Document" />
        <Extension Name="pdf" Display-name="Microsoft Edge PDF Document" />
        <Extension Name="shtml" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="svg" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="webp" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="xht" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="xhtml" Display-name="Microsoft Edge HTML Document" />
        <Extension Name="xml" Display-name="Microsoft Edge HTML Document" />
      </AppExtensionInfo>
    </FileRedirection>
    <RecentDesktop desktopID="cn=vdis,ou=applications,dc=vdi,dc=vmware,dc=int" autoSyncToggleKeysMode="7">
      <LastDisplaySize displaySize="Fullscreen" height="0" width="0">
        <SelectedMonitors />
      </LastDisplaySize>
    </RecentDesktop>
  </RecentServer>
  <DataSharingSettings Allowed="1" />
  <BlastSettings allowClientH264YUV444="true" allowClientHEVCYUV444="true" allowClientHDR="true" DisableDisplayNetworkState="false" DisableDisplayNetworkStateManually="true" />
  <BrokerJumpList>
    <BrokerJump BrokerName="horizon.company.com" BrokerArguments="horizon-client://horizon.company.com/" />
  </BrokerJumpList>
  <AutoCheckForUpdate autoCheckForUpdate="false" />
  <sharingList allowAccessRemovable="true" shareHomeDirectory="true">
    <sharingItem from="C:\Users\daniel" />
    <sharingItem from="T:\" />
  </sharingList>
  <GeolocationSharingSettings GeoSharingAllowed="true" />
  <WebrtcSettings WebrtcScreenSharePerm="1" enableWebRTCRedirection="true" WebrtcSuppressScreenSharePrompt="true" />
</Root>

The prefs.txt file is stored in the user’s AppData Roaming folder.

The file will be in the following locations depending on which version of the Horizon client you use.

  • For Horizon clients version 2412 or newer, it is stored in %AppData%\Omnissa\Omnissa Horizon Client
  • For Horizon clients older than version 2412, it is stored in %AppData%\VMware\VMware Horizon View Client

Horizon-Prefs Script

Because the contents of the prefs.txt file are predictable, I created a script called Horizon-Prefs. You can find the script on my GitHub https://github.com/thedxt/Omnissa#horizon-prefsps1. The Horizon-Prefs script can place the prefs.txt file in the correct location for all users, just a single user, or both.

I’ve used my script to deploy the prefs.txt file to systems to configure some Horizon client settings that don’t have GPO options. I’ve also used it to configure Horizon client settings on systems that aren’t joined to a domain.

Windows Default User Profile

With Microsoft Windows installations, there’s a hidden user profile called Default. Anything in that user profile is copied directly to any new user account that logs into the computer. It is a template for each user who logs onto that system.

The default user profile is located at C:\Users\Default.

List of users in C:\Users showing the Default user profile.

When a user logs into a Windows system for the first time, a user profile is created for that user on that system. As part of the first logon process, Windows uses the Default user profile to build the user’s profile on the system. This process only happens the first time a user logs into that system.

Files and folders located in the Default user profile.

The fact that the default user profile exists gives us the power to tweak it. Any files we place in that Default user profile will be copied to each user who logs into that system for the first time.

For example, I will create a text file called I am text.txt and place it in C:\Users\Default\Desktop

Text file placed in the Default user profile.
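As an added example that is not the author's Horizon-Prefs script, the function below ties the two ideas above together: it generates a minimal prefs.txt (using only the RecentServer, SecondaryServerList and BrokerJumpList elements seen in the sample file) and drops it into the Default profile, the current user's roaming AppData, or both, using the folder names given for the 2412-and-newer and older clients. The Default-profile root is assumed to be %SystemDrive%\Users\Default\AppData\Roaming, which is where %AppData% resolves for that profile; the server name is a placeholder.

```powershell
# Added example, not the author's Horizon-Prefs script.
# Builds a minimal prefs.txt that preloads one Connection Server and places it
# in the Default profile (inherited by every new user) and/or the current user's
# roaming AppData. Folder names are the ones from the post.

function New-HorizonPrefsXml {
    param([Parameter(Mandatory)][string]$Server)
    $xml  = New-Object System.Xml.XmlDocument
    $null = $xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null))
    $root = $xml.AppendChild($xml.CreateElement('Root'))

    # Same RecentServer shape as the sample file, with an empty secondary list.
    $recent = $root.AppendChild($xml.CreateElement('RecentServer'))
    $recent.SetAttribute('serverName', $Server)
    $recent.SetAttribute('isSyncShortcutsEnabled', 'false')
    $null = $recent.AppendChild($xml.CreateElement('SecondaryServerList'))

    # Jump-list entry so the server also shows up in the taskbar menu, as in the sample.
    $jumpList = $root.AppendChild($xml.CreateElement('BrokerJumpList'))
    $jump     = $jumpList.AppendChild($xml.CreateElement('BrokerJump'))
    $jump.SetAttribute('BrokerName', $Server)
    $jump.SetAttribute('BrokerArguments', "horizon-client://$Server/")
    return $xml
}

function Install-HorizonPrefs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('Default', 'CurrentUser', 'Both')][string]$Scope = 'Both',
        [switch]$LegacyClient,   # client older than 2412 uses the VMware folder name
        [switch]$Force           # overwrite an existing prefs.txt
    )
    $subFolder = if ($LegacyClient) { 'VMware\VMware Horizon View Client' }
                 else               { 'Omnissa\Omnissa Horizon Client' }

    # Assumption: the Default profile lives under the system drive, as in the post (C:\Users\Default).
    $roots = @()
    if ($Scope -in 'Default', 'Both')     { $roots += Join-Path $env:SystemDrive 'Users\Default\AppData\Roaming' }
    if ($Scope -in 'CurrentUser', 'Both') { $roots += $env:APPDATA }

    foreach ($root in $roots) {
        $dir  = Join-Path $root $subFolder
        $file = Join-Path $dir 'prefs.txt'
        if ((Test-Path $file) -and -not $Force) {
            # Never silently clobber settings a user has already saved.
            Write-Warning "$file already exists; use -Force to overwrite it."
            continue
        }
        $null = New-Item -ItemType Directory -Path $dir -Force
        (New-HorizonPrefsXml -Server $Server).Save($file)
        Write-Verbose "Wrote $file"
    }
}

# Usage (an elevated prompt is needed to write into C:\Users\Default):
# Install-HorizonPrefs -Server horizon.company.com -Scope Both -Verbose
```

Because prefs.txt sits in the user's own profile, anyone logged in can edit it; treat a preloaded server as a convenience for users, not as a control, and use the GPO settings wherever one exists for the option you care about.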

Nginx Proxy Manager Setup

Nginx Proxy Manager (NPM) is an open-source Docker image that lets you run a reverse proxy and can even handle SSL certificates for you using Let’s Encrypt. It’s great when you can’t use a Cloudflare Tunnel or an Entra App Proxy. I’ve been using Nginx Proxy Manager for a while now, and it’s been perfect for what I need.

In this post, I will show you step-by-step how to set up Nginx Proxy Manager with Docker and configure a Proxy Host, Redirection Host, 404 Host, add a custom SSL certificate, and enable SSL.

Prerequisites

  • Access to the DNS for the domains you want to use.
  • Access to create port forwards for port 80 and 443.
  • Docker host.

Initial Setup

  • Make a folder to store your configurations for Nginx Proxy Manager.
  • Make a new docker-compose.yml file.

Your docker-compose.yml file should look something like this.

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

The docker compose file will create a folder named data in the location where the docker-compose.yml file is. The data folder holds the SQLite database for NPM, log files and other configuration files. A folder named letsencrypt will also be created, where your Let’s Encrypt data is stored.

  • Run the following command to start the Nginx Proxy Manager docker container.

docker compose up -d

  • Go to the address of your Docker host on port 81 to access the NPM admin interface.
  • Login with the default admin user.

Email: [email protected]
Password: changeme

You will be forced to change it on the first login.

  • Change the user details as needed.
  • Change the password.

Install Debian 12 Bookworm

Debian is a solid Linux distribution I’ve been using for a while. It is my default Linux OS of choice. Many popular Linux distros are actually based on Debian, such as Ubuntu, Proxmox, Kali Linux, TrueNAS SCALE, SONiC, Raspberry Pi OS, SteamOS and many more.

In this post, I will show you step-by-step how to install Debian 12, aka Bookworm.

The Process

  • Download the Debian ISO from Debian.org (I tend to use the small installation image, aka netinst, as it has everything I need out of the box, and anything else I can download as needed)

When you boot up the Debian installation media, you are presented with the option of a graphical version of the installation or a text-only version. It doesn’t matter which option you select. The end result is the same.

  • Select if you want to use the graphical (aka GTK) or text-based install (aka newt).

I tend to use the text-based installation more as I can complete it slightly faster.

  • Select your language.

The language you select will be used for the installation process and will be the default language for the Debian install.

I will select English.

  • Select your location.

I will select Canada.

  • Select the keyboard layout you use.

I will select American English.

  • Enter the hostname for the Debian system.

I will use the hostnames DXT-DEB01 and DXT-DEB02

  • Enter the domain name if the Debian system is on a domain network. If not, just leave it blank.

Palo Alto Certificate Chain Fix

An issue I’ve run into on Palo Alto Networks firewalls is that everything seems to work when importing a certificate (usually a PFX). Until you start using the certificate, then after a validation or a commit, there’s a warning that the certificate chain is not correctly formed.

Warning: certificate chain not correctly formed in certificate wild_thedxt_ca
(Module: device)

Certificate chain issues are commonly caused when the certificate chain is out of order. You can read more about certificate chains in my blog post, Certificate Chain. If you want to read more about what can cause broken certificate chains, my blog post, Broken Certificate Chain, goes into more detail.

An incorrect certificate chain can cause issues with a few items on a Palo Alto firewall. One of them can be GlobalProtect when the option FULLCHAINCERTVERIFY="yes" is used during the GlobalProtect install or when the registry value named full-chain-cert-verify is set to yes in the registry path HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

GlobalProtect malformed certificate error

In this post, I will show you step-by-step how to fix a certificate chain on a Palo Alto Networks firewall.

The Process

  • Click on the Device tab.
  • Click on Certificate Management > Certificates.
  • Select the certificate that is not correctly formed and click on Export Certificate.

In my example, the certificate named wild_thedxt_ca is the one I need to fix.

Convert PEM to PFX Certificate

Sometimes, you have a certificate in PEM format as a CRT file (also called a CER file) with a key file (also called a PEM file), and you need to combine and convert them into a PFX certificate.

In this post, I will show you step-by-step how to convert a PEM certificate into a PFX file.

Prerequisites

  • OpenSSL binary installed. You can find the OpenSSL binaries on the OpenSSL wiki.
  • Private key file
  • SSL Certificate

The Process

  • Place everything in a working directory.

I will be using C:\SSL as my working directory.

  • Open the command line. You can use Linux or Windows. The commands are all the same regardless of which OS you are using.

I will be using Microsoft Windows with Windows Terminal and PowerShell.

To convert the certificate using OpenSSL, we will need to use a few options to create our command.

  • The options we will use are
    • pkcs12 to tell OpenSSL that we will be working with a PKCS#12 file. PKCS#12 is another name for a PFX file.
    • inkey to tell OpenSSL which private key to use.
    • in to tell OpenSSL which certificate file to use.
    • export to tell OpenSSL we want to export a PKCS#12 file.
    • out to tell OpenSSL where to save the converted certificate.
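The PowerShell functions below are an added example, not the author's commands; they assemble the five options just listed into one openssl call and, going a step beyond the post, let you bundle the CA chain with -certfile after first checking that the bundle is in leaf-first order, which is the ordering problem the Palo Alto section above describes. They assume openssl is on the PATH and the C:\SSL working directory from the post; the file names in the usage line are placeholders.

```powershell
# Added example (not from the post): check a PEM chain's order, then combine a
# PEM key and certificate into a PFX with openssl pkcs12. Assumes openssl is on PATH.

function Test-PemChainOrder {
    # Returns $true when every certificate in the bundle is issued by the one after it
    # (leaf first, then each intermediate, ending with the last issuer).
    param([Parameter(Mandatory)][string]$BundlePath)
    $text  = Get-Content -Raw $BundlePath
    $certs = @([regex]::Matches($text, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
               ForEach-Object { $_.Value })
    if ($certs.Count -eq 0) { throw "No certificates found in $BundlePath" }

    # Ask openssl for a canonical (RFC 2253) subject and issuer of each certificate.
    $names = @(foreach ($pem in $certs) {
        $out = $pem | openssl x509 -noout -subject -issuer -nameopt RFC2253
        [pscustomobject]@{
            Subject = ($out | Where-Object { $_ -like 'subject=*' }) -replace '^subject=', ''
            Issuer  = ($out | Where-Object { $_ -like 'issuer=*' })  -replace '^issuer=', ''
        }
    })
    for ($i = 0; $i -lt $names.Count - 1; $i++) {
        if ($names[$i].Issuer -ne $names[$i + 1].Subject) {
            Write-Warning ("Chain out of order at position {0}: '{1}' is not issued by '{2}'" -f
                           $i, $names[$i].Subject, $names[$i + 1].Subject)
            return $false
        }
    }
    return $true
}

function ConvertTo-Pfx {
    param(
        [Parameter(Mandatory)][string]$KeyFile,    # PEM private key (the .pem file)
        [Parameter(Mandatory)][string]$CertFile,   # PEM certificate (the .crt/.cer file)
        [Parameter(Mandatory)][string]$OutFile,    # destination .pfx
        [string]$ChainFile,                        # optional PEM bundle of CA certificates
        [Parameter(Mandatory)][securestring]$Password
    )
    if ($ChainFile -and -not (Test-PemChainOrder $ChainFile)) {
        throw "Fix the certificate order in $ChainFile before exporting."
    }
    # Pass the PFX password through an environment variable so it never appears
    # on the command line or in shell history.
    $env:PFX_PASS = [System.Net.NetworkCredential]::new('', $Password).Password
    try {
        $opensslArgs = @('pkcs12', '-export',
                         '-inkey', $KeyFile,
                         '-in', $CertFile,
                         '-out', $OutFile,
                         '-passout', 'env:PFX_PASS')
        if ($ChainFile) { $opensslArgs += @('-certfile', $ChainFile) }   # beyond the post's five options
        & openssl @opensslArgs
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

        # Read the PFX back to confirm it parses and to list what it carries.
        & openssl pkcs12 -in $OutFile -info -noout -passin env:PFX_PASS
    }
    finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder file names):
# ConvertTo-Pfx -KeyFile C:\SSL\key.pem -CertFile C:\SSL\cert.crt -ChainFile C:\SSL\chain.crt `
#               -OutFile C:\SSL\cert.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

Running the order check before the export is cheaper than discovering the problem at commit time on the firewall; if the function warns, reorder the bundle so the server certificate comes first and each following certificate is the issuer of the one before it.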