Deploy Claude Desktop on Non-Persistent VDI

Deploy Claude Desktop on Non-Persistent VDI

In this post, I will show you step by step how to deploy Claude Desktop on Non-Persistent VDI.

The Process

The entire setup is split into a few stages.

Install Claude Desktop

To deploy Claude Desktop for Non-Persistent VDI, you need to use the Claude Desktop MSIX.

Add-AppxProvisionedPackage -Online -PackagePath "Claude.msix" -SkipLicense -Regions "all"Code language: PowerShell (powershell)

Now, when a user uses the updated non-persistent VDI desktop, Claude Desktop will be installed.

Disable Claude Desktop Updates

Claude Desktop gets updates very frequently, but you do not need to install them right away. Fortunately, Anthropic provides a way to disable updates on Claude Desktop. It’s also recommended to disable application auto-updates when used on non-persistent VDI.

  • Create the following registry key HKLM:\SOFTWARE\Policies\Claude
  • Create a DWORD named disableAutoUpdates with the value of 1
Registry setting to disable Claude Desktop updates.

When you launch Claude Desktop, it will no longer automatically check for updates, and the option to check for updates will be disabled.

Claude Desktop with updates disabled.

Manually Update Claude Desktop

When you want to update Claude Desktop on your non-persistent VDI gold image, you need to remove it first.

  • Run the following PowerShell command to remove the Claude Desktop MSIX deployment.
Get-AppxProvisionedPackage -online | where DisplayName -like *Claude* | Remove-AppxProvisionedPackage -OnlineCode language: PowerShell (powershell)
  • Run the following PowerShell command to remove the Claude Desktop MSIX installation.
Get-AppxPackage *Claude* -allusers | Remove-AppxPackage -allusersCode language: PowerShell (powershell)
  • Now you can download the updated MSIX from Claude and install the new version using the same process as Install Claude Desktop.

Claude Desktop User Settings Capture

When a user launches Claude Desktop for the first time, their settings are stored in the MSIX redirected location %LOCALAPPDATA%\Packages\Claude_pzs8sxrjxfjjc\LocalCache\Roaming\Claude and %LOCALAPPDATA%\Packages\Claude_pzs8sxrjxfjjc\LocalCache\Roaming\Claude-3p

Claude Desktop saving user settings to LocalAppData LocalCache.

Depending on how you capture the user’s AppData, the default MSIX redirected location can cause issues. Solutions such as FSLogix ignore the %LOCALAPPDATA%\Packages\*\LocalCache folders regardless of your configuration.

Read More Read More

I Went to BSides Calgary 2026

I Went to BSides Calgary 2026

I recently attended BSides in Calgary, Alberta, Canada, which took place from May 25th to May 26th. This was the 10th year of the BSides conference in Calgary, and it was also my second time attending BSides Calgary.

If you’ve never heard of BSides, it is a community-driven cybersecurity conference made by the community, for the community. Each local chapter creates and runs its own BSides conference.

In this post, I will detail my experience at BSides Calgary 2026.

In previous years, BSides Calgary was held at Bow Valley College. This year, the conference was hosted at Contemporary Calgary.

Contemporary Calgary

Contemporary Calgary is a really cool venue because it used to be the Centennial Planetarium, which was also the TELUS World of Science. I remember visiting it when it was the TELUS World of Science. It was really cool to see that space again.

Day 1

The day started with registering and picking up my badge.

My BSides Calgary 2026 Badge

After registering, it was time for the keynote, hosted by Terry Ingoldsby. In the keynote, Terry spoke about the history of the internet in Calgary. It was really cool to learn that the University of Calgary had access to the DARPA (Defense Advanced Research Projects Agency) version of the internet (at the time, the only version of the internet). Around the same time, Unix was growing in popularity, and CUUG (Calgary Unix User Group) was formed. Eventually, they got a connection from the University of Calgary, making CUUG the second place in Calgary to have internet. One of the things I took away from the keynote is that you shouldn’t look at cybersecurity as just good vs. evil, you should treat it as an engineering problem to solve instead, and just because you are secure doesn’t make you compliant, and just because you are compliant doesn’t make you secure.

The next session I attended was LLM-Assisted Malware Development: Case Study and Defensive Strategies, which was hosted by Kai Iyer. In the session, Kai dissected how the LameHug infostealer malware works. LameHug is really interesting because it is the first known malware to directly integrate AI into its workflow. At its core, it uses the LLM model Qwen 2.5-Coder-32B-Instruct, which Hugging Face hosts. The prompt LameHug sends to Qwen is very innocent, as it simply asks to gather basic system information and place it in a text file, which is no different from what a system administrator would do. Because of the innocent request, Qwen complies and doesn’t flag the prompt as malware.

Read More Read More

Install Omnissa DEM Application Profiler

Install Omnissa DEM Application Profiler

The Omnissa DEM (Dynamic Environment Manager) application profiler is a tool you can use to determine what you need to capture to make sure the user’s application settings and data are saved and roam with the user.

In this post, I will show you step by step how to install the Omnissa DEM Application Profiler.

Prerequisites

  • A Windows VM running Windows 10 or 11 Professional or Enterprise edition.

If you plan to capture an application that will run on a terminal server, you should install Windows Server 2016 or newer to capture everything correctly.

The Process

  • Download the Omnissa Dynamic Environment Manager from Omnissa Customer Connect.
  • Extract the Omnissa DEM Application Profiler MSI from the Optional Components folder in the Omnissa DEM zip file.

It’s common for the Omnissa DEM Application Profiler installer version to not match the DEM version you are using. Just make sure you use the one included with the DEM version you are using.

  • Connect to your Windows VM.
  • Run the Omnissa DEM Application Profiler Setup as an Administrator.
  • If you agree to the Omnissa General Terms, select I accept and click Next.
  • On the Custom Setup screen, make any necessary changes and click Next.

Read More Read More

I Went to VMUG Connect Minneapolis 2026

I Went to VMUG Connect Minneapolis 2026

I recently attended VMUG Connect in Minneapolis, Minnesota, USA, from April 7th to 9th. This is the second round of VMUG Connect conferences. After the success of the first VMUG Connect in St. Louis, VMUG ended their UserCons and replaced them with VMUG Connects.

Due to VMUG Connect replacing UserCons, there is more than one VMUG Connect conference. For 2026, VMUG Connect will be in the following cities.

  • Amsterdam, Netherlands (March 17th to 19th)
  • Minneapolis, Minnesota (April 7th to 9th)
  • Toronto, Ontario (May 12th to 14th)
  • Dallas, Texas (June 9th to 11th)
  • Orlando, Florida (October 20th to 22nd)

In this post, I will detail my experience at VMUG Connect 2026 in Minneapolis.

Travel Day

My adventure to VMUG Connect in Minneapolis was a shared one, as I was traveling with my friend Stephen Wagner. Our journey started with a direct flight from Calgary, Alberta, Canada, to Minneapolis, Minnesota, USA.

This was my second time going to Minneapolis, as I had traveled to Minneapolis in August for EUC World Amplify last year. You can read about that experience in my blog post, I Went to EUC World Amplify 2025.

Once we arrived in Minneapolis, we got all checked into the hotel. While we waited for our friends to arrive, we decided to explore downtown a bit. To my surprise, downtown Minneapolis actually has its own version of the Plus 15s that we have in Calgary, in Minneapolis they are called Skywalks. Plus 15s or Skywalks are a way to get around the downtown core without going outside. It’s super useful when the weather is bad. Minneapolis also has a double-decker Skywalk.

Minneapolis Skywalk

We then met up with some of our friends and went out to lunch. We ended up going to a restaurant named Hell’s Kitchen (it has nothing to do with Gordon Ramsey). We asked them who came first, and they said they did, and they had a licensing deal with Gordon Ramsey’s Hell’s Kitchen, which allowed them to use the name.

Hell’s Kitchen in Minneapolis

After lunch, we met up with more friends and went to the Mall of America. I had never been to the Mall of America before. It is currently the largest mall in America.

Mall of America amusement park

In Canada, we have the West Edmonton Mall, which is currently the largest mall in Canada. What’s interesting is that both malls are owned by the Triple Five Group. The West Edmonton Mall is 5.3 million square feet, and the Mall of America is 5.6 million square feet. What’s interesting is that the West Edmonton Mall has over 800 stores, while the Mall of America has only over 500. Both malls have an indoor amusement park, but only the West Edmonton Mall has an indoor waterpark.

After visiting the Mall of America, we all went back to the hotel and hung out at the hotel bar.

Day 1

The first day of VMUG Connect is registration day, and includes a few sessions. VMUG calls this day PreConnect.

I started by registering and collecting my badge.

My VMUG Connect Minneapolis badge

Read More Read More

Microsoft Entra ID External MFA

Microsoft Entra ID External MFA

Microsoft recently announced that External Authentication Methods has been renamed to External MFA and is Generally Available.

Microsoft also announced that Custom Controls is being deprecated, with its deprecation currently planned for September 30th, 2026. Microsoft Entra ID External MFA (formerly External Authentication Methods) replaces Custom Controls.

Here is a brief timeline of Custom Controls and External MFA:

  • September 2018: Custom Controls was released as a Public Preview.
  • March 2020: Microsoft acknowledged some limitations of Custom Control and said that something new was being built to replace it.
  • May 2024: External Authentication Methods was released as a Public Preview to replace Custom Controls.
  • March 2026: External Authentication Methods was renamed External MFA and became Generally Available.
  • September 2026: Custom Controls will be deprecated.

Here’s how to check if you have Custom Controls configured.

Custom Controls Configuration Check

  • Log in to the Microsoft Entra Admin Center.
  • Click on Entra ID > Conditional Access.
  • Click on Custom Controls (Preview).
  • If anything is listed, you are possibly using Custom Controls.

In my example, the Custom Control RequireDuoMfa is currently configured.

If you have Custom Controls configured, you also need to check if the configured Custom Controls are being used by Conditional Access policies.

Conditional Access Policy Check

  • Click on Policies.
  • Click on a Conditional Access policy.

In my example, I will click on the Conditional Access policy named Duo MFA Custom Controls.

Read More Read More

Palo Alto Change Master Key with HA (Active/Passive)

Palo Alto Change Master Key with HA (Active/Passive)

When a Palo Alto Networks firewall is configured with a unique master key, you need to change the master key before it expires, as when the master key expires, the firewall will reboot into maintenance mode, and you’ll need to factory reset it.

In this post, I will show you step by step how to change the Palo Alto Networks firewall master key before it expires.

Prerequisites

  • Palo Alto firewall configured with a unique master key.

If you haven’t configured a master key yet, my post, Palo Alto Configure Master Key with HA (Active/Passive), goes into detail on the process.

The Process

  • Backup your Palo Alto firewall config.

For more information on backing up your firewall config, my post, Palo Alto Config Backup, goes into detail.

Disable HA Config Sync

We need to disable the HA configuration synchronization on both firewalls in the HA setup before changing the master key.

Disable HA Config Sync GUI

  • On the Primary firewall, click on the Device tab.
  • Click on High Availability.
  • Click on the General tab.
  • In the HA Pair Settings, click on the gear icon in the Setup box.
  • Uncheck Enable Config Sync and click OK.
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Disable HA Config Sync CLI

  • SSH into the Primary firewall.
  • Enter configuration mode with the command configure
  • Run the following command to check your current HA config sync settings show deviceconfig high-availability group configuration-synchronization

If enabled is set to yes, we need to disable it.

  • Disable HA config sync with the following command set deviceconfig high-availability group configuration-synchronization enabled no
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Change Master Key

With HA config sync disabled, we can safely change the master key on both firewalls. The new master key must be exactly 16 characters.

Change Master Key GUI

  • On the Primary firewall, click on the Device tab.

Read More Read More

Deploy Sophos Firewall on VMware vCenter

Deploy Sophos Firewall on VMware vCenter

A virtual SFOS (Sophos Firewall Operating System) can run on many hypervisors, including VMware.

In this post, I will show you step by step how to deploy a virtual SFOS on VMware vCenter.

The Process

  • Download the ZIP file for the SFOS version you want to deploy from Sophos.

There are two locations where you can download the Sophos firewall files. The first is the Sophos Firewall Installers page, and the second is the Sophos Knowledge Base Article KBA-000007972.

  • Extract the ZIP file contents.

Inside the ZIP, there are a few files. The files we care about are sf_virtual_vm8_paravirtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

The sf_virtual_vm8_paravirtual.ovf is the most important because it supports VMXNET 3.

  • In VMware vCenter, right-click the cluster or host you want to deploy SFOS to, and click Deploy OVF Template.
  • Select Local file and click Upload Files.

The Sophos documentation instructs you to select the manifest file sf_virtual.mf, the OVF file you want to use, and the VMDKs. This process only work if you are using the sf_virtual.ovf OVF file.

If you use the manifest file sf_virtual.mf with any OVF other than sf_virtual.ovf, the vCenter checksum verification will fail, and you can not proceed.

If you open the manifest file sf_virtual.mf with notepad, you see that it only contains the checksums for sf_virtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

This explains why the vCenter checksum verification fails when you select any OVF other than sf_virtual.ovf.

We don’t want to use the OVF sf_virtual.ovf because it uses the Vlance network adapter, which is an emulated version of the AMD 79C970 PCnet32 LANCE NIC, a 10 Mbps NIC.

Read More Read More

Sophos Firewall Initial Setup

Sophos Firewall Initial Setup

Before you can start using a Sophos firewall, you must complete the initial setup.

In this post, I will show you step by step, how to complete the initial setup of a virtual SFOS (Sophos Firewall Operating System). The process will be similar on a physical Sophos firewall.

Prerequisites

  • Internet access.
  • Console access.

The Process

  • Connect to the SFOS VM console.
  • Enter the admin password.

The default admin password is admin.

  • Review the End User Terms of Use and accept them if you agree.
  • Enter 1 for Network Configuration Menu.
  • Enter 1 for Interface configuration.

Read More Read More

Sophos Firewall Interface Mapping on vSphere

Sophos Firewall Interface Mapping on vSphere

When you deploy a Sophos firewall on VMware vSphere, you start with 3 network interfaces PortA for LAN, PortB for WAN, and PortC is unassigned.

In VMware vCenter, PortA is Network adapter 1, PortB is Network adapter 2, and PortC is Network adapter 3.

However, when you add more network adapters in VMware vSphere, the mappings between SFOS (Sophos Firewall Operating System) and VMware vSphere no longer align.

In this post, I will show you, step by step, how to add more network interfaces to SFOS (Sophos Firewall Operating System) running on VMware vSphere and how to map the interfaces between SFOS and VMware vCenter.

The Process

Adding Interfaces

  • In vCenter, shut down the SFOS VM.
  • Once the SFOS VM has shut down, click on Edit Settings.
  • To add additional network adapters, click Add New Device, then click Network Adapter.

VMware vCenter VMs can have up to 10 network adapters.

In my example, I will add 7 more network adapters, bringing the total to 10.

When adding network adapters, it defaults to the E1000 adapter type, which you can use, but it’s recommended to use the VMXNET 3 adapter type.

  • On each new network adapter, change the Adapter Type from E1000 to VMXNET 3.
  • Power on the SFOS VM.

Mapping Interfaces

Once the SFOS VM has booted after adding the additional network adapters, the interface mapping between vCenter and SFOS won’t match, except that the SFOS network interface PortA always maps to network adapter 1 in vCenter.

Since PortA in SFOS is always vCenter network adapter 1, we will update its name in SFOS to reflect this mapping in vCenter.

  • Login to the SFOS.
  • Click on Configure > Network.

Read More Read More

Sophos Firewall Remove GuestAP Interface

Sophos Firewall Remove GuestAP Interface

By default, Sophos firewalls have a wireless network interface called GuestAP. Normally, this isn’t much of an issue, but if you don’t plan to use Sophos Wireless, it doesn’t make sense to keep the GuestAP network interface.

In this post, I will show you step by step how to remove the GuestAP network interface on SFOS (Sophos Firewall Operating System).

The Process

  • Login to the Sophos firewall.
  • Click on Protect > Wireless.

Read More Read More