1 and Licensing
Frequent upgrades: XenApp and XenDesktop 7.14.1 is a Current Release (CR). It is only supported for 6
months from the date it was released by Citrix. You are expected to in-place upgrade to the next Current
Release when it becomes available. If you're not willing to perform frequent upgrades, then the
Long Term Service Release (LTSR) might be more appropriate for you.
Automation: If you want to automate the install of Delivery Controllers, see Dennis Span, Citrix Delivery
Controller unattended installation with PowerShell and SCCM.
Citrix Licensing: If you are going to use an existing Citrix Licensing Server, upgrade it to 11.14.1.1 build
20104.
Note: 7.14 and newer support multiple license types in a single farm. See CTX223926 How to Configure
Multiple License Types within a Single XenApp and XenDesktop Site.
SQL Databases
Installing Group Policy Management on the Delivery Controller lets you edit GPOs and have access
to the Citrix Policies node in the GPO Editor. Or you can install Citrix Studio on a different machine
that has GPMC installed.
vSphere
Create a role in vSphere Client. Assign a service account to the role at the Datacenter or higher
level.
1. A typical size for the Controller VMs is 2-4 vCPU and 8+ GB of RAM. If all components (Delivery
Controller, StoreFront, Licensing, Director, SQL Express) are installed on one server, then you might
want to bump up memory to 10 GB or 12 GB.
2. From Local Host Cache sizing and scaling at Citrix Docs:
   1. For LHC LocalDB, assign the Controller VMs a single socket with multiple cores.
   2. Add two cores for LHC.
   3. Add at least three more Gigs of RAM and watch the memory consumption.
   4. Since there's no control over LHC election, ensure all Controllers have the same specs.
3. Make sure the User Right Log on as a service includes NT SERVICE\ALL SERVICES or add NT
SERVICE\CitrixTelemetryService to the User Right.
5. On two Delivery Controllers, install the Delivery Controller software. Run AutoSelect.exe from the
7.14.1 ISO. Make sure it's 7.14.1, and not 7.14.0.
6. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed
in the installation wizard.
7. On the left, click Delivery Controller.
8. In the Licensing Agreement page, select I have read, understand, and accept the terms, and
click Next.
9. In the Core Components page, you can install all components on one server, or on separate servers.
Splitting them out is only necessary in large environments, or if you have multiple farms and want
to share the Licensing, StoreFront, and Director components across those farms.
10. In the Features page, uncheck the box next to Install Microsoft SQL Server 2014 SP2 Express, and
click Next.
13. In the Call Home page, make a selection, click Connect, enter your Citrix Cloud or MyCitrix.com
credentials, and then click Next.
14. In the Finish page, click Finish. Studio will automatically launch.
15. Programs and Features should show Citrix XenDesktop 7.14.1 as version 7.14.1.14098.
16. Ensure the two Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule.
Create Site
If you have sysadmin permissions to SQL, let Citrix Studio create the databases automatically.
If you don't have sysadmin permissions to SQL, then use Citrix Studio to generate SQL scripts, and
send them to a DBA.
2. In the Introduction page, select An empty, unconfigured site. This reduces the number of pages in
this Setup wizard. The other pages will be configured later.
3. Enter a Site Name (aka farm name), and click Next. Only administrators see the farm name.
4. In the Databases page, if you are building two Controllers, click Select near the bottom of the same
page.
5. Click Add.
6. Enter the FQDN of the second Controller, and click OK. Note: the Delivery Controller software must
already be installed on that second machine.
7. Then click Save.
8. If you don't have sysadmin permissions, change the selection to Generate scripts to manually set
up databases on the database server. Change the database names if desired, and click Next.
11. Near the top of each script are two lines to create the database. Uncomment both lines (including
the go line). Then save and close the file.
12. Once all of the scripts are edited, you can send them to your DBA.
13. On the Principal SQL Server, open the file Site_Principal.sql.
17. If you have a mirrored database, run the second script on the mirror SQL instance. Make sure
SQLCMD mode is enabled.
23. Back in Citrix Studio, click the Continue database configuration and Site setup button.
24. In the Databases page, enter the SQL server name, and instance name, and click Next.
25. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you
installed Licensing with your Delivery Controller, then simply enter localhost. See CTX223926 How
to Configure Multiple License Types within a Single XenApp and XenDesktop Site.
26. XenApp/XenDesktop 7.14 requires the newest Licensing Server. If your server isn't compatible,
leave it set to localhost and fix it later.
27. If the Certificate Authentication appears, select Connect me, and click Confirm.
29. In the Summary page, if your databases are mirrored, each database will show high availability
servers, and the name of the Mirror server. Click Finish.
30. It will take some time for the site to be created.
Verify Database Mirroring
If your database is mirrored, when you run asnp citrix.* and then run get-brokerdbconnection, you'll see
the Failover Partner in the database connection string.
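An added example (not from the original guide or from Citrix) that turns the check above into a repeatable audit: it parses each service's connection string and reports the SQL server, database, Failover Partner, and whether Integrated Security is used. The function name Test-CitrixDbConnection and the sample strings are constructed for illustration; on a Controller the strings come from the Get-*DBConnection cmdlets.

```powershell
# Added example: audit Citrix site database connection strings.
# Test-CitrixDbConnection is a hypothetical helper name, not a Citrix cmdlet.
Add-Type -AssemblyName System.Data

function Test-CitrixDbConnection {
    param(
        # Map of cmdlet (service) name -> connection string
        [Parameter(Mandatory)] [hashtable] $ConnectionStrings,
        # Set when the databases are mirrored and a Failover Partner is expected
        [switch] $ExpectMirror
    )
    foreach ($name in ($ConnectionStrings.Keys | Sort-Object)) {
        $findings = @()
        $server = $database = $partner = $null
        $raw = $ConnectionStrings[$name]
        if ([string]::IsNullOrWhiteSpace($raw)) {
            $findings += 'no connection string set'
        } else {
            try {
                # The builder normalizes synonyms such as Server / Data Source
                $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $raw
                $server   = $b['Data Source']
                $database = $b['Initial Catalog']
                $partner  = $b['Failover Partner']
                if ($ExpectMirror -and -not $partner) { $findings += 'Failover Partner missing' }
                if (-not $b['Integrated Security'])   { $findings += 'not using Integrated Security' }
            } catch {
                $findings += "unparseable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Service         = $name
            Server          = $server
            Database        = $database
            FailoverPartner = $partner
            Findings        = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

if (Get-Command Get-BrokerDBConnection -ErrorAction SilentlyContinue) {
    # On a Delivery Controller (after asnp citrix.*): collect the live strings
    $strings = @{}
    Get-Command Get-*DBConnection | ForEach-Object { $strings[$_.Name] = & $_ }
} else {
    # Constructed sample values so the example runs anywhere
    $strings = @{
        'Get-BrokerDBConnection'  = 'Server=SQL01\CITRIX;Initial Catalog=CitrixSite;Integrated Security=True;Failover Partner=SQL02\CITRIX'
        'Get-ConfigDBConnection'  = 'Server=SQL01\CITRIX;Initial Catalog=CitrixSite;Integrated Security=True'
        'Get-MonitorDBConnection' = 'Server=SQL01\CITRIX;Initial Catalog=CitrixMonitoring;User ID=svc_citrix;Password=placeholder'
        'Get-LogDBConnection'     = ''
    }
}
Test-CitrixDbConnection -ConnectionStrings $strings -ExpectMirror | Format-Table -AutoSize
```

With the constructed sample, only the Broker entry reports OK; the other three rows show a missing Failover Partner, embedded SQL credentials, and an unset connection string.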
Second Controller
When building the first Delivery Controller, the scripts might have already included the second Delivery
Controller. Thus no special SQL permissions are needed. If the second Delivery Controller has not already
been added to the SQL databases, then there are several methods of adding a second Controller to the
databases for XenApp/XenDesktop:
If you have sysadmin permissions to SQL, let Citrix Studio modify the databases automatically.
If you don't have sysadmin permissions to SQL, then use Citrix Studio to generate SQL scripts and
send them to a DBA.
1. On the first Delivery Controller, if StoreFront is installed, delete the default StoreFront store
(/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/CompanyStore).
4. Enter the name of the first Delivery Controller, and click OK.
5. If you don't have full SQL permissions (sysadmin), click No when asked if you want to update the
database automatically.
6. Click Generate scripts.
7. A folder will open with six scripts. If not mirroring, then the top three scripts need to be sent to a
DBA. If mirroring, send all six.
11. If SQLCMD mode was enabled properly, then the output should look something like this:
14. In Citrix Studio, under Configuration > Controllers, you should see both controllers.
From B.J.M. Groenhout at Citrix Discussions: The following adjustments can be made if Desktop Studio
(and other Citrix management Consoles) will start slowly:
Within Internet Explorer, go to Tools > Internet Options > Tab Advanced > Section Security, and
uncheck the option Check for publisher's certificate revocation
After adjustment Desktop Studio (MMC) will be started immediately. Without adjustment it may take
some time before Desktop Studio (MMC) is started.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
o State=dword:00023e00
From Samuel Legrand, XenApp 7.14 (Really) Manage a DR!: Citrix Policies has a setting called Concurrent
Logon Tolerance. However, it is not a hard limit, meaning once the limits are reached, it continues to let
users connect. You can configure the Controllers to make it a hard limit by setting the following registry
value:
HKLM\Software\Policies\Citrix\DesktopServer
o LogonToleranceIsHardLimit (DWORD) = 1
If you have 10,000 or fewer VDAs per zone (up to 40,000 VDAs per multi-zone site/farm), you can enable
Local Host Cache (LHC) instead of Connection Leasing. LHC allows new sessions to be started even if the SQL
database is unavailable. VDA limits for LHC are higher in 7.14 than in previous versions of
XenApp/XenDesktop.
1. For LHC LocalDB, assign the Controller VMs a single socket with multiple cores.
2. Add two cores for LHC.
3. Add at least three more Gigs of RAM and watch the memory consumption.
4. Since there's no control over LHC election, ensure all Controllers have the same specs.
5. The Docs article has scripts for monitoring LHC performance.
If the rebooted DDC is the elected one, a different DDC will take over (causing registration storm)
and when the DDC gets back, it will take over brokering causing second registration storm. Site will
sort itself out and all will work.
If the rebooted DDC is not the elected one, it will not impact any functionality.
If you turn the DDC down when site is working, and start it during outage, LHC will not trigger on
that machine. This DDC will not impact the LHC unless it would become the elected one. In that
scenario it will take control, however not start LHC and resources would not be available.
For Windows Server 2008 R2 Controllers, PowerShell 3, or newer, is required. See LHC XD 7.12 and
W2K8SR2 SP1 at Citrix Discussions.
asnp citrix.*
Set-BrokerSite -ConnectionLeasingEnabled $false
Set-BrokerSite -LocalHostCacheEnabled $true
George Spiers Local Host Cache XenApp & XenDesktop 7.12 shows the Event Log entries when LHC is
enabled.
Database Maintenance
The XenDesktop Database can become heavily utilized under load in a large environment. Therefore Citrix
recommends enabling the Read_Committed_Snapshot option on the XenDesktop databases to remove
contention on the database from read queries. This can improve the interactivity of Studio and Director. It
should be noted that this option may increase the load on the tempdb files. See Citrix article
CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.
CTX140319 How to Migrate XenDesktop Database to New SQL Server has the correctly ordered list of
PowerShell commands to change the database connection strings. Make sure PowerShell is running as
administrator before running these commands.
Here are the DB Connections that must be changed. This list might be longer than the article. When using
the article, make sure you include all of the DB Connections shown below. You can get the full list of
database commands by running Get-Command Set-*DBConnection. When changing the DB connections,
AdminDBConnection must be the last to be set to NULL, and the first to be configured with the new
connection string.
Citrix CTX221389 Scripts For Updating Connection Strings in XenApp/XenDesktop 7.x was recently updated
for 7.13.
Director Grooming
If XenDesktop is not Platinum Edition, then all historical Director data is groomed at 30 days.
For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90
days. This can be adjusted up to 367 days by running a PowerShell cmdlet.
1. On a Delivery Controller, run PowerShell elevated (as administrator), and run asnp Citrix.*
2. Run Get-MonitorConfiguration to see the current grooming settings.
3. Run Set-MonitorConfiguration to change the grooming settings.
To view the contents of the Logging Database, in Studio, click the Logging node. On the right is Create
Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.
The Logging Database can be queried using Get-LogLowLevelOperation. See Stefan Beckmann Get user
who set maintenance mode for a server or client for an example script that uses this PowerShell cmdlet.
Citrix CTX215069 Troubleshooting and managing Oversized Configuration Logging database: The
article's queries can be used to determine the number of configuration operation types performed by
XenDesktop Administrator, and to analyze the content of the Configuration Logging database when it is
considered oversized. A grooming query is also provided to delete data older than a specified date.
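An added example (not from the original guide or from the scripts it links to) of using Configuration Logging records as an audit trail: it summarizes operations per administrator, counts failures, and flags source IPs outside an expected list. Get-AdminChangeSummary is a hypothetical helper; the property names User, StartTime, IsSuccessful, AdminMachineIP and Text are assumed to match what Get-LogLowLevelOperation returns, and the sample records are constructed.

```powershell
# Added example: per-administrator summary of Configuration Logging records.
# Hypothetical helper; works on any objects exposing the assumed properties
# User, StartTime, IsSuccessful, AdminMachineIP.
function Get-AdminChangeSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Operation,
        # Management hosts that administrators are expected to work from
        [string[]] $ExpectedAdminIPs = @()
    )
    begin   { $records = New-Object System.Collections.Generic.List[object] }
    process { $records.Add($Operation) }
    end {
        foreach ($g in ($records | Group-Object -Property User)) {
            $sorted = @($g.Group | Sort-Object StartTime)
            $ips    = @($g.Group | ForEach-Object { $_.AdminMachineIP } | Sort-Object -Unique)
            $odd    = @()
            if ($ExpectedAdminIPs.Count -gt 0) {
                $odd = @($ips | Where-Object { $ExpectedAdminIPs -notcontains $_ })
            }
            [pscustomobject]@{
                User          = $g.Name
                Operations    = $g.Count
                Failed        = @($g.Group | Where-Object { -not $_.IsSuccessful }).Count
                FirstSeen     = $sorted[0].StartTime
                LastSeen      = $sorted[-1].StartTime
                SourceIPs     = $ips -join ', '
                UnexpectedIPs = $odd -join ', '
            }
        }
    }
}

# Constructed sample records (documentation IP ranges, made-up accounts)
$sample = @(
    [pscustomobject]@{ User='CORP\alice'; StartTime=[datetime]'2017-06-19T09:15:00'; IsSuccessful=$true;  AdminMachineIP='192.0.2.10';   Text='Set-BrokerPrivateDesktop' }
    [pscustomobject]@{ User='CORP\alice'; StartTime=[datetime]'2017-06-19T09:20:00'; IsSuccessful=$true;  AdminMachineIP='192.0.2.10';   Text='Set-BrokerDesktopGroup' }
    [pscustomobject]@{ User='CORP\bob';   StartTime=[datetime]'2017-06-20T02:05:00'; IsSuccessful=$false; AdminMachineIP='198.51.100.7'; Text='Remove-BrokerMachine' }
    [pscustomobject]@{ User='CORP\bob';   StartTime=[datetime]'2017-06-20T02:06:00'; IsSuccessful=$true;  AdminMachineIP='198.51.100.7'; Text='Remove-BrokerMachine' }
)
$sample | Get-AdminChangeSummary -ExpectedAdminIPs '192.0.2.10' | Format-Table -AutoSize

# On a Delivery Controller (after asnp citrix.*) the same function can be fed live data:
#   Get-LogLowLevelOperation -MaxRecordCount 10000 |
#       Where-Object { $_.StartTime -ge (Get-Date).AddDays(-7) } |
#       Get-AdminChangeSummary -ExpectedAdminIPs '192.0.2.10'
```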
Export/Import Configuration
Ryan Butler has a PowerShell script that can export configuration from one XenDesktop farm and import it
to another.
Studio Administrators
Full Administrators
1. In the Studio, under Configuration, click the Administrators node. The first time you access the
node you'll see a Welcome page. Feel free to check the box to Don't show this again, and then click
Close.
2. On the Administrators tab, right-click, and click Create Administrator.
3. In the Administrator and Scope page, Browse to a group (e.g. Citrix Admins) that will have
permissions to Studio and Director. These groups typically have access to all objects, so select the
All scope. Alternatively, you can create a Scope to limit the objects. Click Next.
4. On the Role page, select a role, and then click Next. For example:
o Full Administrator for the Citrix Admins group
o Help Desk Administrator for the Help Desk group
o Machine Catalog Administrator for the desktop team
Help Desk
1. In the Studio, under Configuration, click the Administrators node. On the Administrators tab, right-
click, and click Create Administrator.
2. In the Administrator and Scope page, Browse to a Help Desk group that will have permissions to
Studio and Director. Select the All scope. And click Next.
3. On the Role page, select the Help Desk Administrator role, and then click Next.
To jazz it up a little, add the Help Desk group to the read-only role.
6. Right-click the Help Desk Administrator, and click Edit Administrator.
7. Click Add.
8. In the Scope page, select a scope, and click Next.
9. In the Role page, select Read Only Administrator, and click Next.
From Considerations: Provisioning Services at Configure and manage Personal vDisk at Citrix Docs: The
Provisioning Services Soap Service account must be added to the Administrator node of Studio and must
have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the
Preparing state when the Provisioning Services (PVS) vDisk is promoted to production.
XenApp/XenDesktop 7.14 enables CEIP by default. If desired, you can disable it in Citrix Studio:
3. Click End.
4. Click Yes.
Each XenApp/XenDesktop component has a separate configuration for disabling Customer Experience
Improvement Program:
vCenter Connection
XenDesktop uses an Active Directory service account to log into vCenter. This account needs specific
permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to
the XenDesktop service account. The permissions should be applied at the datacenter or higher level.
Hosting Resources
A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine
catalog, you select a previously defined Hosting Resource, and the Cluster, Storage, and Network defined
in the Hosting Resource object are automatically selected. If you need some desktops on a different
Cluster+Storage+Network then you'll need to define more Hosting Resources in Studio.
1. In Studio, expand Configuration and click Hosting. Right-click it, and click Add Connection and
Resources.
9. If you see a message about the vCenter certificate, check the box next to Trust certificate, and click
OK.
10. Note: this vCenter certificate thumbprint is stored in the XenDesktop database, and is not updated
when the vCenter certificate changes. See CTX217415 Cannot connect to the VCenter server due to
a certificate error for instructions on manually updating the database with the new certificate
thumbprint.
o Also see CTX224551 Xendesktop 7.x Steps to perform after certificate change on
vCenter.
11. In the Storage Management page, click Browse, and select a vSphere cluster. Note: as detailed at
CTX223662, make sure there's no comma in the datacenter name.
12. Select Use storage shared by hypervisors.
13. If you have sufficient disk space on each ESXi host, also select Optimize temporary data on
available local storage. From Mark Syms at XA 7.9 MCS with RAM Caching at Citrix Discussions: If
you use just MCS caching to local storage then the VM is not agile at all and cannot be moved even
when powered off as it has a virtual disk permanently associated with a single host.
14. From Martin Rowan at XA 7.9 MCS with RAM Caching at Citrix Discussions: for the temporary cache
disk, Don't format it, the raw disk is what MCS caching uses.
15. Click Next.
16. In the Storage Selection page, OS and Personal vDisk must be selected on at least one datastore.
For maximum flexibility, only select one datastore. To select additional datastores, run this wizard
again to create a separate Hosting Resource.
17. If you selected the temporary data on local storage option, on the bottom, click Select, and choose
the datastores you want to use for disk caching. By default, all local datastores are selected. Click
Next when done.
18. In the Network page, enter a name for the hosting resource. Since each hosting resource is a
combination of vCenter, Cluster, Network, and Datastores, include those names in this field (e.g.
vCenter01-Cluster01-Network01-Datastore01).
19. Select a network and click Next.
25. When you create a Catalog, select the Hosting Resource for the datastore where you want the
VDAs to be placed. Create additional Catalogs for each datastore. You can then combine the
Catalogs into a single Delivery Group.
26. Later in the Catalog wizard, you're given an option to enable caching and select a cache size. This is
similar to the Provisioning Services option Cache in RAM with overflow to disk.
Citrix Licensing Server
Upgrade
If you have a standalone Licensing Server, upgrade it to Citrix Licensing 11.14.1.1 build 20104 if it isn't
already.
1. Go to the downloaded Citrix Licensing 11.14.1.1 build 20104, and run CitrixLicensing.exe.
2. If you see the Subscription Advantage Renewal page, make a selection, and click Next.
Scroll down to Share usage statistics with Citrix and make a selection.
Version 11.14.0.1 and newer include the Citrix License Management Service. This service helps you avoid
prohibited practices:
1. Build two License Servers in each datacenter with identical server names. Since server names are
identical, they can't be domain-joined.
2. Install identical licenses on all License Servers.
3. Set the DisableStrictNameChecking registry key on all Citrix Licensing servers.
4. Synchronize the certificate files located at C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf.
They must be identical on all Licensing Servers.
5. Download CtxLicChk.exe from http://support.citrix.com/article/CTX123935 and place on all
Licensing Servers.
6. Schedule the PowerShell script CtxLicChk.ps1 on all Licensing Servers. Get this script from the blog
post linked above.
7. Configure NetScaler:
   1. Configure GSLB ADNS services.
   2. Add wildcard Load Balancing service for each Citrix Licensing Server.
   3. Configure service TCP monitoring for ports 27000, 7279, 8082, and 8083.
   4. Create Load Balancing Virtual Server for each Licensing Server.
   5. Set one Load Balancing Virtual Server as backup for the other.
   6. Repeat in second datacenter.
   7. Configure GSLB Services and GSLB Monitoring.
   8. Configure GSLB Virtual Servers. Set one GSLB Virtual Server as backup for the other.
8. Delegate the Citrix Licensing DNS name to the ADNS services on the NetScaler appliances.
9. Configure Citrix Studio to point to the GSLB-enabled DNS name for Citrix Licensing.
1. Run Citrix Licensing Manager from the Start Menu. Or use a browser to connect to
https://MyLicenseServer:8083
2. Use the drop-down menus to select a license type, select dates, and export to a .csv file.
3. The Update Licenses tab lets you check for renewals and download them.
4. On the top right is a gear icon where you can set the historical retention period and configure SA
license auto-renewal.
Jonathan Medd Monitor Citrix License Usage With PowerShell.
Jaroslaw Sobel Monitoring Citrix Licenses usage Graphs using WMI, Powershell and RRDtool. This script
generates a graph similar to the following:
1. In Server Manager, open the Manage menu, and click Add Roles and Features.
4. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing,
and click Next.
5. Click Add Features if prompted.
2. The tool should find the local server. If it does not, right-click All servers, click Connect, and type in
the name of the local server.
3. Once the local server can be seen in the list, right-click the server and click Activate Server.
6. In the Company Information page, enter the required information, and click Next.
7. All of the fields on the Company Information page are optional, so you do not have to enter
anything. Click Next.
8. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses
Wizard now, and click Finish. Since the session hosts will be configured to pull Per User licenses,
there is no need to install licenses on the RD Licensing Server.
9. In RD Licensing Manager, right-click the server, and click Review Configuration.
10. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not
have permissions to add the server to the Terminal Server License Servers group in Active Directory,
ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.
11. Click Continue when prompted that you must have Domain Admins privileges.
12. Click OK when prompted that the computer account has been added.
Smart Check
Citrix Cloud offers a Smart Check service that can scan your XenApp/XenDesktop infrastructure for known
issues. Soon Smart Check will require Citrix Customer Success Services (Select).
5. If you didn't enable Smart Check during XenDesktop installation, then on the top right, click Add
Site.
4. Check the box next to I accept the terms in the License Agreement, and click Install.
5. In the Completed the Citrix Smart Tools Agent Setup Wizard page, click Finish.
6. Step 2 now shows that the Agent was installed successfully. Click Next.
6. Enter credentials for your XenDesktop farm, and click Add Site.
9. At the top right, if you click Perform Check, you can run one of the checks.
12. To view the alerts, click one of the alert badges in the component category. Also see Smart Check
alerts reference at Citrix Docs.
13. Expand a component, and click an alert.
14. On the right, there's an option to Hide Alert.
15. To view the hidden alerts, at the top right, click the menu icon, and click Show Hidden Alerts.
16. The hidden alert is grayed out. If you click the alert, you can restore it.
Citrix Scout
XenDesktop 7.14 includes a new Citrix Scout that can be launched from the Start Menu.
The tool can run a manual collection, run a trace, or schedule periodic collection. The results are uploaded
to Citrix Smart Tools.
Links with more information:
Bas van Kaam, With XenDesktop & XenApp 7.14 comes Scout 3.0 some big changes, read what's
new: compares old Scout with new Scout
Citrix Docs Citrix Scout
Andrew Morgan New Free Tool: Citrix Director Notification Service: The Citrix Director Notification
service sits on an edge server as a service (or local to the delivery controller) and periodically checks the
health of:
Citrix Licensing.
Database Connections.
Broker Service.
Core Services.
Hypervisor Connections.
And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action.
The tool will also send All Clear emails when these items are resolved, ensuring you are aware when the
service has resumed a healthy state.
Director 7.14
Last Modified: Jun 20, 2017 @ 7:41 pm
See the XenApp and XenDesktop Feature Matrix. Scroll down to Director Platinum Edition for the list of
Director features that require Platinum Edition licensing.
Up to a year's worth of performance data that provides a comprehensive view of capacity trends
Proactive notification and alerting including SNMP integration
SCOM alerts
Desktop and server OS usage reporting
Create customized reports
Reboot warnings
Octoblu integration
NetScaler MAS integration
Override control over roaming sessions
See CTX224793 Director Version Matrix Install or Upgrade compatibility of Director with Delivery
Controller, VDA for a list of which Director feature came with each version, and the licensing Edition
needed for each feature.
If you are installing Director 7.14 on a standalone server, see Citrix CTX142260 Installing or Upgrading to
Citrix Director 7.6.200
1. If you intend to install Director on a standalone server, start with running AutoSelect.exe from the
XenApp/XenDesktop 7.14 media.
2. In the Extend Deployment section, on the bottom left, click Citrix Director.
3. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click
Next.
5. In the Delivery Controller page, it will ask you for the location of one Controller in the farm. Only
enter one Controller per farm. If you have multiple Director servers, each Director server can point
to a different Controller in the farm. From Citrix Docs: Director automatically discovers all other
Controllers in the same Site and falls back to those other Controllers if the Controller you specified
fails. Click Test Connection, and then click Add.
6. In the Features page, click Next.
7. In the Firewall page, click Next.
8. In the Summary page, click Install.
9. In the Finish page, click Finish.
10. In IIS Manager, go to Default Web Site > Director > Application Settings,
find Service.AutoDiscoveryAddresses, and make sure it points to one Controller in the farm, and
not to localhost. From Citrix Docs: Director automatically discovers all other Controllers in the same
Site and falls back to those other Controllers if the Controller you specified fails.
11. If you built multiple Director servers, use NetScaler to load balance them.
12. If you are upgrading Director, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe
/upgrade to complete the upgrade process.
13. For info on the new monitoring features in Director 7.14 and older, see Use Director below.
1. Open Notepad elevated (as administrator) and paste the following text:
<script type="text/javascript">
<!--
window.location="https://director.corp.com/Director";
// -->
</script>
13. Enter the file name of the .html file provided in Step 5.
14. Ensure the .html file is located at the top of the list, as shown in the following screen shot:
multipleSiteBindingsEnabled="true"
Also see CTX202564 Citrix Director Becomes Unresponsive after Submitting the Credentials when IIS
X-Frame-Options is enabled
Director Tweaks
From http://www.xenblog.dk/?p=33: On the Controllers having the Director role installed, locate and edit
the LogOn.aspx file. By default you can find it at C:\inetpub\wwwroot\Director\Logon.aspx
In line 450 you will have the following. To find the line, search for ID=Domain. Note: onblur
and onfocus attributes were added in newer versions of Director.
In the ID=Domain element, insert a Text attribute and set it to your domain name. Don't change or add
any other attributes. Save the file.
This will prepopulate the domain field text box with your domain name and still allow the user to change it,
if that should be required. Note: this only seems to work if Single Sign-on is disabled.
Session timeout
By default the idle time session limit of the Director is 245 min. If you wish to change the timeout, here is
how to do it.
To stop this:
From Disable the visibility of running applications in the Activity Manager in Advanced Configuration at
Citrix Docs: By default, the Activity Manager in Director displays a list of all the running applications and
the Windows description in the title bars of any open applications for the user's session. This information
can be viewed by all administrators that have access to the Activity Manager feature in Director. For
Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help
Desk Administrator.
To protect the privacy of users and the applications they are running, you can disable the Applications tab
from listing running applications.
UI.TaskManager.EnableApplications = false
If multiple forests, see Citrix Blog Post Using Citrix Director in a MultiForest Environment.
1. In Information Server (IIS) Management, under the Desktop Director site, select Application
Settings and add a new value called ActiveDirectory.ForestSearch. Set it to False. This disables
searching any domain except the user's domain and the server's domain.
2. To search more domains, add the searchable domain or domains in the ActiveDirectory.Domains
field.
Site Groups
From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:
If there are a large number of machines, the Director administrator can now configure site groups to
perform machine search so that they can narrow down searching for the machine inside a site group. The
site groups can be created on the Director server by running the configuration tool via command line by
running the command:
C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups
Then provide a site group name and IP address of the delivery controller of the site to create the site
group.
Johan Greefkes at Script for configuring Director at Citrix Discussions was kind enough to provide a script
that does the following:
From Scott Osborne and Jarian Gibson at Citrix Discussions: In Director, you can create a filter and save it.
The saved filter is then accessible from the Filters menu structure.
The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Each user
has their own saved filters. The saved filters are not replicated across Director servers.
You can instead configure multiple Director servers to store the filters on a shared UNC path: (h/t CTP
Jarian Gibson)
2. The Director server computer accounts need Modify permission to the share.
5. Change the Service.UserSettingsPath setting to the UNC path of the new share.
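An added example (not from the original guide or from Citrix) that audits the Director Application Settings discussed on this page (Service.AutoDiscoveryAddresses, UI.TaskManager.EnableApplications, ActiveDirectory.ForestSearch, Service.UserSettingsPath) in one pass. Test-DirectorAppSettings is a hypothetical helper and the web.config content is a constructed sample; it assumes the IIS Application Settings are stored in the appSettings section of web.config in the Director folder.

```powershell
# Added example: review Director Application Settings against this page's guidance.
# Hypothetical helper name; the sample web.config below is constructed.
function Test-DirectorAppSettings {
    param(
        [Parameter(Mandatory)] [xml] $WebConfig,
        # Set when several Director servers sit behind a load balancer
        [switch] $MultipleDirectorServers
    )
    $s = @{}
    foreach ($add in $WebConfig.SelectNodes('/configuration/appSettings/add')) {
        $s[$add.GetAttribute('key')] = $add.GetAttribute('value')
    }
    function New-Finding($Setting, $Status, $Note) {
        [pscustomobject]@{ Setting = $Setting; Value = $s[$Setting]; Status = $Status; Note = $Note }
    }

    # Must name one Controller in the farm, not localhost
    $addr = @("$($s['Service.AutoDiscoveryAddresses'])" -split ',' |
              ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($addr.Count -eq 0 -or $addr -contains 'localhost') {
        New-Finding 'Service.AutoDiscoveryAddresses' 'Review' 'Point to one Controller in the farm, not localhost'
    } else {
        New-Finding 'Service.AutoDiscoveryAddresses' 'OK' 'Points to a named Controller'
    }

    # Privacy: Activity Manager lists running applications unless this is false
    if ($s['UI.TaskManager.EnableApplications'] -ne 'false') {
        New-Finding 'UI.TaskManager.EnableApplications' 'Review' 'Running applications and window titles are visible in Activity Manager'
    } else {
        New-Finding 'UI.TaskManager.EnableApplications' 'OK' 'Applications tab does not list running applications'
    }

    # Informational: scope of Active Directory searches
    if ($s['ActiveDirectory.ForestSearch'] -eq 'False') {
        New-Finding 'ActiveDirectory.ForestSearch' 'Info' "Search limited to user and server domains plus ActiveDirectory.Domains: $($s['ActiveDirectory.Domains'])"
    } else {
        New-Finding 'ActiveDirectory.ForestSearch' 'Info' 'Forest search not disabled'
    }

    # Saved filters are per server unless the path is a shared UNC path
    if ($MultipleDirectorServers -and $s['Service.UserSettingsPath'] -notlike '\\*') {
        New-Finding 'Service.UserSettingsPath' 'Review' 'Not a UNC path: saved filters are not shared across Director servers'
    } else {
        New-Finding 'Service.UserSettingsPath' 'OK' 'No change needed for this deployment'
    }
}

# Constructed sample; on a Director server load the real file instead (assumed path):
#   $cfg = [xml](Get-Content 'C:\inetpub\wwwroot\Director\web.config' -Raw)
$cfg = [xml]@'
<configuration>
  <appSettings>
    <add key="Service.AutoDiscoveryAddresses" value="localhost" />
    <add key="UI.TaskManager.EnableApplications" value="true" />
    <add key="ActiveDirectory.ForestSearch" value="False" />
    <add key="ActiveDirectory.Domains" value="corp.com" />
    <add key="Service.UserSettingsPath" value="..\UserData" />
  </appSettings>
</configuration>
'@
Test-DirectorAppSettings -WebConfig $cfg -MultipleDirectorServers | Format-Table -AutoSize
```

With the constructed sample, three settings come back as Review (localhost discovery address, visible running applications, local UserData path) and the forest search setting is reported as Info.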
You can connect Director to NetScaler Management & Analytics System (NetScaler MAS) or Citrix Insight
Center to add Network tabs to Director's Trends and Machine Details views. See Citrix Blog Post Configure
Director with NetScaler Management & Analytics System (MAS).
Director and Self-Service Password Reset (SSPR)
If you have XenApp/XenDesktop Platinum Edition, it's possible to install SSPR on the Director server.
See George Spiers Citrix Self-Service Password Reset for a detailed implementation guide.
However this might break Director, and all you will see is a spinning circle.
To fix it, in IIS Manager (inetmgr), edit the bindings of the Default Web Site, and Remove the HTTP 8080
binding. Or implement the multisitebinding fix.
More info at Citrix Discussions Installing SSPR 1.0 appears to have broken Director 7.11 on same server.
Director Grooming
If XenDesktop is not Platinum Edition, then all historical Director data is groomed at 30 days.
For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90
days. This can be adjusted up to 367 days by running a PowerShell cmdlet.
You can configure Director to support Integrated Windows Authentication (Single Sign-on). Note: there
seem to be issues when not connecting from the local machine or when connecting through a load
balancer.
1. Run IIS Manager. You can launch it from Server Manager (Tools menu), or from the Start Menu, or
by running inetmgr.
2. On the left, expand Sites, expand Default Web Site, and click Director.
6. Pass-through auth won't work from another computer until you set the http SPN for the Director
server. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions.
7. If Director is not installed on a Controller then you'll need to configure Kerberos delegation.
8. If you are load balancing Director then additional config is required. See Director 7.7 Windows
Authentication not working with NS LB at Citrix Discussions for more info.
1. Create an AD service account that will be used as Director's ApplicationPoolIdentity.
2. Create an SPN and link it to the service account.
3. Trust the user account for delegation to any service (Kerberos only). Trusting the Director
servers for delegation is not necessary in this case. You have to create the SPN before you
can do this step.
4. In IIS Manager, on the Application Pools (Director), specify the Identity as the user
created in step 1.
5. In IIS manager, select Default Web Site and open the Configuration Editor.
system.webServer/security/authentication/windowsAuthentication
7. Set useAppPoolCredentials = True and useKernelMode = False. Click Apply on the top right.
9. When you connect to Director you will be automatically logged in. You can change the login
account by first logging off.
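A read-only way to confirm the settings from these steps, as an added example that is not part of the original guide. It assumes the Windows Authentication settings were applied at Default Web Site and that the application pool is named Director; the function name and the FQDN are placeholders.

```powershell
# Added example (not from the original guide). Read-only: it changes no settings.
# Assumptions: settings applied at 'Default Web Site', application pool named
# 'Director', and -DirectorFqdn is the name users type into the browser.
Import-Module WebAdministration

function Test-DirectorKerberosConfig {
    param(
        [Parameter(Mandatory)][string]$DirectorFqdn,
        [string]$SitePath    = 'IIS:\Sites\Default Web Site',
        [string]$AppPoolName = 'Director'
    )

    # Step 7: the two attributes of the windowsAuthentication section.
    $section = 'system.webServer/security/authentication/windowsAuthentication'
    $useAppPoolCredentials = (Get-WebConfigurationProperty -PSPath $SitePath `
        -Filter $section -Name 'useAppPoolCredentials').Value
    $useKernelMode = (Get-WebConfigurationProperty -PSPath $SitePath `
        -Filter $section -Name 'useKernelMode').Value

    # Step 4: the pool must run as the service account, not a built-in identity.
    $processModel = (Get-Item -Path "IIS:\AppPools\$AppPoolName").processModel

    # Step 2: ask the directory which account holds the http SPN. Kerberos needs
    # the SPN registered on exactly one account, the pool's service account.
    $spnQuery = (& setspn.exe -Q "http/$DirectorFqdn" 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        UseAppPoolCredentials = $useAppPoolCredentials
        UseKernelMode         = $useKernelMode
        PoolIdentityType      = $processModel.identityType
        PoolUserName          = $processModel.userName
        SpnQueryOutput        = $spnQuery
    }
}

# 'director.example.com' is a placeholder; use your Director or load balancer name.
$result = Test-DirectorKerberosConfig -DirectorFqdn 'director.example.com'
$result | Format-List

if (-not $result.UseAppPoolCredentials -or $result.UseKernelMode) {
    Write-Warning 'windowsAuthentication does not match step 7 (useAppPoolCredentials = True, useKernelMode = False).'
}
if ($result.PoolIdentityType -ne 'SpecificUser') {
    Write-Warning "Application pool identity is $($result.PoolIdentityType), not the service account from step 1."
}
```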
1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu, or
by running inetmgr.
2. On the left, expand Sites, expand Default Web Site, and click Director.
Director 7.11 and newer have Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.
Process Monitoring is disabled by default. To enable it, configure the Enable process monitoring setting in
a Citrix Policy. For Citrix Policies in a GPO, find this setting in the computer half of the GPO. Note: this
setting could significantly increase the size of the Monitoring database.
Director supports alert conditions and email notifications. This feature requires XenApp/XenDesktop to be
licensed with Platinum Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using
Director for more information.
Director 7.11 and newer have CPU, Memory, and ICA RTT alerts. See Citrix Blog Post 7 New Categories in
Director for Proactive Notifications & Alerts.
To configure alerts:
1. While logged into Director, at the top of the page, click the Alerts button.
11. Click Save when done. Feel free to create more alerts and notifications.
12. For Server OS and User Policy, there are new ICA RTT alerts. See Citrix Blog Post 7 New Categories
in Director for Proactive Notifications & Alerts for details on the new alerts in 7.11 and newer.
13. In Director 7.12 and newer, you can configure alerts to generate an SNMP trap. This is configured in
PowerShell as described at Configure alerts policies with SNMP traps at Citrix Docs.
    Set-MonitorNotificationSnmpServerConfiguration #see Docs for parameter details
    Set-MonitorNotificationPolicy -IsSnmpEnabled $true -Uid <Policy ID>
15. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool
For Citrix XenDesktop.
Director Alerts can be configured with a WebHook that allows Octoblu to perform actions when a Director
Alert occurs. See Configure alerts policies with Octoblu webhooks at Citrix Docs for details.
Director 7.8 and newer can display alerts from System Center Operations Manager 2012 R2. This feature
requires XenApp/XenDesktop Platinum Edition.
1. See Configure SCOM integration at Citrix Docs for detailed configuration instructions. Also see
Marius Sandbu Integrating Citrix XenDesktop 7.7 and System Center Operations Manager.
2. If Director server or System Center Operations Manager server is 2008 R2, then login to the 2008
R2 server, open PowerShell and run Enable-PSRemoting. Yes to everything. This is not needed on
Windows Server 2012 R2 servers.
3. On Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configscom
4. FYI, the DirectorConfig.exe /configscom command enables the following features on the Director
server: /FeatureName:IIS-NetFxExtensibility45 /FeatureName:IIS-ASPNET45
/FeatureName:WCF-HTTP-Activation45
5. FYI, the System Center Operations Manager server is listed in IIS Manager at Default Web Site >
Director > Application Settings (middle pane) > Connector.SCOM.ManagementServer.
6. On the System Center Operations Manager server, edit Remote Management Users local group,
and add Citrix Admins, and other Director users.
7. In System Center Operations Manager Console, go to Administration > User Roles, and edit
Operations Manager Operators. Add the Citrix Admins, and other Director users.
8. See Citrix Blog Post SCOM Alerts in Citrix Director for information on how to view System Center
Operations Manager alerts in Director.
Director Custom Reports
In Director 7.12 and newer, in the Trends view, there's a Custom Reports tab that guides you through
creating a custom OData Query. This tab only appears if you have XenApp/XenDesktop Platinum Edition.
The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring
service has an OData Data Feed that can be queried.
You can use Excel to pull data from the OData Data feed. See Citrix Blog Post Citrix Director
Analyzing the Monitoring Data by Means of Custom Reports. This particular blog post shows how to
use an Excel PivotChart to display the connected Receiver versions.
o Also see Alexander Ollischer Citrix XenDesktop 7.x Query Citrix Receiver Versions
connecting to your environment XLS Report
Citrix CTX211428 Using Excel to Report on Desktop Director Data uses Power Pivot.
Or for Linqpad, see Citrix Blog Post Creating Director Custom reports for Monitoring XenDesktop
using Linqpad
CTA David Ott XenDesktop Usage Report shows that querying OData can be slow and it's
sometimes faster to query the actual Monitoring database. Updated Report.
Use Director
The newer Director features usually require Delivery Controllers and VDAs to be at the same version or
newer than Director. Director depends on the Monitoring Service that is built into the Delivery Controller.
The Monitoring Service gathers data from the VDAs.
See Monitor deployments at Citrix Docs.
Citrix Blog Post Citrix Director Now Provides Disk Usage Information!:
In Director 7.14 and newer, see CTX223927 How to use Director to troubleshoot application launch errors.
This feature is configured in Citrix Policy Settings located in the Computer half at Virtual Delivery Agent
Settings > Monitoring.
Citrix Director 7.13 and newer have an Application Instances tab on the Filters page that lets you filter
published application sessions based on Session Idle Time (RDS sessions only), Application Name, and all
other existing fields, like machine name, and so on. Requires Director 7.13, Controller 7.13, VDA 7.13, and
Platinum Edition licensing. See Citrix Blog Post Monitoring Idle Applications and Sessions in Citrix Director.
See Troubleshoot applications at Citrix Docs.
If idle time column shows n/a, then you need to wait 10-15 minutes.
In Director 7.13 and newer, the Session Details panel can show if Enlightened Data Transport (EDT, aka
HDX on UDP) is enabled in the user's session. See Citrix Blog Post HDX Adaptive Transport Protocol
Monitoring via Director.
George Spiers has a comprehensive guide of all Director 7.12 features at
http://www.jgspiers.com/citrix-director/.
Director 7.12 and newer have Connection Failure Details, which is detailed in Citrix Blog Post Director 7.12:
Easier Troubleshooting of Machine & Connection Failures. Also see CTX223812 Citrix Director Failure
Codes.
Director 7.11 and newer have Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.
Director 7.9 and newer have Logon Duration improvements.
Citrix Blog Post Interactive Session of Logon Duration in Citrix Director Explained: Interactive Session
Duration = Desktop Ready Event Timestamp (EventId 1000 on VDA) - User Profile Loaded Event Timestamp
(EventId 2 on VDA). More details in the Blog Post.
Citrix Blog Post Director 7.6 Failure Reasons Demystified lists possible failure reasons behind an
Unregistered alert, and the true meaning of failure reasons such as Connection Refused
and Communication Error. It details each failure reason, defines the meanings of these failures, and lists
action items that serve as a starting point for troubleshooting the specific scenario. The list is based on
Director 7.6.300.
Virtual Delivery Agent (VDA) 7.14.1
Last Modified: Jun 17, 2017 @ 12:10 pm
Hardware
Citrix Blog Post Citrix Scalability The Rule of 5 and 10: Simply take the number of physical cores in
a hypervisor host, multiply it by 5 or 10, and the result will be your Single Server Scalability. Use 5 if
you're looking for the number of XenDesktop VMs you can host on a box, and use 10 if you're
looking for the number of XenApp user sessions you can host on a box.
Virtual Machine Hardware
1. For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM
2. For Windows 2008 R2 RDSH, give the virtual machine 4 vCPU and 12-24 GB of RAM
3. For Windows 2012 R2 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
4. If using RAM caching (MCSIO or PvS), add more RAM for the cache
5. Remove the floppy drive
6. Remove any serial or LPT ports
7. If vSphere:
1. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual
machine .vswp file.
2. The NIC should be VMXNET3.
8. If this VDA will boot from Provisioning Services:
1. For vSphere, the NIC must be VMXNET3.
2. For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM
hardware version 10. SATA won't work with PvS.
1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
2. To disable this functionality, power off the virtual machine.
3. Once powered off, right-click the virtual machine, and click Edit Settings.
4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
Windows Preparation
1. If RDSH (Server OS), disable IE Enhanced Security Configuration in Server Manager > Local Server.
2. Optionally, go to Action Center (Windows 8.1 or 2012 R2) or Control Panel > Security and
Maintenance (Windows 10/2016) to disable User Account Control, and enable SmartScreen.
1. In Windows 10 1703 and newer, search the Settings app for Change User Account Control
settings.
2. SmartScreen is configured in Windows Defender Security Center > App & browser control.
3. Run Windows Update.
4. Add your Citrix Administrators group to the local Administrators group on the VDA. Computer
Management.
5. The Remote Desktop Services Prompt for Password policy prevents Single Sign-on to the Virtual
Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO
setting will prevent Single Sign-on from working.
Computer Configuration | Policies | Administrative Templates | Windows Components | Remote
Desktop Services | Remote Desktop Session Host | Security | Always prompt for password upon
connection
6. For Windows 7/2008 R2 VDAs that will use Personal vDisk, or AppDisk, or any other layering
technology, install Microsoft hotfix 2614892 A computer stops responding because of a deadlock
situation in the Mountmgr.sys driver. This hotfix solved a Personal vDisk Image update issue
detailed at Citrix Discussions.
8. To remove the built-in apps in Windows 10, see Robin Hobo How to remove built-in apps in
Windows 10 Enterprise.
9. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration |
Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See
Jason Samuel How to setup Citrix Director Shadowing with Remote Assistance using Group
Policy for more details.
10. If you intend to use Citrix's SCOM Management Packs for XenApp/XenDesktop, make sure WinRM
is enabled on the VDA by running winrm quickconfig. Or you can enable WinRM using Group Policy.
1. For virtual desktops, make sure you are logged into the console. The VDA won't install if you are
connected using RDP.
2. Make sure .NET Framework 4.5.2 or newer is installed.
CLI Install:
Command Line Install Options are detailed at Install using the command line at Citrix Docs.
The Citrix Telemetry Service seems to cause problems. You can use the Command Line Installer to exclude
Telemetry Service as detailed at VDA upgrade cmdlet at Citrix Discussions.
GUI Install:
1. Go to the downloaded XenDesktop 7.14.1 iso file and extract it. If Windows 8 or newer, you can
instead mount it, but be aware that with mounting, the install won't resume correctly after a
reboot.
2. Run AutoSelect.exe.
3. Alternatively, you can download the standalone VDA package and run that instead. Go to the main
XenDesktop 7.14.1 download page. Expand the section labelled Components that are on the
product ISO but also packaged separately to download the Standalone VDA installers. 7.14.1 has a
VDA installer called Desktop OS Core Services that is designed for Remote PC deployments.
4. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed
in the installation wizard.
5. Click Virtual Delivery Agent for Windows Desktop OS, or Windows Server OS, depending on which
type of VDA you are building.
6. In the Environment page, select Create a Master Image, and click Next.
8. In the Core Components page, if you don't need Citrix Receiver installed on your VDA, then uncheck
the box. Receiver is usually only needed for double-hop connections (connect to first VDA, and then
from there, connect to second VDA). Click Next.
9. In the Additional Components page, uncheck Citrix AppDisk/Personal vDisk. This feature has been
deprecated and is being replaced by Citrix App Layering (Unidesk). Click Next.
10. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Controller. Click Test
connection. And then make sure you click Add. Click Next when done.
11. In the Features page, check boxes. In 7.12 and newer, only the top box is checked by default. If you
want to use the other features, check the boxes. If this is a virtual desktop, you can leave Personal
vDisk unchecked now and enable it later. Then click Next.
15. After the machine reboots twice, login and installation should continue.
16. If you see a Locate XenApp installation media window, click Cancel.
21. Programs and Features shows Citrix Virtual Delivery Agent 7.14.1 as version 7.14.1.14098.
Customer Experience Improvement Program (CEIP)
VDA 7.12 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it,
create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0
(zero). Also see CEIP at Citrix Insight Services at Citrix Docs.
The Connection Quality Indicator tells the user the quality of the connection. For example:
Position of the indicator is configurable by the user. Thresholds are configurable through group policy.
Download it from CTX220774 Connection Quality Indicator and install it. The article is very detailed.
Notification display settings lets you customize the user notifications, or disable them.
Connection Threshold Settings lets you set the notification thresholds.
Adaptive Transport
XenApp/XenDesktop 7.13 and newer include Adaptive Transport, which uses EDT protocol, which uses
UDP Ports 1494/2598 for HDX connections to the VDA. The UDP ports should already be open in the
Windows Firewall.
Adaptive Transport is disabled by default, but can be enabled in the Citrix Policy setting HDX Adaptive
Transport.
Slow Logons
Citrix Discussions Xenapp 7.9: Wait for local session manager: I have a Xenapp 7.9 environment on
Windows 2012 R2. When logging in through Citrix I got message Wait for local session manager for 20-30
seconds. When logging in to the server with RDS, I do not have to wait for this.
Add the following 2 registry keys to your 7.9 VDA server then try connecting to it using ICA to see if the
issue still occurs:
Restart the machine after adding these registry keys and attempt an ICA connection (at least twice) to see
if that helps the Login delay.
Mark DePalma at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says
that pushing Tile Refresh to a background task speeds up logons.
Regedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DisableUPMResetCache]
@="DisableUPMResetCache"
"Version"="1,1,1,1"
"StubPath"="REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\StateStore /v ResetCache /t REG_DWORD /d 0 /f"
"Locale"="*"
UPM Exclusions:
Directory - '!ctx_localappdata!\Microsoft\Windows\Caches'
Registry - 'SOFTWARE\Microsoft\Active Setup\Installed Components\DisableUPMResetCache'
Marvin Neys at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says
that deleting HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC at logoff reduces logon
times from 40 seconds to 6 seconds.
Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
For additional logon delay troubleshooting, see Alexander Ollischer XenApp/XenDesktop Please Wait
For Local Session Manager message when logging into RDS. He found some Windows Updates that caused
a logon delay.
XenApp recalculates WMI filters on every reconnect. CTX212610 Session Reconnect 30 sec Delay
DisableGPCalculation WMI Filters indicates that recalculation can be disabled by
setting HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Reconnect\DisableGPCalculation (DWORD) to 1.
CTX212439 Desktop Session Stuck in Pre-Logon State with Message Please wait for the Local Session
Manager:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize
(DWORD) = 48000
Delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\RCM\GracePeriod\L$RTMTIMEBOMB
Some environments will not accept the default port 80 for Virtual Delivery Agent registration, even though
registration is authenticated and encrypted on port 80. To change the port, do the following on the Virtual
Delivery Agent:
1. Open Programs and Features. If Windows 10 1703 or newer, open Apps and Features.
2. Find Citrix Virtual Delivery Agent, and click Change or Modify (Windows 10 1703 and newer).
3. Click Customize Virtual Delivery Agent Settings.
5. On the Protocol and Port page, change the port number, and click Next.
6. In the Summary page, click Reconfigure.
1. If you restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service
2. In Windows Logs Application log, you should see an event 1012 from Citrix Desktop Service saying
that it successfully registered with a controller. If you don't see this then you'll need to fix the
ListOfDDCs registry key. See VDA registration with Controllers at Citrix Docs.
3. You can also run Citrixs Health Assistant on the VDA.
4. See CTX220772 Technical Primer: VDA Registration for a very detailed explanation of the VDA
Registration process.
3. In the Please read the Citrix PDF printer License Agreement page, check the box next to I accept the
terms, and click Install.
4. In the Completed the Citrix PDF Universal Driver Setup Wizard page, click Finish.
6. Configure a Citrix Policy to enable the PDF printer. The setting is called Auto-create PDF Universal
Printer in the user half of a Citrix Policy GPO.
1. If you support Receiver for Chrome (Chromebook) and want to open files on Google Drive using
published applications, install Citrix File Access on the VDAs. Get it from the Receiver for Chrome
download page, in the Additional Components section.
4. In the Completed the File Access Setup Wizard page, click Finish.
7. To open a file from Google Drive, right-click and open the file using Citrix Receiver.
Framehawk Configuration
On 2012 R2 and newer RDSH, the only way to configure Remote Desktop Licensing is using group policy
(local or domain). This procedure also works for 2008 R2 RDSH. This procedure is not needed on virtual
desktops.
1. For local group policy, run gpedit.msc. Alternatively, you can configure this in a domain GPO.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Licensing.
3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter
the names of the RDS Licensing Servers (typically installed on XenDesktop Controllers). Click OK.
4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User.
Click OK.
5. Optionally, you can install the Remote Desktop Licensing Diagnoser Tool. In the Server Manager >
Add Roles and Features Wizard, on the Features page, expand Remote Server Administration
Tools, expand Role Administration Tools, expand Remote Desktop Services Tools, and select
Remote Desktop Licensing Diagnoser Tool. Then Finish the wizard.
6. If it won't install from Server Manager, you can install it from PowerShell by running
Install-WindowsFeature rsat-rds-licensing-diagnosis-ui.
7. In Server Manager, open the Tools menu, expand Remote Desktop Services (or Terminal Services),
and click Remote Desktop Licensing Diagnoser.
8. The Diagnoser should find the license server, and indicate the licensing mode. If you're configured
for Per User licenses, then it's OK if there are no licenses installed on the Remote Desktop License
Server.
Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing
Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote
Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the
REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\RCM\GracePeriod only leaving the default. You must take ownership and give admin users full
control to be able to delete this value.
C: Drive Permissions
This section is more important for shared VDAs like RDSH (Windows Server 2008 R2, Windows Server 2012
R2, and Windows Server 2016).
The default permissions allow users to store files on the C: drive in places other than their profile.
1. Open the Properties dialog box for C:.
2. On the Security tab, click Advanced.
5. Highlight the line containing Users and Create files (or Special), and click Remove. Click OK.
6. Click Yes to confirm the permissions change.
7. If you see any of these Error Applying Security windows, click Continue. This window should appear
multiple times.
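To confirm the result of these steps without opening the dialog, here is a read-only check, added as an example and not part of the original guide. It lists any remaining ACEs on the root of C: that let BUILTIN\Users create files or folders; the function name Get-UsersCreateAce is hypothetical.

```powershell
# Added example (not from the original guide). Read-only: it changes no permissions.
# Lists the ACEs on the root of a drive that let BUILTIN\Users create files or
# folders there, which is what the Advanced Security steps above remove.

function Get-UsersCreateAce {
    param(
        [string]$Path = 'C:\'
    )

    # Well-known SID of BUILTIN\Users; comparing SIDs avoids localized group names.
    $usersSid = 'S-1-5-32-545'

    # CreateFiles (WriteData) and CreateDirectories (AppendData) are the two
    # rights that allow new content to be written into a folder.
    $createMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                  [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

    $acl   = Get-Acl -LiteralPath $Path
    # Include explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $usersSid) { continue }
        if ($rule.AccessControlType -ne 'Allow')         { continue }

        # Keep only the create bits of this ACE; skip it if none are set.
        $granted = [int]$rule.FileSystemRights -band $createMask
        if ($granted -eq 0) { continue }

        [pscustomobject]@{
            Path        = $Path
            Rights      = [System.Security.AccessControl.FileSystemRights]$granted
            Inheritance = $rule.InheritanceFlags
            Propagation = $rule.PropagationFlags
            IsInherited = $rule.IsInherited
        }
    }
}

$findings = @(Get-UsersCreateAce -Path 'C:\')
if ($findings.Count -eq 0) {
    'BUILTIN\Users has no create-file or create-folder ACE on C:\.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it on the master image before and after the change; an empty result afterwards means the Users create entries are gone from the root of the drive.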
Pagefile
If this image will be converted to a Provisioning Services vDisk, then you must ensure the pagefile is smaller
than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and
if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB, and Provisioning
Services will be unable to move it to the cache disk. This causes Provisioning Services to cache to server
instead of caching to your local cache disk (or RAM).
1. Open System. In 2012 R2 and newer, you can right-click the Start button, and click System. Note: in
Windows 10 1703 and newer, this method no longer opens the correct tool.
2. Another option is to open File Explorer, right-click This PC, and click Properties. This works in
Windows 10 1703.
6. Uncheck the box next to Automatically manage paging file size for all drives. Then either turn off
the pagefile, or set the pagefile to be smaller than the cache disk. Don't leave it set to System
managed size. Click OK several times.
Direct Access Users
When Citrix Virtual Delivery Agent is installed on a machine, non-administrators can no longer RDP to the
machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your
non-administrator RDP users to this local group so they can RDP directly to the machine.
For Windows 2012 R2, install Microsoft hotfix 2890783, and set the UseProfilePathExtensionVersion
registry value to 1.
Registry
Published Explorer
From Citrix CTX128009 Explorer.exe Fails to Launch: When publishing the seamless explorer.exe
application, the session initially begins to connect as expected. After the loading, the dialog box
disappears, and the Explorer application fails to appear. On the VDA, use the following registry change to
set the length of time a client session waits before disconnecting the session:
Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
o Value = LogoffCheckerStartupDelayInSeconds (DWORD) = 10 (Hexadecimal)
Screen Saver
From Citrix CTX205214 Screensaver Not Working in XenDesktop: By default, Screen Saver doesn't work on
Desktop OS. To enable it, on the VDA, configure the following registry value:
Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Graphics
o Value = SetDisplayRequiredMode (DWORD) = 0
From XenApp 7.8 Session Launch Security/Warning Login Banner at Citrix Discussions: If your logon
disclaimer window has scroll bars, set the following registry values:
Login Timeout
From Citrix CTX203760 VDI Session Launches Then Disappears: XenDesktop, by default, only allows 180
seconds to complete a logon operation. The timeout can be increased by setting the following:
Key = HKLM\SOFTWARE\Citrix\PortICA
o Value = AutoLogonTimeout (DWORD) = decimal 240 or higher (up to 3600).
Also see Citrix Discussions Machines in Registered State, but VM closes after Welcome screen.
HDX Flash
From Citrix Knowledgebase article CTX139939 Microsoft Internet Explorer 11 Citrix Known Issues: The
registry key value IEBrowserMaximumMajorVersion is queried by the HDX Flash service to check for
maximum Internet Explorer version that HDX Flash supports. For Flash Redirection to work with Internet
Explorer 11 set the registry key value IEBrowserMaximumMajorVersion to 11 on the machine where HDX
flash service is running. In case of XenDesktop it would be the machine where VDA is installed.
Key = HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
o Value = IEBrowserMaximumMajorVersion (DWORD) = 11 (Decimal)
From Citrix Discussions: Add the DWORD FlashPlayerVersionComparisonMask=0 on the VDA under
HKLM\Software\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer. This disables the Flash major
version checking between the VDA and Client Device.
From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, create a
REG_SZ registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual
Clipboard\Additional Formats\HTML Format\Name=HTML Format. Create any missing registry keys. This
applies to both virtual desktops and Remote Desktop Session Hosts.
Citrix CTX217351 How to Customize File Upload and Download Using Receiver for HTML5 and Receiver for
Chrome. You can specify a default uploads location by
editing HKLM\Software\Citrix\FileTransfer\UploadFolderLocation on the VDA. Environment variables are
supported. When this value is configured, users are no longer prompted to select an upload location. The
change takes effect at next logon.
Note: HTML5/Chrome Receiver also adds a Save to My Device location to facilitate downloads.
4K Monitors
From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to
7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:
1. For VDA 7.11 and newer, calculate the video memory that is required for monitors using the
following formula:
SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the
monitor. Note: There is no hard and fast rule that will work for all cases.
Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then
SumOfAllMons will be (1920*1200 + 1366*768)
2. CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is
determined.
3. Open the registry (regedit) and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
4. Increase the value of MaxVideoMemoryBytes REG_DWORD value to the above calculated
memory.
5. Reboot the VDA.
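The calculation and registry comparison from these steps can be scripted. The following is an added example, not taken from CTX218217 or the original guide; the function names are hypothetical, and the monitor list is the one from the example in step 1.

```powershell
# Added example (not from CTX218217 or the original guide). Read-only.
# Applies the formula above, SumOfAllMons(Width * Height) * 4 / 0.3, and compares
# the result with MaxVideoMemoryBytes currently set on the VDA.

function Get-RequiredVideoMemoryBytes {
    param(
        # One hashtable per monitor, e.g. @{ Width = 1920; Height = 1200 }
        [Parameter(Mandatory)][hashtable[]]$Monitor
    )

    [decimal]$pixels = 0
    foreach ($m in $Monitor) {
        if ($m.Width -le 0 -or $m.Height -le 0) {
            throw "Invalid resolution: $($m.Width) x $($m.Height)"
        }
        $pixels += [decimal]$m.Width * [decimal]$m.Height
    }

    # Decimal arithmetic keeps the division by 0.3 exact; round up to a whole byte.
    $bytes = [math]::Ceiling($pixels * 4 / 0.3d)

    # The registry value is a REG_DWORD, so the result must fit in 32 bits.
    if ($bytes -gt [uint32]::MaxValue) {
        throw "Result ($bytes bytes) does not fit in a REG_DWORD."
    }
    [uint32]$bytes
}

function Get-CurrentVideoMemoryBytes {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\vbdenum'
    $raw = (Get-ItemProperty -Path $key -Name MaxVideoMemoryBytes `
                -ErrorAction SilentlyContinue).MaxVideoMemoryBytes
    if ($null -eq $raw) { return $null }

    # A large DWORD can surface as a negative Int32; reinterpret it as unsigned.
    [Convert]::ToUInt32(('{0:X8}' -f $raw), 16)
}

# Monitor resolutions from the example in step 1.
$monitors = @{ Width = 1920; Height = 1200 }, @{ Width = 1366; Height = 768 }
$required = Get-RequiredVideoMemoryBytes -Monitor $monitors
$current  = Get-CurrentVideoMemoryBytes

if ($null -eq $current) {
    "MaxVideoMemoryBytes not found; required value is $required bytes."
} elseif ($current -lt $required) {
    "Increase MaxVideoMemoryBytes from $current to at least $required bytes, then reboot the VDA."
} else {
    "MaxVideoMemoryBytes ($current) already covers the required $required bytes."
}
```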
Citrix CTX127968 How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive
Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive
mapping.
The old drive letter method can be enabled by setting the registry value:
When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).
From CTX139020 Configuring Virtual Machines for Mac Client Printer Mapping with Windows 8.x. By
default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.
1. Requirements:
o Internet Access
o Windows Update service enabled
2. Click Start, and run Devices and Printers.
3. In Windows 10 1703, open Printers & scanners, then scroll down, and click Devices and printers.
4. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the
toolbar, click Print server properties.
5. Switch to the Drivers tab. Click Change Driver Settings.
9. In the Printer Driver Selection page, click Windows Update. The driver we need won't be in the list
until you click this button. Internet access is required.
10. Once Windows Update is complete, highlight HP on the left, and then select HP Color LaserJet 2800
Series PS (Microsoft) on the right. Click Next.
11. In the Completing the Add Printer Driver Wizard page, click Finish.
If you intend to use HTML5 Receiver internally, install certificates on the VDAs so the WebSockets (and ICA)
connection will be encrypted. Internal HTML5 Receivers will not accept clear text WebSockets. External
users don't have this problem since they are SSL-proxied through NetScaler Gateway. Notes:
Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is
feasible for a small number of persistent VDAs. For non-persistent VDAs, you'll need some
automatic means for creating machine certificates every time they reboot.
As detailed in the following procedure, use PowerShell on the Controller to enable SSL for the
Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the
Delivery Group must have SSL certificates installed.
The following instructions for manually enabling SSL on VDA can be found at Configure SSL on a VDA using
the PowerShell script at Citrix Docs.
1. On the VDA machine, run mmc.exe.
2. Add the Certificates snap-in.
3. Point it to Local Computer.
4. Request a certificate from your internal Certificate Authority. You can use either the Computer
template or the Web Server template.
1. You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
5. Browse to the XenApp/XenDesktop 7.14.1 ISO. In the Support\Tools\SslSupport folder, shift+right-
click the Enable-VdaSSL.ps1 script and click Copy as path.
12. If there are multiple certificates, you'll need to specify the thumbprint of the certificate you want to
use. Open the Certificates snap-in, open the properties of the machine certificate you want to use,
and copy the Thumbprint from the Details tab.
In the PowerShell prompt, at the end of the command, enter -CertificateThumbPrint, add a space, and
type quotes (").
Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The
thumbprint needs to be wrapped in quotes.
13. If this VDA machine has a different service already listening on 443 (e.g. IIS), then the VDA needs to
use a different port for SSL connections. At the end of the command in the PowerShell prompt,
enter -SSLPort 444 or any other unused port.
where <delivery-group-name> is the name of the Delivery Group containing the VDAs.
20. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is
enabled.
You should now be able to connect to the VDA using the HTML5 Receiver from internal machines.
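The certificate requirements in the procedure above (a certificate that matches the machine name, a thumbprint passed without spaces, and port 443 possibly taken by another service) can be checked before running Enable-VdaSSL.ps1. The following is an added example, not part of the Citrix script; the function names are hypothetical and the sample thumbprint is constructed.

```powershell
# Added example: pre-flight checks before running Enable-VdaSSL.ps1 on a VDA.
# Function names are hypothetical; nothing here is part of the Citrix script.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only. This drops the spaces shown on the Details tab and the
    # invisible U+200E mark that often comes along when the value is copied from MMC.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Get-VdaSslCertCandidate {
    param(
        [string]$Fqdn  = [System.Net.Dns]::GetHostEntry('').HostName,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date
    Get-ChildItem -Path $Store | Where-Object {
        # Names the certificate is valid for: SAN DNS entries plus the subject CN.
        # Exact match only; wildcard certificates are not considered here.
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $names += $_.GetNameInfo('SimpleName', $false)
        $ekus  = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($names -contains $Fqdn) -and
        ($ekus -contains $serverAuth)
    } | Sort-Object NotAfter -Descending
}

function Test-PortListening {
    param([int]$Port = 443)
    # True when some local service already listens on the port.
    [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

# Constructed sample: a thumbprint as pasted from the snap-in, hidden mark included.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ConvertTo-CleanThumbprint $pasted    # 00112233445566778899AABBCCDDEEFF00112233

# On the VDA: list usable certificates, longest-lived first.
$candidates = @(Get-VdaSslCertCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning 'No valid certificate with a private key matches this machine name.'
}
foreach ($cert in $candidates) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = ConvertTo-CleanThumbprint $cert.Thumbprint
    }
}
if ($candidates.Count -gt 1) {
    Write-Warning 'More than one certificate qualifies; pass -CertificateThumbPrint explicitly.'
}
if (Test-PortListening -Port 443) {
    Write-Warning 'TCP 443 already has a listener; use -SSLPort with an unused port.'
}
```

On non-persistent VDAs the same check can run after auto-enrollment completes, so a missing or expired certificate is caught before users connect.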
The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method
for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-
enrollment and setting up a task that runs after the certificate has been enrolled.
For certificate auto-enrollment on non-persistent Remote Desktop Session Hosts (aka Server OS
VDAs), see Non-Persistent Server SSL to VDA by Alfredo Magallon Arbizu at CUGC.
Anonymous Accounts
1. Anonymous accounts are created locally on the VDAs. When XenDesktop creates Anon accounts it
gives them an idle time as specified at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime.
The default is 10 minutes. Adjust as desired.
2. You can pre-create the Anon accounts on the VDA by running C:\Program
Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe. If you don't run this tool then Virtual
Delivery Agent will create them automatically when users log in.
3. You can see the local Anon accounts by opening Computer Management, expanding System Tools,
expanding Local Users and Groups and clicking Users.
4. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10
minutes. Feel free to change it.
Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not
apply. To work around this limitation, you'll need to edit the local group policy on each Virtual Delivery
Agent.
3. Highlight Group Policy Object Editor, and click Add to move it to the right.
4. In the Welcome to the Group Policy Wizard page, click Browse.
7. Now you can configure group policy to lock down sessions for anonymous users. Since this is a local
group policy, you'll need to repeat the group policy configuration on every Virtual Delivery Agent
image. Also, Group Policy Preferences is not available in local group policy.
Antivirus
Install antivirus using your normal procedure. Instructions vary for each Antivirus product.
Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a
consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on
the key processes, folders, and files that we have seen cause issues in the field:
Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned
See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller,
and Provisioning Services. The Blog Post also has links to additional KB articles on antivirus.
Symantec
Symantec links:
Symantec TECH91070 Citrix and terminal server best practices for Endpoint Protection.
Symantec TECH197344 Best practices for virtualization with Symantec Endpoint Protection 12.1.2
and later
Symantec TECH180229 Symantec Endpoint Protection 12.1 Non-persistent Virtualization Best
Practices
Symantec TECH123419 How to prepare Symantec Endpoint Protection clients on virtual disks for
use with Citrix Provisioning Server has a script that automates changing the MAC address registered
with Symantec.
Citrix Blog Post How to prepare a Citrix Provisioning Services Target Device for Symantec Endpoint
Protection
If profiles are deleted on logoff, set Symantec registry value CloseUserLogFile to 1. Symantec
TECH210170 Citrix user sessions are held open by ccSvcHst.exe during log off
Trend Micro
Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries
can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE
until the system has launched successfully. This avoids deadlock situations during login.
Citrix CTX136680 Slow Server Performance After Trend Micro Installation. Citrix session hosts experience
slow response and performance more noticeable while users try to log in to the servers. At some point the
performance of the servers is affected, resulting in issues with users logging on and requiring the server to
be restarted. This issue is more noticeable on mid to large session host infrastructures.
Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the
affected servers. Add new DWORD Value as:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters]
DisableCtProcCheck=dword:00000001
Sophos
Best Practice for running Sophos on virtual systems: we've amassed the following practical information
about how you can optimize our software to work with this technology.
Sophos Anti-Virus for Windows XP+: Installation and configuration considerations for Sophos Anti-Virus on
a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon
Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use
with cloned virtual machines: This procedure will make sure that the produced target/cloned computers:
Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
Have the desired version of Sophos Anti-Virus already installed and configured on the created
image.
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Optimize Performance
VDA Optimizer
Installation of the VDA might have already done this but there's no harm in doing it again. This tool is only
available if you installed VDA in Master Image mode.
VMware OS Optimization Tool. See VMware Windows Operating System Optimization Tool Guide
Technical Paper for details on this tool. This tool has templates for Windows 10/2016, plus
templates for older versions of Windows.
o LoginVSI has an OSOT template for Windows Server 2016. See How to improve your
Windows Server 2016 performance. This template was recently added to default
download of OSOT.
o Citrix XenApp and Windows Server 2016 Optimisation Script Optimise Windows Server
2016 in XenApp/RDS based environment as per citrix optimisation Guide in 2008 R2/Various
blogs and my own experience in running citrix environments.
Citrix Links:
o Citrix's Windows 10 Optimization Guide: remove built-in apps, delete Scheduled Tasks,
disable services, etc.
o Citrix's Windows 8 and 8.1 Virtual Desktop Optimization Guide contains the following:
A list of services to disable
A list of computer settings
A list of scheduled tasks to disable
A script to do all of the above
Microsoft links:
o Microsoft TechNet Blog Guidance on Disabling System Services on Windows Server 2016
with Desktop Experience contains a spreadsheet with a list of services categorized as
follows:
Optimization Notes:
If this machine is provisioned using Provisioning Services, do not disable the Shadow Copy services.
Windows 8 detects VDI and automatically disables SuperFetch. No need to disable it yourself.
Windows 8 automatically disables RSS and TaskOffload if not supported by the NIC.
Citrix CTX213540 Unable To View Printers In Devices And Printers Win 2012 R2: don't disable the
Device Setup Manager Service
Citrix CTX131995 User Cannot Launch Application in Seamless Mode in a Provisioning Services
Server when XenApp Optimization Best Practices are Applied. Do not enable
NtfsDisable8dot3NameCreation.
RDSH 2008 R2
Citrix CTX131577 XenApp 6.x (Windows 2008 R2) Optimization Guide is a document with several registry
modifications that are supposed to improve server performance. Ignore the XenApp 6 content and instead
focus on the Windows content.
Norskale has Windows 2008 R2 Remote Desktop and XenApp 6 Tuning Tips Update.
Windows 7
Microsoft has compiled a list of links to various optimization guides. It's a common practice to optimize a
Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations
include the following.
Minimize the footprint, e.g. disable some features and services that are not required when the OS is
used in stateless or non-persistent fashion. This is especially true for disk-intensive workloads
since disk I/O is a common bottleneck for VDI deployment. (Especially if there are multiple VMs
with the same I/O patterns that are timely aligned).
Lock down user interface (e.g. optimize for specific task workers).
With that said the certain practices are quite debatable and vary between actual real-world deployments.
Exact choices whether to disable this or that particular component depend on customer requirements and
VDI usage patterns. E.g. in personalized virtual desktop scenario there's much less things to disable since
the machine is not completely stateless. Some customers rely heavily on particular UI functions and
other can relatively easily trade them off for the sake of performance or standardization (thus enhance
supportability and potentially security). This is one of the primary reasons why Microsoft doesn't publish
any VDI Tuning guide officially.
Though there are a number of such papers and even tools published either by the community or third
parties. This Wiki page is aimed to serve as a consolidated and comprehensive list of such resources.
If this VDA will be a master image in a Machine Creation Services or Provisioning Services catalog, after the
master is fully prepared (including applications), do the following:
1. Go to the properties of the C: drive, and run Disk Cleanup.
3. Windows 10 1703 and newer has a new method for cleaning up temporary files.
1. Right-click the Start button, and click System.
2. Click Storage on the left, and click This PC (C:) on the right.
3. Click Temporary Files.
4. Check boxes, and click Remove files.
5. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is
not necessary to manually rearm licensing. XenDesktop will do it automatically.
9. Login Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable
Troubleshooting Graphics
If Windows 7 on vSphere, don't install the VMware SVGA driver. For more details,
see CTX201804 Intermittent Connection Failures/Black Screen Issues When Connecting from Multi-Monitor
Client Machines to Windows 7 VDA with VDA 7.x on vSphere/ESXi.
For Citrix Policies that control graphics codecs, see http://www.carlstalhood.com/citrix-policy-settings/#graphics
Citrix Blog post Optimising the performance of HDX 3D Pro Lessons from the field
From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to
7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:
1. For VDA 7.11 and newer, calculate the video memory that is required for monitors using the
following formula:
SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the
monitor. Note: There is no hard and fast rule that will work for all cases.
Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then
SumOfAllMons will be (1920*1200 + 1366*768)
2. CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is
determined.
3. Open the registry (regedit) and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
4. Increase the value of MaxVideoMemoryBytes REG_DWORD value to the above calculated
memory.
5. Reboot the VDA
From Citrix Discussions: To exclude applications from Citrix 3D rendering, create a REG_DWORD registry
value app.exe with value 0 or a registry value * with value 0.
Wildcards are not supported. The asterisk * here has a special meaning ("all apps") but is not a traditional
wildcard. To blacklist multiple apps e.g. both appa.exe and appb.exe must be done by creating a registry
value for each app individually.
This is most problematic in Remote PC since most physical PCs have GPUs. I recently had to blacklist
Internet Explorer to prevent lockup issues when switching back to physical.
Uninstall VDA
Matt Bodholdt XenDesktop 7.x Controller Service Status Script at CUGC PowerShell script that checks the
following:
Persistent vs Non-persistent
VDA design: One of the tasks of a Citrix Architect is VDA design. There are many considerations, including
the following:
Machine type: single user (virtual desktop), or multi-user (Remote Desktop Session Host). RDSH is
more hardware efficient.
Machine operating system: Windows 7, Windows 10, Windows Server 2008 R2, Windows Server
2012 R2, Windows Server 2016
Machine persistence: persistent, non-persistent
Number of new machines: concurrent vs named-users
Machine provisioning: full clones, Machine Creation Services (MCS), Provisioning Services (PvS)
Hardware for the new machines: hypervisor clusters, storage
How the machines are updated: SCCM, MCS, PvS, etc.
Application integration: locally installed, App-V, Layering, XenApp published, leave on local
endpoint machine, cloud apps, etc.
User Profiles: roaming, mandatory, home directories
Group Policies: session lockdown, automation
Disaster Recovery: replication. VDAs running in a warm site. DR for profiles and home directories
too.
Desktop Management in a Citrix environment: Some environments try to use Citrix to improve desktop
management. Here are some desktop management aspects of Citrix that aren't possible with distributed
physical desktops:
Datacenter network speeds: The VDAs have high speed connectivity to the desktop management
tools, which eliminates WAN bandwidth as a desktop management consideration. For example, you
can use Microsoft App-V to stream apps to VDAs.
Non-persistence: Non-persistent VDAs revert at every reboot. To update non-persistent VDAs,
simply update your master image.
Layering: The VDA VMs can be composed of multiple layers that are combined during machine
boot, or when the user logs in. Citrix AppDisk and Unidesk are examples of this technology. A single
layer can be shared by multiple VDAs. The layers are updated once, and all machines using the layer
receive the updated layer at next boot/login.
Master Images must be designed: Which apps go on which master image? Do you install the same
app on multiple master images?
o How do you know which apps a user needs? Most Citrix admins, and even desktop teams,
don't know every app that a user needs. You can use tools like Liquidware Labs or Lakeside
Software to discover app usage, but it's a very complicated process to find commonality
across multiple users.
o How are One-off apps handled? If you have an app used by only a small number of users,
do you add it to one of your master images? Do you create a new master image? Do you
publish it from XenApp (double hop)? Do you stream it using App-V? Layering is another
option.
o Application Licensing: for licensed apps, do you install the licensed app into the master
image and try to hide it from non-licensed users? Or do you create a new master image for
the licensed users?
o Patching multiple images: when a new OS patch needs to be deployed, you have to update
every master image running that OS version. Thus Citrix admins usually try to limit the
number of master images, which makes image design more complicated.
o How do you manage an app that is installed on multiple master images? Layering might
help with this.
Who manages the master images? Citrix admins? Desktop team? It's unlikely that traditional
desktop management tools (e.g. SCCM) will ever be completely removed from an enterprise
environment, which means that master image management is an additional task that was not
performed before. Does the Citrix admin team have the staff to take on this responsibility? Would
the desktop management team be willing to perform this new process?
o Politically feasible? Large enterprises usually have mature desktop management
practices. Would this new process interfere with existing desktop management
requirements?
o Responsibility: if the Citrix admins are not maintaining the master images, and if a Catalog
update causes user problems, who is responsible?
o RDSH Apps are complicated: who is responsible for integrating apps into Remote Desktop
Session Host (XenApp)? Does the desktop team have the skills to perform the additional
RDSH testing?
Change Control, Longer Deployment Times: Any change to a master image would affect every
machine/user using that image, thus dev/QA testing is recommended for every change, which
slows down app update deployment. And once a change is made to the master, it doesn't take
effect until the user's VDA is rebooted.
Roaming Profiles: some apps (e.g. Office) save user settings in user profiles. Since the machines
are non-persistent, the profiles would be lost on every reboot unless roaming profiles are
implemented. This adds a dependency on roaming profile configuration, and the roaming profile
file share.
o How is the Outlook OST file handled? With Cloud Hosted Exchange, for best performance,
Outlook needs to run in Cached Exchange mode. How is the large OST file roamed? One
option is to use group policy to minimize the size of the OST file. Another is to purchase a
3rd party OST handling product like FSLogix.
IT Applications (e.g. antivirus) on non-persistent machines: Many IT apps (antivirus, asset mgmt,
security, etc.) have special instructions to work on non-persistent machines. Search the vendor's
knowledgebase for VDI, non-persistent, Citrix, etc. Antivirus in particular has a huge impact on VDA
performance. And the special instructions for non-persistent VDAs are in addition to normal
antivirus configuration.
Connection Leasing does not support non-persistent virtual desktops: if the XenDesktop SQL
database is down, Connection Leasing won't help you. It's not possible to connect to non-persistent
virtual desktops until the XenDesktop SQL database connection is recovered. This affects multi-
datacenter designs.
Application Integration Technologies: Additional technologies can be used to overcome some of the
drawbacks of non-persistent machines:
Microsoft App-V: this technology can dynamically stream apps to a non-persistent image.
Different users get different apps. And the apps run in isolated bubbles. However:
o App-V is an additional infrastructure that must be built and maintained.
o App-V requires additional skills for the people packaging the apps, and the people
troubleshooting the apps.
o Since the apps are isolated, app interaction is configured manually.
o Because of application isolation, not every app can run in App-V. Maybe 60-80% of apps
might work. How do you handle apps that don't work?
Layering: each application is a different layer (VHD file). The layering tool combines multiple layers
into a single unified image. Layers are updated in one place, and all images using the layer are
updated, which solves the issue of a single app in multiple images. Layering does not use
application isolation, so almost 100% of apps should work with layering. Layers can be mounted
dynamically based on who's logging in. There's also a persistent layer that lets users install apps, or
admins can install one-off apps. Unidesk is probably the most feature rich of the layering products.
However:
o Unidesk is not free. Citrix AppDisk is free, but its features are very limited.
o Unidesk is a separate infrastructure that must be built and maintained. Citrix AppDisk is built
into XenDesktop.
o Somebody has to create the layers. This is extremely easy in Unidesk since you simply install
the applications normally (no new skills to learn). However, it's an additional task on top of
normal desktop management packaging duties.
Persistent virtual desktops: Another method of building VDAs is by creating full clone virtual desktops
that are persistent. Each virtual desktop is managed separately using traditional desktop management
tools. If your storage is an All Flash Array with inline deduplication and compression, then full clone
persistent virtual desktops probably take no more disk space than non-persistent linked clones. (Note:
persistent RDSH VDAs are not included in this section since RDSH user sessions are essentially non-
persistent) Here are some advantages of full clone persistent virtual desktops as opposed to non-persistent
VDAs:
Skills and Processes: No new skills to learn. No new desktop management processes. Use existing
desktop management tools (e.g. SCCM). The existing desktop management team can manage the
persistent virtual desktops, which reduces the workload of the Citrix admins.
One-off applications: If a user needs a one-off application, simply install it on the user's
persistent desktop. The application can be user-installed, SCCM self-service installed, or
administrator installed.
User Profile: Outlook's OST file is no longer a concern since the user's profile persists on the user's
virtual desktop. It's not necessary to implement roaming profiles when using persistent virtual
desktops. If you want a process to move a user profile from one persistent virtual desktop to
another, how do you do it on physical desktops today?
API integration: a self-service portal can use VMware PowerCLI and Citrix's PowerShell SDK to
automatically create a new persistent virtual desktop for a user. Chargeback can also be
implemented.
Offline XenDesktop SQL Database: if the Citrix XenDesktop SQL database is not reachable, then
Citrix Connection Leasing can still broker sessions to persistent virtual desktops that have already
been assigned to users. This is not possible with non-persistent virtual desktops.
Concurrent vs Named User: one advantage of non-persistent virtual desktops is that you only need
enough virtual desktops to handle the concurrent user load. With persistent virtual desktops, you need a
separate machine for each named user, whether that user is using it or not.
Disaster Recovery: for non-persistent VDAs, one option is to replicate the master images to the DR site,
and then create a Catalog of machines either before the disaster, or after. If before the disaster, the VDAs
will already be running and ready for connections; however, the master images are maintained separately
in each datacenter.
Immediately after the disaster, instruct the persistent users to connect to a pool of non-persistent
machines.
In the DR site, create new persistent virtual desktops for the users. Users would then need to use
SCCM or similar to reinstall their apps. Scripts can be used to back up the user's profile and restore
it on the DR desktop. This method is probably closest to how recovery is performed on physical
desktops.
The persistent virtual desktops can be replicated and recovered in the DR site. When the machines
are added to Citrix Studio in DR, each machine is assigned to specific users. This process is usually
scripted.
Zones
Caveats: Zones let you stretch a single XenApp/XenDesktop site/farm across multiple datacenters.
However, note these caveats:
Studio: If all Delivery Controllers in the Primary Zone are down, then you can't manage the
farm/site. This is true even if SQL is up, and Delivery Controllers are available in Satellite Zones. It's
possible to designate an existing zone as the Primary Zone by running Set-ConfigSite -PrimaryZone
<Zone>, where <Zone> can be name, UID, or a Zone object.
Version/Upgrade: All Delivery Controllers in the site/farm must be the same version. During an
upgrade, you must upgrade every Delivery Controller in every zone.
Offline database: In XenApp/XenDesktop 7.11 and older, there is no offline database option
similar to XenApp 6.5's Local Host Cache. If the database is down, then Connection Leasing is used.
In XenApp/XenDesktop 7.12 and newer, there's Local Host Cache. However, the LHC in 7.12 and
newer has limitations: no non-persistent desktops (dirty desktops are an option in 7.14 and newer),
maximum of 5,000 VDAs per zone (10,000 per zone, 40K per site, in 7.14 and newer), has issues if
Controller is rebooted, etc. Review the Docs article for details.
Complexity: Zones do not reduce the number of servers that need to be built. And they increase
complexity when configuring items in Citrix Studio.
Zone Preference: to choose a VDA in a particular zone, your load balancer needs to include a
special HTTP header (X-Citrix-ZonePreference) that indicates the zone name. This requires
StoreFront 3.7, and XenApp/XenDesktop 7.11.
The alternative to zones is to build a separate site/farm in each datacenter, and use StoreFront to
aggregate the published icons. Here are benefits of multiple sites/farms as compared to zones:
Isolation: Each datacenter is isolated. If one datacenter is down, it does not affect any other
datacenter.
Versioning: Isolation lets you upgrade one datacenter before upgrading other datacenters. For
example, you can test upgrades in a DR site before upgrading production.
SQL High Availability: since each datacenter is a separate farm/site with separate databases, there
is no need to stretch SQL across datacenters.
Home Sites: StoreFront can prioritize different farms/sites for different user groups. No special
HTTP header required.
Here are some general design suggestions for XenApp/XenDesktop in multiple datacenters:
For multiple central datacenters, build a separate XenApp/XenDesktop farm in each datacenter.
Use StoreFront to aggregate the icons from all farms. Use NetScaler GSLB to distribute users to
StoreFront. This provides maximum flexibility with minimal dependencies across datacenters.
For branch office datacenters, zones with Local Host Cache (7.12 and newer) is an option. Or each
branch office can be a separate farm.
Create Zones: This section details how to create zones and put resources in those zones. In 7.9 and older,
there's no way to select a zone when connecting. In 7.11 and newer, NetScaler and StoreFront can now
specify a zone and VDAs from that zone will be chosen. See Zone Preference for details.
Citrix Links:
Zones at docs.citrix.com.
Citrix Blog Post Deep Dive: XenApp and XenDesktop 7.7 Zones
Citrix Blog Post Zones, Latency and Brokering Performance
There is no SQL in Satellite zones. Instead, Controllers in Satellite zones connect to SQL in Primary zone.
Here are tested requirements for remote SQL connectivity. You can also set
HKLM\Software\Citrix\DesktopServer\ThrottledRequestAddressMaxConcurrentTransactions to throttle
launches at the Satellite zone.
From Mayunk Jain: I guess we can summarize the guidance from this post as follows: the best practice
guidance has been to recommend a datacenter for each continental area. A typical intra-continental
latency is about 45ms. As these numbers show, in those conditions the system can handle 10,000 session
launch requests in just under 20 minutes, at a concurrency rate of 36 requests.
If Satellite zone loses connectivity to SQL, then the Connection Leasing feature kicks in. See docs.citrix.com
Connection leasing and CTX205169 FAQ: Connection Leasing in XenApp/XenDesktop 7.6 for information on
Connection Leasing limitations (e.g. no pooled virtual desktops, 2 week-old leases, etc.).
Controllers: always leave two Controllers in the Primary zone. Add one or two Controllers to the
Satellite zone.
Hosting Connections: e.g. for vCenter in the satellite zone.
Catalogs: any VDAs in satellite catalogs automatically register with Controllers in the same zone.
NetScaler Gateway requires StoreFront that understands zones (not available yet). StoreFront
should be in satellite zone.
Do the following to create a zone and move items into the zone:
1. In Citrix Studio 7.7 or newer, expand the Configuration node, and click Zones.
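2. If you upgraded from an older XenApp/XenDesktop and don't see zones, then run the following
commands in PowerShell:
    # Load the Citrix snap-ins if they are not already loaded
    Add-PSSnapin Citrix*
    # Folder that holds the Studio role configuration
    cd 'C:\Program Files\Citrix\XenDesktopPoshSdk\Module\Citrix.XenDesktop.Admin.V1\Citrix.XenDesktop.Admin\StudioRoleConfig'
    # Import the signed role configuration
    Import-AdminRoleConfiguration -Path .\RoleConfigSigned.xml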
6. Right-click Zones, and click Create Zone.
11. To assign users to the new zone, create a Delivery Group that contains machines from a Catalog
that's in the new zone. Zone Preference requires StoreFront 3.7 and XenApp/XenDesktop 7.11.
12. If your farm has multiple zones, when creating a hosting connection, you'll be prompted to select a
zone.
13. If your farm has multiple zones, when creating a Manual catalog, you'll be prompted to select a
zone.
14. MCS catalogs are put in a zone based on the zone assigned to the Hosting Connection.
15. The Provisioning Services XenDesktop Setup Wizard ignores zones so you'll have to move the PvS
Machine Catalog manually.
16. New Controllers are always added to the Primary zone. Move it manually.
Zone Preference
XenApp/XenDesktop 7.11 adds Zone Preference, which means NetScaler (11.0 build 65 and newer) and
StoreFront (3.7 and newer) can request XenDesktop Controller to provide a VDA in a specific zone.
Citrix Blog Post Zone Preference Internals details three methods of zone preference: Application Zone,
User Zone, and NetScaler Zone.
To configure zone preference:
1. Create separate Catalogs in separate zones, and add the machines to a single Delivery Group.
2. You can add users to one zone by right-clicking the zone, and clicking Add Users to Zone. If there
are no available VDAs in that preferred zone, then VDAs are chosen from any other zone.
5. If you edit the Delivery Group, on the Users page, you can specify that Sessions must launch in a
user's home zone. If there are no VDAs in the user's home zone, then the launch fails.
6. For published apps, on the Zone page, you can configure it to ignore the user's home zone.
7. You can also configure a published app with a preferred zone, and force it to only use VDAs in that
zone. If you don't check the box, and if no VDAs are available in the preferred zone, then VDAs can
be selected from any other zone.
8. Or you can Add Applications to Zone, which allows you to add multiple Applications at once.
9. NetScaler can specify the desired zone by inserting the X-Citrix-ZonePreference header into the
HTTP request to the StoreFront 3.7 server. This header can contain up to 3 zones. The first Zone in
the header is the preferred Zone, and the next 2 are randomised such as EMEA,US,APAC or
EMEA,APAC,US. StoreFront 3.7 will then forward the zone names to Delivery Controller 7.11, which
will select a VDA in the desired zone. This functionality can be combined with GSLB as detailed in
the 29 page document Global Server Load Balancing (GSLB) Powered Zone Preference. Note: only
StoreFront 3.7 and newer will send the zone name to the Delivery Controller.
10. Delivery Controller entries in StoreFront can be split into different entries for different zones.
Create a separate Delivery Controller entry for each zone, and associate a zone name with each.
StoreFront uses the X-Citrix-ZonePreference header to select the Delivery Controller entry so the
XML request is sent to the Controllers in the same zone. HDX Optimal Gateways can also be
associated to zoned Delivery Controller entries. See The difference between a farm and a zone
when defining optimal gateway mappings for a store at Citrix Docs.
11. Citrix Blog Post Zone Preference Internals indicates that there's a preference order to zone
selection. The preference order can be changed.
1. Application's Zone
2. User's Home Zone
3. The Zone specified by NetScaler in the X-Citrix-ZonePreference HTTP header sent to
StoreFront.
CTP Aaron Parker Machine Creation Services Capacity Sizing on Hyper-V details storage sizing for the
following:
Delta Clones (aka linked clones) Master Image, AppDisks, Personal vDisks, and other Hyper-V files
Delta Clones with Storage Optimization (aka MCS Memory Caching)
Full Clones
In XenApp/XenDesktop 7.9 and earlier, Persistent Linked Clones are created by selecting Yes, create a
dedicated virtual machine in the Create Catalog wizard. Please, never do this in 7.9 or earlier, since you
can't move the machines once they're created. A much better option is to use vCenter to do Full Clones of
a template Virtual Machine. Then when creating a Catalog, select Another service or technology to add
the VMs that have already been built.
In XenApp/XenDesktop 7.11 and newer, you can create MCS Full Clones. Full Clones are a full copy of a
template virtual machine. The Full Clone can then be moved to a different datastore (including Storage
vMotion), different cluster, or even different vCenter. You can't do that with Linked Clones.
For Full Clones, simply prepare a Master Image like normal. There are no special requirements. There's no
need to create Customization Specifications in vCenter since Sysprep is not used. Instead, MCS uses its
identity technology to change the identity of the full clone. That means every full clone has two disks: one
for the actual VM, and one for identity (machine name, machine password, etc).
During creation of a Full Clones Catalog, MCS still creates the master snapshot replica and ImagePrep
machine, just like any other linked clone Catalog. The snapshot replica is then copied to create the Full
Clones.
In 7.11 and newer, during the Create Catalog wizard, if you select Yes, create a dedicated virtual machine:
After you select the master image, there's a new option for Use full copy for better data recovery and
migration support. This is the option you want. The Use fast clone option is the older, not recommended,
option.
Since these are Full Clones, once they are created, you can do things like Storage vMotion.
During Disaster Recovery, restore the VM (both disks). You might have to remove any Custom Attributes
on the machine, especially the XdConfig attribute.
Inside the virtual machines, you might have to change the ListOfDDCs registry value to point to your DR
Delivery Controllers. One method is to use Group Policy Preferences Registry.
Once a Catalog is created, you can run the following commands to specify the starting count:
Get-AcctIdentityPool
Set-AcctIdentityPool -IdentityPoolName "NAME" -StartCount VALUE
Memory caching in MCS is very similar to Memory caching in PvS. All writes are cached to memory instead
of written to disk. With memory caching, some benchmarks show 95% reduction in IOPS. Here are some
notes:
You configure a size for the memory cache. If the memory cache is full, it overflows to a cache disk.
Whatever memory is allocated to the MCS memory cache is no longer available for normal
Windows operations, so make sure you increase the amount of memory assigned to each virtual
machine.
The overflow disk (temporary data disk) can be stored on shared storage, or on storage local to
each hypervisor host. Since memory caching dramatically reduces IOPS, there shouldn't be any
problem placing these overflow disks on shared storage. If you put the overflow disks on hypervisor
local disks then you won't be able to vMotion the machines.
The overflow disk is uninitialized and unformatted. Don't touch it. Don't format it.
For a good overview of the feature, see Citrix Blog Post Introducing MCS Storage Optimization.
Andrew Morgan Everything you need to know about the new Citrix MCS IO acceleration details the
performance counters that show memory cache and disk cache usage.
Studio needs to be configured to place the temporary overflow disks on a datastore. You can configure this
datastore when creating a new Hosting Resource, or you can edit an existing Hosting Resource.
1. In Studio, go to Configuration > Hosting, and click the link to Add Connection and Resources.
1. In Studio, go to Configuration > Hosting, right-click an existing resource, and click Edit Storage.
2. On the Temporary Storage page, select a shared datastore for the temporary overflow disks.
Memory caching is enabled when creating a new Catalog. You can't enable it on existing Catalogs. Also, no
AppDisks.
3. In the Virtual Machines page, allocate some memory to the cache. For virtual desktops, 256 MB is
typical. For RDSH, 4096 MB is typical. More memory = less IOPS.
4. Whatever you enter for cache memory, also add it to the Total memory on each machine.
5. Once the machines are created, add them to a Delivery Group like normal.
6. The temporary overflow disk is not initialized or formatted. From Martin Rowan at
discussions.citrix.com: Don't format it, the raw disk is what MCS caching uses.
From Citrix Discussions: When a Machine Creation Services catalog is created or updated, a snapshot of the
master image is copied to each LUN. This Replica is then powered on and a few tasks are performed like
KMS rearm and Personal vDisk enabling.
From Citrix Blog Post Machine Creation Service: Image Preparation Overview and Fault-Finding and
CTX217456 Updating a Catalog Fails During Image Preparation: if you are creating a new Catalog, here are
some PowerShell commands to control what Image Prep does: (run asnp citrix.* first)
If you are troubleshooting an existing Catalog, here are some PowerShell commands to control what Image
Prep does: (run asnp citrix.* first)
A common issue with Image Prep is Rearm. Instead of the commands shown above, you can set the
following registry key on the master VDA to disable rearm. See Unable to create new catalog at Citrix
Discussions.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
o SkipRearm (DWORD) = 1
Mark DePalma at XA 7.6 Deployment Failure Error : Image Preparation Office Rearm Count Exceeded at
Citrix Discussions had to increase the services timeout to fix the rearm issue:
HKLM\SYSTEM\CurrentControlSet\Control
o ServicesPipeTimeout (DWORD) = 180000
From Mark Syms at Citrix Discussions: You can add one (or both) of the following MultiSZ registry values
HKLM\Software\Citrix\MachineIdentityServiceAgent\ImagePreparation\Before
HKLM\Software\Citrix\MachineIdentityServiceAgent\ImagePreparation\After
The values are expected to be an executable or script (PoSh or bat), returning 0 on success.
Citrix CTX140734 Error: Preparation of the Master VM Image failed when Creating MCS Catalog in
XenApp or XenDesktop: To troubleshoot image prep failures, do the following:
Citrix CTX223133 How to change the disk deletion interval to delete unused base disks on the VM storage.
Every 6 hours, XenDesktop runs a task to delete unused base disks.
The Disk Reaper interval is configured using PowerShell. The default values are shown below:
If the unused base disks are not deleting, then see MCS Deleting basedisk from VM Storage at Citrix
Discussions for troubleshooting steps.
George Spiers in Active Directory user computer name caching in XenDesktop explains how the Broker
Service in XenDesktop Controller caches Active Directory user and computer names. The cache can be
updated by running Update-BrokerNameCache -Machines or Update-BrokerNameCache -Users. Also see
Update-BrokerNameCache at Citrix Docs.
XenApp/XenDesktop 7.14 and newer supports multiple license types (e.g. XenApp Concurrent and
XenDesktop User/Device) within a Single farm/site. However, a farm/site only supports a single Edition
(i.e. Enterprise or Platinum, but not both). The license model and product are configured at the Delivery
Group. See CTX223926, and Multi-type licensing at Citrix Docs.
To configure license model and product, run the following PowerShell commands (run asnp citrix.* first):
LicenseModel can be UserDevice, or Concurrent. ProductCode can be XDT (XenDesktop) or MPS (XenApp).
Delivery Groups in 7.8 and newer
In XenApp/XenDesktop 7.8, when creating a Delivery Group, there are new options for publishing
applications and publishing desktops.
On the Applications page of the Create Delivery Group wizard, From start menu reads icons from a
machine in the Delivery Group and lets you select them. Manually lets you enter file path and other details
manually. These are the same as in prior releases.
Existing is the new option. This lets you easily publish applications across multiple Delivery Groups.
You can also go to the Applications node, edit an existing application, change to the Groups tab, and
publish the existing app across additional Delivery Groups.
Once multiple Delivery Groups are selected, you can prioritize them by clicking the Edit Priority button.
On the Desktops page of the Create Delivery Group wizard, you can now publish multiple desktops from a
single Delivery Group. Each desktop can be named differently. And you can restrict access to the published
desktop.
There doesn't seem to be any way to publish a Desktop across multiple Delivery Groups.
It's still not possible to publish apps and desktops across a subset of machines in a Delivery Group. But the
new method of publishing apps across multiple Delivery Groups should make it easier to split your
machines into multiple Delivery Groups.
In 7.12 and newer, you can assign tags to machines. Then you can publish apps and/or desktops to only
those machines that have the tag. This means you can publish icons from a subset of the machines in the
Delivery Group, just like you could in XenApp 6.5.
1. In Citrix Studio, find the machines you want to tag (e.g. double-click a Delivery Group). You can
right-click one machine, or select multiple machines and right-click them. Then click Manage Tags.
2. Click Create.
3. Give the tag a name, and click OK. This tag could be assigned to multiple machines.
4. After the tag is created, check the box next to the tag to assign it to these machines. Then click
Save.
5. Edit a Delivery Group that has published desktops. On the Desktops page, edit one of the desktops.
6. You can use the Restrict launches to machines with tag checkbox and drop-down to filter the
machines the desktop launches from. This allows you to create a new published desktop for every
machine in the Delivery Group. In that case, each machine would have a different tag. Create a
separate published desktop for each machine, and select one of the tags.
7. A common request is to create a published desktop for each XenApp server. See Citrix Blog
Post How to Assign Desktops to Specific Servers in XenApp 7 for a script that can automate this
configuration.
8. When you create an Application Group, on the Delivery Groups page, there's an optional checkbox
to Restrict launches to machines with tag. Any apps in this app group only launch on machines that
have the selected tag assigned. This lets you have common apps across all machines in the Delivery
Group, plus one-off apps that might be on only a small number of machines in the Delivery Group.
In that case, you'll have one app group with no tag restrictions for the common apps, and a
different app group with tag restriction for the one-off apps.
1. Once an RDSH Delivery Group is created, you can right-click it and click Edit Delivery Group.
2. The Restart Schedule page lets you schedule a restart of the session hosts.
3. XenApp 7.7 and newer lets you send multiple notifications.
Script
Multiple Sessions
From Configure session roaming at Citrix Docs: By default, users can only have one session. On XenApp 7.6
(experimental support) and XenApp 7.7+ (full support), you can configure SessionReconnection setting
available via PowerShell. On any Server OS delivery group, run:
Always: This is the default and matches the behavior of a VDI session. Sessions always roam,
regardless of client device.
DisconnectedOnly: This reverts back to the XenApp 6.x and earlier behavior. Sessions may be
roamed between client devices by first disconnecting them (or using Workspace Control) to
explicitly roam them. However, active sessions are not stolen from another client device, and a
new session is launched instead.
SameEndpointOnly: This matches the behavior of the ReconnectSame registry setting in XenApp
6.x. Each user will get a unique session for each client device they use, and roaming between
clients is completely disabled.
This will change the roaming behavior for desktop sessions. For app sessions, use:
It is sometimes useful (e.g. DR) to export machine assignments from one Catalog/Delivery Group and
import to another.
From Adil Dean at Exporting Dededicated VDI machine names and user names from catalog in Xendesktop
7.x at Citrix Discussions: Hopefully this is what you are after, it turns out you don't actually need
PowerShell as the functionality is built into the tool.
Shane O'Neill produced an export utility that can be scheduled to run periodically. See XenDesktop Farm
Migration Utility Update Version 1.2.
Sacha Thomet wrote a script at victim of a good reputation Low free pooled XenDesktops that polls
Director to determine the number of free desktops in a Delivery Group. If lower than the threshold, an
email is sent.
Published Applications
Last Modified: Jun 20, 2017 @ 7:22 pm
Installing apps on Remote Desktop Session Host (XenApp) is more complicated than installing apps on a
single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be
tested before integrating a new application into RDSH. These considerations usually don't apply to virtual
desktops.
Multi-user Capable: can the application run multiple times on the same machine by different
users? Most applications don't have a problem, but a few do, especially applications that put
temporary files or other writable files in global locations. For example, the first user of an app could
write temporary files to C:\Temp. The second user writes to the same location, overwriting the
temp files needed by the first user. Test the app with multiple users running the app on the same
RDSH machine.
Lockdown to prevent one user from affecting another: what restrictions are needed to prevent
one user from affecting another? For example, if an app's configuration files are stored in a global
location, you don't want one user to edit the configuration file, and thus affect a different user. Test
the app with multiple users running the app on the same RDSH machine.
Permission Relaxations: what relaxations (e.g. NTFS) are needed to allow non-administrators and
GPO locked-down users to run the application? Test the application as a non-administrator with
GPO lock down policies applied.
First Time Use: when a user launches an application the first time, the application should be
automatically fully configured with default settings (e.g. back-end server connections). Use group
policy to apply application settings. Automated FTU also helps with a user whose profile is reset.
Test the RDSH app with a user that has a new (clean) profile.
Roaming: users could connect to a different RDSH machine every day, and thus user settings need
to roam across machines. Test running the app on one RDSH, make changes, then login to a
different RDSH machine to ensure the changes are still there.
Application Licensing: if an application requires licensing, can licensed and non-licensed users
connect to the same machine? Can it be guaranteed that non-licensed users can't run the
application that requires licensing? Adobe Acrobat is an example of a challenging application
because of the global .pdf file-type association, and the global PDF printer.
Client Devices (USB, printers, COM ports): the client device mapping capabilities on RDSH are not
as extensive as virtual desktops. For example, generic USB wasn't added until Windows Server 2012
R2. When the application prints, does it show printers from every user, instead of just the user
running the app? Does the app need COM port mapping?
Shared IP: does the app have any problems with multiple users sharing the same IP address? If so,
you might have to configure RDS IP Virtualization.
Fair Sharing of Hardware Resources: does the app sometimes consume a disproportionate amount
of hardware resources? For example, can the app be used to launch a task that consumes 100%
CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix
Workspace Environment Manager to ensure fair sharing of hardware resources.
Published Application: can the app run as a published application that doesn't have Explorer
running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe
/AlternateShellStartup to fully initialize before it will run correctly as a published application? Some
apps work without issue in a published desktop, but don't work properly as published applications.
When testing a published app, test it with a user that has a new (clean) profile. Connecting to the
published desktop once will cause Active Setup to run, changing the user's profile, thus distorting
the published app testing results.
Integration Testing: when installing a new app on a RDSH server, don't forget to test the other
apps already on the RDSH server, because the new app might have broken the other apps. The
more apps you put on an RDSH server, the longer it takes to perform integration testing.
Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft
App-V) that runs apps in isolated bubbles.
Application Groups
Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9
XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps
together so you can more easily apply properties to every app in the group. Today, you can do the
following:
3. In the Delivery Groups page, select the delivery groups you want these apps published from.
4. In the Users page, select the users that can see the apps in this app group.
5. Note: there are three levels of authorization. An app is only visible to a user if the user is assigned
to all of the following:
o Delivery Group
o Application Group
o Individual Published Apps in the Application Group
6. Click Next.
7. In the Applications page, publish applications like normal, and then click Next.
8. In the Summary page, give the Application Group a name, and click Finish.
12. However, this is more of a copy than a move. To actually move the app exclusively into the
Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or
other Application Groups). The app will instead inherit the Delivery Groups from the app group.
13. If you edit the Application Group:
14. The Settings page has an option for session sharing between Application Groups. Clearing this
checkbox allows you to force applications in different Application Groups to run in different
sessions.
15. The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions
are load balanced. If priorities are different, then sessions are launched on Delivery Groups in
priority order.
16. In XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to
launch multiple app instances in separate sessions. Citrix Blog Post XenApp and XenDesktop 7.13:
For Published Applications, there are three levels of application authorization: Delivery Group, Application
Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all
three levels.
1. Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won't
see any application or desktop icon published from that Delivery Group.
2. Limit Visibility: You can use the published app's Limit Visibility page to restrict an icon to a subset
of Delivery Group users.
3. In XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to
published icons.
4. App Icons won't appear unless users are added to all three of the above locations.
2. In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by
default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell
command Set-BrokerEntitlementPolicyRule to limit the desktop icon to a subset of the users assigned to
the Delivery Group.
1. Run asnp citrix.*
2. Run Get-BrokerEntitlementPolicyRule to see the published desktops.
3. Then run Set-BrokerEntitlementPolicyRule to set the IncludedUsers or ExcludedUsers filters.
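The three levels of application authorization described above, modeled offline as an added example (not code from the original page or from Citrix). The record shapes, property names and sample users are constructed for illustration; the model assumes that a level which is not configured imposes no restriction, and it does not expand nested AD groups.

```powershell
# Added example: offline model of the three authorization levels for published apps.
# Record shapes and sample data are constructed; they are not Broker SDK objects.

function Get-EffectiveAppUsers {
    # Intersect the user lists of the levels that are configured.
    # Omit -AppGroupUsers or -LimitVisibilityUsers when that level is not in use
    # (assumption: an unconfigured level imposes no restriction).
    param(
        [string[]] $DeliveryGroupUsers = @(),
        [string[]] $AppGroupUsers,
        [string[]] $LimitVisibilityUsers
    )
    $users = @($DeliveryGroupUsers)
    if ($PSBoundParameters.ContainsKey('AppGroupUsers')) {
        $users = @($users | Where-Object { $_ -in $AppGroupUsers })
    }
    if ($PSBoundParameters.ContainsKey('LimitVisibilityUsers')) {
        $users = @($users | Where-Object { $_ -in $LimitVisibilityUsers })
    }
    return $users
}

function Get-AppAuthorizationReport {
    # For each app record, report who ends up seeing the icon and flag
    # entries that are wider or narrower than the administrator likely intended.
    param(
        [Parameter(Mandatory)] [object[]]  $Apps,
        [Parameter(Mandatory)] [hashtable] $DeliveryGroups,
        [hashtable] $AppGroups = @{}
    )
    foreach ($app in $Apps) {
        if (-not $DeliveryGroups.ContainsKey($app.DeliveryGroup)) {
            throw "App '$($app.Name)' references unknown Delivery Group '$($app.DeliveryGroup)'"
        }
        $dgUsers = @($DeliveryGroups[$app.DeliveryGroup])
        $levels  = @{ DeliveryGroupUsers = $dgUsers }
        $lower   = @()   # users named at the two lower levels
        $notes   = @()

        if ($app.AppGroup) {
            if (-not $AppGroups.ContainsKey($app.AppGroup)) {
                throw "App '$($app.Name)' references unknown Application Group '$($app.AppGroup)'"
            }
            $levels['AppGroupUsers'] = @($AppGroups[$app.AppGroup])
            $lower += $levels['AppGroupUsers']
        }
        if ($null -ne $app.LimitVisibility) {
            $levels['LimitVisibilityUsers'] = @($app.LimitVisibility)
            $lower += $levels['LimitVisibilityUsers']
        }

        # Only the Delivery Group level is configured: every Delivery Group user sees the icon.
        if ($levels.Count -eq 1) {
            $notes += 'no restriction below the Delivery Group'
        }
        # Users granted at a lower level but missing from the Delivery Group never see the icon.
        $orphans = @($lower | Sort-Object -Unique | Where-Object { $_ -notin $dgUsers })
        if ($orphans.Count -gt 0) {
            $notes += "not in Delivery Group, so no icon: $($orphans -join ', ')"
        }
        $effective = @(Get-EffectiveAppUsers @levels)
        if ($effective.Count -eq 0) {
            $notes += 'visible to nobody'
        }

        [pscustomobject]@{
            App            = $app.Name
            EffectiveUsers = $effective -join ', '
            Notes          = $notes -join '; '
        }
    }
}

# Constructed sample inventory.
$deliveryGroups = @{
    'RDSH-Prod' = @('CORP\alice', 'CORP\bob', 'CORP\carol', 'CORP\dave')
}
$appGroups = @{
    'Finance Apps' = @('CORP\alice', 'CORP\bob', 'CORP\erin')
}
$apps = @(
    [pscustomobject]@{ Name = 'Notepad'; DeliveryGroup = 'RDSH-Prod'; AppGroup = $null;          LimitVisibility = $null }
    [pscustomobject]@{ Name = 'Ledger';  DeliveryGroup = 'RDSH-Prod'; AppGroup = 'Finance Apps'; LimitVisibility = @('CORP\alice') }
    [pscustomobject]@{ Name = 'Payroll'; DeliveryGroup = 'RDSH-Prod'; AppGroup = 'Finance Apps'; LimitVisibility = @('CORP\erin') }
)

Get-AppAuthorizationReport -Apps $apps -DeliveryGroups $deliveryGroups -AppGroups $appGroups |
    Format-Table -AutoSize -Wrap
```

The Payroll row is the failure mode worth checking for in a real site: the user is listed in the Application Group and in Limit Visibility, but not in the Delivery Group, so the icon never appears.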
Published Content
XenApp 7.11 adds Published Content where you can publish URLs that are opened in the user's local
browser. You can also publish UNC paths, which are opened with local Explorer or local application.
The New-BrokerApplication cmdlet requires you to specify a Delivery Group. This Delivery Group must have at
least one registered machine in it. However, the published content does not actually launch from the
Delivery Group since the URLs and/or UNCs open locally.
Instead of publishing to a Delivery Group, you can publish to an Application Group by using the
-ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.
Once the Published Content is created, you can see it in Studio. You can also edit it from Studio, including
Limit Visibility and Groups (to move it to an Application Group).
Published Content can be placed in Application Groups. You can then use the Application Group properties
to restrict access to the shortcut.
It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix
Blog Post @XDtipster Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to
a base64 string, and import to XenApp using New-BrokerIcon -EnCodedIconData "Base64 String". Then you can link
the icon to the Published Content using Set-BrokerApplication "App Name" -IconUid.
In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.
HTTP/HTTPS Published Content should open in Receiver. Other URLs (e.g. file:// or UNC path) will probably
show an error message.
You can override this restriction by enabling the group policy setting Allow/Prevent users to publish
unsafe content at Computer Configuration | Policies | Administrative Templates | Citrix Components |
Citrix Receiver | SelfService. This assumes you've installed the Receiver .admx files. (h/t David Prows at
CUGC forums).
In a published application's Properties, on the Identification page, in the Description and keywords field,
you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.
Users will have a better experience with StoreFront if applications are published into folders. The folder
name is specified in the Delivery page in the Category field. Note: Add shortcut to user's desktop works in
newer versions of Receiver assuming the app is marked as a Favorite.
Secure Browser
Citrix has a deployment guide for publishing a browser from XenApp. Here's an overview of the
configuration:
When a user launches the published browser, the HTML5 client opens the published app in a local browser
tab. The published browser runs in kiosk mode so that the published browser's user interface is hidden. It
looks like the website is running on the local browser but actually it's running from a published browser.
There's a special XenApp Secure Browser Edition that is only licensed for publishing browsers from RDSH.
See the press release Citrix Radically Simplifies the Secure Delivery of Browser-based Apps.
App-V
The latest App-V 5.1 hotfix is March 2017 servicing release for Microsoft Desktop Optimization Pack. Note:
Windows 10 1607 and Windows 2016 get App-V updates through Windows Update.
The latest App-V 5.0 hotfix is Hotfix Package 3 for Microsoft Application Virtualization 5.0 SP3.
There is a special version of App-V client for RDS (Remote Desktop Session Host). The normal App-V client
in MDOP won't work. Get the RDS version from the Microsoft Volume Licensing website.
Links:
Microsoft App-V Team Blog: Support Tip: Mandatory user profiles and App-V integration with
Configuration Manager - configure SCCM to run a logon script to republish App-V packages at every
logon.
Thamim Karim: Driving Down App-V Publishing Times in Non Persistent VDI Environments - various
optimization tips and performance measurements
Måns Hurtigh: Integrate Application Virtualization with Citrix Provisioning Services - pre-load App-V
apps in master image, then run startup script on Target Devices to update App-V cache
XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V
packages directly from an SMB share as detailed at App-V at Citrix Docs. The computer accounts for
Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain
Computers. See CTX221296 Citrix App-V Integration Minimum Permission Requirements.
The App-V apps show up as AppLibrary App-V and support the same options as other published
applications.
Make sure the App-V Components are installed on your VDA. It's not checked by default in 7.12 and newer.
On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V
client.
There appear to be some limitations to the package share method as detailed by Joe Robinson at
discussions.citrix.com:
Joe Robinson provided a script to force the App-V client to sync before launching the user's App-V
application.
On any executable, add the /appvve:<PackageID>_<VersionID> of the package in which one would like
the executable to run
If the App-V process is already running then use the /appvpid:<ProcessId> to inject into a running
App-V virtual environment
If you want something more permanent, you can set the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName> with a default
REG_SZ key that has the executable name in it.
Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized
environment.
AppDisks
See http://www.carlstalhood.com/appdisks/
Change Published Desktop Icon
Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell
to import a Base-64 icon and then link it to the published desktop.
StoreFront 3.0 and newer overrides custom desktop icons. Run the following PowerShell command (from
discussions.citrix.com) to restore custom desktop icons:
CTX209199 Published 64 bit Apps Can't Be Started With %ProgramFiles% in Command Line If It's Not the
first Application to Start: You can try the following methods to address this issue:
CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the
parameters --allow-no-sandbox-job --disable-gpu in the published app command line.
CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any
published app, is seen in black/grey screen: The command line parameter has to be added to registry shell
open command for the Chrome browser:
1. In Studio, you can disable a published application by right-clicking it, and clicking Disable.
2. In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application
visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is
automatically hidden (no longer shown in the apps list).
3. If desired, you can hide or unhide the disabled application icon by running a PowerShell command:
4. asnp citrix.*
5. Set-BrokerApplication MyApp -Visible $false
6. When you re-enable the application, Visibility is automatically set back to true.
Receiver 4.7 and newer, combined with VDA 7.13 and newer, support redirecting URLs from client to
VDA (published Internet Explorer), or from VDA to client. See Bidirectional content redirection policy
settings at Citrix Docs for requirements and limitations.
2. Make sure Internet Explorer is published. Internet Explorer is not in the Start Menu, so you have to
publish it Manually. Only Internet Explorer is supported for bidirectional.
3. Edit a GPO that applies to VDA users.
4. Go to User Config | Policies | Citrix Policies, and edit a Citrix Policy.
5. Find the setting Allow Bidirectional Content Redirection, and enable it (Allowed).
6. Also configure the Allowed URLs policy settings to indicate which URLs should be redirected in
either location.
7. Copy the receiver.admx file from Receiver 4.7 or newer to PolicyDefinitions (SYSVOL or
C:\Windows\PolicyDefinitions).
8. Edit a GPO that applies to client devices (endpoints).
9. Go to User Configuration | Policies | Administrative Templates | Citrix Receiver | User
experience.
10. Double-click the setting Bidirectional Content Redirection.
15. On the client device, run the following command to register the Internet Explorer add-on.
16. When you run Internet Explorer on the VDA or client device, you'll be prompted to enable the
add-on. You can configure a GPO to enable this add-on automatically. Redirection won't work unless the
add-on is enabled.
Some applications are not suitable for centralization and instead should run on endpoint devices. These
applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you
access these endpoint-installed applications from inside a published desktop. This is sometimes called
Reverse Seamless.
User-managed local applications. Any shortcuts in the endpoint's local Start Menu and local
Desktop are made available from inside the published desktop.
Administrator-managed local applications. Use Studio to publish a local application, which is
created as a shortcut inside the published desktop. When the shortcut is launched, it is actually
running from the endpoint device (reverse seamless) instead of the centralized desktop. If you
enable administrator-managed local applications then user-managed local applications are
disabled.
URL Redirection. Administrators define some URLs that should be opened in a local endpoint
browser instead of a VDA browser and then display the local browser inside the published desktop
(reverse seamless).
1. In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting.
2. The URL redirection black list setting lets you define a list of URLs that should be opened on the
endpoint's browser instead of the VDA browser.
3. On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel free to add
/includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch
automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code
does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for
Remote PC.
4. After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix
URL-Redirection Helper add-on.
5. You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.
6. By default, Local App Access redirects the endpoint's Start Menu and Desktop. You can control
which folders are redirected by editing the endpoint's registry at HKCU\Software\Citrix\ICA
Client\CHS. Create the Multi-String Values named ProgramsFolders and Desktop Folders and point
them to folders containing shortcuts that you want to make available from inside the published
desktop. Andrew Morgan has a GUI tool for editing these registry values.
7. When you connect to a published desktop, by default, there will be a Local Programs folder in the
Start Menu containing shortcuts to programs on the endpoint's Start Menu. These are
user-managed shortcuts.
8. On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint's
desktop. These are user-managed shortcuts.
9. The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA's
registry at HKCU\Software\Citrix\Local Access Apps. Andrew Morgan has a GUI tool to modify
these registry values.
10. To enable administrator-managed local applications, login to a machine that has Citrix Studio
installed and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio and
create the DWORD value named ClientHostedAppsEnabled and set it to 1.
11. When you open Studio and go to Delivery Groups > Applications, there is a new link to
Create or Add Local App Access Application.
12. In the Getting Started with Local Access Applications page, click Next.
13. In the Groups page, select the Delivery Group or Application Group whose published desktop will
receive the shortcut, and click Next.
14. In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter
a Working Directory. You can get this information from the properties of the shortcut on the
endpoint device. Click Next.
15. In the Identification page, enter a name for the shortcut and click Next.
16. In the Delivery page, these options work as expected. Click Next.
17. In the Summary page, click Finish.
18. When you login to the desktop, you'll see the administrator-managed application. If any
administrator-managed Client Hosted Applications are delivered to the user then the default Local
Programs and Local Desktop folders no longer appear.
19. To enable URL Redirection, login to the VDA and run "C:\Program Files
(x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.
20. In Internet Explorer, if you go to Tools > Manage Add-ons, you'll see the Citrix VDA-URL-Redirection
Helper add-on.
21. From inside the published desktop, if you go to a website on the blacklist, the VDA browser will
close and a local browser will open in Reverse Seamless mode. If you then go to a website that is
not on the blacklist the local browser will close and the VDA browser will open again.
Andrew Morgan's Citrix reverse seamless application deep dive presentation contains details on the inner
workings of Local App Access. The same webpage also contains the GUI configuration tools mentioned
above.
Anonymous Apps
XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group and on the
Users page check the box next to Give access to unauthenticated (anonymous) users.
Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for
adding anon accounts, configuring session timeouts, and configuring local group policy.
Anonymous published apps should show up for all authenticated users. However, you can also create a
StoreFront store that does not require any authentication.
Dominik Britz, Export And Import Citrix XenDesktop Published Apps: two PowerShell scripts, one to export
all published apps to json files and one to import apps with the information of the exported json files. Get
the scripts from the Blog Post.
Group Policy Objects VDA Computer Settings
Last Modified: May 14, 2017 @ 6:51 pm
1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all
VDA computer objects.
2. Then create sub-OUs, one for each delivery group.
3. Move the VDAs from the Computers container to one of the OUs created in step 2.
4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Citrix
VDA Computer Settings and link it to the OU created in step 1. If this policy should apply to all
Delivery Groups then link it to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.
5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the
GPO is disabled.
6. Create and link two new GPOs to the VDA OU (in addition to the Citrix VDA Computer Settings
GPO). One of the GPOs is called Citrix VDA All Users (including admins) and the other is called
Citrix VDA Non-Admin Users (lockdown).
7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of
the GPO.
8. Click the Citrix VDA Non-Admin Users GPO to highlight it.
9. On the right, switch to the Delegation tab and click Add.
13. For Citrix Admins, place a check mark in the Deny column in the Apply Group Policy row. If desired,
you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
14. Click Yes when asked to continue.
15. For the other two GPOs, add Citrix Admins with Edit Settings permission. But don't deny Apply
Group Policy. The deny entry is only needed on the Lockdown GPO.
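The following check verifies the GPO layout built in the steps above: which half of each GPO is disabled, whether it is linked to the VDA OU, and whether the deny entry for Apply Group Policy exists only on the lockdown GPO. It is an added example, not part of the original guide; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example: verify the three VDA GPOs match the design in the steps above.
# Requires the RSAT GroupPolicy and ActiveDirectory modules (the latter provides the AD: drive).
Import-Module GroupPolicy, ActiveDirectory

# Schema GUID of the "Apply Group Policy" extended right.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Test-VdaGpoLayout {
    param(
        # Distinguished name of the OU that holds the VDAs (placeholder in the usage line below).
        [Parameter(Mandatory)][string]$VdaOuDn,
        # Admin group that must be denied Apply Group Policy on the lockdown GPO only.
        [string]$AdminGroup = 'Citrix Admins'
    )

    # GPO names as created in the steps above, with the GpoStatus each should have.
    $expected = [ordered]@{
        'Citrix VDA Computer Settings'            = 'UserSettingsDisabled'
        'Citrix VDA All Users (including admins)' = 'ComputerSettingsDisabled'
        'Citrix VDA Non-Admin Users (lockdown)'   = 'ComputerSettingsDisabled'
    }
    $lockdown = 'Citrix VDA Non-Admin Users (lockdown)'

    # GPOs linked directly to the OU (inherited links are not counted here).
    $links = (Get-GPInheritance -Target $VdaOuDn).GpoLinks

    foreach ($name in $expected.Keys) {
        $gpo = Get-GPO -Name $name -ErrorAction Stop

        # Read the ACL on the GPO's AD object and look for a Deny ACE on
        # Apply Group Policy that names the admin group.
        $acl  = Get-Acl -Path ("AD:\" + $gpo.Path)
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGpoRight -and
            $_.IdentityReference.Value -like "*\$AdminGroup"
        })
        $hasDeny = $deny.Count -gt 0

        [pscustomobject]@{
            Gpo              = $name
            GpoStatus        = $gpo.GpoStatus
            StatusOk         = ($gpo.GpoStatus.ToString() -eq $expected[$name])
            LinkedAndEnabled = [bool]($links | Where-Object { $_.DisplayName -eq $name -and $_.Enabled })
            AdminDenyApply   = $hasDeny
            # The deny entry belongs on the lockdown GPO and nowhere else.
            DenyOk           = ($hasDeny -eq ($name -eq $lockdown))
        }
    }
}

# Usage (the OU name is a placeholder):
# Test-VdaGpoLayout -VdaOuDn 'OU=Citrix VDAs,DC=corp,DC=local' | Format-Table -AutoSize
```

A row with StatusOk or DenyOk set to False means the GPO differs from the layout described above, for example a lockdown GPO that still applies to Citrix Admins. If the GPOs are linked to Delivery Group sub-OUs instead of the parent OU, pass the sub-OU to -VdaOuDn.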
Unfortunately, some of the client-focused GPO settings are only available in the Windows 10/2016
templates and not in the GPO templates included with 2012 R2.
1. Download the Administrative Templates (.admx) for Windows 10 Creators Update.
3. In the Welcome to the Administrative Templates (ADMX) for Windows 10 Creators Update Setup
Wizard page, click Next.
5. In the Select Installation Folder page, copy the location to your clipboard. You need to go to this
location later.
6. Select Everyone, and click Next.
12. Go to your domain's sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the
files in the PolicyDefinitions folder. If you don't have this folder, then you can create it. Or copy the
files to C:\Windows\PolicyDefinitions as detailed next.
13. If prompted, replace the existing files.
14. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and
paste the files. Overwrite the existing files.
15. In the PolicyDefinitions folder, look for a file called microsoft-windows-geolocation-wlpadm.admx
and delete it. More information at Microsoft 3077013
Microsoft.Policies.Sensors.WindowsLocationProvider is already defined error when you edit a
policy in Windows.
16. When editing a GPO, if you see the message that Microsoft.Policies.WindowsStore is already
defined, then delete the file WinStoreUI.admx from your PolicyDefinitions folder.
See Group Policy Settings Reference for Windows and Windows Server for a spreadsheet containing all
GPO settings in Windows. The spreadsheet can be filtered to only show the newest settings.
Group Policy Computer Settings
Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located
under Computer Configuration > Policies.
Some of the settings in this section might require the newer Windows Group Policy Templates.
Control Panel
User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the
VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user
settings.
Logon Settings
Power Settings
The following are more applicable to virtual desktops than session hosts:
Cloud Content
Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100
Windows 8 and newer
If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache
disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy
Preferences to create the folder on the cache disk.
Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at
Microsoft Technet Manage connections from Windows operating system components to Microsoft
services.
James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana,
disable services, block DNS domains.
After modifying the GPO, use Group Policy Management Console to update the VDA machines.
Citrix Receiver
If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs,
use receiver.admx to enable pass-through authentication.
User Lockdown
The following is a list of Group Policy Settings recommended by Microsoft to lockdown a Remote Desktop
Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings
are located at User Configuration > Policies.
This page assumes the GPOs have already been created and Loopback Processing has already been
enabled.
Some of the settings in this section might require the newer Windows Group Policy Templates.
If you prevent access to the Properties of the Computer icon then users might not be able to determine the
name of the machine they are connected to.
If you hide common program groups, then you will need some other method of creating application
shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.
Removing the Run menu also prevents users from entering drive letters in Internet Explorer.
CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains
the following:
Microsoft Technet Customize Windows 10 Start with Group Policy. From René Bigler at UPM 5.x Server
2012 R2 Startlayout at discussions.citrix.com: To include Explorer, IE, and Computer icons in the Start
Layout XML, create shortcuts to these standard items in C:\ProgramData\Microsoft\Windows\Start
Menu\Programs and use these new shortcuts to create the tiles in your start layout xml.
Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.
1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
2. Choose Action Update => Drive Letter Existing C => Hide this drive
3. Common Tab: Run in logged-on user's Security
Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published
RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these
items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in
Windows Server 2016.
File Explorer
From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10:
Windows 10 1607 adds notifications inside File Explorer.
To stop these, use Group Policy Preferences to set the following registry value:
Key = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
o Value = ShowSyncProviderNotifications (DWORD) = 0
Windows Spotlight
Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu,
lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration |
Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard
Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating
System and Chris Hoffman How to Disable All of Windows 10's Built-in Advertising.
Explorer Replacement
Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer.
The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe
as a #XenApp published Application!.
Flickering Icons
If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network
share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering
at Citrix Discussions resolved it by creating the following Registry Key using Group Policy Preferences:
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
When a new user launches Internet Explorer, the first run wizard appears.
To prevent this from occurring, edit the Citrix VDA All Users GPO.
Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should
be disabled.
Users might see a message that Protected mode is turned off for the Local intranet zone.
To hide this button, edit a Group Policy that applies to users, go to User Configuration | Policies |
Administrative Templates | Windows Components | Internet Explorer | Internet Settings |
Advanced Settings | Browsing, and enable the setting Hide the button (next to the New Tab
button) that opens Microsoft Edge. Source = René Bigler on Twitter.
4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607:
registry keys and PowerShell script to disable it.
If a user launches Internet Explorer as a published application, then Internet Explorer might not be fully
configured and thus some websites won't work. By default, Windows runs per-user configuration
(ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn't happen
when only launching published apps. To override this behavior so it works with published IE even if the
user never connects to a full desktop, do the following:
4. Click Add.
7. Note: running runonce.exe /AlternateShellStartup might cause black borders around windows in
published applications. Black Border (IE 11) in Xen App 7.11 with runonce.exe is an example forum
thread at Citrix Discussions. A workaround detailed at Black Windows title bars at Citrix Discussions
is to export HKCU\Control Panel\Colors from a working session, and use Group Policy Preferences
to deliver the values to the black border sessions.
The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings >
Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012.
If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using
Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or
Internet Explorer 10.
If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.
If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10.
When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are
applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your
keyboard.
As you look through the tabs, you'll see a bunch of green items. These green items will be applied and
might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them
back on, press F5.
On the Common tab you can check the box to Apply once and do not reapply.
There is a group policy setting at User Config | Policies | Administrative Templates | Windows
Components | Internet Explorer | Internet Control Panel | Security Page | Site to Zone Assignment List
that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their
own sites (the user interface in Internet Explorer is grayed out).
This section details an alternative procedure for administrator-configured zones while allowing users to
add their own Trusted Sites.
Note: Zones can't be configured using a Group Policy Preferences Internet Settings object so instead you'll
need to configure registry keys as detailed below.
3. Run Group Policy Management Console on the same machine where you have security zones
configured.
4. Edit the Citrix VDA All Users GPO.
5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection
Item. Name it IE Zones or similar.
8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains. Click the key corresponding to the FQDN you're adding. Then select
the registry value on the bottom that corresponds to the protocol (e.g. * or https). Click Select.
Note: 1 indicates Local Intranet zone.
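Because this design lets users add their own Trusted Sites next to the administrator-delivered entries, it is worth reviewing what ends up in the zone map. The following is an added example, not part of the original guide: it lists every entry under the ZoneMap\Domains key named above, marks whether the site is in the list you deliver by GPO, and flags Local Intranet or Trusted Sites mappings that accept any protocol or plain HTTP. The site name in the usage line is a placeholder.

```powershell
# Added example: audit the per-user Internet Explorer zone map for the logged-on user.
# Standard Internet Explorer zone numbers.
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';    4 = 'Restricted Sites'
}

function Get-ZoneMapEntry {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        # FQDNs that the GPO registry collection is expected to deliver (supply your own list).
        [string[]]$AdminDelivered = @()
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "No zone map found at $Root"
        return
    }
    $rootName = (Get-Item -LiteralPath $Root).Name

    foreach ($key in Get-ChildItem -LiteralPath $Root -Recurse) {
        # Keys are stored parent-first (example.com\www); reverse the path
        # below Domains to rebuild the FQDN (www.example.com).
        $parts = @($key.Name.Substring($rootName.Length).Trim('\') -split '\\')
        [array]::Reverse($parts)
        $fqdn = $parts -join '.'

        # Each value name is a protocol (* means any); its DWORD data is the zone number.
        foreach ($protocol in $key.GetValueNames()) {
            if (-not $protocol) { continue }          # skip the unnamed default value
            $zone = $key.GetValue($protocol)
            if ($zone -isnot [int]) { continue }      # skip anything that is not a DWORD

            [pscustomobject]@{
                Site     = $fqdn
                Protocol = $protocol
                Zone     = $zone
                ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'Unknown' }
                Source   = if ($AdminDelivered -contains $fqdn) { 'In GPO list' } else { 'Not in GPO list' }
                # Elevated-trust zones mapped for any protocol or for cleartext HTTP deserve a look.
                Review   = ($zone -in 1, 2) -and ($protocol -in '*', 'http')
            }
        }
    }
}

# Usage (the site name is a placeholder):
# Get-ZoneMapEntry -AdminDelivered 'intranet.corp.local' |
#     Sort-Object Zone, Site | Format-Table -AutoSize
```

Run it inside a user session on the VDA, since the zone map is stored per user under HKCU.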
If you don't have access to Windows 8/2012 group policy editor, configure the default home page using a
registry key.
2. Run Group Policy Management Console on the same machine where you have the home page
configured.
3. Edit the Citrix VDA All Users GPO.
4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry
Item.
7. On the Common tab, you can select Apply once and do not reapply. Then click OK.
Proxy Settings
If you don't have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry
keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings. Use Group Policy Preferences or similar to distribute the registry keys.
To prevent users from changing proxy settings, also configure the following group policy setting.
Julian Mooren at XenApp & Internet Explorer Improving User Experience details how to enable Tracking
Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set
registry keys, and adds a folder to Citrix Profile Management synchronization.
LoginVSI Web Browsing & Advertising Impact on VDI Performance is a 33 page paper detailing how to
enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.
Office 2013/2016
Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:
Office GPO settings are tied to a particular version of Office. If you want to copy Office 2013 settings to
Office 2016 settings, see Microsoft's Copy-OfficeGPOSettings PowerShell script.
Download the Office 2013 group policy templates or Office 2016 group policy templates.
If you installed the 32-bit version of Office 2013/2016 then you'll need the 32-bit (x86) version of the
templates.
1. Go to the downloaded Office 2013 group policy templates and run AdminTemplates_32.exe. Or for
Office 2016, run admintemplates_x86_4286-1000_en-us.exe.
2. Check the box next to Click here to accept and click Continue.
3. Specify a folder to place the extracted templates in.
5. Go to the folder where you extracted the files and in the ADMX folder copy all of the .admx files
and the en-us folder to the clipboard.
6. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the files.
7. If you do not have PolicyDefinitions in your Sysvol then instead go to C:\Windows\PolicyDefinitions
and paste the files.
This section assumes the Group Policy Objects have already been created.
Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under
User Configuration > Policies.
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | First
Run
o Disable First Run Movie = enabled
o Disable Office First Run on application boot = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Global
Options |Customize
o Allow roaming of all user customizations = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) |
Miscellaneous
o Disable Office Animations = enabled
o Do not use hardware graphics acceleration = enabled
o Suppress recommended settings dialog = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Privacy
| Trust Center
o Automatically receive small updates to improve reliability = disabled
o Disable Opt-in Wizard on first run = enabled
o Enable Customer Experience Improvement Program = disabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Tools |
Options | General | Service Options | Online Content
o Online Content Options = enabled, Allow Office to connect to the Internet
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Account Settings | Exchange | Cached Exchange Mode
o Use Cached Exchange Mode for new and existing Outlook profiles = disabled
o If you prefer to use Cached Exchange Mode, see Citrix's Implementation Guide and add the
settings below:
    Cached Exchange Mode Sync Settings = enabled, time-window of downloaded content
    Administrative Templates | Microsoft Outlook 2013 | Miscellaneous | PST Settings
    | Default location for OST files = enabled, UNC path to user home directories
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Miscellaneous | PST Settings
o Default location for PST files = enabled, user's home directory
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Outlook Options | Other | AutoArchive
o AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Outlook Options | Preferences | Search Options
o Prevent installation prompts when Windows Desktop Search component is not present =
enabled
To fix the Outlook search problem, you can either install Windows Search Service (Windows Feature).
Or enable the GPO setting: Computer Config | Policies | Administrative Templates | Windows Components
| Search | Prevent indexing Microsoft Office Outlook.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI\MSO_BORDEREFFECT_WINDOW_CLASS]
"ClassName"="MSO_BORDEREFFECT_WINDOW_CLASS"
"Type"=dword:00001000
From Fixed Issues in XenApp/XenDesktop 7.11 and older: Live scrolling (the synced state of page scrolling
and scrollbar motion) does not work in Excel spreadsheets. The issue occurs because the key and value in
registry location HKEY_CURRENT_USER\Control Panel\Desktop\UserPreferencesMask on the VDA are
overwritten by the wfshell.exe process each time a user logs on to the VDA. To prevent this, create the
following registry key on the VDA and set the value to 1 (same value as next issue).
From Fixed Issues in XenApp/XenDesktop 7.12: Changes you make to Advanced System Settings under
Visual Effects apply to the current VDA session but might not be retained for subsequent sessions. To
make such changes persistent, you must set the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
o Name: EnableVisualEffect
o Type: REG_DWORD
o Value: 1
If Office 2016 Volume License is not activating correctly, set the following registry value as detailed
at Microsoft Office can't find your license for this application at Citrix Discussions:
Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CtxUvi
o Value = UviProcessExcludes (REG_SZ) = sppsvc.exe
Adobe Reader
1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
2. Copy the .admx file and the en-us folder.
8. Then open the Display splash screen at launch setting and Disable it.
Disable Repair
In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.
Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.
Disable Updates
For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Reader\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
o Mode = 0 (disables updates)
Other Optimizations
Rick van Soest Removing The Cloud from Adobe Acrobat Reader DC:
Citrix Blog Post Optimizing Adobe Reader in XenApp details the following optimizations:
Remove toolbar on right side of screen
Remove links from the Help menu
Disable Adobe ARM
Disable Autosave
Adobe.com Citrix Deployments: Before deployment, the product should be configured as needed. In
particular, you will want to disable features and behaviors that should not be accessible to end users in an
IT-managed environment. For example:
The Updater should be disabled as described in this guide and the Preference Reference.
Accept the EULA on behalf of all users by setting the appropriate registry key.
For multilanguage installations (MUI), set the preferred language for all users via the
SUPPRESSLANGSELECTION property or registry settings described in the Preference Reference.
Deploy enterprise files to the product's directories (rather than per-user directories) so they are
available to all users.
There are over 500 documented settings. Refer to the Preference Reference for complete registry
and plist details.
Scrolling performance
Distiller performance
In some environments, Distiller performance may suffer if the messages.log file becomes too large
after a number of Distiller operations. Delete this file periodically. It is located at
\Application Data\Adobe\Acrobat\Distiller<version>\messages.log.
Remove unused fonts from the Windows installation.
ShareFile
ShareFile Drive Mapper allows Employee users to connect their account as a mapped drive on the
Windows file system, without performing a full sync of account content. It's fully supported on
XenApp/XenDesktop 7.8 and newer.
ShareFile On-Demand Sync is the older method of connecting to ShareFile files without performing a full
sync.
3. Check the box next to I agree to the license terms, and click Install.
4. In the Setup Successful page, click Close.
8. Go to User Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
9. Drive Mapper is enabled by default. If you only want some users to use Drive Mapper, then you can
configure a GPO to disable Drive Mapper, and then configure a different GPO that re-enables it. The
GPO that enables Drive Mapper would be targeted to an AD group, and the GPO would be higher
priority than the GPO that disables it.
10. Edit the Account setting.
11. Enable the setting, and enter your ShareFile URL. Click OK.
12. The mapped drive letter defaults to S:\. You can change it by editing the ShareFile Data
Location setting. You can even eliminate the drive letter by setting the data location to
%userprofile%\ShareFile\DM or similar.
13. Edit a GPO that applies to the machines that have Drive Mapper installed.
14. Go to Computer Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
15. The default Cache Location is %localappdata%\Citrix\DriveMapper3.
17. Delete Cache is not needed on non-persistent machines or if roaming profile cache is deleted on
logoff. Make sure the ShareFile cache is excluded from roaming profiles as detailed later.
18. Auto-Update does not apply to Remote Desktop Session Host so you'll have to update those
machines manually.
19. Newer versions of Drive Mapper support File Encryption and Personal Cloud Connectors. Both are
enabled by default.
23. Make sure ShareFile is in the list. Note: if this list is empty, you need to fill the list with default
exclusions before you add any new exclusions. Or in Profile Management 5.5 and later, enable
the Enable Default Exclusion List directories setting.
29. After logging into Citrix and logging into ShareFile Drive Mapper, when you launch File Explorer,
you'll see ShareFile Drive Mapper on the left.
On-Demand Sync
On most Citrix VDA machines, ShareFile Sync should be configured for On-Demand Sync where files are
only downloaded when the user demands them. On-Demand Sync is enabled using group policy.
1. Go to the downloaded ShareFile On-Demand Sync for Windows 2.15. Download the one with the
push install description.
3. In the Please read the Citrix ShareFile Sync License Agreement page, check the box next to I accept
the terms and click Install.
4. In the Completed the Citrix ShareFile Sync Setup Wizard page, click Finish.
From Dan Brinkmann at discussions.citrix.com: There is a known issue with XenDesktop 7.6 when there
are no XD policies applied it deletes the ShareFile key. Also at the same post: Somehow Sharefile will not
use proxy settings when in On-Demand mode.
Edit the Citrix Computer Settings GPO and enable the Group Policy setting shown below. All are located
under Computer Configuration > Policies.
Computer Configuration\Policies\Administrative Templates\ Citrix\Profile Management\File System
o Exclusion list directories = add ShareFile to the list
Edit the Citrix VDA All Users Settings GPO and enable the Group Policy setting shown below. All are
located under User Configuration > Policies.
However, if you browse to the same folder from another machine, you'll see they haven't been
downloaded yet. They will be downloaded when the user demands them.
James Rankin Deploying per-user file type associations (FTAs) on Server 2012 R2, Windows 8.1, Server
2016 and Windows 10 (reloaded again!) provides an overview of the challenges of administratively
configuring FTAs on modern versions of Windows.
James Rankin Deploying per-user file type associations in Windows 8.1 / Server 2012 R2 and beyond:
Microsoft's new DISM method of changing File Type Associations is done at the machine-level. Use Group
Policy Preferences to change the machine registry key but on a per-user basis.
Citrix Policy Settings
Last Modified: May 27, 2017 @ 12:20 pm
For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include
settings that are native to Microsoft group policies. See the VDA Group Policies articles for more
information on the recommended Microsoft group policy settings for a XenApp/XenDesktop environment.
Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are
not portable, meaning that you can't export them from one XenApp/XenDesktop site and import them to
another.
GPOs are linked to an Active Directory OU and can apply to VDAs in multiple XenApp/XenDesktop sites/farms.
If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.
CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings
Reference for Citrix XenApp and XenDesktop.
If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as
mentioned at Citrix Discussions:
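# Map the Studio (site database) policies as a PowerShell drive
New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"
# Map the destination GPO as the TargetGPO drive ("MyTargetGPO" is a placeholder GPO name)
New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyTargetGPO"
cd LocalFarmGpo:\User
copy * TargetGPO:\User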
To configure and deliver Citrix Policy Settings using a group policy object:
1. Install the Citrix Policy GPO plug-in. Login to a machine (e.g. Controller) that has Group Policy
Management Console (Windows Feature) installed. If this machine doesn't have Citrix Studio
installed then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the
XenApp/XenDesktop 7.14 media. Make sure all Group Policy consoles are closed first.
2. Citrix sometimes releases updates for this component, so whenever you update your Delivery
Controllers, also update your Group Policy editing machines (machines with Group Policy
Management Console installed), and Studio machines.
3. XenApp/XenDesktop 7.14 comes with Citrix Group Policy Management 3.0.0.0.
Computer Settings
3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note:
Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability
template can increase user density by 30%.
5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new
policy that is filtered.
9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings
do not apply to Virtual Delivery Agent 7.x.
10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop
Session Host) but not necessarily both. Read the Applies to section to verify.
12. Click Add next to the setting Auto client reconnect logging.
13. Change the Value to Log auto-reconnect events, and click OK.
19. Change the selection to Allowed, and click OK. Note: Local App Access interferes with Bidirectional
Content Redirection in Receiver 4.7 and newer. See
http://www.carlstalhood.com/published-applications/#laa for more info on Local App Access.
22. Change the Value to Enabled with fallback to Windows native remote printing. Click OK.
23. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
24. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.
25. Change the setting to Allowed, and click OK. See CTX223927 How to use Director to troubleshoot
26. Click Add next to the setting Enable process monitoring. Note: this setting could
significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.
27. Change the setting to Allowed, and click OK. This is the last Computer setting.
User Settings
1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between
Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
2. Expand User Configuration, expand Policies, and click Citrix Policies.
3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered.
You can also use the Templates tab to create a policy based on a template.
6. Change the Value to Medium optimized for speech, and click OK.
23. Click Add next to the setting Direct connections to print servers.
24. Change the selection to Disabled, and click OK.
25. Click Add next to the setting Printer auto-creation event log preference.
26. Change the Value to Log errors only, and click OK.
27. Click Add next to the setting Universal print driver usage.
28. Change the Value to Use universal printing only.
33. Change Value to Use client time zone. Note: you must also configure the Microsoft GPO Remote
Desktop Session Host time zone setting.
1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has
pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller,
XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase
user density by 30%.
2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains
additional templates that you can download and import.
3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer
settings are in different parts of the GPO.
4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what's
contained in the template.
5. To use a template, right-click it, and click New Policy.
Framehawk Configuration
1. Framehawk is disabled by default because it uses more bandwidth and more server resources.
Citrix recommends only enabling it for users on lossy connections with high bandwidth. More
details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk
virtual channel at Citrix Docs.
2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need
the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300)
or newer (e.g. 3.0 included in XenApp 7.14) on the machine where you are editing the policy.
3. If configuring a GPO, you'll find the Framehawk settings in User Configuration > Policies > Citrix
Policies. Edit one of the Citrix Policies.
4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.
7. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or
newer.
8. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP
Audio.
9. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and
double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
10. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and
the VDAs.
1. Also make sure these ports are open on the VDA's Windows Firewall. VDA 7.8 and newer
opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports
automatically.
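The firewall check described above, as an added PowerShell example (not from the original guide or from Citrix) to run on a VDA 7.6.300 or 7.7 machine. It looks for an enabled inbound allow rule that already covers UDP 3224-3324 and, if none exists, creates one limited to the NetScaler SNIP. The SNIP address, the rule name and the Domain firewall profile are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm (or create) an inbound allow rule for Framehawk's UDP range on a VDA.

$First = 3224; $Last = 3324                      # Framehawk default range from the text
$SnipAddress = '192.0.2.10'                      # ASSUMPTION: placeholder NetScaler SNIP
$RuleName = 'Framehawk UDP from NetScaler SNIP'  # hypothetical display name

# True when any LocalPort entry ('Any', '3224-3324', '3000-4000', ...) spans the whole range.
function Test-PortRangeCovered {
    param([string[]]$LocalPort, [int]$First, [int]$Last)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and
            [int]$Matches[1] -le $First -and [int]$Matches[2] -ge $Last) { return $true }
    }
    return $false
}

# Enabled inbound allow rules whose port filter (UDP or any protocol) already covers the range.
$covering = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $ports.Protocol -in 'UDP', 'Any' -and
            (Test-PortRangeCovered -LocalPort $ports.LocalPort -First $First -Last $Last)
    }

if ($covering) {
    # Show the source scope too: 'Any' means the range is reachable from every host.
    $covering | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
}
else {
    # Allow the range only from the SNIP and only on the Domain profile (assumed here).
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort "$First-$Last" -RemoteAddress $SnipAddress `
        -Profile Domain -Action Allow
}
```

If the table lists a rule with RemoteAddress Any, consider narrowing that rule to the SNIP instead of adding a second one.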
7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT
improves HDX/ICA performance across WAN links, Internet, etc. In 7.12, EDT was Tech Preview. In 7.13,
EDT is officially supported. EDT has several requirements:
From inside a session, you can run ctxsession -v to verify that it's using UDP.
Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data
Transport Protocol is Active
In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro
Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed,
run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable
Hardware Encoding of H.264 streams using Intel Iris Pro
Hardware.
Use video codec for compression can be configured For actively changing regions, which uses
H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower
bandwidth use for the video content combined with sharpness of text in applications they are
working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got
Smarter Again explains this new setting.
In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default
selection, so generally there's no need to change this setting.
The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video
codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus.
To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post Use Video Codec for
Compression: to Use or Not to Use? explains this setting.
Thinwire Plus is a new graphics codec. It's recommended for devices that can't decode H.264. And
Citrix has found that Thinwire Plus uses less bandwidth than H.264.
Citrix Blog Post Why Should You Care About the New HDX Thinwire describes the new Thinwire Plus
codec in XenApp/XenDesktop 7.6.300 and how to use Citrix Policies to configure it.
Citrix CTX202687 HDX Graphics Modes - Which Policies Apply to DCR/Thinwire/H.264 - An
Overview for XenDesktop/XenApp 7.6 FP3
Citrix Blog Post Protocol & Resolution Impact on Bandwidth and Scalability describes the various
display codecs, bandwidth/CPU consumption, and recommended Citrix Policy settings.
7.0 - 7.6:
Graphics Tools
Remote Display Analyzer lets you see the current Citrix codec and change it on the fly.
GPUPerf 3.0: free tool that shows Frames per Second and other GPU stats.
From http://discussions.citrix.com/topic/347341-specific-application-freezes-receiver-41-session-window/:
If you experience graphics performance problems in XenDesktop 7.6, consider configuring the following
settings:
Security Settings
Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:
Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the
middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not
apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard
altogether by setting Client clipboard redirection to Prohibit.
Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but
prevents files from being copied to the client device.
For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to
optimize bandwidth consumption and virtual desktop resource utilization:
For more information, please refer to the Citrix Knowledgebase Article CTX131859 Best Practices and
Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.