
Delivery Controller 7.14.1 and Licensing

New Install Preparation

Delivery Controller 7.14.1 Install
o Create Site / Databases
o Second Controller
Studio Slow Launch

Concurrent Logon Hard Limit

Local Host Cache
Database Maintenance: Change Database connection strings, read-committed snapshot, Director
grooming, Logging Database operations, etc.
Export/Import Configuration
Studio Administrators
Customer Experience Improvement Program (CEIP)
vCenter Connection: Hosting Resources
Citrix Licensing Server
o Upgrade Licensing Server to build 20104
o License Server CEIP
o Citrix License Management Service
o Licensing Server High Availability using GSLB
o Citrix License Server Monitoring
Remote Desktop Licensing Server
o Install Remote Desktop Licensing Server
o Activate Remote Desktop Licensing Server
Smart Check
o Citrix Scout
Health Check


New Install Preparation

Frequent upgrades: XenApp and XenDesktop 7.14.1 is a Current Release (CR). It is only supported for 6
months from the date it was released by Citrix. You are expected to in-place upgrade to the next Current
Release the next time it becomes available. If you're not willing to perform frequent upgrades, then the
Long Term Service Release (LTSR) might be more appropriate for you.

Automation: If you want to automate the install of Delivery Controllers, see Dennis Span, Citrix Delivery
Controller unattended installation with PowerShell and SCCM.
Citrix Licensing: If you are going to use an existing Citrix Licensing Server, upgrade it to build

Note: 7.14 and newer supports multiple license types in a single farm. See CTX223926 How to Configure
Multiple License Types within a Single XenApp and XenDesktop Site.

SQL Databases

Citrix CTX209080 Database Sizing Tool for XenDesktop 7

Citrix article CTX114501 Supported Databases for XenApp and XenDesktop Components
There are typically three databases: one for the Site (aka farm), one for Logging (audit log) and one
for Monitoring (Director).
o The name of the monitoring database must not have any spaces in it. See CTX200325
Database Naming Limitation when Citrix Director Accesses Monitoring Data Using OData
o If you want Citrix Studio to create the SQL databases automatically, then the person running
Studio must be a sysadmin on the SQL instances. No lesser role will work. sysadmin
permissions can be granted temporarily and revoked after installation.
o As an alternative, you can use Citrix Studio to create SQL scripts and then run those scripts
on the SQL server. In that case, the person running the scripts only needs the dbcreator and
securityadmin roles.
o It is possible to create the databases in advance. However, you must use the non-
default Latin1_General_100_CI_AS_KS collation. Then use Citrix Studio to configure the
database tables.
If SQL 2016 or newer, create a Basic Availability Group.
o Only SQL Standard Edition is required. There's no need for SQL Enterprise Edition.
o Two SQL Standard Edition servers plus a file share witness. No more SQL Express.
o The Basic Availability Group has an AAG listener. Point XenDesktop to the listener.
o To set up SQL Basic Availability Group, see Carl Webster, Implementing Microsoft SQL Server
2016 Standard Basic Availability Groups for Use in Citrix XenApp and XenDesktop 7.9. Note:
each database has a separate Listener; so, that's three listeners.
If SQL 2014 or older, Citrix recommends SQL Mirroring because it has the fastest failover.
o SQL Mirroring requires two SQL Standard Edition servers and one SQL Express for the
witness server.
o You can set up SQL Mirroring either before installing XenDesktop or after installing
XenDesktop. If after, then see Citrix CTX140319 How to Migrate XenDesktop Database to New
SQL Server to manually change XenDesktop's database connection strings.
o To set up SQL Mirroring, see Rob Cartwright: Configure SQL Mirroring For Use With
XenDesktop, XenApp, and PVS Databases.
o If you try to stretch the mirror across datacenters, the SQL witness must be placed in a third
datacenter that has connectivity to the other two datacenters. However, stretching a single
XenApp/XenDesktop site/farm and corresponding SQL mirror across datacenters is not
AlwaysOn Availability Groups and SQL Clustering are also supported. However, these features
require the much more expensive SQL Enterprise Edition.
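
The SQL role requirements listed above (sysadmin while Studio creates the databases, dbcreator and securityadmin for running the generated scripts, and revoking a temporary sysadmin grant afterwards) can be checked per login. This is an added example, not from the original article or from Citrix; the function names, phase labels, instance name and login names are hypothetical.

```powershell
# Added example: report the fixed server roles a login holds and compare them
# with the role requirements stated on this page. All names are placeholders.
Add-Type -AssemblyName System.Data

function Get-SqlServerRoleMembership {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # placeholder, e.g. 'sql01.example.local'
        [Parameter(Mandatory)][string]$Login          # placeholder, e.g. 'EXAMPLE\ctx-installer'
    )
    # Build the connection string with the builder so the instance name is treated as data.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb.DataSource = $SqlInstance
    $csb.IntegratedSecurity = $true
    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()
        $row = [ordered]@{ Login = $Login }
        foreach ($role in 'sysadmin', 'dbcreator', 'securityadmin') {
            $cmd = $conn.CreateCommand()
            # Parameterised, so the login name is never concatenated into the query text.
            $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'
            [void]$cmd.Parameters.AddWithValue('@role', $role)
            [void]$cmd.Parameters.AddWithValue('@login', $Login)
            $value = $cmd.ExecuteScalar()
            # 1 = member, 0 = not a member, NULL = unknown login or no permission to look it up.
            $row[$role] = if ($value -is [DBNull]) { $null } else { [bool]$value }
        }
        [pscustomobject]$row
    }
    finally { $conn.Dispose() }
}

function Test-CitrixSqlPrivilege {
    param(
        [Parameter(Mandatory)]$Membership,
        [Parameter(Mandatory)]
        [ValidateSet('StudioCreatesDatabases', 'RunsGeneratedScripts', 'AfterInstall')]
        [string]$Phase
    )
    $findings = @()
    foreach ($r in 'sysadmin', 'dbcreator', 'securityadmin') {
        if ($null -eq $Membership.$r) { $findings += "$r membership could not be determined" }
    }
    switch ($Phase) {
        'StudioCreatesDatabases' {
            if ($Membership.sysadmin -eq $false) {
                $findings += 'sysadmin is required while Studio creates the databases'
            }
        }
        'RunsGeneratedScripts' {
            foreach ($r in 'dbcreator', 'securityadmin') {
                if ($Membership.$r -eq $false) { $findings += "$r is required to run the generated scripts" }
            }
            if ($Membership.sysadmin) { $findings += 'sysadmin is held but not needed to run the scripts' }
        }
        'AfterInstall' {
            if ($Membership.sysadmin) { $findings += 'temporary sysadmin grant has not been revoked' }
        }
    }
    [pscustomobject]@{
        Login    = $Membership.Login
        Phase    = $Phase
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample rows, shaped like the output of Get-SqlServerRoleMembership,
# so the checks can be tried without a SQL Server.
$installer = [pscustomobject]@{ Login = 'EXAMPLE\ctx-installer'; sysadmin = $true;  dbcreator = $false; securityadmin = $false }
$dba       = [pscustomobject]@{ Login = 'EXAMPLE\dba01';         sysadmin = $false; dbcreator = $true;  securityadmin = $true }
Test-CitrixSqlPrivilege -Membership $installer -Phase AfterInstall
Test-CitrixSqlPrivilege -Membership $dba       -Phase RunsGeneratedScripts

# Live use against a real instance (placeholders):
# Get-SqlServerRoleMembership -SqlInstance '<instance>' -Login '<login>' |
#     ForEach-Object { Test-CitrixSqlPrivilege -Membership $_ -Phase AfterInstall }
```
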
Windows Features

Installing Group Policy Management on the Delivery Controller lets you edit GPOs and have access
to the Citrix Policies node in the GPO Editor. Or you can install Citrix Studio on a different machine
that has GPMC installed.


Create a role in vSphere Client. Assign a service account to the role at the Datacenter or higher

Delivery Controller Install

1. A typical size for the Controller VMs is 2-4 vCPU and 8+ GB of RAM. If all components (Delivery
Controller, StoreFront, Licensing, Director, SQL Express) are installed on one server, then you might
want to bump up memory to 10 GB or 12 GB.
2. From Local Host Cache sizing and scaling at Citrix Docs:
1. For LHC LocalDB, assign the Controller VMs a single socket with multiple cores.
2. Add two cores for LHC.
3. Add at least three more Gigs of RAM and watch the memory consumption.
4. Since there's no control over LHC election, ensure all Controllers have the same specs.
3. Make sure the User Right Log on as a service includes NT SERVICE\ALL SERVICES or add NT
SERVICE\CitrixTelemetryService to the User Right.

4. Download the XenApp/XenDesktop 7.14.1 ISO.

5. On two Delivery Controllers, install the Delivery Controller software. Run AutoSelect.exe from the
7.14.1 ISO. Make sure it's 7.14.1, and not 7.14.0.
6. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed
in the installation wizard.
7. On the left, click Delivery Controller.

8. In the Licensing Agreement page, select I have read, understand, and accept the terms, and
click Next.

9. In the Core Components page, you can install all components on one server, or on separate servers.
Splitting them out is only necessary in large environments, or if you have multiple farms and want
to share the Licensing, StoreFront, and Director components across those farms.
10. In the Features page, uncheck the box next to Install Microsoft SQL Server 2014 SP2 Express, and
click Next.

11. In the Firewall page, click Next.

12. In the Summary page, click Install.

13. In the Call Home page, make a selection, click Connect, enter your Citrix Cloud or MyCitrix.com
credentials, and then click Next.
14. In the Finish page, click Finish. Studio will automatically launch.
15. Programs and Features should show Citrix XenDesktop 7.14.1 as version

16. Ensure the two Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule.

Create Site

There are several methods of creating the databases for XenApp/XenDesktop:

If you have sysadmin permissions to SQL, let Citrix Studio create the databases automatically.
If you don't have sysadmin permissions to SQL, then use Citrix Studio to generate SQL scripts, and
send them to a DBA.

Use Studio to Create Database Scripts

1. Launch Citrix Studio. After it loads, click Deliver applications and desktops to your users.

2. In the Introduction page, select An empty, unconfigured site. This reduces the number of pages in
this Setup wizard. The other pages will be configured later.
3. Enter a Site Name (aka farm name), and click Next. Only administrators see the farm name.
4. In the Databases page, if you are building two Controllers, click Select near the bottom of the same

5. Click Add.
6. Enter the FQDN of the second Controller, and click OK. Note: the Delivery Controller software must
already be installed on that second machine.
7. Then click Save.
8. If you don't have sysadmin permissions, change the selection to Generate scripts to manually set
up databases on the database server. Change the database names if desired, and click Next.

9. In the Summary page, click Generate scripts.

10. A folder will open with six scripts. Edit each of the scripts.

11. Near the top of each script are two lines to create the database. Uncomment both lines (including
the go line). Then save and close the file.

12. Once all of the scripts are edited, you can send them to your DBA.
13. On the Principal SQL Server, open the file Site_Principal.sql.

14. Open the Query menu, and click SQLCMD Mode.

15. Then execute the script.

16. If SQLCMD mode was enabled properly, then the output should look something like this:

17. If you have a mirrored database, run the second script on the mirror SQL instance. Make sure
SQLCMD mode is enabled.

18. Repeat for the Logging_Principal.sql script.

19. You'll have to enable SQLCMD Mode for each script you open.

20. Repeat for the Monitoring_Principal.sql script.

21. Once again enable SQLCMD Mode.
22. The person running Citrix Studio must be added to the SQL Server as a SQL Login, and granted the
public server role, so that account can enumerate the databases.

23. Back in Citrix Studio, click the Continue database configuration and Site setup button.

24. In the Databases page, enter the SQL server name, and instance name, and click Next.
25. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you
installed Licensing with your Delivery Controller, then simply enter localhost. See CTX223926 How
to Configure Multiple License Types within a Single XenApp and XenDesktop Site.

26. XenApp/XenDesktop 7.14 requires the newest Licensing Server. If your server isn't compatible,
leave it set to localhost and fix it later.
27. If the Certificate Authentication appears, select Connect me, and click Confirm.

28. Then select your license, and click Next.

29. In the Summary page, if your databases are mirrored, each database will show high availability
servers, and the name of the Mirror server. Click Finish.
30. It will take some time for the site to be created.
Verify Database Mirroring

If your database is mirrored, when you run asnp citrix.* and then run get-brokerdbconnection, you'll see
the Failover Partner in the database connection string.

Second Controller

When building the first Delivery Controller, the scripts might have already included the second Delivery
Controller. Thus no special SQL permissions are needed. If the second Delivery Controller has not already
been added to the SQL databases, then there are several methods of adding a second Controller to the
databases for XenApp/XenDesktop:

If you have sysadmin permissions to SQL, let Citrix Studio modify the databases automatically.
If you don't have sysadmin permissions to SQL, then use Citrix Studio to generate SQL scripts and
send them to a DBA.

To use Citrix Studio to create the SQL Scripts:

1. On the first Delivery Controller, if StoreFront is installed, delete the default StoreFront store
(/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/CompanyStore).

2. On the 2nd Delivery Controller, install XenDesktop as detailed earlier.

3. After running Studio, click Connect this Delivery Controller to an existing Site.

4. Enter the name of the first Delivery Controller, and click OK.

5. If you don't have full SQL permissions (sysadmin), click No when asked if you want to update the
database automatically.
6. Click Generate scripts.

7. A folder will open with six scripts. If not mirroring, then the top three scripts need to be sent to a
DBA. If mirroring, send all six.

8. On the SQL Server, open one of the .sql files.

9. Open the Query menu, and click SQLCMD Mode.

10. Then execute the XenDesktop script.

11. If SQLCMD mode was enabled properly, then the output should look something like this:

12. Repeat for the remaining script files.

13. Back in Citrix Studio, click OK.

14. In Citrix Studio, under Configuration > Controllers, you should see both controllers.

15. You can also test the site again if desired.

Studio Slow Launch

From B.J.M. Groenhout at Citrix Discussions: The following adjustments can be made if Desktop Studio
(and other Citrix management Consoles) will start slowly:

Within Internet Explorer, go to Tools > Internet Options > Tab Advanced > Section Security, and
uncheck the option Check for publisher's certificate revocation
After adjustment Desktop Studio (MMC) will be started immediately. Without adjustment it may take
some time before Desktop Studio (MMC) is started.

Registry setting (can be deployed using Group Policy Preferences):

Providers\Software Publishing
o State=dword:00023e00

Concurrent Logon Hard Limit

From Samuel Legrand, XenApp 7.14 (Really) Manage a DR!: Citrix Policies has a setting called Concurrent
Logon Tolerance. However, it is not a hard limit, meaning once the limits are reached, it continues to let
users connect. You can configure the Controllers to make it a hard limit by setting the following registry

o LogonToleranceIsHardLimit (DWORD) = 1

Local Host Cache

If you have 10,000 or fewer VDAs per zone (up to 40,000 VDAs per multi-zone site/farm), you can enable
Local Host Cache (LHC) instead of Connection Leasing. LHC allows new sessions to be started even if the SQL
database is unavailable. VDA limits for LHC are higher in 7.14 than previous versions of

From Local Host Cache sizing and scaling at Citrix Docs:

1. For LHC LocalDB, assign the Controller VMs a single socket with multiple cores.
2. Add two cores for LHC.
3. Add at least three more Gigs of RAM and watch the memory consumption.
4. Since there's no control over LHC election, ensure all Controllers have the same specs.
5. The Docs article has scripts for monitoring LHC performance.

From XenApp 7.12, LHC and a reboot at Citrix Discussions:

If the rebooted DDC is the elected one, a different DDC will take over (causing registration storm)
and when the DDC gets back, it will take over brokering causing second registration storm. Site will
sort itself out and all will work.
If the rebooted DDC is not the elected one, it will not impact any functionality.
If you turn the DDC down when site is working, and start it during outage, LHC will not trigger on
that machine. This DDC will not impact the LHC unless it would become the elected one. In that
scenario it will take control, however not start LHC and resources would not be available.
For Windows Server 2008 R2 Controllers, PowerShell 3, or newer, is required. See LHC XD 7.12 and
W2K8SR2 SP1 at Citrix Discussions.

Local Host Cache can be enabled by running some PowerShell commands.

asnp citrix.*
Set-BrokerSite -ConnectionLeasingEnabled $false
Set-BrokerSite -LocalHostCacheEnabled $true

George Spiers Local Host Cache XenApp & XenDesktop 7.12 shows the Event Log entries when LHC is

Database Maintenance

Enable Read-Committed Snapshot

The XenDesktop Database can become heavily utilized under load in a large environment. Therefore Citrix
recommends enabling the Read_Committed_Snapshot option on the XenDesktop databases to remove
contention on the database from read queries. This can improve the interactivity of Studio and Director. It
should be noted that this option may increase the load on the tempdb files. See Citrix article
CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.

Change Database Connection Strings

Sometimes the database connection strings need to be modified:

When moving the SQL databases to a different SQL server

For AlwaysOn Availability Groups, to add MultiSubnetFailover to the SQL connection strings
For SQL mirroring, to add Failover Partner to the SQL connection strings

CTX140319 How to Migrate XenDesktop Database to New SQL Server has the correctly ordered list of
PowerShell commands to change the database connection strings. Make sure PowerShell is running as
administrator before running these commands.

Here are the DB Connections that must be changed. This list might be longer than the article. When using
the article, make sure you include all of the DB Connections shown below. You can get the full list of
database commands by running Get-Command Set-*DBConnection. When changing the DB connections,
AdminDBConnection must be the last to be set to NULL, and the first to be configured with the new
connection string.

Set-ConfigDBConnection -DBConnection $null

Set-AppLibDBConnection -DBConnection $null #7.8 and newer
Set-OrchDBConnection -DBConnection $null #7.11 and newer
Set-TrustDBConnection -DBConnection $null #7.11 and newer
Set-AcctDBConnection -DBConnection $null
Set-AnalyticsDBConnection -DBConnection $null
Set-HypDBConnection -DBConnection $null
Set-ProvDBConnection -DBConnection $null
Set-BrokerDBConnection -DBConnection $null
Set-EnvTestDBConnection -DBConnection $null
Set-SfDBConnection -DBConnection $null
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null #Monitoring Database
Set-MonitorDBConnection -DBConnection $null #Site Database
Set-LogDBConnection -DataStore Logging -DBConnection $null #Logging Database
Set-LogDBConnection -DBConnection $null #Site Database
Set-AdminDBConnection -DBConnection $null -force

Citrix CTX221389 Scripts For Updating Connection Strings in XenApp/XenDesktop 7.x was recently updated
for 7.13.

Change_XD_Failover_Partner_v1.ps1: used to update the mirroring failover partner.

Change_XD_To_ConnectionString.ps1: takes passed-in connection strings and uses them, so a
very generic version.
Change_XD_To_MultiSubnetFailover.ps1: toggles MultiSubnetFailover. If it doesn't exist
or is false, it sets it to true. If it's set to true, the script sets it back to false. If you need to remove
the option, then you'll need to use Change_XD_To_ConnectionString.ps1 and provide strings
without the setting.
Change_XD_To_Null.ps1: resets all the connection strings on the localhost when something
has gone wrong. Note: because this resets the connection strings to null, it places the
DDC into an initial state, i.e. if you run Studio, it'll ask if you want to create a site, or join to another
DDC. This is useful if something has gone wrong, as you can reset a Controller's settings, and then
attempt to set the connection strings again using Change_XD_To_ConnectionString.ps1.
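
After a change, the connection strings can be read back and compared, which shows the Failover Partner mentioned under Verify Database Mirroring for every service rather than only the Broker, and exposes a service that was missed. This is an added example, not from the original article or from Citrix; the function names are hypothetical, the sample server and database names are constructed, and it assumes .NET 4.5 or later and that the Get-*DBConnection cmdlets accept the same -DataStore values the page shows for the Set-* cmdlets.

```powershell
# Added example: read-only report of a Controller's database connection strings.
Add-Type -AssemblyName System.Data

function ConvertTo-DbConnectionInfo {
    param(
        [Parameter(Mandatory)][string]$Service,
        [AllowNull()][AllowEmptyString()][string]$ConnectionString
    )
    if ([string]::IsNullOrWhiteSpace($ConnectionString)) {
        # This is the state left behind by Set-*DBConnection -DBConnection $null.
        return [pscustomobject]@{
            Service = $Service; IsNull = $true; Server = $null; Database = $null
            FailoverPartner = $null; MultiSubnetFailover = $null
        }
    }
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    [pscustomobject]@{
        Service             = $Service
        IsNull              = $false
        Server              = $b.DataSource
        Database            = $b.InitialCatalog
        FailoverPartner     = $b.FailoverPartner        # SQL mirroring
        MultiSubnetFailover = $b.MultiSubnetFailover    # AlwaysOn Availability Groups
    }
}

function Get-SiteDbConnectionInfo {
    # -DataStore values taken from the Set-* commands on this page (assumed valid for Get-*).
    $dataStores = @{ 'Get-MonitorDBConnection' = 'Monitor'; 'Get-LogDBConnection' = 'Logging' }
    foreach ($cmd in Get-Command -Name 'Get-*DBConnection' -ErrorAction SilentlyContinue) {
        ConvertTo-DbConnectionInfo -Service $cmd.Name -ConnectionString (& $cmd)
        if ($dataStores.ContainsKey($cmd.Name)) {
            $ds = $dataStores[$cmd.Name]
            ConvertTo-DbConnectionInfo -Service "$($cmd.Name) -DataStore $ds" `
                -ConnectionString (& $cmd -DataStore $ds)
        }
    }
}

function Test-DbConnectionConsistency {
    param([Parameter(Mandatory)][object[]]$Info)
    $findings = @()
    foreach ($i in $Info | Where-Object { $_.IsNull }) {
        $findings += "$($i.Service): connection string is null"
    }
    # Every service that points at the same database should agree on server and HA options.
    foreach ($g in $Info | Where-Object { -not $_.IsNull } | Group-Object Database) {
        $variants = @($g.Group | ForEach-Object {
                '{0} (partner={1}, MultiSubnetFailover={2})' -f $_.Server, $_.FailoverPartner, $_.MultiSubnetFailover
            } | Sort-Object -Unique)
        if ($variants.Count -gt 1) {
            $findings += "Database '$($g.Name)': services disagree: $($variants -join ' vs ')"
        }
    }
    $findings
}

if (Get-Command Get-BrokerDBConnection -ErrorAction SilentlyContinue) {
    # On a Delivery Controller, in an elevated session after asnp citrix.*
    $info = @(Get-SiteDbConnectionInfo)
}
else {
    # Constructed sample strings: one service was missed when the Failover Partner was
    # added, and one was left at null.
    $site = 'Server=sql01.example.local;Initial Catalog=CitrixSite;Integrated Security=True'
    $info = @(
        ConvertTo-DbConnectionInfo -Service 'Get-AdminDBConnection'  -ConnectionString "$site;Failover Partner=sql02.example.local"
        ConvertTo-DbConnectionInfo -Service 'Get-BrokerDBConnection' -ConnectionString "$site;Failover Partner=sql02.example.local"
        ConvertTo-DbConnectionInfo -Service 'Get-HypDBConnection'    -ConnectionString $site
        ConvertTo-DbConnectionInfo -Service 'Get-SfDBConnection'     -ConnectionString $null
    )
}

$info | Format-Table Service, Server, Database, FailoverPartner, MultiSubnetFailover -AutoSize
Test-DbConnectionConsistency -Info $info
```
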

Director Grooming

If XenDesktop is not Platinum Edition, then all historical Director data is groomed at 30 days.

For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90
days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

1. On a Delivery Controller, run PowerShell elevated (as administrator), and run asnp Citrix.*
2. Run Get-MonitorConfiguration to see the current grooming settings.
3. Run Set-MonitorConfiguration to change the grooming settings.

View Logging Database

To view the contents of the Logging Database, in Studio, click the Logging node. On the right is Create
Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.
The Logging Database can be queried using Get-LogLowLevelOperation. See Stefan Beckmann Get user
who set maintenance mode for a server or client for an example script that uses this PowerShell cmdlet.

Maintain Logging Database

Citrix CTX215069 Troubleshooting and managing Oversized Configuration Logging database: The
article's queries can be used to determine the number of configuration operation types performed by
XenDesktop Administrator, and to analyze the content of the Configuration Logging database when it is
considered oversized. A grooming query is also provided to delete data older than a specified date.

Export/Import Configuration

Ryan Butler has a PowerShell script that can export configuration from one XenDesktop farm and import it
to another.
Studio Administrators

Full Administrators

1. In the Studio, under Configuration, click the Administrators node. The first time you access the
node you'll see a Welcome page. Feel free to check the box to Don't show this again, and then click
2. On the Administrators tab, right-click, and click Create Administrator.

3. In the Administrator and Scope page, Browse to a group (e.g. Citrix Admins) that will have
permissions to Studio and Director. These groups typically have access to all objects, so select the
All scope. Alternatively, you can create a Scope to limit the objects. Click Next.

4. On the Role page, select a role, and then click Next. For example:
o Full Administrator for the Citrix Admins group
o Help Desk Administrator for the Help Desk group
o Machine Catalog Administrator for the desktop team

5. In the Summary page, click Finish.

Help Desk

1. In the Studio, under Configuration, click the Administrators node. On the Administrators tab, right-
click, and click Create Administrator.
2. In the Administrator and Scope page, Browse to a Help Desk group that will have permissions to
Studio and Director. Select the All scope, and click Next.

3. On the Role page, select the Help Desk Administrator role, and then click Next.

4. In the Summary page, click Finish.

5. When administrators in the Help Desk role log into Director, all they see is this.

To jazz it up a little, add the Help Desk group to the read-only role.
6. Right-click the Help Desk Administrator, and click Edit Administrator.

7. Click Add.
8. In the Scope page, select a scope, and click Next.

9. In the Role page, select Read Only Administrator, and click Next.

10. In the Summary page, click Finish.

11. Then click OK. Now Director will display the dashboard.

Provisioning Services w/Personal vDisk

From Considerations: Provisioning Services at Configure and manage Personal vDisk at Citrix Docs: The
Provisioning Services Soap Service account must be added to the Administrator node of Studio and must
have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the
Preparing state when the Provisioning Services (PVS) vDisk is promoted to production.

Customer Experience Improvement Program

XenApp/XenDesktop 7.14 enables CEIP by default. If desired, you can disable it in Citrix Studio:

1. On the left, go to the Configuration node.

2. On the right, switch to the Product Support tab.

3. Click End.

4. Click Yes.

Each XenApp/XenDesktop component has a separate configuration for disabling Customer Experience
Improvement Program:

License Server CEIP

Virtual Delivery Agent CEIP
Profile Management CEIP
StoreFront CEIP
Provisioning Services CEIP
Receiver CEIP
Receiver for HTML5 CEIP
Session Recording CEIP
NetScaler CEIP

vCenter Connection
XenDesktop uses an Active Directory service account to log into vCenter. This account needs specific
permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to
the XenDesktop service account. The permissions should be applied at the datacenter or higher level.

Hosting Resources

A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine
catalog, you select a previously defined Hosting Resource, and the Cluster, Storage, and Network defined
in the Hosting Resource object are automatically selected. If you need some desktops on a different
Cluster+Storage+Network, then you'll need to define more Hosting Resources in Studio.

1. In Studio, expand Configuration and click Hosting. Right-click it, and click Add Connection and

2. In the Connection page, for Connection type, select VMware vSphere.

3. Notice there's a Learn about user permissions blue link to an article that describes the necessary
4. Enter https://vcenter01.corp.local/sdk as the vCenter URL. The URL must contain the FQDN of the
vCenter server.
5. Enter credentials of a service account that can log into vCenter.
6. In the Connection name field, give the connection a name. Typically, this matches the name of the
vCenter server.
7. If you are not using Machine Creation Services, and instead only need the vCenter connection for
machine power management, change the Create virtual machines using selection to Other Tools. If
you intend to use MCS, leave it set to Studio Tools.
8. Click Next.

9. If you see a message about the vCenter certificate, check the box next to Trust certificate, and click

10. Note: this vCenter certificate thumbprint is stored in the XenDesktop database, and is not updated
when the vCenter certificate changes. See CTX217415 Cannot connect to the VCenter server due to
a certificate error for instructions on manually updating the database with the new certificate
o Also see CTX224551 Xendesktop 7.x Steps to perform after certificate change on


11. In the Storage Management page, click Browse, and select a vSphere cluster. Note: as detailed at
CTX223662, make sure there's no comma in the datacenter name.
12. Select Use storage shared by hypervisors.
13. If you have sufficient disk space on each ESXi host, also select Optimize temporary data on
available local storage. From Mark Syms at XA 7.9 MCS with RAM Caching at Citrix Discussions: If
you use just MCS caching to local storage then the VM is not agile at all and cannot be moved even
when powered off as it has a virtual disk permanently associated with a single host.
14. From Martin Rowan at XA 7.9 MCS with RAM Caching at Citrix Discussions: for the temporary cache
disk, Don't format it, the raw disk is what MCS caching uses.
15. Click Next.

16. In the Storage Selection page, OS and Personal vDisk must be selected on at least one datastore.
For maximum flexibility, only select one datastore. To select additional datastores, run this wizard
again to create a separate Hosting Resource.
17. If you selected the temporary data on local storage option, on the bottom, click Select, and choose
the datastores you want to use for disk caching. By default, all local datastores are selected. Click
Next when done.

18. In the Network page, enter a name for the hosting resource. Since each hosting resource is a
combination of vCenter, Cluster, Network, and Datastores, include those names in this field (e.g.
19. Select a network and click Next.

20. In the Summary page, click Finish.

21. If you have multiple datastores for your VDAs, run the wizard again.

22. You can use the existing vCenter connection.

23. This time, select a different datastore.

24. Give it a name that indicates the chosen datastore.

25. When you create a Catalog, select the Hosting Resource for the datastore where you want the
VDAs to be placed. Create additional Catalogs for each datastore. You can then combine the
Catalogs into a single Delivery Group.

26. Later in the Catalog wizard, you're given an option to enable caching and select a cache size. This is
similar to Provisioning Services option Cache in RAM with overflow to disk.
Citrix Licensing Server

XenApp/XenDesktop 7.14 comes with build 20104

If you have a standalone Licensing Server, upgrade it to Citrix Licensing build 20104 if it isn't

1. Go to the downloaded Citrix Licensing build 20104, and run CitrixLicensing.exe.

2. If you see the Subscription Advantage Renewal page, make a selection, and click Next.

3. In the Upgrade page, click Upgrade.

4. Click Finish.

5. If you go to Programs and Features, it should now show version

6. If you login to the license server web console, on the Administration tab, it shows it as version build 120104.

7. You can also view the version in the registry at


License Server CEIP build 19005 and newer enables CEIP by default. This can be disabled in the Citrix Licensing
Manager (https://localhost:8083) by clicking the gear icon.

Scroll down to Share usage statistics with Citrix and make a selection.

Citrix License Management Service

Version and newer include the Citrix License Management Service. This service helps you avoid
prohibited practices:

Duplication of licenses outside a Disaster Recovery (DR) environment

Use of legacy licenses for new product versions
Use of rescinded licenses

Licensing Server HA using GSLB

From Dane Young Creating a Bulletproof Citrix Licensing Server Infrastructure using NetScaler Global
Server Load Balancing (GSLB) and CtxLicChk.ps1 PowerShell Scripts. Here is a summary of the configuration
steps. See the blog post for detailed configuration instructions.

1. Build two License Servers in each datacenter with identical server names. Since server names are
identical, they can't be domain-joined.
2. Install identical licenses on all License Servers.
3. Set the DisableStrictNameChecking registry key on all Citrix Licensing servers.
4. Synchronize the certificate files located at C:\Program Files
(x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf. They must be identical on all
Licensing Servers.
5. Download CtxLicChk.exe from http://support.citrix.com/article/CTX123935 and place on all
Licensing Servers.
6. Schedule the PowerShell script CtxLicChk.ps1 on all Licensing Servers. Get this script from the blog
post linked above.
7. Configure NetScaler:
1. Configure GSLB ADNS services.
2. Add wildcard Load Balancing service for each Citrix Licensing Server.
3. Configure service TCP monitoring for ports 27000, 7279, 8082, and 8083.
4. Create Load Balancing Virtual Server for each Licensing Server.
5. Set one Load Balancing Virtual Server as backup for the other.
6. Repeat in second datacenter.
7. Configure GSLB Services and GSLB Monitoring.
8. Configure GSLB Virtual Servers. Set one GSLB Virtual Server as backup for the other.
8. Delegate the Citrix Licensing DNS name to the ADNS services on the NetScaler appliances.
9. Configure Citrix Studio to point to the GSLB-enabled DNS name for Citrix Licensing.

Citrix License Server Monitoring

Citrix Licensing 11.13.1 and newer has historical usage reporting:

1. Run Citrix Licensing Manager from the Start Menu. Or use a browser to connect to
2. Use the drop-down menus to select a license type, select dates, and export to a .csv file.

3. The Update Licenses tab lets you check for renewals and download them.

4. On the top right is a gear icon where you can set the historical retention period and configure SA
license auto-renewal.
Jonathan Medd Monitor Citrix License Usage With PowerShell.

Lal Mohan Citrix License Usage Monitoring Using Powershell

Jaroslaw Sobel Monitoring Citrix Licenses usage Graphs using WMI, Powershell and RRDtool. This script
generates a graph similar to the following:

Remote Desktop Licensing Server

Install Remote Desktop Licensing Server

Do the following on your XenDesktop Controllers:

1. In Server Manager, open the Manage menu, and click Add Roles and Features.

2. In the Installation Type page, select Role-based or feature-based installation.

3. Click Next until you get to the Server Roles page. Check the box next to Remote Desktop
Services, and click Next.

4. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing,
and click Next.
5. Click Add Features if prompted.

6. Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

1. After RD Licensing is installed, in Server Manager, open the Tools menu, expand Terminal Services
(or Remote Desktop Services), and click Remote Desktop Licensing Manager.

2. The tool should find the local server. If it does not, right-click All servers, click Connect, and type in
the name of the local server.
3. Once the local server can be seen in the list, right-click the server and click Activate Server.

4. In the Welcome to the Activate Server Wizard page, click Next.

5. In the Connection Method page, click Next.

6. In the Company Information page, enter the required information, and click Next.
7. All of the fields on the Company Information page are optional, so you do not have to enter
anything. Click Next.

8. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses
Wizard now, and click Finish. Since the session hosts will be configured to pull Per User licenses,
there is no need to install licenses on the RD Licensing Server.
9. In RD Licensing Manager, right-click the server, and click Review Configuration.

10. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not
have permissions to add the server to the Terminal Server License Servers group in Active Directory,
ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.

11. Click Continue when prompted that you must have Domain Admins privileges.
12. Click OK when prompted that the computer account has been added.

13. Click OK to close the window.

Smart Check

Citrix Cloud offers a Smart Check service that can scan your XenApp/XenDesktop infrastructure for known
issues. Soon Smart Check will require Citrix Customer Success Services (Select).

For a list of checks, see About health checks at Citrix Docs.

For a comparison of Smart Check and Citrix Insight Services, see Citrix Blog Post What Data is Smart
Check Collecting?

To run Smart Check:

1. Go to https://citrix.cloud.com, and log in.

2. After logging in, find Smart Tools, and click Manage.

3. Click Smart Check.

4. If you enabled Smart Tools during the installation of XenDesktop 7.14, then the site should already
be there. Click Complete Setup.

5. If you didn't enable Smart Check during XenDesktop installation, then on the top right, click Add

   1. In step 1, click Download Agent.

   2. Step 2 indicates it is waiting for you to install the Agent.

   3. On a Delivery Controller, run the downloaded CitrixLifecycleManagementAgent.exe.

   4. Check the box next to I accept the terms in the License Agreement, and click Install.
   5. In the Completed the Citrix Smart Tools Agent Setup Wizard page, click Finish.

   6. Step 2 now shows that the Agent was installed successfully. Click Next.
6. Enter credentials for your XenDesktop farm, and click Add Site.

7. Eventually you'll see a Get Started link.

8. Or, if the site is already added to your list of sites, click View Report next to the site.

9. At the top right, if you click Perform Check, you can run one of the checks.

10. If you click Configure.

11. You can schedule the checks to automatically run periodically.

12. To view the alerts, click one of the alert badges in the component category. Also see Smart Check
alerts reference at Citrix Docs.
13. Expand a component, and click an alert.
14. On the right, there's an option to Hide Alert.

15. To view the hidden alerts, at the top right, click the menu icon, and click Show Hidden Alerts.
16. The hidden alert is grayed out. If you click the alert, you can restore it.

Citrix Scout

XenDesktop 7.14 includes a new Citrix Scout that can be launched from the Start Menu.

The tool can run a manual collection, run a trace, or schedule periodic collection. The results are uploaded
to Citrix Smart Tools.
Links with more information:

Bas van Kaam With XenDesktop & XenApp 7.14 comes Scout 3.0 some big changes, read what's
new compares old Scout with new Scout
Citrix Docs Citrix Scout

XenApp/XenDesktop Health Check

Sacha Tomet Finally 1.0 but never finalized!: XenApp & XenDesktop 7.x Health Check script has now
Version 1.0.

Andrew Morgan New Free Tool: Citrix Director Notification Service: The Citrix Director Notification
service sits on an edge server as a service (or local to the delivery controller) and periodically checks the
health of:

Citrix Licensing.
Database Connections.
Broker Service.
Core Services.
Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action.
The tool will also send All Clear emails when these items are resolved, ensuring you are aware when the
service has resumed a healthy state.
Director 7.14
Last Modified: Jun 20, 2017 @ 7:41 pm


Director Licensing Platinum Edition

Install Director 7.14 on Standalone Server
Director Default Webpage
Director Spinning Circle
Director Tweaks
Director Configuration Script
Director Saved Filters
Director and HDX Insight
Director and Self-Service Password Reset
Director Monitoring Database Grooming
Director Single Sign On
Director Multiple XenDesktop Sites
Director Process Monitoring
Director Alerts and Notifications
Director SCOM Integration
Director Custom Reports
Use Director


Director Licensing Platinum Edition

See the XenApp and XenDesktop Feature Matrix. Scroll down to Director Platinum Edition for the list of
Director features that require Platinum Edition licensing.

Up to a year's worth of performance data that provides a comprehensive view of capacity trends
Proactive notification and alerting including SNMP integration
SCOM alerts
Desktop and server OS usage reporting
Create customized reports
Reboot warnings
Octoblu integration
NetScaler MAS integration
Override control over roaming sessions

See CTX224793 Director Version Matrix Install or Upgrade compatibility of Director with Delivery
Controller, VDA for a list of which Director feature came with each version, and the licensing Edition
needed for each

Director 7.14 on Standalone Server

If you are installing Director 7.14 on a standalone server, see Citrix CTX142260 Installing or Upgrading to
Citrix Director 7.6.200
1. If you intend to install Director on a standalone server, start with running AutoSelect.exe from the
XenApp/XenDesktop 7.14 media.

2. In the Extend Deployment section, on the bottom left, click Citrix Director.
3. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click

4. In the Core Components page, click Next.

5. In the Delivery Controller page, it will ask you for the location of one Controller in the farm. Only
enter one Controller per farm. If you have multiple Director servers, each Director server can point
to a different Controller in the farm. From Citrix Docs: Director automatically discovers all other
Controllers in the same Site and falls back to those other Controllers if the Controller you specified
fails. Click Test Connection, and then click Add.
6. In the Features page, click Next.
7. In the Firewall page, click Next.
8. In the Summary page, click Install.
9. In the Finish page, click Finish.

10. In IIS Manager, go to Default Web Site > Director > Application Settings,
find Service.AutoDiscoveryAddresses, and make sure it points to one Controller in the farm, and
not to localhost. From Citrix Docs: Director automatically discovers all other Controllers in the same
Site and falls back to those other Controllers if the Controller you specified fails.
11. If you built multiple Director servers, use NetScaler to load balance them.
12. If you are upgrading Director, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe
/upgrade to complete the upgrade process.

13. For info on the new monitoring features in Director 7.14 and older, see Use Director below.

Director Default Webpage

From CTX223907 How to Make Director the Default Page within IIS: If Director is installed on a standalone
server, do the following to set /Director as the default path.

1. Open Notepad elevated (as administrator) and paste the following text:

<script type="text/javascript">
<!--
window.location="https://director.corp.com/Director";
// -->
</script>

2. Adjust the window.location line to match your FQDN.

3. Select File > Save As and browse to the IIS folder. By default, C:\inetpub\wwwroot is the IIS folder.
4. Set the Save as type to All types.
5. Type a file name with an html extension, and select Save.

6. Open IIS Manager.

7. Select the SERVERNAME node (top-level) and double-click Default Document.

8. On the right, click Add.

9. Enter the file name of the .html file provided in Step 5.
10. Ensure the .html file is located at the top of the list.

Director Spinning Circle

If the spinning circle doesn't go away after you log in to Director:

Do the following to fix it:

1. Edit the file C:\inetpub\wwwroot\Director\web.config using an elevated text editor.

2. Search for <serviceHostingEnvironment (line 273).
3. Add the following attribute:

Also see CTX202564 Citrix Director Becomes Unresponsive after Submitting the Credentials when IIS
X-Frame-Options is enabled

Director Tweaks

Prepopulate the domain field

From http://www.xenblog.dk/?p=33: On the Controllers having the Director role installed, locate and edit
the LogOn.aspx file. By default you can find it at C:\inetpub\wwwroot\Director\Logon.aspx

In line 450 you will have the following. To find the line, search for ID=Domain. Note: onblur
and onfocus attributes were added in newer versions of Director.

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);"


In the ID=Domain element, insert a Text attribute and set it to your domain name. Don't change or add
any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp" CssClass="text-box" onfocus="showIndicator(this);"


This will prepopulate the domain field text box with your domain name and still allow the user to change it,
if that should be required. Note: this only seems to work if Single Sign-on is disabled.

Session timeout

By default the idle time session limit of the Director is 245 min. If you wish to change the timeout, here is
how to do it.

1. Log on to the Director Server as an administrator

2. Open the IIS Manager
3. Browse to Sites > Default Web Site > Director in the left hand pane.
4. Open Session State in the right hand pane
5. Change the Time-out (in minutes) value under Cookie Settings
6. Click Apply in the Actions list

SSL Check

From http://euc.consulting/blog/citrix-desktop-director-2-1: If you are not securing Director with an SSL
certificate, you will get an error at the logon screen.

To stop this:

1. Log on to the Director Server as an administrator

2. Open the IIS Manager
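3. Browse to Sites > Default Web Site > Director in the left hand pane.
4. Open Application Settings in the right hand pane
5. Set UI.EnableSslCheck to false. This only hides the warning; logons still cross the network over
HTTP until the site has an HTTPS binding.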

Disable Activity Manager

From Disable the visibility of running applications in the Activity Manager in Advanced Configuration at
Citrix Docs: By default, the Activity Manager in Director displays a list of all the running applications and
the Windows description in the title bars of any open applications for the user's session. This information
can be viewed by all administrators that have access to the Activity Manager feature in Director. For
Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help
Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab
from listing running applications.

On the VDA, modify the registry key located at HKLM\Software\Citrix\Director\TaskManagerDataDisplayed.
By default, the key is set to 1. Change the value to 0, which means the information will not be
displayed in the Activity Manager.

On the server with Director installed, modify the setting that controls the visibility of running
applications. By default, the value is true, which allows visibility of running applications in
the Applications tab. Change the value to false, which disables visibility. This option affects only the
Activity Manager in Director, not the VDA. Modify the value of the following setting:

UI.TaskManager.EnableApplications = false
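
The Application Settings covered so far (Service.AutoDiscoveryAddresses, UI.EnableSslCheck and UI.TaskManager.EnableApplications) can be reviewed in one pass. The PowerShell below is an added example, not part of the original article or a Citrix tool. It assumes the IIS Application Settings are stored as <appSettings> entries in C:\inetpub\wwwroot\Director\web.config; the function names and the embedded sample XML are constructed for illustration.

```powershell
# Added example (not Citrix code). Function names are hypothetical.
# Assumption: IIS Manager > Application Settings for the Director application are
# stored as <appSettings><add key="..." value="..." /> in Director's web.config.

# Constructed sample input so the script runs offline.
$sampleConfig = @'
<configuration>
  <appSettings>
    <add key="Service.AutoDiscoveryAddresses" value="localhost" />
    <add key="UI.EnableSslCheck" value="false" />
    <add key="UI.TaskManager.EnableApplications" value="true" />
  </appSettings>
</configuration>
'@

function Get-DirectorAppSetting {
    # Returns a hashtable of key -> value read from the <appSettings> section.
    param([Parameter(Mandatory)][xml]$Config)
    $result = @{}
    foreach ($node in $Config.SelectNodes('/configuration/appSettings/add')) {
        $result[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    $result
}

function Test-DirectorAppSetting {
    # Emits one object per setting that deserves a second look.
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [switch]$Standalone   # set when Director is not installed on a Controller
    )

    # UI.EnableSslCheck = false hides the logon-page warning; it does not add TLS.
    $ssl = $Settings['UI.EnableSslCheck']
    if ($ssl -eq 'false') {
        [pscustomobject]@{
            Setting = 'UI.EnableSslCheck'
            Value   = $ssl
            Finding = 'SSL warning is suppressed; confirm the site has an HTTPS binding.'
        }
    }

    # Anything other than "false" (including a missing key) leaves the default, true.
    $apps = $Settings['UI.TaskManager.EnableApplications']
    if ($apps -ne 'false') {
        $shown = if ($null -eq $apps) { '(not set, default true)' } else { $apps }
        [pscustomobject]@{
            Setting = 'UI.TaskManager.EnableApplications'
            Value   = $shown
            Finding = 'Running applications and window titles are visible in Activity Manager.'
        }
    }

    # Comma-separated list: one Controller per Site (farm).
    $raw = "$($Settings['Service.AutoDiscoveryAddresses'])"
    $addresses = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($addresses.Count -eq 0) {
        [pscustomobject]@{
            Setting = 'Service.AutoDiscoveryAddresses'
            Value   = '(empty)'
            Finding = 'No Controller is configured.'
        }
    }
    elseif ($Standalone -and ($addresses -contains 'localhost')) {
        [pscustomobject]@{
            Setting = 'Service.AutoDiscoveryAddresses'
            Value   = $raw
            Finding = 'Standalone Director points at localhost; enter one Controller per Site.'
        }
    }
}

$parsed = Get-DirectorAppSetting -Config $sampleConfig
Test-DirectorAppSetting -Settings $parsed -Standalone | Format-Table -AutoSize -Wrap

# Against a real server (run elevated on the Director server):
#   $cfg = [xml](Get-Content -Raw 'C:\inetpub\wwwroot\Director\web.config')
#   Test-DirectorAppSetting -Settings (Get-DirectorAppSetting -Config $cfg) -Standalone
```

Omit -Standalone when Director runs on a Delivery Controller, where localhost is the expected entry.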

Large Active Directory / Multiple Forests

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global
Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In
a large Active Directory environment, this query can take some time or even time out.

If multiple forests, see Citrix Blog Post Using Citrix Director in a MultiForest Environment.

1. In Internet Information Services (IIS) Manager, under the Desktop Director site, select Application
Settings and add a new value called ActiveDirectory.ForestSearch. Set it to False. This disables
searching any domain except the user's domain and the server's domain.
2. To search more domains, add the searchable domain or domains in the ActiveDirectory.Domains

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can now configure site groups to
perform machine search so that they can narrow down searching for the machine inside a site group. The
site groups can be created on the Director server by running the configuration tool via command line by
running the command:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site

Director Configuration Script

Johan Greefkes at Script for configuring Director at Citrix Discussions was kind enough to provide a script
that does the following:

Sets the XenDesktop Controllers that Director communicates with

Disables SSL Check
Sets Logon.aspx file to default to a domain name
Adds a footer that displays the name of the Director server

Director Saved Filters

From Scott Osborne and Jarian Gibson at Citrix Discussions: In Director, you can create a filter and save it.

The saved filter is then accessible from the Filters menu structure.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Each user
has their own saved filters. The saved filters are not replicated across Director servers.
You can instead configure multiple Director servers to store the filters on a shared UNC path: (h/t CTP
Jarian Gibson)

1. Create and share a folder (e.g. DirectorData).

2. The Director server computer accounts need Modify permission to the share.

3. On each Director server, run IIS Manager.

4. Go to Sites > Default Web Site > Director. In the middle, double-click Application Settings.

5. Change the Service.UserSettingsPath setting to the UNC path of the new share.

6. Repeat this on other load balanced Director servers.

Director and HDX Insight

You can connect Director to NetScaler Management & Analytics System (NetScaler MAS) or Citrix Insight
Center to add Network tabs to Director's Trends and Machine Details views. See Citrix Blog Post Configure
Director with NetScaler Management & Analytics System (MAS).

Director and Self-Service Password Reset (SSPR)

If you have XenApp/XenDesktop Platinum Edition, it's possible to install SSPR on the Director server.
See George Spiers Citrix Self-Service Password Reset for a detailed implementation guide.

However this might break Director, and all you will see is a spinning circle.

To fix it, in IIS Manager (inetmgr), edit the bindings of the Default Web Site, and Remove the HTTP 8080
binding. Or implement the multisitebinding fix.
More info at Citrix Discussions Installing SSPR 1.0 appears to have broken Director 7.11 on same server.

Director Grooming

If XenDesktop is not Platinum Edition, then all historical Director data is groomed at 30 days.

For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90
days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

1. On a XenDesktop Delivery Controller, run PowerShell and run asnp Citrix.*

2. Run Get-MonitorConfiguration to see the current grooming settings.

3. Run Set-MonitorConfiguration to change the grooming settings.

Director Single Sign-on

You can configure Director to support Integrated Windows Authentication (Single Sign-on). Note: there
seem to be issues when not connecting from the local machine or when connecting through a load

1. Run IIS Manager. You can launch it from Server Manager (Tools menu), or from the Start Menu, or
by running inetmgr.

2. On the left, expand Sites, expand Default Web Site, and click Director.

3. In the middle, double-click Authentication in the IIS section.

4. Right-click Windows Authentication, and Enable it.

5. Right-click Anonymous Authentication, and Disable it.

6. Pass-through auth won't work from another computer until you set the http SPN for the Director
server. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions.

7. If Director is not installed on a Controller then you'll need to configure Kerberos delegation.

8. If you are load balancing Director then additional config is required. See Director 7.7 Windows
Authentication not working with NS LB at Citrix Discussions for more info.

   1. Create an AD service account that will be used as the Director's ApplicationPoolIdentity.
   2. Create SPN and link it to the service account.

      setspn -S http/loadbalanced_URL domain\user

   3. Trust the user account for delegation to any service (Kerberos only) (trusting the Director
      servers for delegation is not necessary in this case). You have to create the SPN before you
      can do this step. This option is unconstrained delegation, so protect the service account
      like any other privileged credential.

   4. In IIS Manager, on the Application Pools (Director), specify the Identity as the user
      created in step 1.
   5. In IIS Manager, select Default Web Site and open the Configuration Editor.

   6. Use the drop-down to navigate to the following section:

   7. Set useAppPoolCredentials = True and useKernelMode = False. Click Apply on the top right.

9. When you connect to Director you will be automatically logged in. You can change the login
account by first logging off.

10. Then change the drop-down to User credentials.

Director Multiple XenDesktop Sites

1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu, or
by running inetmgr.

2. On the left, expand Sites, expand Default Web Site, and click Director.

3. In the middle pane, double-click Application Settings.

4. Find the entry for Service.AutoDiscoveryAddresses, and double-click it.

5. If Director is installed on a Controller, localhost should already be entered.

6. Add a comma, and the NetBIOS name of one of the controllers in the 2nd XenDesktop Site (farm).
Only enter one Controller name. If you have multiple Director servers, you can point each Director
server to a different Controller in the 2nd XenDesktop Site (farm). From Citrix Docs: Director
automatically discovers all other Controllers in the same Site and falls back to those other
Controllers if the Controller you specified fails.

Director Process Monitoring

Director 7.11 and newer have Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.

Process Monitoring is disabled by default. To enable it, configure the Enable process monitoring setting in
a Citrix Policy. For Citrix Policies in a GPO, find this setting in the computer half of the GPO. Note: this
setting could significantly increase the size of the Monitoring database.

Director Alerts and Notifications

Director supports alert conditions and email notifications. This feature requires XenApp/XenDesktop to be
licensed with Platinum Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using
Director for more information.

Director 7.11 and newer have CPU, Memory, and ICA RTT alerts. See Citrix Blog Post 7 New Categories in
Director for Proactive Notifications & Alerts.

To configure alerts:

1. While logged into Director, at the top of the page, click the Alerts button.

2. Switch to the Email Server Configuration tab.

3. Enter your SMTP information, and click Send Test Message. Then click Save.

4. Switch to the Citrix Alerts Policy tab.

5. There are four high-level categories of alerts: Site Policy, Delivery Group Policy, Server OS Policy,
and User Policy. Click whichever one you want to configure.
6. Then click Create.

7. Give the alert a name.

8. On the bottom left, select a condition, and enter thresholds.
9. On the bottom right, in the Notifications preferences section, click Add.

10. Enter an email address, and click Add.

11. Click Save when done. Feel free to create more alerts and notifications.
12. For Server OS and User Policy, there are new ICA RTT alerts. See Citrix Blog Post 7 New Categories
in Director for Proactive Notifications & Alerts for details on the new alerts in 7.11 and newer.

13. In Director 7.12 and newer, you can configure alerts to generate an SNMP trap. This is configured in
PowerShell as described at Configure alerts policies with SNMP traps at Citrix Docs.

Set-MonitorNotificationSnmpServerConfiguration #see Docs for parameter details
Set-MonitorNotificationPolicy -IsSnmpEnabled $true -Uid <Policy ID>

14. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool
For Citrix XenDesktop.

Director Alerts can be configured with a WebHook that allows Octoblu to perform actions when a Director
Alert occurs. See Configure alerts policies with Octoblu webhooks at Citrix Docs for details.

Set-MonitorNotificationPolicy -Uid 5 -Webhook <Webhook URL>

Director SCOM Integration

Director 7.8 and newer can display alerts from System Center Operations Manager 2012 R2. This feature
requires XenApp/XenDesktop Platinum Edition.

1. See Configure SCOM integration at Citrix Docs for detailed configuration instructions. Also see
Marius Sandbu Integrating Citrix XenDesktop 7.7 and System Center Operations Manager.
2. If Director server or System Center Operations Manager server is 2008 R2, then login to the 2008
R2 server, open PowerShell and run Enable-PSRemoting. Yes to everything. This is not needed on
Windows Server 2012 R2 servers.
3. On Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configscom

4. FYI, the DirectorConfig.exe /configscom command enables the following features on the Director
server: /FeatureName:IIS-NetFxExtensibility45 /FeatureName:IIS-ASPNET45 /FeatureName:WCF-
5. FYI, the System Center Operations Manager server is listed in IIS Manager at Default Web Site >
Director > Application Settings (middle pane) > Connector.SCOM.ManagementServer.

6. On the System Center Operations Manager server, edit Remote Management Users local group,
and add Citrix Admins, and other Director users.
7. In System Center Operations Manager Console, go to Administration > User Roles, and edit
Operations Manager Operators. Add the Citrix Admins, and other Director users.
8. See Citrix Blog Post SCOM Alerts in Citrix Director for information on how to view System Center
Operations Manager alerts in Director.
Director Custom Reports

In Director 7.12 and newer, in the Trends view, there's a Custom Reports tab that guides you through
creating a custom OData Query. This tab only appears if you have XenApp/XenDesktop Platinum Edition.

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring
service has an OData Data Feed that can be queried.

You can use Excel to pull data from the OData Data feed. See Citrix Blog Post Citrix Director
Analyzing the Monitoring Data by Means of Custom Reports. This particular blog post shows how to
use an Excel PivotChart to display the connected Receiver versions.
o Also see Alexander Ollischer Citrix XenDesktop 7.x Query Citrix Receiver Versions
connecting to your environment XLS Report
Citrix CTX211428 Using Excel to Report on Desktop Director Data uses Power Pivot.
Or for Linqpad, see Citrix Blog Post Creating Director Custom reports for Monitoring XenDesktop
using Linqpad
CTA David Ott XenDesktop Usage Report shows that querying OData can be slow and it's
sometimes faster to query the actual Monitoring database. Updated Report.

Use Director

The newer Director features usually require Delivery Controllers and VDAs to be at the same version or
newer than Director. Director depends on the Monitoring Service that is built into the Delivery Controller.
The Monitoring Service gathers data from the VDAs.
See Monitor deployments at Citrix Docs.

See the various Troubleshoot topics at Citrix Docs.

In Director 7.14 and newer, see CTX223928 How to use Director to monitor storage performance.

Citrix Blog Post Citrix Director Now Provides Disk Usage Information!:

IOPS and disk latency data is enabled by default.

IOPS and disk latency is pushed to the database from each VDA at 1 hour interval.
Approximately 276 KB of disk space is required to store the CPU, memory, IOPS and disk latency
data for one VDA over a period of one year.
In Director 7.14 and newer, see CTX223925 How to use Director to monitor NVIDIA GPU usage.

In Director 7.14 and newer, see CTX223927 How to use Director to troubleshoot application launch errors.
This feature is configured in Citrix Policy Settings located in the Computer half at Virtual Delivery Agent
Settings > Monitoring.
Citrix Director 7.13 and newer have an Application Instances tab on the Filters page that lets you filter
published application sessions based on Session Idle Time (RDS sessions only), Application Name, and all
other existing fields, like machine name, and so on. Requires Director 7.13, Controller 7.13, VDA 7.13, and
Platinum Edition licensing. See Citrix Blog Post Monitoring Idle Applications and Sessions in Citrix Director.
See Troubleshoot applications at Citrix Docs.
If idle time column shows n/a, then you need to wait 10-15 minutes.

In Director 7.13 and newer, the Session Details panel can show if Enlightened Data Transport (EDT, aka
HDX on UDP) is enabled in the user's session. See Citrix Blog Post HDX Adaptive Transport Protocol
Monitoring via Director.
George Spiers has a comprehensive guide of all Director 7.12 features at http://www.jgspiers.com/citrix-

Director 7.12 and newer have Connection Failure Details, which is detailed in Citrix Blog Post Director 7.12:
Easier Troubleshooting of Machine & Connection Failures. Also see CTX223812 Citrix Director Failure

Director 7.11 and newer have Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.
Director 7.9 and newer have Logon Duration improvements.

Citrix Blog Post Interactive Session of Logon Duration in Citrix Director Explained: Interactive Session
Duration = Desktop Ready Event Timestamp (EventId 1000 on VDA) - User Profile Loaded Event Timestamp
(EventId 2 on VDA). More details in the Blog Post.

Citrix Blog Post Director 7.6 Failure Reasons Demystified lists possible failure reasons behind an
Unregistered alert, and the true meaning of failure reasons such as Connection Refused
and Communication Error. It details each failure reason, defines the meanings of these failures, and lists
action items that serve as a starting point for troubleshooting the specific scenario. The list is based on
Director 7.6.300.
Virtual Delivery Agent (VDA) 7.14.1
Last Modified: Jun 17, 2017 @ 12:10 pm



VDA Virtual Machine Hardware

Windows Configuration

Install Virtual Delivery Agent 7.14.1

o Customer Experience Improvement Program (CEIP)
o Connection Quality Indicator
o Adaptive Transport
o Slow Logons
o Change Controller Registration Port to something other than port 80
o Verify VDA Registration with Controller
o Citrix PDF Printer 7.11.0 for Receiver for HTML5
o Citrix File Access 2.0.3 for Receiver for Chrome
Framehawk Configuration
Remote Desktop Licensing Configuration
Reduce C: Drive Permissions
Configure Pagefile for Provisioning Services
Direct Access Users Group allow non-administrators to RDP to the VDA
Enable Windows Profiles v3/v4
Registry Settings published Explorer, Screen Saver, HTML5 Clipboard, HTML5 Upload Folder, 4K
Monitors, COM Ports
Restore Legacy Client Drive Mapping
Print Driver for Mac and Linux Clients
HTML5 Receiver SSL for VDA
Anonymous Accounts
Optimize Performance
Seal and Shut Down
Troubleshooting Graphics
Uninstall VDA



Hypervisor Host Hardware

Citrix Blog Post Citrix Scalability The Rule of 5 and 10: Simply take the number of physical cores in
a hypervisor host, multiply it by 5 or 10, and the result will be your Single Server Scalability. Use 5 if
you're looking for the number of XenDesktop VMs you can host on a box, and use 10 if you're
looking for the number of XenApp user sessions you can host on a box.
Virtual Machine Hardware

1. For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM
2. For Windows 2008 R2 RDSH, give the virtual machine 4 vCPU and 12-24 GB of RAM
3. For Windows 2012 R2 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
4. If using RAM caching (MCSIO or PvS), add more RAM for the cache
5. Remove the floppy drive
6. Remove any serial or LPT ports
7. If vSphere:
1. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual
machine .vswp file.
2. The NIC should be VMXNET3.
8. If this VDA will boot from Provisioning Services:
1. For vSphere, the NIC must be VMXNET3.

2. For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM
hardware version 10. SATA won't work with PvS.

9. For Windows 10:

1. CTX224843 Windows 10 compatibility with Citrix XenDesktop: Current Branch (CB) is not
2. Visual Studio 2017 is not supported on LTSB. See Visual Studio 2017 Product Family System

10. Install the latest version of drivers (e.g. VMware Tools).

1. If Windows 7 on vSphere, don't install the VMware SVGA driver. For more details, see Citrix
CTX201804 Intermittent Connection Failures/Black Screen Issues When Connecting from
Multi-Monitor Client Machines to Windows 7 VDA with VDA 7.x on vSphere/ESXi.

If vSphere, disable NIC Hotplug

1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
2. To disable this functionality, power off the virtual machine.

3. Once powered off, right-click the virtual machine, and click Edit Settings.
4. On the VM Options tab, expand Advanced, and then click Edit Configuration.

5. Click Add Row.

6. On the left, enter devices.hotplug. On the right, enter false.
7. Then click OK a couple times to close the windows.

8. The VM can then be powered on.

Windows Preparation
1. If RDSH (Server OS), disable IE Enhanced Security Configuration in Server Manager > Local Server.

2. Optionally, go to Action Center (Windows 8.1 or 2012 R2) or Control Panel > Security and
Maintenance (Windows 10/2016) to disable User Account Control, and enable SmartScreen.

1. In Windows 10 1703 and newer, search the Settings app for Change User Account Control
2. SmartScreen is configured in Windows Defender Security Center > App & browser control.
3. Run Windows Update.

4. Add your Citrix Administrators group to the local Administrators group on the VDA. Computer

5. The Remote Desktop Services Prompt for Password policy prevents Single Sign-on to the Virtual
Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO
setting will prevent Single Sign-on from working.
Computer Configuration | Policies | Administrative Templates | Windows Components | Remote
Desktop Services | Remote Desktop Session Host | Security | Always prompt for password upon

Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PorticaAutoLogon (DWORD) = 0x10.

6. For Windows 7/2008 R2 VDAs that will use Personal vDisk, or AppDisk, or any other layering
technology, install Microsoft hotfix 2614892 A computer stops responding because of a deadlock
situation in the Mountmgr.sys driver. This hotfix solved a Personal vDisk Image update issue
detailed at Citrix Discussions.

7. If this VDA is Windows Server 2008 R2, see http://www.carlstalhood.com/windows-server-2008-r2-


8. To remove the built-in apps in Windows 10, see Robin Hobo How to remove built-in apps in
Windows 10 Enterprise.
9. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration |
Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See
Jason Samuel How to setup Citrix Director Shadowing with Remote Assistance using Group
Policy for more details.
10. If you intend to use Citrix's SCOM Management Packs for XenApp/XenDesktop, make sure WinRM
is enabled on the VDA by running winrm quickconfig. Or you can enable WinRM using Group Policy.

Install Virtual Delivery Agent 7.14.1

1. For virtual desktops, make sure you are logged into the console. The VDA won't install if you are
connected using RDP.
2. Make sure .NET Framework 4.5.2 or newer is installed.

CLI Install:

Command Line Install Options are detailed at Install using the command line at Citrix Docs.

The Citrix Telemetry Service seems to cause problems. You can use the Command Line Installer to exclude
Telemetry Service as detailed at VDA upgrade cmdlet at Citrix Discussions.

XenDesktopVDASetup.exe /quiet /noreboot /masterimage /Enable_HDX_PORTS /enable_framehawk_port /Enable_REAL_TIME_TRANSPORT /optimize /controllers "xdc01.corp.local xdc02.corp.local" /Exclude "Citrix Telemetry Service"

GUI Install:

1. Go to the downloaded XenDesktop 7.14.1 iso file and extract it. If Windows 8 or newer, you can
instead mount it, but be aware that with mounting, the install won't resume correctly after a
2. Run AutoSelect.exe.

3. Alternatively, you can download the standalone VDA package and run that instead. Go to the main
XenDesktop 7.14.1 download page. Expand the section labelled Components that are on the
product ISO but also packaged separately to download the Standalone VDA installers. 7.14.1 has a
VDA installer called Desktop OS Core Services that is designed for Remote PC deployments.
4. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed
in the installation wizard.

5. Click Virtual Delivery Agent for Windows Desktop OS, or Windows Server OS, depending on which
type of VDA you are building.
6. In the Environment page, select Create a Master Image, and click Next.

7. For virtual desktops, in the HDX 3D Pro page, click Next.

8. In the Core Components page, if you don't need Citrix Receiver installed on your VDA, then uncheck
the box. Receiver is usually only needed for double-hop connections (connect to first VDA, and then
from there, connect to second VDA). Click Next.

9. In the Additional Components page, uncheck Citrix AppDisk/Personal vDisk. This feature has been
deprecated and is being replaced by Citrix App Layering (Unidesk). Click Next.
10. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Controller. Click Test
connection. And then make sure you click Add. Click Next when done.
11. In the Features page, check boxes. In 7.12 and newer, only the top box is checked by default. If you
want to use the other features, check the boxes. If this is a virtual desktop, you can leave Personal
vDisk unchecked now and enable it later. Then click Next.

12. In the Firewall page, click Next.

13. In the Summary page, click Install.
14. If RDSH, click Close when you are prompted to restart.

15. After the machine reboots twice, login and installation should continue.
16. If you see a Locate XenApp installation media window, click Cancel.

1. Mount the XenApp_and_XenDesktop_7_14_1.iso.

2. Run AutoSelect.exe.

3. Click the Virtual Desktop Agent box to resume installation.

17. Installation will continue automatically.

18. Note: NT SERVICE\CitrixTelemetryService needs permission to login as a service.

19. In the Smart Tools page, click Connect, enter your MyCitrix.com credentials, and then click Next.
20. In the Finish page, click Finish to restart the machine again.

21. Programs and Features shows Citrix Virtual Delivery Agent 7.14.1 as version

Customer Experience Improvement Program (CEIP)

VDA 7.12 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it,
create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0
(zero). Also see CEIP at Citrix Insight Services at Citrix Docs.

See http://www.carlstalhood.com/delivery-controller-7-14-and-licensing/#ceip for additional places where
CEIP is enabled.

Connection Quality Indicator

The Connection Quality Indicator tells the user the quality of the connection. For example:

Position of the indicator is configurable by the user. Thresholds are configurable through group policy.
Download it from CTX220774 Connection Quality Indicator and install it. The article is very detailed.

Group Policy templates are located at C:\Program Files (x86)\Citrix\Connection Quality
Indicator\Configuration. Copy the files and folder to <Sysvol>\Policies\PolicyDefinitions, or
Find the settings under Computer Config | Policies | Administrative Templates | Citrix Components |
Virtual Desktop Agent | CQI

Notification display settings lets you customize the user notifications, or disable them.
Connection Threshold Settings lets you set the notification thresholds.

Adaptive Transport

XenApp/XenDesktop 7.13 and newer include Adaptive Transport, which uses the EDT protocol over UDP
ports 1494/2598 for HDX connections to the VDA. The UDP ports should already be open in the
Windows Firewall.
Adaptive Transport is disabled by default, but can be enabled in the Citrix Policy setting HDX Adaptive

Slow Logons

Citrix Discussions Xenapp 7.9: Wait for local session manager: I have a Xenapp 7.9 environment on
Windows 2012 R2. When logging in through Citrix I got message Wait for local session manager for 20-30
seconds. When logging in to the server with RDS, I do not have to wait for this.

Add the following 2 registry keys to your 7.9 VDA server then try connecting to it using ICA to see if the
issue still occurs:

Add reg keys in HKLM\SOFTWARE\Citrix\GroupPolicy

Dword: CacheGpoExpireInHours Value = 5-24 (# of Hours) ***start with value of 5***
Dword: GpoCacheEnabled Value = 1

Restart the machine after adding these registry keys and attempt an ICA connection (at least twice) to see
if that helps the Login delay.

Mark DePalma at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says
that pushing Tile Refresh to a background task speeds up logons.

Regedit:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DisableUPMResetCache]
@="DisableUPMResetCache"
"Version"="1,1,1,1"
"StubPath"="REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\StateStore /v ResetCache /t REG_DWORD /d 0 /f"

UPM Exclusions:

Directory - '!ctx_localappdata!\Microsoft\Windows\Caches'
Registry - 'SOFTWARE\Microsoft\Active Setup\Installed Components\DisableUPMResetCache'

Marvin Neys at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says
that deleting HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC at logoff reduces logon
times from 40 seconds to 6 seconds.

Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\UFH\SHC

For additional logon delay troubleshooting, see Alexander Ollischer XenApp/XenDesktop Please Wait
For Local Session Manager message when logging into RDS. He found some Windows Updates that caused
a logon delay.

XenApp recalculates WMI filters on every reconnect. CTX212610 Session Reconnect 30 sec Delay
DisableGPCalculation WMI Filters indicates that recalculation can be disabled by
setting HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Reconnect\DisableGPCalculation (DWORD) to 1.

CTX212439 Desktop Session Stuck in Pre-Logon State with Message Please wait for the Local Session

ize (DWORD) = 48000
Delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal

Controller Registration Port

Some environments will not accept the default port 80 for Virtual Delivery Agent registration, even though
registration is authenticated and encrypted on port 80. To change the port, do the following on the Virtual
Delivery Agent:
1. Open Programs and Features. If Windows 10 1703 or newer, open Apps and Features.
2. Find Citrix Virtual Delivery Agent, and click Change or Modify (Windows 10 1703 and newer).
3. Click Customize Virtual Delivery Agent Settings.

4. Edit the Delivery Controllers, and click Next.

5. On the Protocol and Port page, change the port number, and click Next.
6. In the Summary page, click Reconfigure.

7. In the Finish Reconfiguration page, click Finish to restart the machine.

8. You must also change the VDA registration port on the Delivery Controllers by running
BrokerService.exe /VDAPort.

Controller Registration Verify

1. If you restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service
2. In the Windows Logs > Application log, you should see an event 1012 from Citrix Desktop Service saying
that it successfully registered with a controller. If you don't see this then you'll need to fix the
ListOfDDCs registry key. See VDA registration with Controllers at Citrix Docs.
3. You can also run Citrix's Health Assistant on the VDA.

4. See CTX220772 Technical Primer: VDA Registration for a very detailed explanation of the VDA
Registration process.
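
The registration check above can be scripted. The following is an added example, not part of the original guide: it looks for event 1012 from Citrix Desktop Service since the last boot and tests TCP reachability of each Controller on the registration port. The function name is hypothetical and the Controller FQDNs are the sample names used earlier in this guide.

```powershell
# Added example, not from the original guide. Function name is hypothetical;
# the Controller names are the sample FQDNs from the CLI install command above.

function Test-VdaRegistration {
    [CmdletBinding()]
    param(
        # Controllers this VDA is expected to register with.
        [Parameter(Mandatory)]
        [string[]]$Controller,

        # VDA registration port. 80 is the default described in this guide;
        # pass the new value if it was changed on the VDA and the Controllers.
        [int]$Port = 80
    )

    # Only events logged since the last boot show that the current
    # configuration registers successfully.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Citrix Desktop Service'
        Id           = 1012
        StartTime    = $boot
    }
    try {
        # Newest event is returned first.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent raises an error when nothing matches the filter.
        $events = @()
    }

    # TCP reachability of every Controller on the registration port.
    $reach = foreach ($c in $Controller) {
        $r = Test-NetConnection -ComputerName $c -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Controller = $c
            Port       = $Port
            TcpOpen    = [bool]$r.TcpTestSucceeded
        }
    }

    [pscustomobject]@{
        BootTime         = $boot
        Registered       = ($events.Count -gt 0)
        LastEvent1012    = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        ControllerChecks = $reach
    }
}

# Run on the VDA after a restart of the machine or of the Citrix Desktop Service.
$result = Test-VdaRegistration -Controller 'xdc01.corp.local', 'xdc02.corp.local'
$result | Format-List BootTime, Registered, LastEvent1012
$result.ControllerChecks | Format-Table -AutoSize
```

If Registered is False while every TcpOpen is True, the network path is fine and the Controller list on the VDA is the next thing to check.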

Citrix PDF Printer 7.11.0 for Receiver for HTML5/Chrome

1. To allow printing from Receiver for HTML5/Chrome, install Citrix PDF Printer. Get it from
the Receiver for HTML5 download page in the Additional Components section. Note: this PDF
Printer is only used by Receiver for HTML5 and Receiver for Chrome.

2. Go to the extracted CitrixPDFPrinter_7.11.0 and run CitrixPDFPrinter64.msi.

3. In the Please read the Citrix PDF printer License Agreement page, check the box next to I accept the
terms, and click Install.
4. In the Completed the Citrix PDF Universal Driver Setup Wizard page, click Finish.

5. In Programs and Features, it is shown as version

6. Configure a Citrix Policy to enable the PDF printer. The setting is called Auto-create PDF Universal
Printer in the user half of a Citrix Policy GPO.

Citrix File Access 2.0.3 for Receiver for Chrome

1. If you support Receiver for Chrome (Chromebook) and want to open files on Google Drive using
published applications, install Citrix File Access on the VDAs. Get it from the Receiver for Chrome
download page, in the Additional Components section.

2. Go to the extracted Citrix_File_Access_2.0.3, and run FileAccess.msi.

3. In the Please read the File Access License Agreement page, check the box next to I accept the terms,
and click Install.

4. In the Completed the File Access Setup Wizard page, click Finish.

5. File Access is listed in Programs and Features as version

6. File Access has a default list of supported file extensions. The list can be expanded by editing the
registry on the VDA. See CTX219983 Receiver for Chrome Error: Invalid command line arguments:
Unable to open the file as it has an unsupported extension.

7. To open a file from Google Drive, right-click and open the file using Citrix Receiver.

Framehawk Configuration

To enable Framehawk, see http://www.carlstalhood.com/citrix-policy-settings/#framehawkconfig

Remote Desktop Licensing Configuration

On 2012 R2 and newer RDSH, the only way to configure Remote Desktop Licensing is using group policy
(local or domain). This procedure also works for 2008 R2 RDSH. This procedure is not needed on virtual

1. For local group policy, run gpedit.msc. Alternatively, you can configure this in a domain GPO.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Licensing.

3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter
the names of the RDS Licensing Servers (typically installed on XenDesktop Controllers). Click OK.
4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User.
Click OK.

5. Optionally, you can install the Remote Desktop Licensing Diagnoser Tool. In the Server Manager >
Add Roles and Features Wizard, on the Features page, expand Remote Server Administration
Tools, expand Role Administration Tools, expand Remote Desktop Services Tools, and select
Remote Desktop Licensing Diagnoser Tool. Then Finish the wizard.
6. If it won't install from Server Manager, you can install it from PowerShell by running
Install-WindowsFeature rsat-rds-licensing-diagnosis-ui.

7. In Server Manager, open the Tools menu, expand Remote Desktop Services (or Terminal Services),
and click Remote Desktop Licensing Diagnoser.
8. The Diagnoser should find the license server, and indicate the licensing mode. If you're configured
for Per User licenses, then it's OK if there are no licenses installed on the Remote Desktop License

Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing
Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote
Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the
REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\RCM\GracePeriod only leaving the default. You must take ownership and give admin users full
control to be able to delete this value.

C: Drive Permissions

This section is more important for shared VDAs like RDSH (Windows Server 2008 R2, Windows Server 2012
R2, and Windows Server 2016).

The default permissions allow users to store files on the C: drive in places other than their profile.
1. Open the Properties dialog box for C:.
2. On the Security tab, click Advanced.

3. If UAC is enabled, click Change permissions.

4. Highlight the line containing Users and Create Folders, and click Remove.

5. Highlight the line containing Users and Create files (or Special), and click Remove. Click OK.
6. Click Yes to confirm the permissions change.

7. If you see any of these Error Applying Security windows, click Continue. This window should appear
multiple times.

8. Click OK to close the C: drive properties.
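
To confirm the result of the procedure above across many images, the root ACL can be audited from PowerShell. This is an added example, not part of the original guide; it is read-only, and the function names are hypothetical.

```powershell
# Added example, not from the original guide. Read-only: no permissions are
# changed. Function names are hypothetical.

# Well-known SID of BUILTIN\Users; identical on every Windows language version.
$UsersSid = 'S-1-5-32-545'

function Get-UsersCreateAce {
    [CmdletBinding()]
    param(
        # Folder whose ACL is inspected; the procedure above targets C:\
        [string]$Path = 'C:\'
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Shown in the GUI as "Create files / write data" and
    # "Create folders / append data".
    $createFiles   = [int]$fsr::CreateFiles
    $createFolders = [int]$fsr::AppendData
    # An ACE can also carry generic rights, which imply the create rights.
    $genericWrite  = 0x40000000
    $genericAll    = 0x10000000

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $UsersSid) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $rights  = [int]$ace.FileSystemRights
        $generic = ($rights -band ($genericWrite -bor $genericAll)) -ne 0
        $canCreateFiles   = $generic -or (($rights -band $createFiles)   -ne 0)
        $canCreateFolders = $generic -or (($rights -band $createFolders) -ne 0)
        if (-not ($canCreateFiles -or $canCreateFolders)) { continue }

        [pscustomobject]@{
            Path          = $Path
            Rights        = $ace.FileSystemRights
            CreateFiles   = $canCreateFiles
            CreateFolders = $canCreateFolders
            Inheritance   = $ace.InheritanceFlags
            Propagation   = $ace.PropagationFlags
            IsInherited   = $ace.IsInherited
        }
    }
}

function Test-RootDriveLockedDown {
    param([string]$Path = 'C:\')
    # True when no Allow entry for Users grants file or folder creation.
    return (@(Get-UsersCreateAce -Path $Path).Count -eq 0)
}

# Report for the local machine.
$remaining = @(Get-UsersCreateAce -Path 'C:\')
if ($remaining.Count -eq 0) {
    'C:\ : no Users entry grants Create files or Create folders.'
} else {
    $remaining | Format-Table Rights, CreateFiles, CreateFolders, Inheritance, Propagation -AutoSize
}
```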


If this image will be converted to a Provisioning Services vDisk, then you must ensure the pagefile is smaller
than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and
if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB, and Provisioning
Services will be unable to move it to the cache disk. This causes Provisioning Services to cache to server
instead of caching to your local cache disk (or RAM).
1. Open System. In 2012 R2 and newer, you can right-click the Start button, and click System. Note: in
Windows 10 1703 and newer, this method no longer opens the correct tool.
2. Another option is to open File Explorer, right-click This PC, and click Properties. This works in
Windows 10 1703.

3. Click Advanced system settings.

4. On the Advanced tab, click the top Settings button.

5. On the Advanced tab, click Change.

6. Uncheck the box next to Automatically manage paging file size for all drives. Then either turn off
the pagefile, or set the pagefile to be smaller than the cache disk. Don't leave it set to System
managed size. Click OK several times.

Direct Access Users

When Citrix Virtual Delivery Agent is installed on a machine, non-administrators can no longer RDP to the
machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your
non-administrator RDP users to this local group so they can RDP directly to the machine.

Windows Profiles v3/v4/v5/v6

Roaming Profiles are compatible only between the following client and server operating system pairs. The
profile version is also listed.

v6 = Windows 10 (1607 and 1703) and Windows Server 2016

v5 = Windows 10 (1511 and older)
v4 = Windows 8.1 and Windows Server 2012 R2
v3 = Windows 8 and Windows Server 2012
v2 = Windows 7 and Windows Server 2008 R2
v2 = Windows Vista and Windows Server 2008

For Windows 2012 R2, install Microsoft hotfix 2890783, and set the UseProfilePathExtensionVersion
registry value to 1.


Published Explorer

From Citrix CTX128009 Explorer.exe Fails to Launch: When publishing the seamless explorer.exe
application, the session initially begins to connect as expected. After the loading, the dialog box
disappears, and the Explorer application fails to appear. On the VDA, use the following registry change to
set the length of time a client session waits before disconnecting the session:

Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
o Value = LogoffCheckerStartupDelayInSeconds (DWORD) = 10 (Hexadecimal)

Screen Saver

From Citrix CTX205214 Screensaver Not Working in XenDesktop: By default, Screen Saver doesn't work on
Desktop OS. To enable it, on the VDA, configure the following registry value:

o Value = SetDisplayRequiredMode (DWORD) = 0

Logon Disclaimer Window Size

From XenApp 7.8 Session Launch Security/Warning Login Banner at Citrix Discussions: If your logon
disclaimer window has scroll bars, set the following registry values:

Key = HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook

o Value = LogonUIWidth (DWORD) = 300
o Value = LogonUIHeight (DWORD) = 200

Login Timeout

From Citrix CTX203760 VDI Session Launches Then Disappears: XenDesktop, by default, only allows 180
seconds to complete a logon operation. The timeout can be increased by setting the following:

o Value = AutoLogonTimeout (DWORD) = decimal 240 or higher (up to 3600).

Also see Citrix Discussions Machines in Registered State, but VM closes after Welcome screen.

HDX Flash

From Citrix Knowledgebase article CTX139939 Microsoft Internet Explorer 11 Citrix Known Issues: The
registry key value IEBrowserMaximumMajorVersion is queried by the HDX Flash service to check for
maximum Internet Explorer version that HDX Flash supports. For Flash Redirection to work with Internet
Explorer 11 set the registry key value IEBrowserMaximumMajorVersion to 11 on the machine where HDX
flash service is running. In case of XenDesktop it would be the machine where VDA is installed.

Key = HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
o Value = IEBrowserMaximumMajorVersion (DWORD) = 11 (Decimal)

From Citrix Discussions: Add the DWORD FlashPlayerVersionComparisonMask=0 on the VDA under
HKLM\Software\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer. This disables the Flash major
version checking between the VDA and Client Device.

Receiver for HTML5/Chrome Enhanced Clipboard

From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, create a
REG_SZ registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual
Clipboard\Additional Formats\HTML Format\Name=HTML Format. Create any missing registry keys. This
applies to both virtual desktops and Remote Desktop Session Hosts.

Receiver for HTML5/Chrome Upload Folder

The Receiver for HTML5 (or Chrome) lets users upload files.

By default, the user is prompted to select an upload location. If you use the Upload feature multiple times,
the last selected folder is not remembered.

Citrix CTX217351 How to Customize File Upload and Download Using Receiver for HTML5 and Receiver for
Chrome. You can specify a default uploads location by
editing HKLM\Software\Citrix\FileTransfer\UploadFolderLocation on the VDA. Environment variables are
supported. When this value is configured, users are no longer prompted to select an upload location. The
change takes effect at next logon.
Note: HTML5/Chrome Receiver also adds a Save to My Device location to facilitate downloads.

4K Monitors

From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to
7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:

1. For VDA 7.11 and newer, calculate the video memory that is required for monitors using the
following formula:

SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the
monitor. Note: There is no hard and fast rule that will work for all cases.

Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then
SumOfAllMons will be (1920*1200 + 1366*768)

2. CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is
3. Open the registry (regedit) and navigate to:
4. Increase the value of MaxVideoMemoryBytes REG_DWORD value to the above calculated
5. Reboot the VDA.

Citrix Policies also control graphics performance.

COM Port Threads

CTX212090 COM Port Intermittently Inaccessible During ICA Sessions: increase the default value of
MaxThreads under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picaser\Parameters from 20 to a value
greater than the number of COM port connections you want to support. For example, if a XenApp server
supports 100 sessions and each session opens two COM ports, the value of MaxThreads should be
greater than 200.

Legacy Client Drive Mapping

Citrix CTX127968 How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive
Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive
The old drive letter method can be enabled by setting the registry value:

Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)

o Value = UNCEnabled (DWORD) = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).

Print Driver for Non-Windows Clients

This section applies to Windows 8.1/2012 and newer VDAs.

From CTX139020 Configuring Virtual Machines for Mac Client Printer Mapping with Windows 8.x. By
default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.

1. Requirements:
o Internet Access
o Windows Update service enabled
2. Click Start, and run Devices and Printers.
3. In Windows 10 1703, open Printers & scanners, then scroll down, and click Devices and printers.

4. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the
toolbar, click Print server properties.
5. Switch to the Drivers tab. Click Change Driver Settings.

6. Then click Add.

7. In the Welcome to the Add Printer Driver Wizard page, click Next.

8. In the Processor Selection page, click Next.

9. In the Printer Driver Selection page, click Windows Update. The driver we need won't be in the list
until you click this button. Internet access is required.
10. Once Windows Update is complete, highlight HP on the left, and then select HP Color LaserJet 2800
Series PS (Microsoft) on the right. Click Next.

11. In the Completing the Add Printer Driver Wizard page, click Finish.

12. Repeat these instructions to install the following additional drivers:

o HP LaserJet Series II
o HP Color LaserJet 4500 PCL 5


If you intend to use HTML5 Receiver internally, install certificates on the VDAs so the WebSockets (and ICA)
connection will be encrypted. Internal HTML5 Receivers will not accept clear text WebSockets. External
users don't have this problem since they are SSL-proxied through NetScaler Gateway. Notes:

Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is
feasible for a small number of persistent VDAs. For non-persistent VDAs, you'll need some
automatic means for creating machine certificates every time they reboot.
As detailed in the following procedure, use PowerShell on the Controller to enable SSL for the
Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the
Delivery Group must have SSL certificates installed.

The following instructions for manually enabling SSL on VDA can be found at Configure SSL on a VDA using
the PowerShell script at Citrix Docs.
1. On the VDA machine, run mmc.exe.
2. Add the Certificates snap-in.
3. Point it to Local Computer.
4. Request a certificate from your internal Certificate Authority. You can use either the Computer
template or the Web Server template.

1. You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
5. Browse to the XenApp/XenDesktop 7.14.1 ISO. In the Support\Tools\SslSupport folder, shift+right-
click the Enable-VdaSSL.ps1 script and click Copy as path.

6. Run PowerShell as administrator (elevated).

7. Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.

8. In the PowerShell prompt, type in an ampersand (&), and a space.

9. Right-click the PowerShell prompt to paste in the path copied earlier.
10. At the end of the path, type in -Enable
11. If there's only one certificate on this machine, press Enter.

12. If there are multiple certificates, you'll need to specify the thumbprint of the certificate you want to
use. Open the Certificates snap-in, open the properties of the machine certificate you want to use,
and copy the Thumbprint from the Details tab.

In the PowerShell prompt, at the end of the command, enter -CertificateThumbPrint, add a space, and
type quotes (").

Right-click the PowerShell prompt to paste the thumbprint.

Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The
thumbprint needs to be wrapped in quotes.

13. If this VDA machine has a different service already listening on 443 (e.g. IIS), then the VDA needs to
use a different port for SSL connections. At the end of the command in the PowerShell prompt,
enter -SSLPort 444 or any other unused port.

14. Press <Enter> to run the Enable-VdaSSL.ps1 script.

15. Press <Y> twice to configure the ACLs and Firewall.
16. You might have to reboot before the settings take effect.

17. Login to a Controller, and run PowerShell as Administrator (elevated).

18. Run the command asnp Citrix.*

19. Enter the command:

Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

where <delivery-group-name> is the name of the Delivery Group containing the VDAs.
20. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is

21. Also run the following command:

Set-BrokerSite -DnsResolutionEnabled $true

You should now be able to connect to the VDA using the HTML5 Receiver from internal machines.
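
The certificate selection and thumbprint clean-up in steps 11 to 13 can be scripted, which avoids pasting errors. This is an added example, not part of the original guide or of Citrix's script: the function names are hypothetical, the sample thumbprint is constructed, and only the -Enable, -CertificateThumbPrint and -SSLPort switches come from the steps above.

```powershell
# Added example, not from the original guide. Function names are hypothetical.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Strips spaces and the invisible character the certificate dialog can
    # prepend when the value is copied from the Details tab.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    return $clean
}

function Test-ServerAuthEku {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }   # no EKU extension: usage is not restricted
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return ($oids -contains $serverAuthOid)
}

function Get-VdaSslCandidate {
    param(
        # The certificate must match the machine name, as noted above.
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($names -contains $Fqdn) -and
        (Test-ServerAuthEku -Certificate $_)
    } | Sort-Object -Property NotAfter -Descending   # longest remaining validity first
}

function Get-EnableVdaSslArgument {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Use another value when a different service already listens on 443.
        [int]$SslPort = 443
    )
    $argList = @('-Enable', '-CertificateThumbPrint', ('"{0}"' -f (ConvertTo-CleanThumbprint $Thumbprint)))
    if ($SslPort -ne 443) { $argList += @('-SSLPort', $SslPort) }
    return $argList
}

# Constructed sample: a thumbprint as pasted from the GUI, with spaces and a
# leading U+200E character. Prints the 40-character value with both removed.
$pasted = "$([char]0x200E)0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"
ConvertTo-CleanThumbprint -Thumbprint $pasted

# On the VDA: pick the matching machine certificate and print the arguments
# to append after the path of Enable-VdaSSL.ps1.
$candidates = @(Get-VdaSslCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning 'No valid machine certificate with a private key matches this FQDN.'
} else {
    (Get-EnableVdaSslArgument -Thumbprint $candidates[0].Thumbprint) -join ' '
}
```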

The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method
for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-
enrollment and setting up a task that runs after the certificate has been enrolled.

For certificate auto-enrollment on non-persistent Remote Desktop Session Hosts (aka Server OS
VDAs), see Non-Persistent Server SSL to VDA by Alfredo Magallon Arbizu at CUGC.

Anonymous Accounts

If you intend to publish apps anonymously then follow this section.

1. Anonymous accounts are created locally on the VDAs. When XenDesktop creates Anon accounts it
gives them an idle time as specified at
The default is 10 minutes. Adjust as desired.

2. You can pre-create the Anon accounts on the VDA by running C:\Program
Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe. If you don't run this tool then Virtual
Delivery Agent will create them automatically when users log in.

3. You can see the local Anon accounts by opening Computer Management, expanding System Tools,
expanding Local Users and Groups and clicking Users.
4. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10
minutes. Feel free to change it.

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not
apply. To work around this limitation, you'll need to edit the local group policy on each Virtual Delivery

1. On the Virtual Delivery Agent, run mmc.exe.

2. Open the File menu, and click Add/Remove Snap-in.

3. Highlight Group Policy Object Editor, and click Add to move it to the right.
4. In the Welcome to the Group Policy Wizard page, click Browse.

5. On the Users tab, select Non-Administrators.

6. Click Finish.

7. Now you can configure group policy to lock down sessions for anonymous users. Since this is a local
group policy, you'll need to repeat the group policy configuration on every Virtual Delivery Agent
image. Also, Group Policy Preferences is not available in local group policy.


Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft's virus scanning recommendations (e.g. exclude group policy files)


Citrix's Recommended Antivirus Exclusions

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a
consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on
the key processes, folders, and files that we have seen cause issues in the field:

Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller,
and Provisioning Services. The Blog Post also has links to additional KB articles on antivirus.

Symantec links:

Symantec TECH91070 Citrix and terminal server best practices for Endpoint Protection.
Symantec TECH197344 Best practices for virtualization with Symantec Endpoint Protection 12.1.2
and later
Symantec TECH180229 Symantec Endpoint Protection 12.1 Non-persistent Virtualization Best
Symantec TECH123419 How to prepare Symantec Endpoint Protection clients on virtual disks for
use with Citrix Provisioning Server has a script that automates changing the MAC address registered
with Symantec.
Citrix Blog Post How to prepare a Citrix Provisioning Services Target Device for Symantec Endpoint
If profiles are deleted on logoff, set Symantec registry value CloseUserLogFile to 1. Symantec
TECH210170 Citrix user sessions are held open by ccSvcHst.exe during log off

Trend Micro

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries
can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE
until the system has launched successfully. This avoids deadlock situations during login.

Citrix CTX136680 Slow Server Performance After Trend Micro Installation. Citrix session hosts experience
slow response and performance more noticeable while users try to log in to the servers. At some point the
performance of the servers is affected, resulting in issues with users logging on and requiring the server to
be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the
affected servers. Add new DWORD Value as:


Trend Micro Links:

Trend Micro Docs Trend Micro Virtual Desktop Support

Trend Micro Docs VDI Pre-Scan Template Generation Tool
Trend Micro 1055260 Best practice for setting up Virtual Desktop Infrastructure (VDI) in
Trend Micro 1056376 Frequently Asked Questions (FAQs) about Virtual Desktop
Infrastructure/Support In OfficeScan


Best Practice for running Sophos on virtual systems: we've amassed the following practical information
about how you can optimize our software to work with this technology.

Sophos Anti-Virus for Windows XP+: Installation and configuration considerations for Sophos Anti-Virus on
a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use
with cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
Have the desired version of Sophos Anti-Virus already installed and configured on the created

Windows Defender Antivirus

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

Optimize Performance

VDA Optimizer

Installation of the VDA might have already done this but there's no harm in doing it again. This tool is only
available if you installed VDA in Master Image mode.

1. On the master VDA, go to C:\Program Files\Citrix\PvsVm\TargetOSOptimizer, and
run TargetOSOptimizer.exe.
2. Then click OK. Notice that it disables Windows Update.

Windows 10 / Windows 2012 R2 / Windows 2016 and newer

VMware OS Optimization Tool. See VMware Windows Operating System Optimization Tool Guide
Technical Paper for details on this tool. This tool has templates for Windows 10/2016, plus
templates for older versions of Windows.
o LoginVSI has an OSOT template for Windows Server 2016. See How to improve your
Windows Server 2016 performance. This template was recently added to default
download of OSOT.

Citrix Daniel Feller links:

o Windows Server 2016 Optimizations For Citrix XenApp
o Optimize Vdi: Windows 10 Scheduled Tasks (Original, Anniversary And Creator Updates)
contains a list of Scheduled Tasks that can be disabled.
o Optimize VDI: Windows 10 Default Apps (Original, Anniversary And Creator Updates) lists
the built-in UWP apps that should be removed.

o Optimize Vdi: Windows 10 User Interface And Runtime (Original, Anniversary And Creator
Updates) contains registry keys to improve Windows 10 performance.

James Rankin Improving Windows 10 logon time:

o Use Remove-AppXProvisionedPackage to remove Modern apps. See the article for a list of
apps to remove. Also see James Rankin Everything you wanted to know about virtualizing,
optimizing and managing Windows 10... but were afraid to ask, part #3: MODERN APPS
o Import a Standard Start Tiles layout (Export-StartLayout)
o Create a template user profile
David Wilkinson links:
o Citrix XenDesktop and Windows 10 Optimisation Script Optimise Windows 10 in
XenDesktop based environment as per citrix optimisation recommendations/Various blogs
and my own experience in running citrix environments.

o Citrix XenApp and Windows Server 2016 Optimisation Script Optimise Windows Server
2016 in XenApp/RDS based environment as per citrix optimisation Guide in 2008 R2/Various
blogs and my own experience in running citrix environments.

Citrix Links:
o Citrix's Windows 10 Optimization Guide: remove built-in apps, delete Scheduled Tasks,
disable services, etc.
o Citrix's Windows 8 and 8.1 Virtual Desktop Optimization Guide contains the following:
A list of services to disable
A list of computer settings
A list of scheduled tasks to disable
A script to do all of the above
Microsoft links:
o Microsoft TechNet Blog Guidance on Disabling System Services on Windows Server 2016
with Desktop Experience contains a spreadsheet with a list of services categorized as

o Carl Luberti (Microsoft) Windows 10 VDI Optimization Script

o Microsoft's Windows 8 VDI optimization script.
Desktop Virtualization Best Practice Analyzer (BP Analyzer)

Optimization Notes:

If this machine is provisioned using Provisioning Services, do not disable the Shadow Copy services.
Windows 8 detects VDI and automatically disables SuperFetch. No need to disable it yourself.
Windows 8 automatically disables RSS and TaskOffload if not supported by the NIC.
Citrix CTX213540 Unable To View Printers In Devices And Printers Win 2012 R2: don't disable the
Device Setup Manager Service
Citrix CTX131995 User Cannot Launch Application in Seamless Mode in a Provisioning Services
Server when XenApp Optimization Best Practices are Applied. Do not enable

RDSH 2008 R2
Citrix CTX131577 XenApp 6.x (Windows 2008 R2) Optimization Guide is a document with several registry
modifications that are supposed to improve server performance. Ignore the XenApp 6 content and instead
focus on the Windows content.

Norskale has Windows 2008 R2 Remote Desktop and XenApp 6 Tuning Tips Update.

Windows 7

Microsoft has compiled a list of links to various optimization guides. It's a common practice to optimize a
Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations
include the following.

Minimize the footprint, e.g. disable some features and services that are not required when the OS is
used in stateless or non-persistent fashion. This is especially true for disk-intensive workloads
since disk I/O is a common bottleneck for VDI deployment. (Especially if there are multiple VMs
with the same I/O patterns that are timely aligned).
Lock down user interface (e.g. optimize for specific task workers).

With that said, certain practices are quite debatable and vary between actual real-world deployments.
Exact choices whether to disable this or that particular component depend on customer requirements and
VDI usage patterns. E.g. in a personalized virtual desktop scenario there are far fewer things to disable since
the machine is not completely stateless. Some customers rely heavily on particular UI functions and
others can relatively easily trade them off for the sake of performance or standardization (thus enhancing
supportability and potentially security). This is one of the primary reasons why Microsoft doesn't publish
any VDI Tuning guide officially.

There are, however, a number of such papers and even tools published either by the community or third
parties. This Wiki page is aimed to serve as a consolidated and comprehensive list of such resources.

Daniel Ruiz XenDesktop Windows 7 Optimization and GPOs Settings

Microsoft Whitepaper Performance Optimization Guidelines for Windows 7 Desktop Virtualization

Seal and Shut Down

If this VDA will be a master image in a Machine Creation Services or Provisioning Services catalog, after the
master is fully prepared (including applications), do the following:
1. Go to the properties of the C: drive, and run Disk Cleanup.

2. If Disk Cleanup is missing, you can run cleanmgr.exe instead.

3. Windows 10 1703 and newer has a new method for cleaning up temporary files.
1. Right-click the Start button, and click System.
2. Click Storage on the left, and click This PC (C:) on the right.
3. Click Temporary Files.
4. Check boxes, and click Remove files.

4. On the Tools tab, click Optimize to defrag the drive.

5. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is
not necessary to manually rearm licensing. XenDesktop will do it automatically.

6. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.

7. Machine Creation Services and Provisioning Services require DHCP.

8. Session hosts (RDSH) commonly have DHCP reservations.

9. Login Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable
using Group Policy.

10. Shut down the master image. You can now use Studio (Machine Creation Services) or Provisioning
Services to create a catalog of linked clones.

Troubleshooting Graphics

For Windows 7 on vSphere, don't install the VMware SVGA driver. For more details,
see CTX201804 Intermittent Connection Failures/Black Screen Issues When Connecting from Multi-Monitor
Client Machines to Windows 7 VDA with VDA 7.x on vSphere/ESXi.
For Citrix Policies that control graphics codecs, see http://www.carlstalhood.com/citrix-policy-

Citrix Blog post Optimising the performance of HDX 3D Pro Lessons from the field

From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to
7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:

1. For VDA 7.11 and newer, calculate the video memory that is required for monitors using the
following formula:

SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the
monitor. Note: There is no hard and fast rule that will work for all cases.

Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then
SumOfAllMons will be (1920*1200 + 1366*768)

2. CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is
3. Open the registry (regedit) and navigate to:
4. Increase the value of MaxVideoMemoryBytes REG_DWORD value to the above calculated
5. Reboot the VDA

From Citrix Discussions: To exclude applications from Citrix 3D rendering, create a REG_DWORD registry
value app.exe with value 0 or a registry value * with value 0.

XD 7.1 and XD 7.5:

o x86: reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
o x64: reg add hklm\software\Wow6432Node\citrix\vd3d\compatibility /v * /t REG_DWORD
/f /d 0
XD 7.6/7.7/7.8/7.9/7.11 both x86 and x64:
o reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0

Wildcards are not supported. The asterisk * here has a special meaning ("all apps") but is not a traditional
wildcard. Blacklisting multiple apps (e.g. both appa.exe and appb.exe) must be done by creating a registry
value for each app individually.

This is most problematic in Remote PC since most physical PCs have GPUs. I recently had to blacklist
Internet Explorer to prevent lockup issues when switching back to physical.
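
To audit which applications are excluded from 3D rendering on a VDA, the following PowerShell is an added example, not part of the original article or of Citrix tooling. It reads the two compatibility keys targeted by the reg add commands above and flags value names containing wildcards, which are not supported; the function names and the sample entries are hypothetical.

```powershell
# Added example (not Citrix code). The two key paths are the ones targeted by
# the reg add commands in this article.
$Vd3dCompatibilityKeys = @(
    'HKLM:\SOFTWARE\Citrix\vd3d\compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\vd3d\compatibility'
)

function Test-Vd3dExclusionEntry {
    # Classifies one registry value according to the rules described above.
    param(
        [Parameter(Mandatory)][string]$Name,   # value name, e.g. 'iexplore.exe' or '*'
        $Value,                                # value data
        [string]$Kind = 'DWord'                # registry value type
    )
    $finding = if ($Name -eq '*') {
        'Excludes ALL applications from Citrix 3D rendering'
    } elseif ($Name -match '[*?]') {
        'Ineffective: wildcards are not supported, create one value per executable'
    } else {
        'Excludes a single application'
    }
    if ($Kind -ne 'DWord') {
        $finding = "Unexpected type $Kind (the article uses REG_DWORD)"
    } elseif ($Value -ne 0) {
        $finding = "Value is $Value; the article only documents 0 as an exclusion"
    }
    [pscustomobject]@{ Name = $Name; Value = $Value; Kind = $Kind; Finding = $finding }
}

function Get-Vd3dExclusion {
    # Reads both keys (when present) and classifies every named value.
    foreach ($path in $Vd3dCompatibilityKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the key's (Default) value
            $entry = Test-Vd3dExclusionEntry -Name $name `
                -Value $key.GetValue($name) -Kind $key.GetValueKind($name)
            $entry | Add-Member -NotePropertyName Key -NotePropertyValue $path -PassThru
        }
    }
}

# Constructed sample entries (not taken from a real machine).
$sample = [ordered]@{ '*' = 0; 'iexplore.exe' = 0; 'app?.exe' = 0; 'appb.exe' = 1 }
$sample.GetEnumerator() |
    ForEach-Object { Test-Vd3dExclusionEntry -Name $_.Key -Value $_.Value } |
    Format-Table Name, Value, Finding -AutoSize

# On a VDA, audit the live registry instead:
Get-Vd3dExclusion | Format-Table Key, Name, Value, Finding -AutoSize
```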

Uninstall VDA

Uninstall the VDA from Programs and Features.

Then see CTX209255 VDA Cleanup Utility.

To run the VDA Cleanup Tool silently:

1. Execute VDACleanupUtility.exe /silent /noreboot to suppress reboot.

2. Once the VDACleanupUtility has finished executing, set up Auto logon for the current user.
3. Reboot.
4. After reboot, the tool will launch automatically to continue Cleanup.

Another option is to delete the CitrixVdaCleanup value under
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Then after reboot,
run VDACleanupUtility.exe /silent /reboot to indicate that it's running after the reboot.

Matt Bodholdt XenDesktop 7.x Controller Service Status Script at CUGC PowerShell script that checks the

Lists Controllers with boot time

Licensing status
Service status on each Controller
DB Connections
Controller Available Memory
Hypervisor Connections Status
Catalogs, Delivery Groups, Zones
Last Modified: Jun 1, 2017 @ 6:43 pm



Persistent vs Non-persistent
Zones (XenApp/XenDesktop 7.7 and newer)
Zone Preference (XenApp/XenDesktop 7.11 and newer)
Machine Creation Services
o MCS Full Clones (XenApp/XenDesktop 7.11 and newer)
o MCS Machine Naming
o MCS Memory Caching (XenApp/XenDesktop 7.9 and newer)
o MCS Image Prep Licensing Rearm
o MCS Base Disk Deletion
Controller Name Cache

Delivery Group License Type (XenApp/XenDesktop 7.14 and newer)

Delivery Group Published Apps and Desktops in 7.8 and newer
Tags in XenApp/XenDesktop 7.12 and newer
RDSH Scheduled Restart
Allow one user to have Multiple Sessions
Static Catalog Export/Import Machine Assignments
Monitor Number of Free Desktops
Published Applications


Persistent vs Non-persistent

VDA design: One of the tasks of a Citrix Architect is VDA design. There are many considerations, including
the following:

Machine type: single user (virtual desktop), or multi-user (Remote Desktop Session Host). RDSH is
more hardware efficient.
Machine operating system: Windows 7, Windows 10, Windows Server 2008 R2, Windows Server
2012 R2, Windows Server 2016
Machine persistence: persistent, non-persistent
Number of new machines: concurrent vs named-users
Machine provisioning: full clones, Machine Creation Services (MCS), Provisioning Services (PvS)
Hardware for the new machines: hypervisor clusters, storage
How the machines are updated: SCCM, MCS, PvS, etc.
Application integration: locally installed, App-V, Layering, XenApp published, leave on local
endpoint machine, cloud apps, etc.
User Profiles: roaming, mandatory, home directories
Group Policies: session lockdown, automation
Disaster Recovery: replication. VDAs running in a warm site. DR for profiles and home directories

Desktop Management in a Citrix environment: Some environments try to use Citrix to improve desktop
management. Here are some desktop management aspects of Citrix that aren't possible with distributed
physical desktops:

Datacenter network speeds: The VDAs have high speed connectivity to the desktop management
tools, which eliminates WAN bandwidth as a desktop management consideration. For example, you
can use Microsoft App-V to stream apps to VDAs.
Non-persistence: Non-persistent VDAs revert at every reboot. To update non-persistent VDAs,
simply update your master image.
Layering: The VDA VMs can be composed of multiple layers that are combined during machine
boot, or when the user logs in. Citrix AppDisk and Unidesk are examples of this technology. A single
layer can be shared by multiple VDAs. The layers are updated once, and all machines using the layer
receive the updated layer at next boot/login.

Non-persistent VDAs: Probably the easiest of these desktop-management technologies to implement is
non-persistence. However, there are several drawbacks to non-persistence:

Master Images must be designed: Which apps go on which master image? Do you install the same
app on multiple master images?
o How do you know which apps a user needs? Most Citrix admins, and even desktop teams,
don't know every app that a user needs. You can use tools like Liquidware Labs or Lakeside
Software to discover app usage, but it's a very complicated process to find commonality
across multiple users.
o How are One-off apps handled? If you have an app used by only a small number of users,
do you add it to one of your master images? Do you create a new master image? Do you
publish it from XenApp (double hop)? Do you stream it using App-V? Layering is another
o Application Licensing: for licensed apps, do you install the licensed app into the master
image and try to hide it from non-licensed users? Or do you create a new master image for
the licensed users?
o Patching multiple images: when a new OS patch needs to be deployed, you have to update
every master image running that OS version. Thus Citrix admins usually try to limit the
number of master images, which makes image design more complicated.
o How do you manage an app that is installed on multiple master images? Layering might
help with this.
Who manages the master images? Citrix admins? Desktop team? It's unlikely that traditional
desktop management tools (e.g. SCCM) will ever be completely removed from an enterprise
environment, which means that master image management is an additional task that was not
performed before. Does the Citrix admin team have the staff to take on this responsibility? Would
the desktop management team be willing to perform this new process?
o Politically feasible? Large enterprises usually have mature desktop management
practices. Would this new process interfere with existing desktop management
o Responsibility: if the Citrix admins are not maintaining the master images, and if a Catalog
update causes user problems, who is responsible?
o RDSH Apps are complicated: who is responsible for integrating apps into Remote Desktop
Session Host (XenApp)? Does the desktop team have the skills to perform the additional
RDSH testing?
Change Control, Longer Deployment Times: Any change to a master image would affect every
machine/user using that image, thus dev/QA testing is recommended for every change, which
slows down app update deployment. And once a change is made to the master, it doesn't take
effect until the user's VDA is rebooted.
Roaming Profiles: some apps (e.g. Office) save user settings in user profiles. Since the machines
are non-persistent, the profiles would be lost on every reboot unless roaming profiles are
implemented. This adds a dependency on roaming profile configuration, and the roaming profile
file share.
o How is the Outlook OST file handled? With Cloud Hosted Exchange, for best performance,
Outlook needs to run in Cached Exchange mode. How is the large OST file roamed? One
option is to use group policy to minimize the size of the OST file. Another is to purchase a
3rd party OST handling product like FSLogix.
IT Applications (e.g. antivirus) on non-persistent machines: Many IT apps (antivirus, asset mgmt,
security, etc.) have special instructions to work on non-persistent machines. Search the vendor's
knowledgebase for VDI, non-persistent, Citrix, etc. Antivirus in particular has a huge impact on VDA
performance. And the special instructions for non-persistent VDAs are in addition to normal
antivirus configuration.
Connection Leasing does not support non-persistent virtual desktops: if the XenDesktop SQL
database is down, Connection Leasing won't help you. It's not possible to connect to non-persistent
virtual desktops until the XenDesktop SQL database connection is recovered. This affects multi-
datacenter designs.

Application Integration Technologies: Additional technologies can be used to overcome some of the
drawbacks of non-persistent machines:

Microsoft App-V: this technology can dynamically stream apps to a non-persistent image.
Different users get different apps. And the apps run in isolated bubbles. However:
o App-V is an additional infrastructure that must be built and maintained.
o App-V requires additional skills for the people packaging the apps, and the people
troubleshooting the apps.
o Since the apps are isolated, app interaction is configured manually.
o Because of application isolation, not every app can run in App-V. Maybe 60-80% of apps
might work. How do you handle apps that don't work?
Layering: each application is a different layer (VHD file). The layering tool combines multiple layers
into a single unified image. Layers are updated in one place, and all images using the layer are
updated, which solves the issue of a single app in multiple images. Layering does not use
application isolation, so almost 100% of apps should work with layering. Layers can be mounted
dynamically based on who's logging in. There's also a persistent layer that lets users install apps, or
admins can install one-off apps. Unidesk is probably the most feature rich of the layering products.
o Unidesk is not free. Citrix AppDisk is free, but its features are very limited.
o Unidesk is a separate infrastructure that must be built and maintained. Citrix AppDisk is built
into XenDesktop.
o Somebody has to create the layers. This is extremely easy in Unidesk since you simply install
the applications normally (no new skills to learn). However, it's an additional task on top of
normal desktop management packaging duties.

Persistent virtual desktops: Another method of building VDAs is by creating full clone virtual desktops
that are persistent. Each virtual desktop is managed separately using traditional desktop management
tools. If your storage is an All Flash Array with inline deduplication and compression, then full clone
persistent virtual desktops probably take no more disk space than non-persistent linked clones. (Note:
persistent RDSH VDAs are not included in this section since RDSH user sessions are essentially non-
persistent) Here are some advantages of full clone persistent virtual desktops as opposed to non-persistent
Skills and Processes: No new skills to learn. No new desktop management processes. Use existing
desktop management tools (e.g. SCCM). The existing desktop management team can manage the
persistent virtual desktops, which reduces the workload of the Citrix admins.
One-off applications: If a user needs a one-off application, simply install it on the user's
persistent desktop. The application can be user-installed, SCCM self-service installed, or
administrator installed.
User Profile: Outlook's OST file is no longer a concern since the user's profile persists on the user's
virtual desktop. It's not necessary to implement roaming profiles when using persistent virtual
desktops. If you want a process to move a user profile from one persistent virtual desktop to
another, how do you do it on physical desktops today?
API integration: a self-service portal can use VMware PowerCLI and Citrix's PowerShell SDK to
automatically create a new persistent virtual desktop for a user. Chargeback can also be
Offline XenDesktop SQL Database: if the Citrix XenDesktop SQL database is not reachable, then
Citrix Connection Leasing can still broker sessions to persistent virtual desktops that have already
been assigned to users. This is not possible with non-persistent virtual desktops.

Concurrent vs Named User: one advantage of non-persistent virtual desktops is that you only need
enough virtual desktops to handle the concurrent user load. With persistent virtual desktops, you need a
separate machine for each named user, whether that user is using it or not.

Disaster Recovery: for non-persistent VDAs, one option is to replicate the master images to the DR site,
and then create a Catalog of machines either before the disaster, or after. If before the disaster, the VDAs
will already be running and ready for connections; however, the master images are maintained separately
in each datacenter.

Persistent virtual desktops have several disaster recovery options:

Immediately after the disaster, instruct the persistent users to connect to a pool of non-persistent
In the DR site, create new persistent virtual desktops for the users. Users would then need to use
SCCM or similar to reinstall their apps. Scripts can be used to back up the user's profile and restore
it on the DR desktop. This method is probably closest to how recovery is performed on physical
The persistent virtual desktops can be replicated and recovered in the DR site. When the machines
are added to Citrix Studio in DR, each machine is assigned to specific users. This process is usually


Caveats: Zones let you stretch a single XenApp/XenDesktop site/farm across multiple datacenters.
However, note these caveats:

Studio: If all Delivery Controllers in the Primary Zone are down, then you can't manage the
farm/site. This is true even if SQL is up, and Delivery Controllers are available in Satellite Zones. It's
possible to designate an existing zone as the Primary Zone by running Set-ConfigSite -PrimaryZone
<Zone>, where <Zone> can be name, UID, or a Zone object.
Version/Upgrade: All Delivery Controllers in the site/farm must be the same version. During an
upgrade, you must upgrade every Delivery Controller in every zone.
Offline database: In XenApp/XenDesktop 7.11 and older, there is no offline database option
similar to XenApp 6.5's Local Host Cache. If the database is down, then Connection Leasing is used.
In XenApp/XenDesktop 7.12 and newer, there's Local Host Cache. However, the LHC in 7.12 and
newer has limitations: no non-persistent desktops (dirty desktops are an option in 7.14 and newer),
maximum of 5,000 VDAs per zone (10,000 per zone, 40K per site, in 7.14 and newer), has issues if
Controller is rebooted, etc. Review the Docs article for details.
Complexity: Zones do not reduce the number of servers that need to be built. And they increase
complexity when configuring items in Citrix Studio.
Zone Preference: to choose a VDA in a particular zone, your load balancer needs to include a
special HTTP header (X-Citrix-ZonePreference) that indicates the zone name. This requires
StoreFront 3.7, and XenApp/XenDesktop 7.11.

The alternative to zones is to build a separate site/farm in each datacenter, and use StoreFront to
aggregate the published icons. Here are benefits of multiple sites/farms as compared to zones:

Isolation: Each datacenter is isolated. If one datacenter is down, it does not affect any other
Versioning: Isolation lets you upgrade one datacenter before upgrading other datacenters. For
example, you can test upgrades in a DR site before upgrading production.
SQL High Availability: since each datacenter is a separate farm/site with separate databases, there
is no need to stretch SQL across datacenters.
Home Sites: StoreFront can prioritize different farms/sites for different user groups. No special
HTTP header required.

Here are some general design suggestions for XenApp/XenDesktop in multiple datacenters:

For multiple central datacenters, build a separate XenApp/XenDesktop farm in each datacenter.
Use StoreFront to aggregate the icons from all farms. Use NetScaler GSLB to distribute users to
StoreFront. This provides maximum flexibility with minimal dependencies across datacenters.
For branch office datacenters, zones with Local Host Cache (7.12 and newer) is an option. Or each
branch office can be a separate farm.

Create Zones: This section details how to create zones and put resources in those zones. In 7.9 and older,
there's no way to select a zone when connecting. In 7.11 and newer, NetScaler and StoreFront can now
specify a zone and VDAs from that zone will be chosen. See Zone Preference for details.

Citrix Links:

Zones at docs.citrix.com.
Citrix Blog Post Deep Dive: XenApp and XenDesktop 7.7 Zones
Citrix Blog Post Zones, Latency and Brokering Performance

There is no SQL in Satellite zones. Instead, Controllers in Satellite zones connect to SQL in Primary zone.
Here are tested requirements for remote SQL connectivity. You can also set
HKLM\Software\Citrix\DesktopServer\ThrottledRequestAddressMaxConcurrentTransactions to throttle
launches at the Satellite zone.

From Mayunk Jain: I guess we can summarize the guidance from this post as follows: the best practice
guidance has been to recommend a datacenter for each continental area. A typical intra-continental
latency is about 45ms. As these numbers show, in those conditions the system can handle 10,000 session
launch requests in just under 20 minutes, at a concurrency rate of 36 requests.

If Satellite zone loses connectivity to SQL, then the Connection Leasing feature kicks in. See docs.citrix.com
Connection leasing and CTX205169 FAQ: Connection Leasing in XenApp/XenDesktop 7.6 for information on
Connection Leasing limitations (e.g. no pooled virtual desktops, 2 week-old leases, etc.).

The following items can be moved into a satellite zone:

Controllers: always leave two Controllers in the Primary zone. Add one or two Controllers to the
Satellite zone.
Hosting Connections: e.g. for vCenter in the satellite zone.
Catalogs: any VDAs in satellite catalogs automatically register with Controllers in the same zone.
NetScaler Gateway: requires StoreFront that understands zones (not available yet). StoreFront
should be in satellite zone.

Do the following to create a zone and move items into the zone:

1. In Citrix Studio 7.7 or newer, expand the Configuration node, and click Zones.
2. If you upgraded from an older XenApp/XenDesktop and don't see zones, then run the following
3. cd 'C:\Program
5. Import-AdminRoleConfiguration -Path .\RoleConfigSigned.xml
6. Right-click Zones, and click Create Zone.

7. Give the zone a name. Note: Citrix supports a maximum of 10 zones.

8. You can select objects for moving into the zone now, or just click Save.
9. Select multiple objects, right-click them, and click Move Item.

10. Select the new Satellite zone and click Yes.

11. To assign users to the new zone, create a Delivery Group that contains machines from a Catalog
that's in the new zone. Zone Preference requires StoreFront 3.7 and XenApp/XenDesktop 7.11.
12. If your farm has multiple zones, when creating a hosting connection, you'll be prompted to select a

13. If your farm has multiple zones, when creating a Manual catalog, you'll be prompted to select a
14. MCS catalogs are put in a zone based on the zone assigned to the Hosting Connection.

15. The Provisioning Services XenDesktop Setup Wizard ignores zones so you'll have to move the PvS
Machine Catalog manually.
16. New Controllers are always added to the Primary zone. Move it manually.

Zone Preference

XenApp/XenDesktop 7.11 adds Zone Preference, which means NetScaler (11.0 build 65 and newer) and
StoreFront (3.7 and newer) can request XenDesktop Controller to provide a VDA in a specific zone.

Citrix Blog Post Zone Preference Internals details three methods of zone preference: Application Zone,
User Zone, and NetScaler Zone.
To configure zone preference:
1. Create separate Catalogs in separate zones, and add the machines to a single Delivery Group.

2. You can add users to one zone by right-clicking the zone, and clicking Add Users to Zone. If there
are no available VDAs in that preferred zone, then VDAs are chosen from any other zone.

3. Note: a user can only belong to one home zone.

4. You can delete users from a zone, or move users to a different zone.

5. If you edit the Delivery Group, on the Users page, you can specify that Sessions must launch in a
user's home zone. If there are no VDAs in the user's home zone, then the launch fails.
6. For published apps, on the Zone page, you can configure it to ignore the user's home zone.

7. You can also configure a published app with a preferred zone, and force it to only use VDAs in that
zone. If you don't check the box, and if no VDAs are available in the preferred zone, then VDAs can
be selected from any other zone.
8. Or you can Add Applications to Zone, which allows you to add multiple Applications at once.

9. NetScaler can specify the desired zone by inserting the X-Citrix-ZonePreference header into the
HTTP request to the StoreFront 3.7 server. This header can contain up to 3 zones. The first Zone in
the header is the preferred Zone, and the next 2 are randomised such as EMEA,US,APAC or
EMEA,APAC,US. StoreFront 3.7 will then forward the zone names to Delivery Controller 7.11, which
will select a VDA in the desired zone. This functionality can be combined with GSLB as detailed in
the 29 page document Global Server Load Balancing (GSLB) Powered Zone Preference. Note: only
StoreFront 3.7 and newer will send the zone name to the Delivery Controller.

10. Delivery Controller entries in StoreFront can be split into different entries for different zones.
Create a separate Delivery Controller entry for each zone, and associate a zone name with each.
StoreFront uses the X-Citrix-ZonePreference header to select the Delivery Controller entry so the
XML request is sent to the Controllers in the same zone. HDX Optimal Gateways can also be
associated to zoned Delivery Controller entries. See The difference between a farm and a zone
when defining optimal gateway mappings for a store at Citrix Docs.

11. Citrix Blog Post Zone Preference Internals indicates that there's a preference order to zone
selection. The preference order can be changed.
1. Application's Zone
2. User's Home Zone
3. The Zone specified by NetScaler in the X-Citrix-ZonePreference HTTP header sent to
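
The selection rules in steps 2 to 11 above, put together as an added PowerShell model that is not Citrix's broker code and not part of the original article. It assumes that mandatory settings act as filters and that two conflicting mandatory zones fail the launch (the article does not cover that case); the function names and the zone availability data are hypothetical.

```powershell
# Added illustration: a simplified model built only from the rules stated in
# this article. It is not Citrix's broker code; all names are hypothetical.

function New-ZoneResult {
    param($Zone, $Reason)
    [pscustomobject]@{ Zone = $Zone; Reason = $Reason }
}

function ConvertFrom-ZonePreferenceHeader {
    # Parses an X-Citrix-ZonePreference value such as 'EMEA,US,APAC'.
    param([string]$HeaderValue)
    $zones = @($HeaderValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($zones.Count -gt 3) {
        throw "X-Citrix-ZonePreference carries up to 3 zones, got $($zones.Count)."
    }
    return ,$zones
}

function Resolve-LaunchZone {
    param(
        [string]$ApplicationZone,           # preferred zone configured on the published app
        [switch]$ApplicationZoneMandatory,  # app may only use VDAs in that zone
        [switch]$IgnoreUserHomeZone,        # app is set to ignore the user's home zone
        [string]$UserHomeZone,              # zone the user was added to
        [switch]$UserHomeZoneMandatory,     # Delivery Group: must launch in home zone
        [string]$ZonePreferenceHeader,      # header value inserted by NetScaler
        [string[]]$ZonesWithFreeVda = @(),  # zones that currently have an available VDA
        [ValidateSet('Application', 'UserHome', 'NetScaler')]
        [string[]]$PreferenceOrder = @('Application', 'UserHome', 'NetScaler')
    )
    $homeZone = if ($IgnoreUserHomeZone) { '' } else { $UserHomeZone }

    # A mandatory setting restricts the launch to that one zone.
    $mustBe = ''
    if ($ApplicationZoneMandatory -and $ApplicationZone) { $mustBe = $ApplicationZone }
    if ($UserHomeZoneMandatory -and $homeZone) {
        if ($mustBe -and ($mustBe -ne $homeZone)) {
            # Assumption: the article does not say how conflicting mandatory zones resolve.
            return New-ZoneResult $null 'fail: conflicting mandatory zones'
        }
        $mustBe = $homeZone
    }
    $usable = @($ZonesWithFreeVda | Where-Object { (-not $mustBe) -or ($_ -eq $mustBe) })

    # Build the candidate list in the configured preference order.
    $candidates = @(foreach ($source in $PreferenceOrder) {
        switch ($source) {
            'Application' { if ($ApplicationZone) { New-ZoneResult $ApplicationZone 'application zone' } }
            'UserHome'    { if ($homeZone) { New-ZoneResult $homeZone "user's home zone" } }
            'NetScaler'   {
                foreach ($z in (ConvertFrom-ZonePreferenceHeader $ZonePreferenceHeader)) {
                    New-ZoneResult $z 'X-Citrix-ZonePreference header'
                }
            }
        }
    })

    foreach ($candidate in $candidates) {
        if ($usable -contains $candidate.Zone) { return $candidate }
    }
    if ($usable.Count -gt 0) {
        $reason = if ($mustBe) { 'mandatory zone' } else { 'no preferred zone has a free VDA, using another zone' }
        return New-ZoneResult $usable[0] $reason
    }
    $why = if ($mustBe) { "no free VDA in mandatory zone $mustBe" } else { 'no free VDA in any zone' }
    return New-ZoneResult $null "fail: $why"
}

# Constructed scenarios (zone names follow the article's EMEA/US/APAC example).
# 1. User home zone and NetScaler header name different zones, both have free VDAs.
Resolve-LaunchZone -UserHomeZone 'US' -ZonePreferenceHeader 'EMEA,US,APAC' -ZonesWithFreeVda 'EMEA', 'US'
# 2. Home zone is mandatory but only another zone has a free VDA.
Resolve-LaunchZone -UserHomeZone 'US' -UserHomeZoneMandatory -ZonePreferenceHeader 'EMEA,APAC,US' -ZonesWithFreeVda 'EMEA'
# 3. Only the header expresses a preference and its first zone has no free VDA.
Resolve-LaunchZone -ZonePreferenceHeader 'EMEA,US,APAC' -ZonesWithFreeVda 'APAC'
```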

Machine Creation Services

CTP Aaron Parker Machine Creation Services Capacity Sizing on Hyper-V details storage sizing for the

Delta Clones (aka linked clones) Master Image, AppDisks, Personal vDisks, and other Hyper-V files
Delta Clones with Storage Optimization (aka MCS Memory Caching)
Full Clones

MCS Full Clones

In XenApp/XenDesktop 7.9 and earlier, Persistent Linked Clones are created by selecting Yes, create a
dedicated virtual machine in the Create Catalog wizard. Please, never do this in 7.9 or earlier, since you
can't move the machines once they're created. A much better option is to use vCenter to do Full Clones of
a template Virtual Machine. Then when creating a Catalog, select Another service or technology to add
the VMs that have already been built.

In XenApp/XenDesktop 7.11 and newer, you can create MCS Full Clones. Full Clones are a full copy of a
template virtual machine. The Full Clone can then be moved to a different datastore (including Storage
vMotion), different cluster, or even different vCenter. You can't do that with Linked Clones.

For Full Clones, simply prepare a Master Image like normal. There are no special requirements. There's no
need to create Customization Specifications in vCenter since Sysprep is not used. Instead, MCS uses its
identity technology to change the identity of the full clone. That means every full clone has two disks: one
for the actual VM, and one for identity (machine name, machine password, etc).

During creation of a Full Clones Catalog, MCS still creates the master snapshot replica and ImagePrep
machine, just like any other linked clone Catalog. The snapshot replica is then copied to create the Full
In 7.11 and newer, during the Create Catalog wizard, if you select Yes, create a dedicated virtual machine:

After you select the master image, there's a new option for Use full copy for better data recovery and
migration support. This is the option you want. The Use fast clone option is the older, not recommended,
Since these are Full Clones, once they are created, you can do things like Storage vMotion.

During Disaster Recovery, restore the VM (both disks). You might have to remove any Custom Attributes
on the machine, especially the XdConfig attribute.
Inside the virtual machines, you might have to change the ListOfDDCs registry value to point to your DR
Delivery Controllers. One method is to use Group Policy Preferences Registry.

In the Create Catalog wizard, select Another Service or technology.

And use the Add VMs button to add the Full Clone machines. The remaining Catalog and Delivery Group
steps are performed normally.

MCS Machine Naming

Once a Catalog is created, you can run the following commands to specify the starting count:

Set-AcctIdentityPool -IdentityPoolName "NAME" -StartCount VALUE

MCS Memory Caching (XenApp/XenDesktop 7.9 and newer)

Memory caching in MCS is very similar to Memory caching in PvS. All writes are cached to memory instead
of written to disk. With memory caching, some benchmarks show 95% reduction in IOPS. Here are some

You configure a size for the memory cache. If the memory cache is full, it overflows to a cache disk.
Whatever memory is allocated to the MCS memory cache is no longer available for normal
Windows operations, so make sure you increase the amount of memory assigned to each virtual
The overflow disk (temporary data disk) can be stored on shared storage, or on storage local to
each hypervisor host. Since memory caching dramatically reduces IOPS, there shouldn't be any
problem placing these overflow disks on shared storage. If you put the overflow disks on hypervisor
local disks then you won't be able to vMotion the machines.
The overflow disk is uninitialized and unformatted. Don't touch it. Don't format it.
For a good overview of the feature, see Citrix Blog Post Introducing MCS Storage Optimization
Andrew Morgan Everything you need to know about the new Citrix MCS IO acceleration details the
performance counters that show memory cache and disk cache usage.

Memory caching requirements:

XenApp/XenDesktop 7.9, VDA 7.9, and newer

Random Catalogs only (no dedicated Catalogs)

Studio needs to be configured to place the temporary overflow disks on a datastore. You can configure this
datastore when creating a new Hosting Resource, or you can edit an existing Hosting Resource.

To create a new Hosting Resource:

1. In Studio, go to Configuration > Hosting, and click the link to Add Connection and Resources.

2. In the Storage Management page, select shared storage.

3. You can optionally select Optimize temporary data on local storage, but this might prevent
vMotion. The temporary data disk is only accessed if the memory cache is full, so placing the
temporary disks on shared storage shouldn't be a concern.

4. Select a shared datastore for each type of disk.

Or you can edit an existing Hosting Resource:

1. In Studio, go to Configuration > Hosting, right-click an existing resource, and click Edit Storage.
2. On the Temporary Storage page, select a shared datastore for the temporary overflow disks.

Memory caching is enabled when creating a new Catalog. You can't enable it on existing Catalogs. Also, no

1. For virtual desktops, in the Desktop Experience page, select random.

2. Master Image VDA must be 7.9 or newer.

3. In the Virtual Machines page, allocate some memory to the cache. For virtual desktops, 256 MB is
typical. For RDSH, 4096 MB is typical. More memory = less IOPS.
4. Whatever you enter for cache memory, also add it to the Total memory on each machine.

5. Once the machines are created, add them to a Delivery Group like normal.
6. The temporary overflow disk is not initialized or formatted. From Martin Rowan at
discussions.citrix.com: Don't format it, the raw disk is what MCS caching uses.

MCS Image Prep

From Citrix Discussions: When a Machine Creation Services catalog is created or updated, a snapshot of the
master image is copied to each LUN. This Replica is then powered on and a few tasks are performed like
KMS rearm and Personal vDisk enabling.

From Citrix Blog Post Machine Creation Service: Image Preparation Overview and Fault-Finding and
CTX217456 Updating a Catalog Fails During Image Preparation: if you are creating a new Catalog, here are
some PowerShell commands to control what Image Prep does: (run asnp citrix.* first)

Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value EnableDHCP

Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OsRearm
Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OfficeRearm
Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value "OsRearm,OfficeRearm"
Set-ProvServiceConfigurationData -Name ImageManagementPrep_DoImagePreparation -Value $false

If you are troubleshooting an existing Catalog, here are some PowerShell commands to control what Image
Prep does: (run asnp citrix.* first)

Get-ProvScheme
Make a note of the ProvisioningSchemeUid associated with the catalog.

Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value
Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value
Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value
Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_DoImagePreparation -Value $false

If there are multiple excluded steps, separate them with commas: -Value "OsRearm,OfficeRearm"

To remove the excluded steps, run Remove-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps
or Remove-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name

A common issue with Image Prep is Rearm. Instead of the commands shown above, you can set the
following registry key on the master VDA to disable rearm. See Unable to create new catalog at Citrix

o SkipRearm (DWORD) = 1

Mark DePalma at XA 7.6 Deployment Failure Error : Image Preparation Office Rearm Count Exceeded at
Citrix Discussions had to increase the services timeout to fix the rearm issue:

o ServicesPipeTimeout (DWORD) = 180000

From Mark Syms at Citrix Discussions: You can add one (or both) of the following MultiSZ registry values


The values are expected to be an executable or script (PoSh or bat), returning 0 on success

Citrix CTX140734 Error: Preparation of the Master VM Image failed when Creating MCS Catalog in
XenApp or XenDesktop: To troubleshoot image prep failures, do the following:

1. In PowerShell on a Controller, for a new Catalog, run:

asnp citrix.*
Set-ProvServiceConfigurationData -Name ImageManagementPrep_NoAutoShutdown -Value $True

2. For an existing Catalog, run the following:

asnp citrix.*
Get-ProvScheme
Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_NoAutoShutdown -Value

3. On the master image, set the DWORD registry value
HKLM\Software\Citrix\MachineIdentityServiceAgent\LOGGING to 1
4. If you now attempt catalog creation, an extra VM will be started; log into this VM (via the
hypervisor console, it has no network access) and see if anything is obviously wrong (e.g. it's
bluescreened or something like that!). If it hasn't, there should be two log files called image-prep.log
and PvsVmAgentLog.txt created in c:\. Scan these for any errors.
5. When you've finished doing all this debugging, remember to run one of the following:

Remove-ProvServiceConfigurationData -Name ImageManagementPrep_NoAutoShutdown
Remove-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_NoAutoShutdown

MCS Base Disk Deletion

Citrix CTX223133 How to change the disk deletion interval to delete unused base disks on the VM storage.
Every 6 hours, XenDesktop runs a task to delete unused base disks.

The Disk Reaper interval is configured using PowerShell. The default values are shown below:

Set-ProvServiceConfigurationData -Name DiskReaper_retryInterval -Value 0:6:0 | Out-Null

Set-ProvServiceConfigurationData -Name DiskReader_heartbeatInterval -Value 0:1:0 | Out-Null

If the unused base disks are not deleting, then see MCS Deleting basedisk from VM Storage at Citrix
Discussions for troubleshooting steps.

Controller Name Caching

George Spiers in Active Directory user computer name caching in XenDesktop explains how the Broker
Service in XenDesktop Controller caches Active Directory user and computer names. The cache can be
updated by running Update-BrokerNameCache -Machines or Update-BrokerNameCache -Users. Also see
Update-BrokerNameCache at Citrix Docs.

Delivery Group License Type (7.14 and newer)

XenApp/XenDesktop 7.14 and newer supports multiple license types (e.g. XenApp Concurrent and
XenDesktop User/Device) within a single farm/site. However, a farm/site only supports a single Edition
(i.e. Enterprise or Platinum, but not both). The license model and product are configured at the Delivery
Group. See CTX223926, and Multi-type licensing at Citrix Docs.

To configure license model and product, run the following PowerShell commands (run asnp citrix.* first):

Set-BrokerDesktopGroup -Name "DeliveryGroupName" -LicenseModel LicenseModel

Set-BrokerDesktopGroup -Name "DeliveryGroupName" -ProductCode ProductCode

LicenseModel can be UserDevice or Concurrent. ProductCode can be XDT (XenDesktop) or MPS (XenApp).

Delivery Groups in 7.8 and newer

In XenApp/XenDesktop 7.8, when creating a Delivery Group, there are new options for publishing
applications and publishing desktops.

On the Applications page of the Create Delivery Group wizard, From start menu reads icons from a
machine in the Delivery Group and lets you select them. Manually lets you enter file path and other details
manually. These are the same as in prior releases.
Existing is the new option. This lets you easily publish applications across multiple Delivery Groups.
You can also go to the Applications node, edit an existing application, change to the Groups tab, and
publish the existing app across additional Delivery Groups.
Once multiple Delivery Groups are selected, you can prioritize them by clicking the Edit Priority button.

On the Desktops page of the Create Delivery Group wizard, you can now publish multiple desktops from a
single Delivery Group. Each desktop can be named differently. And you can restrict access to the published
There doesn't seem to be any way to publish a Desktop across multiple Delivery Groups.
It's still not possible to publish apps and desktops across a subset of machines in a Delivery Group. But the
new method of publishing apps across multiple Delivery Groups should make it easier to split your
machines into multiple Delivery Groups.

Tags in XenApp/XenDesktop 7.12 and newer

In 7.12 and newer, you can assign tags to machines. Then you can publish apps and/or desktops to only
those machines that have the tag. This means you can publish icons from a subset of the machines in the
Delivery Group, just like you could in XenApp 6.5.

Tags also allow different machines to have different restart schedules.

1. In Citrix Studio, find the machines you want to tag (e.g. double-click a Delivery Group). You can
right-click one machine, or select multiple machines and right-click them. Then click Manage Tags.
2. Click Create.

3. Give the tag a name, and click OK. This tag could be assigned to multiple machines.
4. After the tag is created, check the box next to the tag to assign it to these machines. Then click
5. Edit a Delivery Group that has published desktops. On the Desktops page, edit one of the desktops.

6. You can use the Restrict launches to machines with tag checkbox and drop-down to filter the
machines the desktop launches from. This allows you to create a new published desktop for every
machine in the Delivery Group. In that case, each machine would have a different tag. Create a
separate published desktop for each machine, and select one of the tags.

7. A common request is to create a published desktop for each XenApp server. See Citrix Blog
Post How to Assign Desktops to Specific Servers in XenApp 7 for a script that can automate this

8. When you create an Application Group, on the Delivery Groups page, there's an optional checkbox
to Restrict launches to machines with tag. Any apps in this app group only launch on machines that
have the selected tag assigned. This lets you have common apps across all machines in the Delivery
Group, plus one-off apps that might be on only a small number of machines in the Delivery Group.
In that case, you'll have one app group with no tag restrictions for the common apps, and a
different app group with tag restriction for the one-off apps.

RDSH Scheduled Restart

If you create a Scheduled Restart inside Citrix Studio, it applies to every machine in the Delivery Group.
Alternatively, you can use the 7.12 tags feature to allow different machines to have different
restart schedules.

1. Once an RDSH Delivery Group is created, you can right-click it and click Edit Delivery Group.

2. The Restart Schedule page lets you schedule a restart of the session hosts.
3. XenApp 7.7 and newer lets you send multiple notifications.

Or use a reboot script:

Shaun Ritchie XenDesktop 7 Rolling Reboot Script

Dane Young Citrix Chained Reboot Scripts, now supporting XenApp 5, 6, 6.5 and XenDesktop 7.0,
7.1, 7.5, and 7.6!
Citrix Blog Post XenApp 7.x Reboot Schedules
Citrix Blog Post XenApp & XenDesktop 7.x Server OS VDA Staggered Reboot Framework v2
Citrix Blog Post XenApp and XenDesktop 7.x Server OS VDA Staggered Reboot
Citrix CTX203346 Scheduled Reboots for XenApp 7.6 Application Servers (odds, evens) Using


Multiple Sessions

From Configure session roaming at Citrix Docs: By default, users can only have one session. On XenApp 7.6
(experimental support) and XenApp 7.7+ (full support), you can configure the SessionReconnection setting,
available via PowerShell. On any Server OS delivery group, run:

Set-BrokerEntitlementPolicyRule <Delivery Group Name> -SessionReconnection <Value>

Where <Value> can be:

Always - This is the default and matches the behavior of a VDI session. Sessions always roam,
regardless of client device.
DisconnectedOnly - This reverts back to the XenApp 6.x and earlier behavior. Sessions may be
roamed between client devices by first disconnecting them (or using Workspace Control) to
explicitly roam them. However, active sessions are not stolen from another client device, and a
new session is launched instead.
SameEndpointOnly - This matches the behavior of the ReconnectSame registry setting in XenApp
6.x. Each user will get a unique session for each client device they use, and roaming between
clients is completely disabled.

This will change the roaming behavior for desktop sessions. For app sessions, use:

Set-BrokerAppEntitlementPolicyRule <Delivery Group Name> -SessionReconnection <Value>

Static Catalog Export/Import Machine Assignments

It is sometimes useful (e.g. DR) to export machine assignments from one Catalog/Delivery Group and
import to another.

From Adil Dean at Exporting Dededicated VDI machine names and user names from catalog in Xendesktop
7.x at Citrix Discussions: Hopefully this is what you are after, it turns out you don't actually need
PowerShell as the functionality is built into the tool.

1. In Studio, click Delivery Groups on the lefthand menu

2. Right click Edit delivery group
3. Select Machine allocation tab on the left
4. Click Export list
5. Select a file name > Click Save
6. Create the new machine catalog
7. Right click the delivery group > Click Edit
8. Select Machine allocation tab on the left
9. Click Import list..
10. Select the list you exported in step 4
11. Click Apply

Your clients will now have users re-assigned to machines.

Shane O'Neill produced an export utility that can be scheduled to run periodically. See XenDesktop Farm
Migration Utility Update Version 1.2.

Monitor the Number of Free Desktops

Sacha Thomet wrote a script at victim of a good reputation Low free pooled XenDesktops that polls
Director to determine the number of free desktops in a Delivery Group. If lower than the threshold, an
email is sent.

Published Applications
Last Modified: Jun 20, 2017 @ 7:22 pm



Catalogs / Delivery Groups

RDSH Application Testing

Application Groups (XenApp 7.9 and newer)

Limit Icon Visibility based on AD Group Membership
Published Content (XenApp 7.11 and newer)
Application Usage Limits
Keywords for StoreFront
Secure Browser

App-V hotfix, Citrixs Share Method

Published Desktop Icon
Other Published App Tips
Hide Disabled Published Applications

Bidirectional Content Redirection

Local App Access (Reverse Seamless)
Anonymous Apps
Export/Import Published Applications


RDSH Application Testing

Installing apps on Remote Desktop Session Host (XenApp) is more complicated than installing apps on a
single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be
tested before integrating a new application into RDSH. These considerations usually don't apply to virtual

Multi-user Capable - can the application run multiple times on the same machine by different
users? Most applications don't have a problem, but a few do, especially applications that put
temporary files or other writable files in global locations. For example, the first user of an app could
write temporary files to C:\Temp. The second user writes to the same location, overwriting the
temp files needed by the first user. Test the app with multiple users running the app on the same
RDSH machine.
Lockdown to prevent one user from affecting another - what restrictions are needed to prevent
one user from affecting another? For example, if an app's configuration files are stored in a global
location, you don't want one user to edit the configuration file, and thus affect a different user. Test
the app with multiple users running the app on the same RDSH machine.
Permission Relaxations - what relaxations (e.g. NTFS) are needed to allow non-administrators and
GPO locked-down users to run the application? Test the application as a non-administrator with
GPO lock down policies applied.
First Time Use - when a user launches an application the first time, the application should be
automatically fully configured with default settings (e.g. back-end server connections). Use group
policy to apply application settings. Automated FTU also helps with a user whose profile is reset.
Test the RDSH app with a user that has a new (clean) profile.
Roaming - users could connect to a different RDSH machine every day, and thus user settings need
to roam across machines. Test running the app on one RDSH, make changes, then log in to a
different RDSH machine to ensure the changes are still there.
Application Licensing - if an application requires licensing, can licensed and non-licensed users
connect to the same machine? Can it be guaranteed that non-licensed users can't run the
application that requires licensing? Adobe Acrobat is an example of a challenging application
because of the global .pdf file-type association, and the global PDF printer.
Client Devices (USB, printers, COM ports) - the client device mapping capabilities on RDSH are not
as extensive as virtual desktops. For example, generic USB wasn't added until Windows Server 2012
R2. When the application prints, does it show printers from every user, instead of just the user
running the app? Does the app need COM port mapping?
Shared IP - does the app have any problems with multiple users sharing the same IP address? If so,
you might have to configure RDS IP Virtualization.
Fair Sharing of Hardware Resources - does the app sometimes consume a disproportionate amount
of hardware resources? For example, can the app be used to launch a task that consumes 100%
CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix
Workspace Environment Manager to ensure fair sharing of hardware resources.
Published Application - can the app run as a published application that doesn't have Explorer
running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe
/AlternateShellStartup to fully initialize before it will run correctly as a published application? Some
apps work without issue in a published desktop, but don't work properly as published applications.
When testing a published app, test it with a user that has a new (clean) profile. Connecting to the
published desktop once will cause Active Setup to run, changing the user's profile, thus distorting
the published app testing results.
Integration Testing - when installing a new app on an RDSH server, don't forget to test the other
apps already on the RDSH server, because the new app might have broken the other apps. The
more apps you put on an RDSH server, the longer it takes to perform integration testing.

Also see MSDN Remote Desktop Services programming guidelines.

Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft
App-V) that runs apps in isolated bubbles.

Application Groups

Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9

XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps
together so you can more easily apply properties to every app in the group. Today, you can do the

Control visibility of every app in the app group (Users page).

Publish every app on the same Delivery Groups.
Prevent or allow apps in different Application Groups from running in the same session.
With one published app icon, test users launch from test Delivery Group, while production users
launch from production Delivery Group.

To create an Application Group:

1. In Citrix Studio, right-click Applications, and click Create Application Group.

2. In the Getting Started page, click Next.

3. In the Delivery Groups page, select the delivery groups you want these apps published from.

4. In the Users page, select the users that can see the apps in this app group.
5. Note: there are three levels of authorization. An app is only visible to a user if the user is assigned
to all of the following:
o Delivery Group
o Application Group
o Individual Published Apps in the Application Group
6. Click Next.

7. In the Applications page, publish applications like normal, and then click Next.
8. In the Summary page, give the Application Group a name, and click Finish.

9. In the Applications node in Studio, there's a new Application Groups section.

10. If you highlight your Application Group, on the right is the list of apps in the group. You can edit
each of these published apps like normal.
11. You can drag applications into an Application Group.

12. However, this is more of a copy than a move. To actually move the app exclusively into the
Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or
other Application Groups). The app will instead inherit the Delivery Groups from the app group.
13. If you edit the Application Group:

14. The Settings page has an option for session sharing between Application Groups. Clearing this
checkbox allows you to force applications in different Application Groups to run in different

15. The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions
are load balanced. If priorities are different, then sessions are launched on Delivery Groups in
priority order.

16. In XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to
launch multiple app instances in separate sessions. See Citrix Blog Post XenApp and XenDesktop 7.13:
Launching an Application in Multiple Sessions.

Limit Icon Visibility

For Published Applications, there are three levels of application authorization: Delivery Group, Application
Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all
three levels.

1. Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won't
see any application or desktop icon published from that Delivery Group.
2. Limit Visibility - You can use the published app's Limit Visibility page to restrict an icon to a subset
of Delivery Group users.
3. In XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to
published icons.
4. App Icons won't appear unless users are added to all three of the above locations.
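
The three authorization levels listed above (and in the Application Groups steps earlier) can be reported side by side for every published app, which makes it easy to spot icons that only the Delivery Group restricts. This is an added example, not code from the original page or from Citrix. It assumes the Broker snap-in properties AllAssociatedDesktopGroupUids, AssociatedApplicationGroupUids, UserFilterEnabled and AssociatedUserNames as exposed in 7.9 and newer, and that Delivery Group user assignment is read from the group's access policy rules; the OnlyDeliveryGroupRestricts column name is made up for this report.

```powershell
# Added example (not from the original page). Read-only: uses Get-* cmdlets only.
# Run on a Delivery Controller, XenApp/XenDesktop 7.9 or newer.
Add-PSSnapin Citrix.* -ErrorAction Stop    # long form of "asnp citrix.*"

function Format-UserFilter {
    param([bool]$Enabled, [string[]]$Users)
    # A disabled filter means this level restricts nobody.
    if (-not $Enabled) { return '(not restricted)' }
    if (-not $Users)   { return '(filter on, no users listed)' }
    return ($Users | Sort-Object -Unique) -join '; '
}

# Cache Delivery Group names and Application Group objects for lookup by Uid.
$dgNames = @{}
Get-BrokerDesktopGroup -MaxRecordCount 10000 |
    ForEach-Object { $dgNames[$_.Uid] = $_.Name }
$appGroups = @{}
Get-BrokerApplicationGroup -MaxRecordCount 10000 |
    ForEach-Object { $appGroups[$_.Uid] = $_ }

$report = foreach ($app in Get-BrokerApplication -MaxRecordCount 10000) {

    # Level 1: Delivery Group users. Assumption: read from the group's
    # enabled access policy rules.
    $dgLevel = foreach ($dgUid in $app.AllAssociatedDesktopGroupUids) {
        $rules = @(Get-BrokerAccessPolicyRule -DesktopGroupUid $dgUid |
                   Where-Object { $_.Enabled })
        # One enabled rule without a user filter admits every user that rule
        # matches, whatever the other rules list.
        $open  = @($rules | Where-Object { -not $_.IncludedUserFilterEnabled }).Count -gt 0
        $users = @($rules | ForEach-Object { $_.IncludedUsers } |
                   ForEach-Object { $_.Name })
        '{0}: {1}' -f $dgNames[$dgUid], (Format-UserFilter (-not $open) $users)
    }

    # Level 2: Application Groups (Users page of each group the app is in).
    $agUids  = @($app.AssociatedApplicationGroupUids | Where-Object { $_ -ne $null })
    $agLevel = foreach ($agUid in $agUids) {
        $ag = $appGroups[$agUid]
        '{0}: {1}' -f $ag.Name, (Format-UserFilter $ag.UserFilterEnabled $ag.AssociatedUserNames)
    }
    if (-not $agLevel) { $agLevel = '(not in an Application Group)' }

    # Level 3: the published app's own Limit Visibility page.
    $appLevel = Format-UserFilter $app.UserFilterEnabled $app.AssociatedUserNames

    # Treated here as "not narrowed by an Application Group": the app is
    # published directly to a Delivery Group, or sits in at least one
    # Application Group that has no user filter.
    $directDgs = @($app.AssociatedDesktopGroupUids | Where-Object { $_ -ne $null })
    $agOpen = ($directDgs.Count -gt 0) -or
              (@($agUids | Where-Object { -not $appGroups[$_].UserFilterEnabled }).Count -gt 0)

    [pscustomobject]@{
        Application                = $app.Name
        DeliveryGroups             = $dgLevel -join ' | '
        ApplicationGroups          = $agLevel -join ' | '
        LimitVisibility            = $appLevel
        OnlyDeliveryGroupRestricts = (-not $app.UserFilterEnabled) -and $agOpen
    }
}

# Apps that rely on the Delivery Group alone are listed first.
$report |
    Sort-Object @{ Expression = 'OnlyDeliveryGroupRestricts'; Descending = $true }, Application |
    Format-List
```

Rows with OnlyDeliveryGroupRestricts set to True are the ones to review when an icon is meant for a subset of the Delivery Group's users.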

Published Desktops have separate authorization configuration:

1. XenApp/XenDesktop 7.8 and newer have a Desktops page in Delivery Group properties where you
can publish multiple desktops and restrict access to those individual published desktops.

2. In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by
default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell
command Set-BrokerEntitlementPolicyRule to limit the desktop icon to a subset of the users assigned to
the Delivery Group.
1. Run asnp citrix.*
2. Run Get-BrokerEntitlementPolicyRule to see the published desktops.
3. Then run Set-BrokerEntitlementPolicyRule to set the IncludedUsers or ExcludedUsers filters.

Published Content

XenApp 7.11 adds Published Content where you can publish URLs that are opened in the user's local
browser. You can also publish UNC paths, which are opened with local Explorer or local application.

Currently there is no GUI to publish content. Instead, use PowerShell.

The New-BrokerApplication cmdlet requires you to specify a Delivery Group. This Delivery Group must have at
least one registered machine in it. However, the published content does not actually launch from the
Delivery Group since the URLs and/or UNCs open locally.

First run asnp citrix.*

Then run New-BrokerApplication -ApplicationType PublishedContent. Here is a sample PowerShell command:

New-BrokerApplication -Name "CitrixHomePage" -PublishedName "Citrix Home Page" -ApplicationType PublishedContent -CommandLineExecutable https://www.citrix.com -DesktopGroup RDSH12R2

Instead of publishing to a Delivery Group, you can publish to an Application Group by using the
-ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.

Once the Published Content is created, you can see it in Studio. You can also edit it from Studio, including
Limit Visibility and Groups (to move it to an Application Group).
Published Content can be placed in Application Groups. You can then use the Application Group properties
to restrict access to the shortcut.

It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix
Blog Post @XDtipster Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to
a base64 string, and import to XenApp using New-BrokerIcon -EnCodedIconData "Base64 String". Then you can link
the icon to the Published Content using Set-BrokerApplication "App Name" -IconUid.

In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.

HTTP/HTTPS Published Content should open in Receiver. Other URLs (e.g. file:// or UNC path) will probably
show an error message.

You can override this restriction by enabling the group policy setting Allow/Prevent users to publish
unsafe content at Computer Configuration | Policies | Administrative Templates | Citrix Components |
Citrix Receiver | SelfService. This assumes you've installed the Receiver .admx files. (h/t David Prows at
CUGC forums).

Application Usage Limits

In XenApp/XenDesktop 7.7 or newer, if you edit an application's Properties, on the Delivery page, you can
restrict the number of concurrent instances of the application.

Keywords for StoreFront

In a published application's Properties, on the Identification page, in the Description and keywords field,
you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.

Enter KEYWORDS:Mandatory or KEYWORDS:Auto to cause the application to automatically be
subscribed or favorited in Citrix Receiver.
o In StoreFront 3.0 and newer, the user can go to the Apps tab, click an App's Details button,
and mark the app as a Favorite.
o In the older StoreFront interface, users subscribe to applications by clicking the plus icon to
add the application to the middle of the screen.
o Mandatory means the app can't be removed from Favorites or unsubscribed.
o Auto means the app is automatically favorited or subscribed, and can be un-favorited or
unsubscribed by the user.
Enter KEYWORDS:Featured to make the application show up in the Featured list.
You can separate multiple keywords with a space. KEYWORDS:Mandatory Featured.
See the StoreFront 3.7 Keywords documentation at Citrix Docs for more information.

Users will have a better experience with StoreFront if applications are published into folders. The folder
name is specified in the Delivery page in the Category field. Note: Add shortcut to user's desktop works in
newer versions of Receiver assuming the app is marked as a Favorite.

Secure Browser

Citrix has a deployment guide for publishing a browser from XenApp. Here's an overview of the

Install Chrome on an RDSH VDA.

In Studio, publish IE and/or Chrome in Kiosk Mode to anonymous users.
o Create a different published app for each website.
In StoreFront, create a Store for Unauthenticated Users.
In StoreFront, enable Receiver for HTML5.
In StoreFront, enable web links so you can link to the published browser from a different website.

When a user launches the published browser, the HTML5 client opens the published app in a local browser
tab. The published browser runs in kiosk mode so that the published browser's user interface is hidden. It
looks like the website is running on the local browser but actually it's running from a published browser.

There's a special XenApp Secure Browser Edition that is only licensed for publishing browsers from RDSH.
See the press release Citrix Radically Simplifies the Secure Delivery of Browser-based Apps.


App-V Client Hotfix

The latest App-V 5.1 hotfix is March 2017 servicing release for Microsoft Desktop Optimization Pack. Note:
Windows 10 1607 and Windows 2016 get App-V updates through Windows Update.

The latest App-V 5.0 hotfix is Hotfix Package 3 for Microsoft Application Virtualization 5.0 SP3.

There is a special version of App-V client for RDS (Remote Desktop Session Host). The normal App-V client
in MDOP won't work. Get the RDS version from the Microsoft Volume Licensing website.

App-V GPO ADMX templates

The latest GPO ADMX templates for App-V can be downloaded from Microsoft Desktop Optimization Pack
Group Policy Administrative Templates.

App-V and Logon Times


Microsoft App-V Team Blog: Support Tip: Mandatory user profiles and App-V integration with
Configuration Manager - configure SCCM to run a logon script to republish App-V packages at every
Thamim Karim: Driving Down App-V Publishing Times in Non Persistent VDI Environments - various
optimization tips and performance measurements
Måns Hurtigh: Integrate Application Virtualization with Citrix Provisioning Services - pre-load App-V
apps in master image, then run startup script on Target Devices to update App-V cache

XenApp 7.8 and newer App-V

XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V
packages directly from an SMB share as detailed at App-V at Citrix Docs. The computer accounts for
Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain
Computers. See CTX221296 Citrix App-V Integration Minimum Permission Requirements.

XenApp 7.11 adds an Isolation Groups tab.

Once App-V packages are added to Citrix Studio, you can publish an app and select App-V from the drop-

The App-V apps show up as AppLibrary App-V and support the same options as other published
Make sure the App-V Components are installed on your VDA. It's not checked by default in 7.12 and newer.

On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V

There appear to be some limitations to the package share method as detailed by Joe Robinson at

No File Type Associations

No Custom Deployment Config Files (no scripts)
No Category for published App-V apps

Joe Robinson provided a script to force the App-V client to sync before launching the user's App-V

Launch App Inside App-V Bubble

From Citrix Blog Post Process Launching in an App-V V5 Virtual Environment:

On any executable, add the /appvve:<PackageID>_<VersionID> of the package in which one would like
the executable to run
If the App-V process is already running then use the /appvpid:<ProcessId> to inject into a running
App-V virtual environment
If you want something more permanent, you can set the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName> with a default
REG_SZ key that has the executable name in it.

Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized


See http://www.carlstalhood.com/appdisks/
Change Published Desktop Icon

Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell
to import a Base-64 icon and then link it to the published desktop.

StoreFront 3.0 and newer overrides custom desktop icons. Run the following PowerShell command (from
discussions.citrix.com) to restore custom desktop icons:

& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'

Disable-DSStoreSubstituteDesktopImage -SiteId 1 -VirtualPath /Citrix/Store

Other Published App Tips

CTX209199 Published 64 bit Apps Can't Be Started With %ProgramFiles% in Command Line If It's Not the
first Application to Start: You can try the following methods to address this issue:

1. Use the absolute path to publish the application.

2. Use %ProgramW6432% for 64-bit applications instead of %ProgramFiles%.

CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the
parameters --allow-no-sandbox-job --disable-gpu in the published app command line.

CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any
published app, is seen in black/grey screen: The command line parameter has to be added to registry shell
open command for the Chrome browser:

1. In Regedit, navigate to HKEY_CLASSES_ROOT\http\shell\open\command

2. Edit the Default value as follows:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-no-sandbox-job --disable-gpu -- "%1"

Disable Application and Hide It

1. In Studio, you can disable a published application by right-clicking it, and clicking Disable.

2. In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application
visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is
automatically hidden (no longer shown in the apps list).

3. If desired, you can hide or unhide the disabled application icon by running a PowerShell command:

asnp citrix.*
Set-BrokerApplication MyApp -Visible $false

4. When you re-enable the application, Visibility is automatically set back to true.

Bidirectional Content Redirection

Receiver 4.7 and newer, combined with VDA 7.13 and newer, support redirecting URLs from client to
VDA (published Internet Explorer), or from VDA to client. See Bidirectional content redirection policy
settings at Citrix Docs for requirements and limitations.

1. Make sure Local App Access is not enabled on the VDAs.

2. Make sure Internet Explorer is published. Internet Explorer is not in the Start Menu, so you have to
publish it manually. Only Internet Explorer is supported for bidirectional.
3. Edit a GPO that applies to VDA users.
4. Go to User Config | Policies | Citrix Policies, and edit a Citrix Policy.
5. Find the setting Allow Bidirectional Content Redirection, and enable it (Allowed).

6. Also configure the Allowed URLs policy settings to indicate which URLs should be redirected in
either location.

7. Copy the receiver.admx file from Receiver 4.7 or newer to PolicyDefinitions (SYSVOL or
8. Edit a GPO that applies to client devices (endpoints).
9. Go to User Configuration | Policies | Administrative Templates | Citrix Receiver | User
10. Double-click the setting Bidirectional Content Redirection.

11. Enable the setting.

12. In the Published Application field, enter the name of the Internet Explorer published application.
13. In the Allowed URLs fields, configure the URLs you want to redirect in either direction.
14. On the VDA, run the following command to register the Internet Explorer add-on.

"C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regIE

15. On the client device, run the following command to register the Internet Explorer add-on.

"C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /regIE

16. When you run Internet Explorer on the VDA or client device, you'll be prompted to enable the
add-on. You can configure a GPO to enable this add-on automatically. Redirection won't work unless the
add-on is enabled.

Local App Access

Some applications are not suitable for centralization and instead should run on endpoint devices. These
applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you
access these endpoint-installed applications from inside a published desktop. This is sometimes called
Reverse Seamless.

Local App Access has three modes of functionality:

User-managed local applications. Any shortcuts in the endpoint's local Start Menu and local
Desktop are made available from inside the published desktop.
Administrator-managed local applications. Use Studio to publish a local application, which is
created as a shortcut inside the published desktop. When the shortcut is launched, it is actually
running from the endpoint device (reverse seamless) instead of the centralized desktop. If you
enable administrator-managed local applications then user-managed local applications are
URL Redirection. Administrators define some URLs that should be opened in a local endpoint
browser instead of a VDA browser and then display the local browser inside the published desktop
(reverse seamless).

Local App Access requires Platinum Licensing.

Do the following to configure Local App Access:

1. In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting.

2. The URL redirection black list setting lets you define a list of URLs that should be opened on the
endpoint's browser instead of the VDA browser.

3. On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel free to add
/includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch
automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code
does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for
Remote PC.
4. After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix
URL-Redirection Helper add-on.

5. You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.

6. By default, Local App Access redirects the endpoint's Start Menu and Desktop. You can control
which folders are redirected by editing the endpoint's registry at
HKCU\Software\Citrix\ICA Client\CHS. Create the Multi-String Values named ProgramsFolders and
Desktop Folders and point them to folders containing shortcuts that you want to make available from
inside the published desktop. Andrew Morgan has a GUI tool for editing these registry values.
7. When you connect to a published desktop, by default, there will be a Local Programs folder in the
Start Menu containing shortcuts to programs on the endpoint's Start Menu. These are
user-managed shortcuts.

8. On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint's
desktop. These are user-managed shortcuts.

9. The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA's
registry at HKCU\Software\Citrix\Local Access Apps. Andrew Morgan has a GUI tool to modify
these registry values.
10. To enable administrator-managed local applications, login to a machine that has Citrix Studio
installed and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio and
create the DWORD value named ClientHostedAppsEnabled and set it to 1.

11. When you open Studio and go to Delivery Groups > Applications, there is a new link to
Create or Add Local App Access Application.

12. In the Getting Started with Local Access Applications page, click Next.
13. In the Groups page, select the Delivery Group or Application Group whose published desktop will
receive the shortcut, and click Next.

14. In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter
a Working Directory. You can get this information from the properties of the shortcut on the
endpoint device. Click Next.
15. In the Identification page, enter a name for the shortcut and click Next.

16. In the Delivery page, these options work as expected. Click Next.
17. In the Summary page, click Finish.

18. When you log in to the desktop, you'll see the administrator-managed application. If any
administrator-managed Client Hosted Applications are delivered to the user then the default Local
Programs and Local Desktop folders no longer appear.

19. To enable URL Redirection, log in to the VDA and run
"C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.
20. In Internet Explorer, if you go to Tools > Manage Add-ons, you'll see the Citrix
VDA-URL-Redirection Helper add-on.

21. From inside the published desktop, if you go to a website on the blacklist, the VDA browser will
close and a local browser will open in Reverse Seamless mode. If you then go to a website that is
not on the blacklist the local browser will close and the VDA browser will open again.

Andrew Morgan Citrix reverse seamless application deep dive presentation contains details on the inner
workings of Local App Access. The same webpage also contains the GUI configuration tools mentioned

Citrix TV Local App Access in XenDesktop 7

Anonymous Apps

XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group and on the
Users page check the box next to Give access to unauthenticated (anonymous) users.
Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for
adding anon accounts, configuring session timeouts, and configuring local group policy.

Anonymous published apps should show up for all authenticated users. However, you can also create a
StoreFront store that does not require any authentication.

Export/Import Published Applications

Dominik Britz Export And Import Citrix XenDesktop Published Apps two PowerShell scripts, one to export
all published apps to json files and one to import apps with the information of the exported json files. Get
the scripts from the Blog Post.
Group Policy Objects VDA Computer Settings
Last Modified: May 14, 2017 @ 6:51 pm



Create Group Policy Objects

Windows 10 / Windows 2016 Group Policy Templates

Group Policy Computer Settings for VDAs

VDA Receiver Configuration
Group Policy VDA User Settings (separate article)


Create Group Policy Objects

1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all
VDA computer objects.
2. Then create sub-OUs, one for each delivery group.
3. Move the VDAs from the Computers container to one of the OUs created in step 2.

4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Citrix
VDA Computer Settings and link it to the OU created in step 1. If this policy should apply to all
Delivery Groups then link it to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.
5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the
GPO is disabled.
6. Create and link two new GPOs to the VDA OU (in addition to the Citrix VDA Computer Settings
GPO). One of the GPOs is called Citrix VDA All Users (including admins) and the other is called
Citrix VDA Non-Admin Users (lockdown).

7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of
the GPO.
8. Click the Citrix VDA Non-Admin Users GPO to highlight it.
9. On the right, switch to the Delegation tab and click Add.

10. Find your Citrix Admins group and click OK.

11. Change the Permissions to Edit settings and click OK.

12. Then on the Delegation tab click Advanced.

13. For Citrix Admins, place a check mark in the Deny column in the Apply Group Policy row. If desired,
you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
14. Click Yes when asked to continue.

15. For the other two GPOs, add Citrix Admins with Edit Settings permission. But don't deny Apply
Group Policy. The deny entry is only needed on the Lockdown GPO.
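
Steps 4 through 15 above can also be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. The following is an added example, not part of the original guide; the OU path and the assumption that Citrix Admins is an AD group of that exact name are placeholders to adjust. The Deny entry is written to the GPO's AD object directly because Set-GPPermission has no deny level.

```powershell
# Added example: create the three VDA GPOs, link them, delegate Edit settings,
# and deny Apply Group Policy to the admin group on the lockdown GPO only.
Import-Module GroupPolicy
Import-Module ActiveDirectory          # also provides the AD: drive used below

$VdaOu      = 'OU=Citrix VDAs,DC=corp,DC=local'   # assumption: parent OU from step 1
$AdminGroup = 'Citrix Admins'                      # assumption: name of your admin group

# GPO name -> which half of the GPO is disabled (steps 4 to 7).
$gpoPlan = [ordered]@{
    'Citrix VDA Computer Settings'            = 'UserSettingsDisabled'
    'Citrix VDA All Users (including admins)' = 'ComputerSettingsDisabled'
    'Citrix VDA Non-Admin Users (lockdown)'   = 'ComputerSettingsDisabled'
}
$lockdownGpo = 'Citrix VDA Non-Admin Users (lockdown)'

foreach ($name in $gpoPlan.Keys) {
    # Reuse the GPO if it already exists so the script can be re-run safely.
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }
    $gpo.GpoStatus = $gpoPlan[$name]

    # Link to the VDA OU unless a link is already present.
    $links = (Get-GPInheritance -Target $VdaOu).GpoLinks
    if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
        New-GPLink -Guid $gpo.Id -Target $VdaOu | Out-Null
    }

    # Steps 9 to 11 and 15: Edit settings for the admin group on every GPO.
    Set-GPPermission -Guid $gpo.Id -TargetName $AdminGroup -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# Steps 12 to 14: Deny "Apply Group Policy" on the lockdown GPO only.
# edacfd8f-... is the rightsGuid of the Apply Group Policy extended right.
$applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpo     = Get-GPO -Name $lockdownGpo
$adPath  = "AD:\$($gpo.Path)"
$sid     = (Get-ADGroup -Identity $AdminGroup).SID
$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($denyAce)
Set-Acl -Path $adPath -AclObject $acl

# Review the result: the admin group should show Deny only on the lockdown GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $applyGroupPolicy } |
    Select-Object IdentityReference, AccessControlType
```

Run it from a machine with RSAT installed, using an account that can create GPOs and link them to the OU.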

Windows Group Policy Templates

Unfortunately, some of the client-focused GPO settings are only available in the Windows 10/2016
templates and not in the GPO templates included with 2012 R2.
1. Download the Administrative Templates (.admx) for Windows 10 Creators Update.

2. Run the downloaded Windows_ 10_Creators_Update_ADMX.msi file.

3. In the Welcome to the Administrative Templates (ADMX) for Windows 10 Creators Update Setup
Wizard page, click Next.

4. In the License Agreement page, select I Agree, and click Next.

5. In the Select Installation Folder page, copy the location to your clipboard. You need to go to this
location later.
6. Select Everyone, and click Next.

7. In the Confirm Installation page, click Next.

8. In the Installation Complete page, click Close.

9. Go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Creators Update.

10. Open the PolicyDefinitions folder.
11. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and
folders to the clipboard.

12. Go to your domain's sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the
files in the PolicyDefinitions folder. If you don't have this folder, then you can create it. Or copy the
files to C:\Windows\PolicyDefinitions as detailed next.
13. If prompted, replace the existing files.

14. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and
paste the files. Overwrite the existing files.
15. In the PolicyDefinitions folder, look for a file called microsoft-windows-geolocation-wlpadm.admx
and delete it. More information at Microsoft 3077013
Microsoft.Policies.Sensors.WindowsLocationProvider is already defined error when you edit a
policy in Windows.

16. When editing a GPO, if you see the message that Microsoft.Policies.WindowsStore is already
defined, then delete the file WinStoreUI.admx from your PolicyDefinitions folder.
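
Steps 9 through 16 above, scripted as an added example (not part of the original guide). The domain name corp.local is the guide's own sample value; the source path is the installer's default location from step 9; the backup of the existing store to %TEMP% and the -RemoveWinStoreUI switch are additions of this example.

```powershell
# Added example: copy the Windows 10 Creators Update ADMX/ADML files to the
# domain central store, then remove the template(s) that cause duplicate
# namespace errors in the Group Policy editor.
param(
    [string]   $Source    = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Creators Update\PolicyDefinitions',
    [string]   $Domain    = 'corp.local',      # sample domain used in the guide
    [string[]] $Languages = @('en-US'),
    [switch]   $RemoveWinStoreUI               # use only if you hit the step 16 error
)

$store = "\\$Domain\sysvol\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $Source)) {
    throw "Source folder not found: $Source (run the ADMX installer first)."
}

if (Test-Path $store) {
    # Keep a copy of the current store so an overwrite can be rolled back.
    $backup = Join-Path $env:TEMP ('PolicyDefinitions-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Copy-Item -Path $store -Destination $backup -Recurse
    "Existing central store backed up to $backup"
} else {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Step 11 to 13: language-neutral templates, replacing existing files.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force

# Step 11: language resources for each requested language folder.
foreach ($lang in $Languages) {
    $langSource = Join-Path $Source $lang
    if (-not (Test-Path $langSource)) {
        Write-Warning "Language folder missing in source, skipped: $lang"
        continue
    }
    $langTarget = Join-Path $store $lang
    if (-not (Test-Path $langTarget)) {
        New-Item -Path $langTarget -ItemType Directory | Out-Null
    }
    Copy-Item -Path (Join-Path $langSource '*.adml') -Destination $langTarget -Force
}

# Step 15 always; step 16 only when requested.
$conflicting = @('microsoft-windows-geolocation-wlpadm.admx')
if ($RemoveWinStoreUI) { $conflicting += 'WinStoreUI.admx' }

foreach ($file in $conflicting) {
    $path = Join-Path $store $file
    if (Test-Path $path) {
        Remove-Item -Path $path -Force
        "Removed $file from the central store"
    }
}
```

To target a single machine instead of Sysvol (step 14), set $store to C:\Windows\PolicyDefinitions and run elevated.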

See Group Policy Settings Reference for Windows and Windows Server for a spreadsheet containing all
GPO settings in Windows. The spreadsheet can be filtered to only show the newest settings.

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located
under Computer Configuration > Policies.
Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel

Settings Page Visibility Computer Configuration | Policies | Administrative Templates | Control

o Settings Page Visibility (Windows 10 1703 and newer) Winaero How To Hide Settings
Pages in Windows 10 describes this new setting in 1703. Note: this is a Computer Setting
only. There doesn't appear to be any way to hide pages for non-admins but show them for
admins. Also see TechNet Hiding pages in Settings with Windows 10 1703.

Group Policy Settings

Group Policy Computer Configuration | Policies | Administrative Templates | System | Group

o Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
o Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer
o Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace
depending on the desired result

User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the
VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user

Logon Settings

To get rid of the Windows 10 "we're happy you're here" message:

Logon Computer Configuration | Policies | Administrative Templates | System | Logon

o Show first sign-in animation = disabled
Sven Huisman Windows 10 in non-persistent VDI Login speed part 1 has some additional group policy
settings to speed up Windows 10 logon. Scroll down to the Group Policy section.

Power Settings

The following are more applicable to virtual desktops than session hosts:

Hard Disk Settings Computer Configuration | Policies | Administrative Templates | System |
Power Management | Hard Disk Settings
o Turn Off the hard disk (plugged in) = enabled, 0 seconds
Sleep Settings Computer Configuration | Policies | Administrative Templates | System | Power
Management | Sleep Settings
o Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
o Specify the system sleep timeout (plugged in) = enabled, 0 seconds
o Turn off hybrid sleep (plugged in) = enabled, 0 seconds
Video and Display Settings Computer Configuration | Policies | Administrative Templates |
System | Power Management | Video and Display Settings
o Turn off the display (plugged in) = enabled, 0 seconds
Remote Assistance Settings

Configure the following so you can shadow users using Director:

Remote Assistance Computer Configuration | Policies | Administrative Templates | System |
Remote Assistance
o Configure Solicited Remote Assistance = disabled
o Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator
groups that can offer remote assistance

User Profiles Settings

User Profiles Computer Configuration | Policies | Administrative Templates | System | User

o Add the Administrators security group to roaming user profiles = enabled
o Delete cached copies of roaming profiles = enabled (only enable on persistent session
o Do not check for user ownership of Roaming Profile Folders = enabled

Cloud Content

Cloud Content Computer Configuration | Policies | Administrative Templates | Windows
Components | Cloud Content (Windows 10 1511 and newer)
o Turn off Microsoft consumer experiences = enabled

File Explorer Settings

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100
Windows 8 and newer

File Explorer Computer Configuration | Policies | Administrative Templates | Windows
Components | File Explorer
o Allow the use of remote paths in file shortcut icons = enabled
Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache
disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy
Preferences to create the folder on the cache disk.

Application Computer Configuration | Policies | Administrative Templates | Windows
Components | Event Log Service | Application
o Control the location of the log file = enabled, D:\EventLogs\Application.evtx
Security Computer Configuration | Policies | Administrative Templates | Windows Components |
Event Log Service | Security
o Control the location of the log file = enabled, D:\EventLogs\Security.evtx
System Computer Configuration | Policies | Administrative Templates | Windows Components |
Event Log Service | System
o Control the location of the log file = enabled, D:\EventLogs\System.evtx
Folder Computer Configuration | Preferences | Folder
o Action = update
o Path = D:\EventLogs

Microsoft Account Windows 10 (1703 and newer)

Microsoft account Computer Configuration | Policies | Administrative Templates | Windows
Components | Microsoft account
o Block all consumer Microsoft account user authentication = Enabled

OneDrive Settings Windows 10

OneDrive Computer Configuration | Policies | Administrative Templates | Windows Components
| OneDrive
o Prevent the usage of OneDrive for file storage = enabled

Remote Desktop Services Settings

Connections Computer Configuration | Policies | Administrative Templates | Windows
Components | Remote Desktop Services | Remote Desktop Session Host | Connections
o Restrict Remote Desktop Services users to a single Remote Desktop Services session =
o More details at http://support.citrix.com/article/CTX131245
Device and Resource Redirection Computer Configuration | Policies | Administrative Templates |
Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and
Resource Redirection
o Allow time zone redirection = enabled
o Do not allow smart card device redirection = enabled
Licensing Computer Configuration | Policies | Administrative Templates | Windows Components
| Remote Desktop Services | Remote Desktop Session Host | Licensing
o Set the Remote Desktop license mode = enabled, Per User
o Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers
(e.g. the XenDesktop Controllers)
Remote Session Environment Computer Configuration | Policies | Administrative Templates |
Windows Components | Remote Desktop Services | Remote Desktop Session Host | Remote
Session Environment
o Use the hardware default graphics adapter for all Remote Desktop Services sessions =
o Source = Marco Hofmann Basic XenApp HDX 3D Pro Proof of Concept What I missed
Security Computer Configuration | Policies | Administrative Templates | Windows Components |
Remote Desktop Services | Remote Desktop Session Host | Security
o Always prompt for password upon connection = disabled (to override other GPOs where it
might be enabled)
Session Time Limits Computer Configuration | Policies | Administrative Templates | Windows
Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
o Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
o Set time limit for disconnected sessions = enabled, 3 hours or similar

Search Settings Windows 8.1 / 2012 R2, Windows 10

Search Computer Configuration | Policies | Administrative Templates | Windows Components |

o Allow Cortana = disabled (Windows 10)
o Don't search the web or display web results in search = enabled
o Additional search settings can be found here

Store Settings Windows 8.1 / 2012 R2, Windows 10

Store Computer Configuration | Policies | Administrative Templates | Windows Components |

o Turn off the Store application = enabled

Windows Update Settings

Windows Update Computer Configuration | Policies | Administrative Templates | Windows
Components | Windows Update
o Allow non-administrators to receive update notifications = disabled
Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at
Microsoft Technet Manage connections from Windows operating system components to Microsoft

James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana,
disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines.

Or run the command gpupdate /force. Or wait 90 minutes.

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs,
use receiver.admx to enable pass-through authentication.

1. See the instructions at http://www.carlstalhood.com/receiver-for-windows/#admx to
copy the receiver.admx file to PolicyDefinitions.
2. Edit the Citrix Computer Settings GPO.
3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix
Receiver > User Authentication. On the right, open Local user name and password.

4. Enable the setting.

5. Check the top two boxes and click OK.
Group Policy Objects VDA User Settings
Last Modified: May 29, 2017 @ 3:58 pm



Create Group Policy Objects (separate article)

VDA Group Policy Computer Settings (separate article)
User Lockdown

File Explorer
Internet Explorer/Edge
o Internet Explorer Security Zones
o Internet Explorer Performance
Folder Redirection

Office 2013/2016
Adobe Reader / Acrobat Reader DC
ShareFile Drive Mapper on XenApp/XenDesktop
File Type Association


User Lockdown

The following is a list of Group Policy Settings recommended by Microsoft to lockdown a Remote Desktop
Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings
are located at User Configuration > Policies.

This page assumes the GPOs have already been created and Loopback Processing has already been

Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel GPO Settings

User Configuration | Policies | Administrative Templates | Control Panel
o Always open All Control Panel Items when opening Control Panel = enabled
o Show only specified Control Panel items = enabled, canonical names =
Microsoft.System (lets users see the computer name)
User Configuration | Policies | Administrative Templates | Control Panel | Add or Remove
o Remove Add or Remove Programs = enabled
User Configuration | Policies | Administrative Templates | Control Panel | Programs
o Hide the Programs Control Panel = enabled

Desktop GPO Settings

User Configuration | Policies | Administrative Templates | Desktop

o Hide Network Locations icon on desktop = enabled
o Prohibit user from manually redirecting Profile Folders = enabled
o Remove Properties from the Computer icon context menu = enabled
o Remove Properties from the Recycle Bin icon context menu = enabled

If you prevent access to the Properties of the Computer icon then users might not be able to determine the
name of the machine they are connected to.

Start Menu & Taskbar GPO Settings

User Configuration | Policies | Administrative Templates | Start Menu & Taskbar

o Clear the recent programs list for new users = enabled
o Do not allow pinning Store app to the taskbar = enabled
o Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands =
o Remove common program groups from Start Menu = enabled (only if you have some other
means for putting shortcuts back on the user's Start Menu/Desktop. Also, enabling this
setting might prevent Outlook 2013 desktop alerts. Microsoft 3014833)
o Remove Help menu from Start Menu = enabled
o Remove links and access to Windows Update = enabled
o Remove Network Connections from Start Menu = enabled
o Remove Network icon from Start Menu = enabled
o Remove Run menu from Start Menu = enabled
o Remove the Action Center icon = enabled (not in Windows 10)
o Remove the networking icon = enabled
o Remove the Security and Maintenance icon = enabled (Windows 10)
o Remove user folder link from Start Menu = enabled

If you hide common program groups, then you will need some other method of creating application
shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu also prevents users from entering drive letters in Internet Explorer.

CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains
the following:

Lock down a section of the Start Menu

Configure Citrix Profile Management to roam the Start Menu
Remove Provisioned Apps
Tune Windows using OS Optimization Tool
Disable Telemetry services

Microsoft Technet Customize Windows 10 Start with Group Policy. From René Bigler at UPM 5.x Server
2012 R2 Startlayout at discussions.citrix.com: To include Explorer, IE, and Computer icons in the Start
Layout XML, create shortcuts to these standard items in C:\ProgramData\Microsoft\Windows\Start
Menu\Programs and use these new shortcuts to create the tiles in your start layout xml.

System GPO Settings

User Configuration | Policies | Administrative Templates | System

o Prevent access to registry editing tools = enabled, Disable regedit from running silently =
o Prevent access to the command prompt = enabled, Disable command prompt script
processing = No

Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.

Explorer GPO Settings

User Configuration | Policies | Administrative Templates | Windows Components | File Explorer
(Windows 8+) or Windows Explorer (Windows 7)
o Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
o Hides the Manage item on the File Explorer context menu = enabled
o Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only.
If this setting is enabled, you can't use the Start Menu's search to find programs.
o Prevent users from adding files to the root of their Users Files folder = enabled
o Remove Map Network Drive and Disconnect Network Drive = enabled
o Remove Hardware tab = enabled
o Remove Security Tab = enabled
o Turn off caching of thumbnail pictures = enabled

From Citrix Discussions: To hide specific drive letters:

1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
2. Choose Action Update => Drive Letter Existing C => Hide this drive
3. Common Tab: Run in logged-on user's Security

Windows Update GPO Settings

User Configuration | Policies | Administrative Templates | Windows Components | Windows

o Remove access to use all Windows Update features = enabled, 0 Do not show any

Hide Favorites, Libraries, Network and redirected local drives

Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published
RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these
items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in
Windows Server 2016.
File Explorer

From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10:
Windows 10 1607 adds notifications inside File Explorer.

To stop these, use Group Policy Preferences to set the following registry value:

Key = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
o Value = ShowSyncProviderNotifications (DWORD) = 0

Windows Spotlight

Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu,
lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration |
Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard
Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating
System and Chris Hoffman How to Disable All of Windows 10's Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer.
The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe
as a #XenApp published Application!.

Flickering Icons

If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network
share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering
at Citrix Discussions resolved it by creating the following Registry Key using Group Policy Preferences:


Internet Explorer / Edge Settings

This section assumes the GPOs have already been created.

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

User Config | Policies | Administrative Templates | Windows Components | Internet Explorer

o Prevent managing SmartScreen Filter = enabled, on
o Prevent running First Run Wizard = enabled, Go directly to home page
o Specify default behavior for a new tab page = enabled, Home page
o Turn on Suggested Sites = disabled
User Config | Policies | Administrative Templates | Windows Components | Internet Explorer |
Compatibility View
o Include updated Web site lists from Microsoft = enabled
User Config | Policies | Administrative Templates | Windows Components | Internet Explorer |
Internet Control Panel | Advanced Page
o Turn on Enhanced Protected Mode = disabled

Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should
be disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone.

To prevent this message, do the following:

1. Edit the Citrix VDA All Users GPO.

2. Go to User Configuration > Preferences > Windows Settings > Registry.
3. Create a new Registry Item.
4. Set the Hive to: HKEY_CURRENT_USER
5. Set the Key Path to: Software\Microsoft\Internet Explorer\Main
6. Set the Value name to: NoProtectedModeBanner
7. Set the Value type to: REG_DWORD
8. Set the Value data to: 1
9. Click OK.

IE 11 in Windows 10 1703 and newer has a new button to open Edge.

To hide this button, edit a Group Policy that applies to users, go to User Configuration | Policies |
Administrative Templates | Windows Components | Internet Explorer | Internet Settings |
Advanced Settings | Browsing, and enable the setting Hide the button (next to the New Tab
button) that opens Microsoft Edge. Source = René Bigler on Twitter.

4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607:
registry keys and PowerShell script to disable it.

Published Internet Explorer Settings Runonce

If a user launches Internet Explorer as a published application, then Internet Explorer might not be fully
configured and thus some websites won't work. By default, Windows runs per-user configuration
(ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn't happen
when only launching published apps. To override this behavior so it works with published IE even if the
user never connects to a full desktop, do the following:

1. Edit the Citrix VDA All Users GPO.

2. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
3. Double-click Logon.

4. Click Add.

5. In the Script Name field, enter runonce.exe.

6. In the Script Parameters field, enter /AlternateShellStartup. Click OK.

7. Note: running runonce.exe /AlternateShellStartup might cause black borders around windows in
published applications. Black Border (IE 11) in Xen App 7.11 with runonce.exe is an example forum
thread at Citrix Discussions. A workaround detailed at Black Windows title bars at Citrix Discussions
is to export HKCU\Control Panel\Colors from a working session, and use Group Policy Preferences
to deliver the values to the black border sessions.

8. Runonce.exe /AlternateShellStartup also causes the items in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to be
executed when a published app is launched. Consider deleting the items (e.g. VMware Tools icon),
or they might keep sessions open after users close their apps. Also see CTX891671 Graceful Logoff
from a Published Application Renders the Session in Active State.

9. An alternative to runonce.exe /AlternateShellStartup is to run the following commands provided
by Steve Washburn at Active Receiver connection after app is closed at Citrix Discussions.

    @echo off
    rem Call the IEHardenUser entry point of iesetup.dll with the 64-bit and the 32-bit rundll32,
    rem then start Internet Explorer
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser
    start "" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to
enable the script (configure these in the Citrix VDA Computer Settings GPO):

Logon Script GPO Settings

Computer Configuration | Policies | Administrative Templates | System | Group Policy

o Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting
o Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
o Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace
depending on the desired result

Internet Explorer Group Policy Preferences

The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings >
Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012.

If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using
Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or
Internet Explorer 10.
If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.

If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10.
When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are
applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your
As you look through the tabs, you'll see a bunch of green items. These green items will be applied and
might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them
back on, press F5.

On the Common tab you can check the box to Apply once and do not reapply.

Internet Explorer Security Zone Configuration

There is a group policy setting at User Config | Policies | Administrative Templates | Windows
Components | Internet Explorer | Internet Control Panel | Security Page | Site to Zone Assignment List
that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their
own sites (the user interface in Internet Explorer is grayed out).

This section details an alternative procedure for administrator-configured zones while allowing users to
add their own Trusted Sites.

Note: Zones can't be configured using a Group Policy Preferences Internet Settings object, so instead you'll
need to configure registry keys as detailed below.

1. Run Internet Explorer and configure security zones as desired.

2. If you are using Workspace Control in Receiver for Web or need pass-through authentication, make
sure you add StoreFront as a Local Intranet Site.

3. Run Group Policy Management Console on the same machine where you have security zones
4. Edit the Citrix VDA All Users GPO.
5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection
Item. Name it IE Zones or similar.

6. Right-click the collection and click New > Registry Item.

7. Click the button next to Key Path.

8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains. Click the key corresponding to the FQDN you're adding. Then select
the registry value on the bottom that corresponds to the protocol (e.g. * or https). Click Select.

9. Then click OK. Note: 1 indicates Local Intranet zone.

10. Feel free to rename the Registry Item to reflect the actual zone.

11. Repeat these steps for additional zones.
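
To review what actually landed in a user's zone map after the Group Policy Preferences items apply, including Trusted Sites that users added themselves, the same key can be read back inside a VDA session. This is an added example, not part of the original article; the function name Get-IEZoneMapEntry and the variable names are hypothetical, and the zone numbers 0 to 4 are the standard Internet Explorer zone IDs.

```powershell
# Added example, not from the original article. Reads the per-user key that the
# Group Policy Preferences registry items described above write to.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Standard Internet Explorer security zone numbers.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-IEZoneMapEntry {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: lets the same function read another hive path.
        [string]$Path = $ZoneMapDomains
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "No zone assignments found under $Path"
        return
    }

    $root = Get-Item -LiteralPath $Path
    $skip = $root.Name.Length + 1   # length of the root key name plus the backslash

    # Subdomains are stored as child keys (Domains\corp.example\storefront),
    # so walk the whole tree rather than only the first level.
    Get-ChildItem -LiteralPath $Path -Recurse | ForEach-Object {
        $key = $_

        # Rebuild the FQDN: "corp.example\storefront" becomes "storefront.corp.example".
        $labels = $key.Name.Substring($skip).Split('\')
        [array]::Reverse($labels)
        $fqdn = $labels -join '.'

        # Use the RegistryKey methods here: the value name for "all protocols" is a
        # literal *, which Get-ItemProperty -Name would expand as a wildcard.
        foreach ($protocol in $key.GetValueNames()) {
            if ($protocol -eq '') { continue }   # skip the unnamed default value
            if ($key.GetValueKind($protocol) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { continue }

            $zone = [int]$key.GetValue($protocol)
            $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'Unknown' }

            [pscustomobject]@{
                Site     = $fqdn
                Protocol = $protocol
                Zone     = $zone
                ZoneName = $zoneName
            }
        }
    }
}

# Everything that is not in the Local Intranet zone (1), for example Trusted Sites
# entries, sorted by site name for review.
Get-IEZoneMapEntry | Where-Object Zone -ne 1 | Sort-Object Site | Format-Table -AutoSize
```

Run it in the user's session, because the key lives in HKEY_CURRENT_USER.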

Internet Explorer Home Page

If you don't have access to Windows 8/2012 group policy editor, configure the default home page using a
registry key.

1. Run Internet Explorer and configure home page as desired.

2. Run Group Policy Management Console on the same machine where you have the home page
3. Edit the Citrix VDA All Users GPO.

4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry

5. Click the button next to Key Path.

6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. On the bottom,
select Start Page. Then click Select.

7. On the Common tab, you can select Apply once and do not reapply. Then click OK.

Proxy Settings

If you don't have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry
keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings. Use Group Policy Preferences or similar to distribute the registry keys.

To prevent users from changing proxy settings, also configure the following group policy setting.

User Configuration | Policies | Administrative Templates | Windows Components | Internet
Explorer | Internet Control Panel
o Disable the Connections page = enabled

Internet Explorer Performance

Julian Mooren at XenApp & Internet Explorer Improving User Experience details how to enable Tracking
Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set
registry keys, and adds a folder to Citrix Profile Management synchronization.
LoginVSI Web Browsing & Advertising Impact on VDI Performance is a 33 page paper detailing how to
enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.

Office 2013/2016

Office 365 Planning

Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:

Considerations for Outlook Cached Mode

Group Policy settings for Outlook Cached Mode
For Lync Audio/Video various options for delivering the Lync client
Caveats for OneDrive for Business
Licensing shared computer activation

Group Policy Templates

Office GPO settings are tied to a particular version of Office. If you want to copy Office 2013 settings to
Office 2016 settings, see Microsoft's Copy-OfficeGPOSettings PowerShell script.

Download the Office 2013 group policy templates or Office 2016 group policy templates.

If you installed the 32-bit version of Office 2013/2016 then you'll need the 32-bit (x86) version of the
1. Go to the downloaded Office 2013 group policy templates and run AdminTemplates_32.exe. Or for
Office 2016, run admintemplates_x86_4286-1000_en-us.exe.
2. Check the box next to Click here to accept and click Continue.
3. Specify a folder to place the extracted templates in.

4. Click OK to acknowledge that files extracted successfully.

5. Go to the folder where you extracted the files and in the ADMX folder copy all of the .admx files
and the en-us folder to the clipboard.
6. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the files.
7. If you do not have PolicyDefinitions in your Sysvol then instead go to C:\Windows\PolicyDefinitions
and paste the files.

Group Policy and Tweaks

This section assumes the Group Policy Objects have already been created.

Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under
User Configuration > Policies.

User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | First
o Disable First Run Movie = enabled
o Disable Office First Run on application boot = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Global
Options | Customize
o Allow roaming of all user customizations = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) |
o Disable Office Animations = enabled
o Do not use hardware graphics acceleration = enabled
o Suppress recommended settings dialog = enabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Privacy
| Trust Center
o Automatically receive small updates to improve reliability = disabled
o Disable Opt-in Wizard on first run = enabled
o Enable Customer Experience Improvement Program = disabled
User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Tools |
Options | General | Service Options | Online Content
o Online Content Options = enabled, Allow Office to connect to the Internet
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Account Settings | Exchange | Cached Exchange Mode
o Use Cached Exchange Mode for new and existing Outlook profiles = disabled
o If you prefer to use Cached Exchange Mode, see Citrix's Implementation Guide and add
Cached Exchange Mode Sync Settings = enabled, time-window of downloaded
Administrative Templates | Microsoft Outlook 2013 | Miscellaneous | PST Settings
| Default location for OST files = enabled, UNC path to user home directories
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Miscellaneous | PST Settings
o Default location for PST files = enabled, user's home directory
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Outlook Options | Other | AutoArchive
o AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) |
Outlook Options | Preferences | Search Options
o Prevent installation prompts when Windows Desktop Search component is not present =

Office temp file errors

To prevent Office temp file errors:

User Configuration | Preferences | Windows Settings | Folders | New Folder

o Action = Create
o Path = %Localappdata%\Microsoft\Windows\INetCache

Outlook and Windows Search

When launching Outlook, you might see the message Please wait while Windows configures Microsoft
Office 64-bit Components.

To fix the Outlook search problem, you can either install the Windows Search Service (Windows Feature),
or enable the GPO setting: Computer Config | Policies | Administrative Templates | Windows Components
| Search | Prevent indexing Microsoft Office Outlook.

Office Display Issues

Microsoft hotfix 2786932 Dialog boxes and new windows displayed as blank in Office 2013 RemoteApps
on a client computer that is running Windows 7 or Windows Server 2008 R2

From Thomas Koetzing How to disable Office 2013 shadow border:


From Fixed Issues in XenApp/XenDesktop 7.11 and older: Live scrolling (the synced state of page scrolling
and scrollbar motion) does not work in Excel spreadsheets. The issue occurs because the key and value in
registry location HKEY_CURRENT_USER\Control Panel\Desktop\UserPreferencesMask on the VDA are
overwritten by the wfshell.exe process each time a user logs on to the VDA. To prevent this, create the
following registry key on the VDA and set the value to 1 (same value as next issue).

From Fixed Issues in XenApp/XenDesktop 7.12: Changes you make to Advanced System Settings under
Visual Effects apply to the current VDA session but might not be retained for subsequent sessions. To
make such changes persistent, you must set the following registry key:

o Name: EnableVisualEffect
o Value: 1

Office VL Activation not working

If Office 2016 Volume License is not activating correctly, set the following registry value as detailed
at Microsoft Office can't find your license for this application at Citrix Discussions:

Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CtxUvi
o Value = UviProcessExcludes (REG_SZ) = sppsvc.exe

Adobe Reader

Adobe Reader Group Policy

1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
2. Copy the .admx file and the en-us folder.

3. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files. If this
folder doesn't exist, go to C:\Windows\PolicyDefinitions instead.

4. Click Yes when asked to replace files.

5. Now open a group policy that applies to all Citrix users.
6. Go to User Configuration > Administrative Templates > Adobe Reader > Preferences > General.
7. Open the setting Accept EULA and Enable it.

8. Then open the Display splash screen at launch setting and Disable it.

Disable Repair

In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.

Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.

1. In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat

2. Add the DWORD DisableMaintenance and set it to 1.

3. Now the Repair option is grayed out on the Help menu.

Disable Updates

For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.
o Mode = 0 (disables updates)

In Adobe Reader XI, there is a GUI method of disabling updates:

1. Run Adobe Reader from the Start Menu.

2. Open the Edit menu and click Preferences.
3. On the Updater page, change the selection to Do not download or install updates automatically
and click OK.

Other Optimizations

Rick van Soest Removing The Cloud from Adobe Acrobat Reader DC:

To remove tools, delete them from C:\Program Files (x86)\Adobe\Acrobat Reader

To remove the welcome screen, add the following registry dword value:
HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
o bUsageMeasurement (REG_DWORD) = 0
To remove the add account button, HKLM\Software\Policies\Adobe\Acrobat
o bDisableSharePointFeatures (REG_DWORD) = 1
To remove the Check for update button, HKLM\Software\Adobe\Acrobat Reader\DC\Installer
o DisableMaintenance (REG_DWORD) = 1

Citrix Blog Post Optimizing Adobe Reader in XenApp details the following optimizations:
Remove toolbar on right side of screen
Remove links from the Help menu
Disable Adobe ARM
Disable Autosave

Adobe.com Citrix Deployments: Before deployment, the product should be configured as needed. In
particular, you will want to disable features and behaviors that should not be accessible to end users in an
IT-managed environment. For example:

The Updater should be disabled as described in this guide and the Preference Reference.
Accept the EULA on behalf of all users by setting the appropriate registry key.
For multilanguage installations (MUI), set the preferred language for all users via the
SUPPRESSLANGSELECTION property or registry settings described in the Preference Reference.
Deploy enterprise files to the product's directories (rather than per-user directories) so they are
available to all users.
There are over 500 documented settings. Refer to the Preference Reference for complete registry
and plist details.

Scrolling performance

If scrolling performance is poor in graphic intensive documents, try the following:

Go to Edit > Preferences > Rendering.

Uncheck Smooth line art and Smooth images. Alternatively, you can set these preferences during
pre-deployment configuration:
o HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasGraphics: 0x00000000
o HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasImages: 0x00000000

Distiller performance

In some environments, Distiller performance may suffer if the messages.log file becomes too large
after a number of Distiller operations. Delete this file periodically. It is located at
\Application Data\Adobe\Acrobat\Distiller<version>\messages.log.
Remove unused fonts from the Windows installation.


ShareFile Drive Mapper allows Employee users to connect their account as a mapped drive on the
Windows file system, without performing a full sync of account content. It's fully supported on
XenApp/XenDesktop 7.8 and newer.

ShareFile On-Demand Sync is the older method of connecting to ShareFile files without performing a full

ShareFile Drive Mapper instructions at https://support.citrix.com/article/CTX207791.

1. Download ShareFile Drive Mapper.

2. On a VDA, run ShareFileDriveMapper64_3.7.110.0.msi.

3. Check the box next to I agree to the license terms, and click Install.
4. In the Setup Successful page, click Close.

5. Go to C:\Program Files\Citrix\ShareFile\DriveMapper\PolicyDefinitions, and copy the files and


6. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files and
folder. If this path doesn't exist, then paste the files in C:\Windows\PolicyDefinitions on your
Group Policy editing machines instead.

7. Edit a GPO that applies to all users.

8. Go to User Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
9. Drive Mapper is enabled by default. If you only want some users to use Drive Mapper, then you can
configure a GPO to disable Drive Mapper, and then configure a different GPO that re-enables it. The
GPO that enables Drive Mapper would be targeted to an AD group, and the GPO would be higher
priority than the GPO that disables it.
10. Edit the Account setting.

11. Enable the setting, and enter your ShareFile URL. Click OK.

12. The mapped drive letter defaults to S:\. You can change it by editing the ShareFile Data
Location setting. You can even eliminate the drive letter by setting the data location to
%userprofile%\ShareFile\DM or similar.
13. Edit a GPO that applies to the machines that have Drive Mapper installed.

14. Go to Computer Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
15. The default Cache Location is %localappdata%\Citrix\DriveMapper3.

16. Default Cache Size is 256 MB.

17. Delete Cache is not needed on non-persistent machines or if roaming profile cache is deleted on
logoff. Make sure the ShareFile cache is excluded from roaming profiles as detailed later.
18. Auto-Update does not apply to Remote Desktop Session Host so you'll have to update those
machines manually.

19. Newer versions of Drive Mapper support File Encryption and Personal Cloud Connectors. Both are
enabled by default.

20. Edit your Profile Management GPO.

21. Go to Computer Configuration > Policies > Administrative Templates > Citrix > Profile
Management > File system.
22. Edit the setting Exclusion list directories.

23. Make sure ShareFile is in the list. Note: if this list is empty, you need to fill the list with default
exclusions before you add any new exclusions. Or in Profile Management 5.5 and later, enable
the Enable Default Exclusion List directories setting.

24. Add !ctx_localappdata!\Citrix\DriveMapper3 to the exclusion list, and click OK.

25. If you have on-premises StorageZones Controllers, you can enable Single Sign-on by enabling
Windows Authentication. On the StorageZones Controllers, run IIS Manager.

26. Navigate to Default Web Site > cifs.

27. In the middle, double-click Authentication.
28. Right-click Windows Authentication and Enable it. If you don't see Windows Authentication in your
list, you might have to install it using the Roles and Features wizard.

29. After logging into Citrix and logging into ShareFile Drive Mapper, when you launch File Explorer,
you'll see ShareFile Drive Mapper on the left.

On-Demand Sync

This is the older product and Drive Mapper is preferred.

On most Citrix VDA machines, ShareFile Sync should be configured for On-Demand Sync where files are
only downloaded when the user demands them. On-Demand Sync is enabled using group policy.

Citrix Whitepaper Implementing ShareFile On-Demand Sync

ShareFile Sync Install

1. Go to the downloaded ShareFile On-Demand Sync for Windows 2.15. Download the one with the
push install description.

2. Run the downloaded ShareFileSync64_2.15.108.1.exe.

3. In the Please read the Citrix ShareFile Sync License Agreement page, check the box next to I accept
the terms and click Install.

4. In the Completed the Citrix ShareFile Sync Setup Wizard page, click Finish.

ShareFile Sync Group Policy Templates

1. Find the GPO templates at C:\Program
Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions. Copy them to the clipboard.

2. Go to \\corp.local\sysvol\corp.local\Policies and paste the files in the PolicyDefinitions folder. If
you don't have this folder, then paste them in C:\Windows\PolicyDefinitions.

ShareFile Sync Group Policy Settings

From Dan Brinkmann at discussions.citrix.com: There is a known issue with XenDesktop 7.6 when there
are no XD policies applied it deletes the ShareFile key. Also at the same post: Somehow Sharefile will not
use proxy settings when in On-Demand mode.

Edit the Citrix Computer Settings GPO and enable the Group Policy setting shown below. All are located
under Computer Configuration > Policies.

Computer Configuration\Policies\Administrative Templates\Citrix\Profile Management\File System
o Exclusion list directories = add ShareFile to the list

Computer Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

o On-demandSyncDiskVolume = enabled, C:\

Edit the Citrix VDA All Users Settings GPO and enable the Group Policy setting shown below. All are
located under User Configuration > Policies.

User Configuration | Policies | Administrative Templates | ShareFile | Enterprise Sync

o Account = enabled, enter your account address (e.g. company.sharefile.com)
o Authentication Type = enabled, and configure as appropriate for your environment. If you
use SAML Forms, make sure *.sharefile.com and your gateway.company.com DNS names
are added to Trusted Sites in Internet Explorer.
o LocalSyncFolder = enabled, enter %userprofile%\ShareFile. Network drive is not
o On-demandPersonalFolder = enabled, check Sync personal folder
User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (or
Windows Explorer)
o Turn off the display of thumbnails and only display icons = enabled. This setting prevents
Windows from downloading ShareFile files when retrieving thumbnails.

After logging in to Citrix and running ShareFile Sync, if you go to the ShareFile folder it will look like the files
have been downloaded.

However, if you browse to the same folder from another machine, you'll see they haven't been
downloaded yet. They will be downloaded when the user demands them.

File Type Association

James Rankin Deploying per-user file type associations (FTAs) on Server 2012 R2, Windows 8.1, Server
2016 and Windows 10 (reloaded again!) provides an overview of the challenges of administratively
configuring FTAs on modern versions of Windows.

James Rankin Deploying per-user file type associations in Windows 8.1 / Server 2012 R2 and beyond:
Microsoft's new DISM method of changing File Type Associations is done at the machine-level. Use Group
Policy Preferences to change the machine registry key but on a per-user basis.

Citrix Policy Settings
Last Modified: May 27, 2017 @ 12:20 pm



Citrix Policy Settings GPO Method Overview

Citrix Group Policy Management Plug-in

Computer Settings
User Settings
Citrix Policy Templates
Framehawk Configuration
Graphics Settings Enlightened Data Transport (EDT), Thinwire Plus, H.264, Actively Changing
o Graphics Tools RDAnalyzer, GPUPerf
Security Settings


Citrix Policy Settings GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

Citrix Studio also known as FMA policies

Group Policy Object the Citrix Group Policy installer (included with Studio) adds a Citrix Policy
node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include
settings that are native to Microsoft group policies. See the VDA Group Policies articles for more
information on the recommended Microsoft group policy settings for a XenApp/XenDesktop environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are
not portable, meaning that you can't export them from one XenApp/XenDesktop site and import them to

GPOs linked to an Active Directory OU and can apply to VDAs in multiple XenApp/XenDesktop sites/farms.
If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings
Reference for Citrix XenApp and XenDesktop.

If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as
mentioned at Citrix Discussions:

    # Map the Studio (site database) policies and the target GPO as PowerShell drives
    New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"
    New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

    # Copy the User policies from Studio to the GPO
    cd LocalFarmGpo:\User
    copy * TargetGPO:\User

Do the same for Computer.

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object:

1. Install the Citrix Policy GPO plug-in. Login to a machine (e.g. Controller) that has Group Policy
Management Console (Windows Feature) installed. If this machine doesn't have Citrix Studio
installed then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the
XenApp/XenDesktop 7.14 media. Make sure all Group Policy consoles are closed first.
2. Citrix sometimes releases updates for this component, so whenever you update your Delivery
Controllers, also update your Group Policy editing machines (machines with Group Policy
Management Console installed), and Studio machines.
3. XenApp/XenDesktop 7.14 comes with Citrix Group Policy Management

Computer Settings

1. Run Group Policy Management Console.

2. Edit a GPO that applies computer settings to the VDA machines.

3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.

4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note:
Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability
template can increase user density by 30%.
5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new
policy that is filtered.

6. Switch to the Settings tab.

7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we'll configure
Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
8. Some of the settings detailed in this post require newer versions of XenDesktop.

9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings
do not apply to Virtual Delivery Agent 7.x.
10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop
Session Host) but not necessarily both. Read the Applies to section to verify.

11. Change the Categories drop-down to Auto Client Reconnect.

12. Click Add next to the setting Auto client reconnect logging.
13. Change the Value to Log auto-reconnect events, and click OK.

14. Change the Categories drop-down to End User Monitoring.

15. Click Add next to the setting ICA round trip calculations for idle connections.

16. Change the selection to Enabled, and click OK.

17. Change the Categories drop-down to Local App Access.

18. Click Add next to the setting Allow Local App Access.

19. Change the selection to Allowed, and click OK. Note: Local App Access interferes with Bidirectional
Content Redirection in Receiver 4.7 and newer. See
http://www.carlstalhood.com/published-applications/#laa for more info on Local App Access.

20. Change the Categories drop-down to Printing.

21. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix
Docs for more info.

22. Change the Value to Enabled with fallback to Windows native remote printing. Click OK.
23. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
24. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.

25. Change the setting to Allowed, and click OK. See CTX223927 How to use Director to troubleshoot
application launch errors for details.

26. Click Add next to the setting Enable process monitoring. Note: this setting could
significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU,
Memory Usage and Process Information.

27. Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between
Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
2. Expand User Configuration, expand Policies, and click Citrix Policies.

3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered.
You can also use the Templates tab to create a policy based on a template.

4. On the Settings tab, change the Categories drop-down to Audio.

5. Click Add next to the setting Audio quality.

6. Change the Value to Medium optimized for speech, and click OK.

7. Change the Categories drop-down to Client Sensors.

8. Click Add next to the Allow applications to use the physical location setting.
9. Change the selection to Allowed, and click OK.

10. Change the Categories drop-down to Mobile Experience.

11. Click Add next to the Automatic keyboard display setting.

12. Change the selection to Allowed, and click OK.

13. Click Add next to the Remote the combo box setting.

14. Change the selection to Allowed, and click OK.

15. Change the Categories drop-down to Multimedia.

16. Click Add next to the Use GPU for optimizing Windows Media setting.
17. Change the selection to Allowed, and click OK.

18. Change the Categories drop-down to Printing.

19. Click Add next to the setting Auto-create PDF Universal Printer.

20. Change the selection to Enabled, and click OK.

21. Click Add next to the setting Automatic installation of in-box printer drivers.

22. Change the selection to Disabled, and click OK.

23. Click Add next to the setting Direct connections to print servers.
24. Change the selection to Disabled, and click OK.

25. Click Add next to the setting Printer auto-creation event log preference.

26. Change the Value to Log errors only, and click OK.

27. Click Add next to the setting Universal print driver usage.
28. Change the Value to Use universal printing only.

29. Change the Categories drop-down to Session Limits.

30. If you look at the Applies to text for these settings, notice that they apply to virtual desktops
(Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote
Desktop Session Hosts can be configured in a Microsoft GPO.

31. Change the Categories drop-down to Time Zone Control.

32. Click Add next to the setting Use local time of client.

33. Change Value to Use client time zone. Note: you must also configure the Microsoft GPO Remote
Desktop Session Host time zone setting.

34. Change the Categories drop-down to USB Devices.

35. Click Add next to the setting Client USB device redirection.
36. Change the selection to Allowed, and click OK. This is the last generic setting. See the next couple
of sections for more settings.

Citrix Policy Templates

1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has
pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller
XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase
user density by 30%.

2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains
additional templates that you can download and import.
3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer
settings are in different parts of the GPO.

4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what's
contained in the template.
5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

1. Framehawk is disabled by default because it uses more bandwidth and more server resources.
Citrix recommends only enabling it for users on lossy connections with high bandwidth. More
details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk
virtual channel at Citrix Docs.
2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need
the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300)
or newer (e.g. 3.0 included in XenApp 7.14) on the machine where you are editing the policy.
3. If configuring a GPO, you'll find the Framehawk settings in User Configuration > Policies > Citrix
Policies. Edit one of the Citrix Policies.
4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

5. Framehawk requires the newest Citrix Receiver (4.3.100 or newer).

6. To use Framehawk with Receiver for iOS 6.0, on StoreFront servers, add Framehawk=On to the
WFClient section of the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica.

7. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or
8. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP

9. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and
double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
10. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and
the VDAs.
1. Also make sure these ports are open on the VDA's Windows Firewall. VDA 7.8 and newer
opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports

Graphics Settings (EDT, H.264, ThinWire Plus)

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT
improves HDX/ICA performance across WAN links, Internet, etc. In 7.12, EDT was Tech Preview. In 7.13,
EDT is officially supported. EDT has several requirements:

VDA 7.13 or newer.

UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you're
using NetScaler Gateway.

Receiver for Windows must be 4.7 or newer.

Receiver for Mac must be 12.5 or newer.
StoreFront must be 3.9 or newer.
NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features
are not supported with EDT at this time:
o NetScaler SOCKS Proxy
o HDX Insight
o Gateway Multi-stream
o Gateway Double-hop, etc.
o See Configuring NetScaler Gateway to support EDT at Citrix Docs.
Use a Citrix Policy to enable EDT. It's disabled by default. The HDX Adaptive Transport setting is in
the Computer half of a GPO. This policy setting was renamed from the Enlightened Data Transport
setting in 7.12. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol.
Preferred means it will try to use UDP if it can, and TCP if it can't.

From inside a session, you can run ctxsession -v to verify that it's using UDP.
Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data
Transport Protocol is Active.
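
The UDP port requirements stated above for Framehawk (3224-3324) and EDT (1494 and 2598) can be applied on a VDA as Windows Firewall rules limited to known sources. This is an added example, not code from the original page or from Citrix; the source addresses and rule names are constructed placeholders.

```powershell
# Added example, not from the original page. Run elevated on a VDA.
# Constructed placeholder sources (documentation ranges): replace with your
# NetScaler SNIP and the internal subnets that connect to VDAs directly.
$AllowedSources = @('192.0.2.10', '198.51.100.0/24')

# UDP ports named on this page.
$PortSets = @(
    @{ Name = 'HDX Framehawk UDP 3224-3324'; Ports = @('3224-3324') },
    @{ Name = 'HDX EDT UDP 1494 and 2598';   Ports = @('1494', '2598') }
)

foreach ($set in $PortSets) {
    # Idempotent: skip a rule this script already created.
    if (Get-NetFirewallRule -DisplayName $set.Name -ErrorAction SilentlyContinue) {
        Write-Output "Exists:  $($set.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $set.Name -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $set.Ports -RemoteAddress $AllowedSources | Out-Null
    Write-Output "Created: $($set.Name)"
}

# List every enabled inbound allow rule whose UDP port filter names one of
# these ports, so rules open to any source (RemoteAddress = Any) stand out.
# Rules that cover the ports through a wider range or "Any" are not matched.
$wanted = '^(1494|2598|3224-3324)$'
Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { $_.LocalPort -match $wanted } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```

Windows Firewall applies the union of allow rules, so a broader rule created by the VDA installer still admits any source until it is disabled or scoped as well.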

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro
Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed,
run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable
Hardware Encoding of H.264 streams using Intel Iris Pro

7.11 and newer:

Use video codec for compression can be set to For actively changing regions, which uses
H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower
bandwidth use for the video content combined with sharpness of text in applications they are
working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got
Smarter...Again explains this new setting.
In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default
selection, so generally there's no need to change this setting.

Use hardware encoding for video codec is enabled by default.

7.9 and newer:

The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video
codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus.
To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post Use Video Codec for
Compression: to Use or Not to Use? explains this setting.

7.6.300 and newer:

Thinwire Plus is a new graphics codec. It's recommended for devices that can't decode H.264. And
Citrix has found that Thinwire Plus uses less bandwidth than H.264.
Citrix Blog Post Why Should You Care About the New HDX Thinwire describes the new Thinwire Plus
codec in XenApp/XenDesktop 7.6.300 and how to use Citrix Policies to configure it.
Citrix CTX202687 HDX Graphics Modes Which Policies Apply to DCR/Thinwire/H.264 An
Overview for XenDesktop/XenApp 7.6 FP3
Citrix Blog Post Protocol & Resolution Impact on Bandwidth and Scalability describes the various
display codecs, bandwidth/CPU consumption, and recommended Citrix Policy settings.

7.0 - 7.6:

Bram Wolfs A graphical deep dive into XenDesktop 7

Citrix Blog Post What's new with HDX display in XenDesktop & XenApp 7.x?

Graphics Tools
Remote Display Analyzer lets you see the current Citrix codec and change it on the fly.
GPUPerf 3.0 free tool that shows Frames per Second and other GPU stats.

From http://discussions.citrix.com/topic/347341-specific-application-freezes-receiver-41-session-window/:
If you experience graphics performance problems in XenDesktop 7.6, consider configuring the following

ICA \ Desktop UI \ Desktop Composition Redirection = Disabled

ICA \ Graphics \ Legacy Graphics Mode = Enabled

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

User \ ICA \ Client clipboard redirection = Prohibit

User \ ICA \ Desktop launches = Disabled
User \ ICA \ Launching of non-published programs = Disabled
User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300
and newer, for HTML5 Client)
User \ ICA \ File Redirection \ Auto connect client drives = Disabled
User \ ICA \ File Redirection \ Client drive redirection = Prohibited
User \ ICA \ File Redirection \ Fixed drives = Disable
User \ ICA \ File Redirection \ Client network drives = Prohibit
User \ ICA \ File Redirection \ Client removable drives = Prohibit
User \ ICA \ Printing \ Client printer redirection = Prohibit
User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
User \ ICA \ Session Limits \ Disconnected session timer = Enabled
User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
User \ ICA \ USB devices \ Client USB device redirection = Disable
User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit
Citrix's Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and
other security settings.
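
To check a site for drift from the client redirection settings in the list above, the configured values can be compared with that baseline. This is an added example, not code from the original page or from Citrix; the two-column CSV layout (Setting, Value) and the function names are hypothetical, and the sample export is constructed.

```powershell
# Added example: compare exported policy values with the redirection settings
# recommended on this page. The CSV layout (Setting,Value) is hypothetical.
$Baseline = [ordered]@{
    'Client clipboard redirection'                   = 'Prohibit'
    'Allow file transfer between desktop and client' = 'Prohibited'
    'Auto connect client drives'                     = 'Disabled'
    'Client drive redirection'                       = 'Prohibited'
    'Client printer redirection'                     = 'Prohibit'
    'Client TWAIN device redirection'                = 'Prohibit'
    'Client USB device redirection'                  = 'Disable'
}

# Constructed sample export; replace with your own data.
$Export = @'
Setting,Value
Client clipboard redirection,Allowed
Client drive redirection,Prohibited
Client printer redirection,Prohibited
Client USB device redirection,Allowed
Auto connect client drives,Disabled
'@ | ConvertFrom-Csv

# The page mixes "Prohibit"/"Prohibited" and "Disable"/"Disabled", so compare
# word stems instead of exact strings.
function Get-ValueStem([string]$Value) {
    $Value.Trim().ToLower() -replace '(ed|e)$', ''
}

function Compare-CitrixBaseline($Baseline, $Export) {
    $actual = @{}
    foreach ($row in $Export) { $actual[$row.Setting] = $row.Value }
    foreach ($name in $Baseline.Keys) {
        if (-not $actual.ContainsKey($name)) {
            $status = 'NotConfigured'   # falls back to the product default
        } elseif ((Get-ValueStem $actual[$name]) -eq (Get-ValueStem $Baseline[$name])) {
            $status = 'Compliant'
        } else {
            $status = 'Deviation'
        }
        [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]
                           Actual = $actual[$name]; Status = $status }
    }
}

Compare-CitrixBaseline $Baseline $Export | Format-Table -AutoSize
```

Settings reported as NotConfigured need review as well as those marked Deviation, because an unconfigured setting takes its product default and not the recommended value.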

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

How to use the toolbar to transfer files

Citrix Policy settings to enable/disable file transfer
VDA registry settings to control file transfer
HTML5Client\Configuration.js settings for client-side configuration
View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the
middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not
apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard
altogether by setting Client clipboard redirection to Prohibit.
Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but
prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to
optimize bandwidth consumption and virtual desktop resource utilization:

User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable

User \ ICA \ Desktop UI \ Menu animation = Disable
User \ ICA \ Desktop UI \ View window contents while dragging = Disable
User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
User \ ICA \ Printing \ Direct connection to print servers = Disable
User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
User \ ICA \ Visual Display \ Target Frames per Second = 15
User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth
scenarios. Please note that the Extra Color Compression Threshold should be configured to an
appropriate value.
User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or Heavyweight
compression in case image quality loss is not acceptable (more CPU intensive)
Enable Windows Media Redirection
Enable Flash acceleration with client side content fetching
Enable Audio over UDP Real-Time Transport. Please note that this configuration requires audio
quality to be set to Medium optimized for speech
Set Progressive compression level to Low or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 Best Practices and
Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.