Citrix Provisioning 1912 – Server Install

Last Modified: Dec 21, 2019 @ 3:27 pm


This article applies to all 7.x versions of Citrix Provisioning, including LTSR 1912, LTSR 7.15.21 (aka 7.15 LTSR CU5), and LTSR 7.6.9 (aka 7.6 LTSR CU8).



Planning and Versions

CTX220651 Best Practices for deploying PVS in multi-geo environments: ensure that Provisioning farms do not span data centers with a network latency that can affect communications between the Provisioning Servers and the SQL database

Citrix Provisioning Firewall Rules

The most recent Current Release version of Citrix Provisioning is 1912. 1912 is also a Long-Term Support Release (LTSR).

For LTSR CVAD, deploy the Citrix Provisioning version that matches your CVAD version:

Citrix License Server Version

Make sure the Citrix Licensing server is 11.16.3.0 build 28000 or newer.

Upgrade

If you are upgrading from an older version of Citrix Provisioning, do the following:

  1. In-place upgrade the Citrix License Server.
  2. In-place upgrade the Provisioning Console.
    1. Re-register the Citrix.PVS.snapin.dll snap-in:
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"
    2. If upgrading from 7.15.3000 to 7.15.4000, then manually upgrade the snap-ins. See CTX256773 Powershell SnapIns are not upgraded from PVS 7.15 LTSR CU3 to 7.15 LTSR CU4 after the upgrade is complete
  3. In-place upgrade the Provisioning Server. If you have two or more Provisioning servers, upgrade one, and then the other. If High Availability is configured correctly, then the Target Devices should move to a different Provisioning Server while a Provisioning server is being upgraded.
    1. After the first Provisioning server is upgraded, run the Configuration Wizard. You can generally just click Next through the wizard. At the end, you’ll be prompted to upgrade the database. Then upgrade the remaining Provisioning servers, and run the Config Wizard on each of them too.
  4. Upgrade the Target Device Software inside each vDisk. Don’t do this until the Provisioning servers are upgraded (Target Device Software must be same version or older than the Provisioning Servers).
    1. If your Target Devices are 7.6.1 or newer, you can create a Maintenance version, boot an Updater Target Device, and in-place upgrade the Target Device Software.
    2. If your Target Devices are older, then you must reverse image.

vDisk Storage

Do the following on both Provisioning Servers. The vDisks will be stored locally on both servers. You must synchronize the files on the two servers: either manually (e.g. Robocopy), or automatically (e.g. DFS Replication).

Create D: Drive

  1. In the vSphere Web Client, edit the settings for each of the Provisioning server virtual machines.
  2. On the bottom, use the drop-down list to select New Hard Disk, and click Add.
  3. Expand the New Hard disk by clicking the arrow next to it.
  4. Change the disk size to 500 GB or higher. It needs to be large enough to store the vDisks. Each full vDisk is 40 GB plus a chain of snapshots. Additional space is needed to merge the chain.
  5. Feel free to select Thin provision, if desired. Click OK when done.
  6. Login to the session host. Right-click the Start Button, and click Disk Management.
  7. In the Action menu, click Rescan Disks.
  8. On the bottom right, right-click the CD-ROM partition, and click Change Drive Letters and Paths.

  9. Click Change.
  10. Change the drive letter to E:, and click OK.
  11. Click Yes when asked to continue.
  12. Right-click Disk 1 and click Online.
  13. Right-click Disk 1 and click Initialize Disk.
  14. Click OK to initialize the disk.
  15. Right-click the Unallocated space, and click New Simple Volume.
  16. In the Welcome to the New Simple Volume Wizard page, click Next.
  17. In the Specify Volume Size page, click Next.
  18. In the Assign Drive Letter or Path page, select D: and click Next.
  19. In the Format Partition page, change the Volume label to vDisks and click Next.
  20. In the Completing the New Simple Volume Wizard page, click Finish.
  21. If you see a pop-up asking you to format the disk, click Cancel since Disk Management is already doing that.

vDisk Folders

On the new D: partition, create one folder per Delivery Group. For example, create one called Win10Common, and create another folder called Win10SAP. Each vDisk is composed of several files, so it's best to place each vDisk in a separate folder. Each Delivery Group is usually a different vDisk.

Robocopy Script

Here is a sample robocopy statement to copy vDisk files from one Provisioning server to another. It excludes .lok files and excludes the WriteCache folders.

REM Robocopy from PVS01 to PVS02
REM Deletes files from other server if not present on local server
Robocopy D:\vDisks \\pvs02\d$\vDisks *.vhd *.vhdx *.avhd *.avhdx *.pvp /b /mir /xf *.lok /xd WriteCache /xo

Citrix Blog Post vDisk Replicator Utility has a GUI utility script that can replicate vDisks between Provisioning Sites and between Provisioning Farms.
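An added PowerShell check (not from the article or from Citrix) that reports which vDisk files differ between the local store and the peer server's store, using the same file types and exclusions as the robocopy line above. The store paths and server name are assumptions; it compares size and last-write time rather than hashing multi-GB files.

```powershell
# Added example; not from the article. Compare the local vDisk store with the
# peer server's copy so a replication problem is noticed before a Target Device
# boots from a stale or half-copied vDisk. Paths are assumptions.
param(
    [string]$LocalStore  = 'D:\vDisks',
    [string]$RemoteStore = '\\pvs02\d$\vDisks'
)

# Same file types as the robocopy line; .lok files and WriteCache are ignored.
$Types = '*.vhd', '*.vhdx', '*.avhd', '*.avhdx', '*.pvp'

function Get-VDiskFileMap {
    param([string]$Root)
    # Map of path-relative-to-store -> FileInfo, skipping WriteCache folders.
    $root = $Root.TrimEnd('\')
    $map  = @{}
    Get-ChildItem -Path $root -Recurse -File -Include $Types |
        Where-Object { $_.FullName -notmatch '\\WriteCache\\' } |
        ForEach-Object { $map[$_.FullName.Substring($root.Length + 1)] = $_ }
    $map
}

$src = Get-VDiskFileMap $LocalStore
$dst = Get-VDiskFileMap $RemoteStore

$report = foreach ($rel in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
    $l = $src[$rel]; $r = $dst[$rel]
    $state = if (-not $r)                                        { 'MissingOnRemote' }
             elseif (-not $l)                                    { 'ExtraOnRemote' }   # /mir would delete it
             elseif ($l.Length -ne $r.Length)                    { 'SizeMismatch' }
             elseif ($l.LastWriteTimeUtc -ne $r.LastWriteTimeUtc) { 'TimeMismatch' }
             else                                                { 'InSync' }
    [pscustomobject]@{ File = $rel; State = $state; LocalBytes = $l.Length; RemoteBytes = $r.Length }
}

# A .lok file beside a vDisk means it is locked (in use); a copy taken while it
# is being written gives the peer an inconsistent replica.
Get-ChildItem -Path $LocalStore -Recurse -File -Filter '*.lok' |
    ForEach-Object { Write-Warning "Locked vDisk on local store: $($_.FullName)" }

$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -ne 'InSync' | Format-Table -AutoSize
```

Run it from the server that holds the master copy (PVS01 in the robocopy line) before and after a replication job; anything other than InSync after the job points at a file robocopy skipped or a vDisk that was still locked.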

Service Account

Provisioning Services should run as a domain account that is in the local administrators group on both Provisioning servers. This is required for KMS Licensing.

From Considerations: Provisioning Services for Personal vDisk at Citrix Docs: The Provisioning Services Soap Service account must be added to the Administrator node of Citrix Studio and must have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the Preparing state when the Provisioning vDisk is promoted to production.

.NET Framework 3.5 SP1 & 4.5 – 2008 R2 Only

Provisioning Server on Windows Server 2008 R2 requires .NET Framework 3.5 SP1 to be installed prior to installing Provisioning Server.

  1. On each Provisioning Server, in Server Manager, right-click Features and click Add Features.
  2. In the Select Features page, check the box next to .NET Framework 3.5.1 and click Next.
  3. In the Confirm Installation Selections page, click Install.
  4. In the Installation Results page, click Close.

.NET Framework 4.0 has a bug; upgrade to 4.5. More information at the Citrix article All the target devices are not selected when using shift select within the PVS console to select a number of target devices.

.NET Framework 4.5.1 can be installed from Windows Update or you can download it from Microsoft.

Provisioning Console Install/Upgrade

The installation and administration of Citrix Provisioning 1912 and older (including LTSR versions 1912, 7.15.21 and 7.6.9) are essentially identical.

If you want to automate the installation and configuration of Citrix Provisioning, see Dennis Span Citrix Provisioning Server unattended installation.

To manually install Provisioning Console, or in-place upgrade the Provisioning Console:

  1. Go to the downloaded Citrix Provisioning, and in the Console folder, run PVS_Console_x64.exe.
  2. Click Install.

    1. If upgrading, and if you get an error about a newer version of Citrix Diagnostics Facility is already installed…
    2. …then you might have to uninstall the existing Citrix Diagnostics Facility installation and try the upgrade again.
  3. If you see the .NET Framework 4.7.1 Setup page:
    1. Check the box next to I have read and accept the license terms, and click Install.
    2. In the Installation Is Complete page, click Finish.
    3. Click Restart Now.
  4. Restart the PVS_Console_x64.exe installer.
  5. Click Install.
  6. In the Welcome to the InstallShield Wizard for Citrix Provisioning Console x64 page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Customer Information page, click Next.
  9. In the Destination Folder page, click Next.
  10. In the Ready to Install the Program page, click Install.
  11. In the InstallShield Wizard Completed page, click Finish.
  12. Click Yes if you are prompted to restart.
  13. If you are upgrading from 7.15.3000 to 7.15.4000, then manually upgrade the snap-ins. See CTX256773 Powershell SnapIns are not upgraded from PVS 7.15 LTSR CU3 to 7.15 LTSR CU4 after the upgrade is complete

After upgrading the Console, re-register the PowerShell snap-in. This is required for the Citrix App Layering Agent.

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"

Provisioning Server – Install/Upgrade

The installation and administration of Citrix Provisioning 1912, 1909, 7.15.21, 7.6.9 and other 7.x versions are essentially identical.

You can in-place upgrade Provisioning Server. The Servers must be upgraded before the vDisks are upgraded. While upgrading one Provisioning Server, all Target Devices are moved to the other Provisioning Server.

To install/upgrade Provisioning server:

  1. If vSphere, make sure the Provisioning server virtual machine Network Adapter Type is VMXNET 3.
  2. Go to the downloaded Provisioning ISO, and in the Server folder, run PVS_Server_x64.exe.
  3. Click Install when asked to install prerequisites.
  4. Note: there’s a long delay before the installation wizard appears.
  5. If you are upgrading, then you might be prompted to uninstall an older version of Provisioning Server before you can upgrade to this version. Then restart installation.

  6. In the Welcome to the Installation Wizard for Citrix Provisioning Server x64 page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In Citrix Provisioning 1811 and newer, you’ll see a Default Firewall Ports page. You can optionally select Automatically open all Citrix Provisioning ports in Windows Firewall. If you later use the Citrix Provisioning Console to change the ports, then the Windows Firewall rules need to be adjusted manually, since the Citrix Provisioning Console won’t do it for you.
  9. In the Customer Information page, select Anyone who uses this computer, and click Next.
  10. In the Destination Folder page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installation Wizard Completed page, click Finish.

Database Script

By default, the Citrix Provisioning Configuration Wizard will try to create the database using the credentials of the person that is running the Wizard. This isn’t always feasible. An alternative is to create a script that a DBA can run on the SQL server.

  1. Go to C:\Program Files\Citrix\Provisioning Services, and run DBScript.exe.
  2. Change the selection to New database for 2012 or higher.
  3. Enter a path to save the script file.
  4. Fill in the other fields.
  5. Select an Active Directory group containing your Citrix administrators, and click OK.
  6. In SQL Server Management Studio, open the SQL script.

  7. Execute the script to create the database.

  8. The person that runs the Citrix Provisioning Configuration Wizard will need db_owner permission to the new Citrix Provisioning database.
  9. Create a Windows service account that will run the services on the Citrix Provisioning server. This account must have a SQL login on the SQL server containing the Citrix Provisioning database. The Citrix Provisioning Configuration Wizard will grant this account the correct permissions in the database.

Configuration Wizard – New Farm

  1. If you used DBScript.exe to pre-create the database, skip to Configuration Wizard – Join Farm.
  2. For SQL AlwaysOn Availability Group, see CTX201203 SQL Server AlwaysOn Configuration for PVS 7.6. In summary: Use the wizard to create the database instance. In SQL, create the Availability Group. Then reconfigure Citrix Provisioning Server to point to the SQL AlwaysOn listener.
  3. The Citrix Provisioning Configuration Wizard launches automatically. If the database wasn’t pre-created, then the person running the wizard must have dbcreator and securityadmin roles on the SQL Server. If true, click Next. If not true, then cancel the wizard and launch it as somebody that does have those roles.

  4. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  5. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  6. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  7. Click Next.

  8. In the Farm Configuration page, choose Create Farm, and click Next.
  9. In the Database Server page, enter the name of the SQL server. Provisioning 7.11 and newer has a new option for MultiSubnetFailover. Click Next.
  10. In the New Farm page, enter the following:
    • Enter a descriptive Database name. Put the word Citrix in the database name so the DBA knows what it is for.
    • Enter a descriptive Farm name.
    • Enter a descriptive Site name.
    • Enter a descriptive Collection name. All of these names can be changed later.
    • Select the Active Directory group that will have administrator permissions to Citrix Provisioning, and click Next. If you don’t see your group here, select any group you belong to, and you can fix it later in the console.
  11. In the New Store page, browse to one of the vDisk folders, and give the store a name. Then click Next.
  12. In the License Server page, enter the name of your Citrix license server, check the box next to Validate license server communication, and click Next.
  13. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.

  14. In the Active Directory Computer Account Password page, check the box, and click Next.
  15. In the Network Communications page, click Next.
  16. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  17. In the Stream Servers Boot List page, click Advanced.
  18. Check the box next to Verbose mode, click OK, and then click Next.
  19. If Provisioning 7.12 or newer, in the Soap SSL Configuration page, click Next.
  20. If Provisioning 7.11 or newer, in the Problem Report Configuration page, enter your MyCitrix credentials, and click Next.
  21. In the Finish page, click Finish.
  22. If you are upgrading, then you might be asked to upgrade the database. Click Yes.
  23. Click OK if you see the firewall message.
  24. In the Finish page, click Done.

From Running the Configuration Wizard silently at Citrix Docs: Now that you have a configured server, you can run "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /s to produce an .ans file at "C:\ProgramData\Citrix\Provisioning Services\ConfigWizard.ans". This .ans file can be modified and copied to additional Provisioning servers. "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /a reads the .ans file and applies the configuration silently.
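An added PowerShell script (not from Citrix or the article) that performs the /s and /a steps just quoted: it captures the answer file on this already-configured server, copies it to each peer, runs the wizard silently there, and verifies the Stream Service came up. The peer names are assumptions, as is the exit-code check on ConfigWizard.exe.

```powershell
# Added example; not from Citrix or the article. Distribute the Configuration
# Wizard answer file from a configured Provisioning server to its peers.
# Run elevated, as an account that has the SQL permissions the wizard needs.
param(
    [string[]]$PeerServers = @('PVS02')   # assumed names; adjust for your farm
)
$Wizard     = 'C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe'
$AnswerFile = 'C:\ProgramData\Citrix\Provisioning Services\ConfigWizard.ans'

# 1. Write the answer file from this server's current configuration (/s).
#    Assumption: ConfigWizard.exe returns a non-zero exit code on failure.
$p = Start-Process -FilePath $Wizard -ArgumentList '/s' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "ConfigWizard.exe /s exited with code $($p.ExitCode)" }
if (-not (Test-Path $AnswerFile)) { throw "Answer file not produced: $AnswerFile" }

# The answer file records the farm's database, store and service-account
# settings: review it before copying it and keep it off shared locations.
Write-Host "Answer file written: $AnswerFile"

# 2. Copy the answer file to each peer and apply it there silently (/a).
foreach ($server in $PeerServers) {
    $dest = "\\$server\C$\ProgramData\Citrix\Provisioning Services\ConfigWizard.ans"
    Copy-Item -Path $AnswerFile -Destination $dest -Force

    Invoke-Command -ComputerName $server -ArgumentList $Wizard -ScriptBlock {
        param($exe)
        $r = Start-Process -FilePath $exe -ArgumentList '/a' -Wait -PassThru
        if ($r.ExitCode -ne 0) {
            throw "ConfigWizard.exe /a on $env:COMPUTERNAME exited with code $($r.ExitCode)"
        }
        # Independent check: a correctly joined server has its Stream Service running.
        $svc = Get-Service -DisplayName 'Citrix PVS Stream Service'
        if ($svc.Status -ne 'Running') {
            throw "Stream Service on $env:COMPUTERNAME is $($svc.Status) after /a"
        }
        "$env:COMPUTERNAME: configured, Stream Service running"
    }
}
```

Because ConfigWizard.exe /a connects to SQL as the account running it, the remote step only works when that account can reach the SQL server from the peer through a WinRM session (Kerberos delegation or CredSSP); otherwise copy the .ans file and run /a locally on each peer. If a peer needs different values, edit its copy of the .ans file before the /a step.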

Configuration Wizard – Join Farm

  1. The Configuration Wizard launches automatically.
  2. There are two methods of handling SQL permissions:
    1. The person running the wizard must have db_owner on the database and securityadmin role on the SQL Server. This allows the wizard to add the service account to SQL logins and grant it access to the database.
    2. Or the person running the wizard can be limited to just db_owner permission to the database. The service account must be added manually to SQL logins by a DBA.
  3. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  4. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  5. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  6. Click Next.

  7. In the Farm Configuration page, click Join existing farm.
  8. In the Database Server page, enter the name of the SQL server, and click Next.
  9. In the Existing Farm page, select the database, and click Next.
  10. In the Site page, select an existing site, and click Next.
  11. If you used the script to create the database, then there probably are no stores defined. Do so now.
  12. Otherwise, in the New Store page, select the existing store, and click Next.
  13. In the License Server page, click Next.
  14. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.
  15. In the Active Directory Computer Account Password page, check the box, and click Next.
  16. In the Network Communications page, click Next.
  17. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  18. In the Stream Servers Boot List page, click Advanced.
  19. Check the box next to Verbose mode, click OK, and then click Next.
  20. If Provisioning 7.12 or newer, in the Soap SSL Configuration page, click Next.
  21. If Provisioning 7.11 or newer, in the Problem Report Configuration page, enter your MyCitrix credentials, and click Next.
  22. In the Finish page, click Finish.
  23. Click OK if you see the firewall message.
  24. In the Finish page, click Done.

Troubleshooting – Networking Services Don’t Work After Reboot

If your PXE service or TFTP service does not work after a reboot of the Provisioning server, do the following:

  1. One option is to set the Citrix PVS PXE Service, Citrix PVS TFTP Service, and Citrix PVS Two-stage boot Service to Automatic (Delayed Start).
  2. The TFTP and Two-stage Boot services can be delayed by setting registry keys. From Carl Fallis at Citrix Discussions:
    • Keys = HKLM\System\CurrentControlSet\services\BNTFTP (and PVSTSB)\Parameters
    • Value = InitTimeoutSec (DWORD). 1 – 4 seconds. Default is 1.
    • Value = MaxBindRetry (DWORD). 5 – 20 retries. Default is 5.

Disable Firewall

Disable the Windows Firewall to allow communication to all Citrix Provisioning Server ports. Or, see Citrix Provisioning Firewall Rules and manually open all required ports. If you change the ports in the Citrix Provisioning Console, then you’ll need to adjust the Windows Firewall rules accordingly.

  1. In Server Manager, click Tools, and click Windows Firewall with Advanced Security.
  2. Click Windows Firewall Properties.
  3. On the Domain Profile tab, change the Firewall state to Off.

Disable BIOS Boot Menu

The versioning process in Citrix Provisioning will present a boot menu when booting any version except Production.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0 and newer.
  2. Then restart the Citrix PVS Stream Service.

Private Mode vDisk – No Servers Available for vDisk

Citrix CTX200233 – Error: “No servers available for disk”: When you set a vDisk to Private Image mode (or a new Maintenance version), if the Target Device is not connected to the server that contains the vDisk, then you might see a message saying “No Servers Available for vDisk”.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipRIMSForPrivate on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0.
  2. Then restart the Citrix PVS Stream Service.

Multi-Homed Provisioning Server

From slide 20 of http://www.slideshare.net/davidmcg/implementing-and-troubleshooting-pvs: a multi-homed Provisioning server is not recommended, but if you insist, and if running Provisioning 6.1 or older, configure the following. The Provisioning 7.7 configuration wizard should have asked you for the management NIC.

  • HKLM\Software\Citrix\ProvisioningServices\IPC
    • New Reg_Sz (string) named IPv4Address with the IP of the NIC for IPC
  • HKLM\Software\Citrix\ProvisioningServices\Manager
    • New Reg_Sz (string) named GeneralInetAddr with the IP of the NIC and port
    • e.g. 10.1.1.2:6909

Citrix 133877 Timeout Error 4002 in Provisioning Server Console after Clicking “Show Connected Devices”: when there are multiple streaming NICs assigned to the Provisioning Server and Show Connected Devices is clicked in the Provisioning console, the following symptoms might be experienced: Server timeout error 4002, an unusual delay of 3 to 4 minutes to list the connected devices, or the Provisioning console stops responding. Complete the following to resolve the issue:

  1. On the Provisioning Server machine, under HKLM\software\citrix\provisioningServices\Manager key, create registry DWORD RelayedRequestReplyTimeoutMilliseconds, and set it to 50 ms (Decimal).
  2. Create a DWORD RelayedRequestTryTimes, and set it to 1.
  3. Open the Provisioning Server console and test by selecting the Show Connected Devices command.
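An added PowerShell script (not from the article or from Citrix) that applies the service start types and registry values from the Troubleshooting, Disable BIOS Boot Menu, Private Mode vDisk and Timeout Error 4002 sections above on the local server and records each change. The key paths and values are the ones those sections name; the parameter names and the -WhatIf support are assumptions.

```powershell
# Added example; not from the article or Citrix. Run elevated on each
# Provisioning server. Each switch applies one of the tweaks described above;
# nothing is written unless its switch is given, and -WhatIf shows the plan.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DelayedStart,                        # PXE, TFTP, two-stage boot -> Automatic (Delayed Start)
    [ValidateRange(1, 4)]  [int]$InitTimeoutSec,  # BNTFTP/PVSTSB bind delay, seconds (default 1)
    [ValidateRange(5, 20)] [int]$MaxBindRetry,    # BNTFTP/PVSTSB bind retries (default 5)
    [switch]$SkipBootMenu,                        # no boot menu when booting a non-Production version
    [switch]$SkipRIMSForPrivate,                  # avoid "No Servers Available for vDisk" in Private mode
    [switch]$FixShowConnectedDevices              # timeout error 4002 with multiple streaming NICs
)

$Base    = 'HKLM:\SOFTWARE\Citrix\ProvisioningServices'
$changes = [System.Collections.Generic.List[string]]::new()   # audit trail of what was modified

function Set-PvsDword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key, [string]$Name, [int]$Value)
    # Create the key if missing, write the DWORD, and record old -> new.
    if (-not (Test-Path $Key)) { $null = New-Item -Path $Key -Force }
    $old = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($old -eq $Value) { return }
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "set DWORD to $Value")) {
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
        $changes.Add("$Key\$Name : $old -> $Value")
    }
}

if ($DelayedStart) {
    foreach ($display in 'Citrix PVS PXE Service', 'Citrix PVS TFTP Service', 'Citrix PVS Two-stage boot Service') {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$display' not found"; continue }
        if ($PSCmdlet.ShouldProcess($svc.Name, 'set start type to delayed-auto')) {
            # Set-Service in Windows PowerShell 5.1 cannot set delayed start; sc.exe can.
            & sc.exe config $svc.Name start= delayed-auto | Out-Null
            $changes.Add("$($svc.Name) start type -> Automatic (Delayed Start)")
        }
    }
}

# TFTP and two-stage boot bind parameters (read when those services start).
if ($PSBoundParameters.ContainsKey('InitTimeoutSec') -or $PSBoundParameters.ContainsKey('MaxBindRetry')) {
    foreach ($svcName in 'BNTFTP', 'PVSTSB') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters"
        if ($PSBoundParameters.ContainsKey('InitTimeoutSec')) { Set-PvsDword $key 'InitTimeoutSec' $InitTimeoutSec }
        if ($PSBoundParameters.ContainsKey('MaxBindRetry'))   { Set-PvsDword $key 'MaxBindRetry'   $MaxBindRetry }
    }
}

$streamChanged = $false
if ($SkipBootMenu)       { Set-PvsDword "$Base\StreamProcess" 'SkipBootMenu'       1; $streamChanged = $true }
if ($SkipRIMSForPrivate) { Set-PvsDword "$Base\StreamProcess" 'SkipRIMSForPrivate' 1; $streamChanged = $true }
if ($FixShowConnectedDevices) {
    Set-PvsDword "$Base\Manager" 'RelayedRequestReplyTimeoutMilliseconds' 50
    Set-PvsDword "$Base\Manager" 'RelayedRequestTryTimes' 1
}

# The StreamProcess values take effect when the Stream Service restarts.
if ($streamChanged -and $PSCmdlet.ShouldProcess('Citrix PVS Stream Service', 'restart')) {
    Get-Service -DisplayName 'Citrix PVS Stream Service' | Restart-Service -Force
}

if ($changes.Count) { $changes } else { 'No changes made.' }
```

Restarting the Stream Service interrupts streaming on that server, so apply the StreamProcess switches on one server at a time and confirm the Target Devices have failed over to the other server first.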

Antivirus Exclusions

Citrix’s Recommended Antivirus Exclusions

Endpoint Security and Antivirus Best Practices at Citrix Docs TechZone contains a list of recommended exclusions for Citrix Provisioning.


Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Microsoft’s virus scanning recommendations

(e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

TFTP High Availability

If your Target Devices are not on the same VLAN as the Provisioning Servers, then you will need to load balance TFTP.

NetScaler 10.1 and newer, and Citrix ADC, have native support for the TFTP protocol. Older versions of NetScaler are more difficult to configure.

DHCP Failover

The DHCP infrastructure must be highly available. And session hosts should be configured with DHCP Reservations. With multiple DHCP servers, any reservation should be created on all DHCP servers hosting the same DHCP scope. The easiest way to accomplish this is with the DHCP Failover feature in Windows Server 2012 and newer.

  1. Build two DHCP servers on Windows Server 2012 or newer.
  2. Create a scope for the Provisioning Target Devices.
  3. Right-click the existing scope, and click Configure Failover.
  4. In the Introduction to DHCP Failover page, click Next.
  5. In the Specify the partner server to use for failover page, enter the name of the other DHCP server, and click Next.
  6. In the Create a new failover relationship page, enter a Shared Secret, and click Next.
  7. Click Finish.
  8. Click Close.

Health Check

CTP Sacha Thomet’s PowerShell script to view the health/status of the Provisioning environment. Emails an HTML Report. For Provisioning 7.7 and newer, see https://blog.sachathomet.ch/2015/12/29/happy-new-script-pvs-7-7-healthcheck/. For Provisioning 7.6, http://blog.sachathomet.ch/happy-new-script-pvs-7-7-healthcheck/.


Citrix Provisioning – Create Devices

Last Modified: Dec 21, 2019 @ 7:06 pm


This article applies to all 7.x versions of Citrix Provisioning, including LTSR 1912, 1909, LTSR 7.15.21 (aka LTSR 7.15 CU5), and LTSR 7.6.9 (aka LTSR 7.6 CU8).



Target Device Template – vSphere

The hardware of the additional target devices must match the original virtual machine so the drivers contained in the vDisk continue to function. The easiest way to preserve the hardware configuration is to clone the original virtual machine.

  1. Shut down the original virtual machine.
  2. Edit the Settings of the virtual machine and make sure there is a blank, formatted cache disk.
  3. In the vSphere Client, right-click the original virtual machine, expand Clone, and click Clone to Template. The new machine must be a Template and not a regular virtual machine.
  4. In the Select a name and folder page, enter a name for the template, and click Next.
  5. In the Select a compute resource page, select the cluster and click Next.
  6. In the Select storage page, select a datastore for the template and click Next. Note: if you use the Citrix Provisioning wizards to create Target Devices, the new machines will be created on the same datastore as this template.
  7. In the Ready to complete page, click Finish.

Target Device Template – Hyper-V

If you store the template in the library, then you might see the issue described in CTX128750 Hyper-V Synthetic Network Interface Card Reinitializes on New Target Devices. The article recommends cloning a real VM instead of a template VM, but this might not work with the Citrix Provisioning Citrix Virtual Desktops Setup Wizard.

  1. Edit the Properties of the original virtual machine and make sure there is a blank, formatted cache disk.
  2. Right-click the original virtual machine, expand Create and click Create VM Template.
  3. Click Yes to acknowledge that the source virtual machine will be destroyed.
  4. In the VM Template Identity page, give the template a name and click Next.
  5. In the Configure Hardware page, click Next.
  6. In the Configure Operating System page, select None – customization not required, and click Next. There is no need to run SysPrep.
  7. In the Select Library Server page, select a library server, and click Next.
  8. In the Select Path page, click Browse to select a share, and click Next.
  9. In the Summary page, click Create.

Citrix Virtual Desktops (aka XenDesktop) Setup Wizard

The easiest way to create a bunch of Target Devices is to use the Citrix Virtual Desktops Setup Wizard that is built into the Citrix Provisioning Console. This wizard used to be named XenDesktop Setup Wizard.

From Considerations: Citrix Provisioning for Personal vDisk at Citrix Docs:

  • The Citrix Provisioning Soap Service account must be added to the Administrator node of Studio and must have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the Preparing state when the Citrix Provisioning vDisk is promoted to production.
  • The Citrix Provisioning versioning feature must be used to update the personal vDisk. When the version is promoted to production, the Soap Service puts the PvD desktops into the Preparing state.
  • The personal vDisk size should always be larger than the Citrix Provisioning write cache disk (otherwise, Citrix Provisioning might erroneously select the personal vDisk for use as its write cache).
  • After you create a Delivery Group, you can monitor the personal vDisk using the PvD Image Update Monitoring Tool or the Resize and poolstats scripts (personal-vdisk-poolstats.ps1).

If you prefer to script much of this wizard, see:

Do the following to launch the Citrix Virtual Desktops Setup Wizard:

  1. The Citrix Virtual Desktops Setup Wizard uses the Hosting Resources defined in Citrix Studio, so configure Citrix Studio > Configuration > Hosting with destination datastores and networks for the new Target Devices. For maximum control over datastore placement, create a separate Hosting Resource per datastore.

    • If vSphere, XenApp / XenDesktop 7.6 has a bug. To work around this, in the Hosting Resource, configure the option Use different storage for Personal vDisks. You can select the same storage for both the linked clones and the Personal vDisks. Configure this even if you’re not using Personal vDisks.
  2. Make sure the Template Target Device is on the same datastore that you want the new Target Devices to be stored on.
  3. If Hyper-V, make sure the VMM Console is installed on the same machine as the Citrix Provisioning Console.
  4. In the Citrix Provisioning Console, right-click the site, and click Citrix Virtual Desktops Setup Wizard.
  5. In the Welcome to Citrix Virtual Desktops page, click Next.
  6. In the Citrix Virtual Desktops Controller page, enter the name of a Delivery Controller, and click Next.
  7. In the Citrix Virtual Desktops Host Resources page, select a hosting resource. This list comes from the Hosting Resources created inside Studio. Click Next.
  8. Use a service account to login to vCenter or SCVMM when prompted. Citrix Provisioning might use these credentials later to power manage the target devices.
  9. If you see a message about no available templates, then you need to move your virtual machine template to this datastore.
  10. In the Template page, select the Target Device template, and click Next.
  11. In the vDisk page, select the Standard Image vDisk and click Next.
  12. In the Catalog page, enter a name for a new catalog, and click Next. Or you can add machines to an existing catalog.
  13. In the Operating System page, make your selection, and click Next.
  14. If you selected Windows Desktop Operating System, then in the User Experience page, select random or static, and click Next.
  15. In the Virtual machines page:
    1. Enter the number of machines you want to create.
    2. Enter the number of vCPUs for each new virtual machine. For RDSH, you usually add between 4 and 8 vCPUs.
    3. Enter the amount of Memory for each new virtual machine.
      1. To accommodate the Citrix Provisioning vDisk memory cache, add 256 MB (virtual desktop) or 4 GB of RAM (Remote Desktop Session Host) to the Memory. See Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing for more information.
    4. Specify the size of the cache disk: 20-40 GB for session hosts, or 5-10 GB for virtual desktops.
      1. Any disks attached to the template will be ignored/discarded. To keep the disk in the template, see CTX237313 PVS XDSW retain template disks.
    5. Select BDM disk or PXE boot.
      1. For PXE boot, the Target Devices must be on the same VLAN as the Provisioning servers.
      2. BDM disk burns the boot image into the new virtual machine’s disk. BDM Disk supports target devices on a different subnet than the Provisioning servers. Make sure the Target Device VM template does not have any Boot ISOs configured.
  16. Click Next.
  17. In the Active Directory page, click Next.
  18. In the Active Directory accounts and location page
    1. Select an OU.
    2. Enter a naming pattern for the new machines. Use ## to represent numbering.
  19. Click Next.
  20. In the Summary page, click Finish to start creating the machines. The wizard will power on the machines so it can format the cache disk.
  21. Then click Done.
  22. In Citrix Provisioning Console, if you go to Farm > Sites > mySite > Hosts, you’ll see the Hosting Resource used by the Wizard. If you open the Properties of the Hosting Resource…
  23. On the Credentials tab, you can see the credentials you used when running the wizard. You will probably want to change these to a service account.
  24. In Citrix Studio, you’ll see a new machine catalog.
  25. The Citrix Provisioning Citrix Virtual Desktops Setup Wizard seems to ignore zones (XenApp/XenDesktop 7.7 or newer) so you’ll have to move it to the correct zone manually.
  26. Create a new Delivery Group, or add the machines to an existing Delivery Group.

Target Device Power Operation

If you used the Citrix Virtual Desktops Setup Wizard to create Target Devices, then the Target Devices are linked to a hosting connection, and can be powered on from the Citrix Provisioning Console by right-clicking the device, and clicking Boot.

Target Devices created by the Citrix Virtual Desktops Setup Wizard have a VirtualHostingPoolId, which corresponds to the hosting connection listed under Sites > MySite > Hosts. When powering on the VM, Citrix Provisioning searches for a VM with the same name as the Target Device.

Boot Disk Manager (BDM) Partition Update

During Citrix Provisioning Citrix Virtual Desktops Setup Wizard, you can configure the Target Devices to use a BDM Partition to boot from Citrix Provisioning servers. This partition contains the IP addresses of the Citrix Provisioning servers. Prior to Citrix Provisioning 7.9, it was not possible to change the BDM Partition configuration.

In Citrix Provisioning 7.9 and newer, it is now possible to update the BDM Partition with the latest bootstrap info:

  1. In Citrix Provisioning Console, go to MyFarm > Sites > MySite > Servers, right-click each Citrix Provisioning server, and click Configure Bootstrap. Update the list of Citrix Provisioning servers.
  2. Make sure the Target Devices are powered off.
  3. Go to MyFarm > Sites > MySite > Device Collections, right-click a collection created by the Citrix Virtual Desktops Setup Wizard, expand Target Device, and click Update BDM Partitions.
  4. Click Update Devices.
  5. Click Close when done.

Citrix Studio Catalog of Citrix Provisioning Machines

The easiest method to create Citrix Provisioning Target Device machines (i.e. VDAs) and add them to a Machine Catalog is to run the Citrix Virtual Desktops Setup Wizard.

If you’re not able to use the Citrix Virtual Desktops Setup Wizard for any reason, then you can manually create Citrix Provisioning Target Device machines, or use the Streamed VM Setup Wizard. Once the machines are created in the Citrix Provisioning Console, you need to Export them to a Delivery Controller, or use Citrix Studio to Import them to a Machine Catalog.

In Citrix Provisioning 1906 and newer, to add Target Devices to a Machine Catalog, Citrix recommends that you use the new Export Devices Wizard because it works with both on-premises CVAD and Citrix Cloud. Find the wizard by right-clicking the Site name. See Export Devices Wizard at Citrix Docs. The Export Wizard is very similar to the Citrix Virtual Desktops Setup Wizard.

For Citrix Provisioning 1903 and older, do the following:

  1. In Citrix Studio, create a new Catalog.
  2. On the Introduction page, click Next.
  3. In the Operating System page, make a selection that matches the vDisk, and click Next.
  4. In the Machine Management page, change the Deploy machines using selection to Citrix Provisioning, and click Next.
  5. In the Device Collection page, enter the Provisioning server name, and click Connect.
  6. Select the Citrix Provisioning Device Collection, and click Next.
  7. In the Devices page, review the list of machines that will be added to the catalog, and click Next.
  8. In the Summary page, give the Catalog a name, and click Finish. You can now add these machines to a Delivery Group.
  9. You can later add more machines to the Device Collection in the Citrix Provisioning Console.
  10. To add the new machines to Citrix Studio, right-click the existing Catalog, and click Add Machines.
  11. In the Device Collection page, click Connect.
  12. Select the Device Collection containing new machines, and click Next.
  13. In the Devices page, review the list of new machines, and click Next.
  14. In the Summary page, click Finish. You can now add these new machines to a Delivery Group.

Write Cache Disk

Write Cache Drive Letter

If the Write Cache disk is not mounting with the correct drive letter, see CTX133476 Explaining and Troubleshooting WriteCache Disk Drive Letter Assignment.

Write Cache File Name

From Carl Fallis at .vdiskcache at Citrix Discussions. Citrix Provisioning has had three different cache names:

  • .vdiskCache is the legacy Ardence format (5.x and before, not supported anymore; you can delete this if your target software is running the latest release; this cache was optimized for size)
  • .vdiskdif.vhd is the legacy hard drive cache (6.0 and above local hard drive cache; used a standard 1 MB sector size and is larger than the legacy cache, but worked better with storage and was incrementally faster than the legacy Ardence format)
  • vdiskdif.vhdx is RAM cache with overflow (7.1.4 and above RAM cache with overflow; 2 MB sectors, larger than vhd but much faster and more compatible with storage)

Write Cache Filling Up Cache Disk

From Carl Fallis at .vdiskcache filling up drive at Citrix Discussions: The vDisk cache is basically a difference disk and only contains the blocks that are written to the system drive, so you cannot mount it or read the file; it is just block data. What you need to do is use a tool like Process Monitor from Microsoft (used to be Sysinternals) and monitor the system drive. Any write to the system drive is redirected by the Citrix Provisioning software to the cache file. You should make sure that any software that is installed on the target image does not have an auto-update feature enabled, redirect all user data to a network share, and educate your users to make sure they are not doing something that will fill up the cache, like downloading a video to the local system drive.

Be aware that the RAM cache with overflow to hard drive can use more space on your local drive. It is important, even with the older cache, that you perform regular maintenance on your vDisks. Some recommendations:

  • Merge to a new base disk when you have created 5 or more versions.
  • After every merge to the base disk, mount the new base disk and defrag the disk. This is important to reduce the sectors used in the local cache; it is very important with the new RAM cache with overflow to local disk, but it can also have a very positive impact with the legacy local cache. Refer to http://blogs.citrix.com/2015/01/19/size-matters-pvs-ram-cache-overflow-sizing for more information.

Write Cache Size Monitoring

To view the size of Write Cache in RAM with overflow to disk, look in Task Manager for Nonpaged pool.

Citrix Blog Post Digging into PVS with PoolMon and WPA details how to use Windows Performance Analyzer to view Citrix Provisioning RAM cache and overflow.
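Carl Fallis's advice above (watch what is filling the cache, keep the cache disk from running out of space) and the Nonpaged pool tip can be turned into a check that runs on a Target Device. The following is an added example, not code from the article or from Citrix. The drive letter, the threshold and the function name are assumptions; the cache file names are the ones listed above, searched in the root of the cache drive, which is where they are normally written.

```powershell
# Added example (not from the article): report how full the write-cache drive is,
# how large the overflow file has grown, and the nonpaged pool that holds the
# in-RAM part of the cache. Run on a Target Device in an elevated PowerShell.

function Get-PvsWriteCacheStatus {
    param(
        [string]$CacheDrive  = 'D:',   # assumed write-cache drive letter
        [int]$WarnPercent    = 80      # flag the device when used space passes this percentage
    )
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$CacheDrive'"
    if (-not $disk) { throw "Drive $CacheDrive was not found" }

    # Legacy .vdiskcache, 6.x vdiskdif.vhd, or the RAM-cache-with-overflow vdiskdif.vhdx.
    # The files are hidden, hence -Force. The wildcard also tolerates the "vdiskdiff" spelling.
    $cacheFile = Get-ChildItem -Path "$CacheDrive\" -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq '.vdiskcache' -or $_.Name -like 'vdiskdif*.vhd*' } |
        Select-Object -First 1

    # Task Manager's "Nonpaged pool" is this performance counter.
    $nonpaged = (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue

    $usedPct = [math]::Round(100 * ($disk.Size - $disk.FreeSpace) / $disk.Size, 1)
    [pscustomobject]@{
        Drive          = $CacheDrive
        UsedPercent    = $usedPct
        FreeGB         = [math]::Round($disk.FreeSpace / 1GB, 2)
        CacheFile      = if ($cacheFile) { $cacheFile.Name } else { 'not found' }
        CacheFileGB    = if ($cacheFile) { [math]::Round($cacheFile.Length / 1GB, 2) } else { 0 }
        NonpagedPoolMB = [math]::Round($nonpaged / 1MB)
        Warning        = ($usedPct -ge $WarnPercent)
    }
}

# Usage: schedule this on the Target Devices and alert on Warning = True, so the
# cache disk is caught before it fills up rather than after.
Get-PvsWriteCacheStatus -CacheDrive 'D:' -WarnPercent 80
```

If CacheFileGB keeps growing between reboots while the vDisk has not changed, something on the image is writing to the system drive; that is the moment to run Process Monitor as described above and find the writer.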

Citrix Provisioning – Update vDisk

Last Modified: Dec 21, 2019 @ 7:06 pm

This article applies to all 7.x versions of Citrix Provisioning, including LTSR 1912, 1909, LTSR 7.15.21 (aka LTSR 7.15 CU5), and LTSR 7.6.9 (aka LTSR 7.6 CU8).

Updater Device

  1. Create a new Updater Target Device that is only used when you need to update a vDisk. You can create the Updater device manually or you can use the Citrix Virtual Desktops Setup Wizard.
  2. Put the Updater device in a new Device Collection. This is to avoid assigning the device to a Catalog in Studio. Users must not connect to an Updater device while it is powered on.
  3. Set the Updater device to boot from the Maintenance Type. This is used by the Versioning method of updating a vDisk.
  4. When adding the Updater device to Active Directory, be mindful of group policies. Sometimes it is helpful to apply the group policies to the Updater device so they are stored in the vDisk you are updating.
  5. An Updater device can only boot from one vDisk at a time, but it can boot from any vDisk. If you need to update multiple vDisks simultaneously, create more Updater devices.
  6. If you are using Enterprise Software Deployment tools (e.g. System Center Configuration Manager) to maintain a vDisk, keep the Updater device constantly booted to a Maintenance version so the ESD tool can push updates to it. This basically requires a separate Updater device for each vDisk.

Update a vDisk – Versioning Method

  1. In the Citrix Provisioning Console, right-click a Standard Mode vDisk, and click Versions.
  2. In the vDisk Versions window, click New.
  3. Notice that the Access is set to Maintenance. Click Done.
  4. If you look at the physical location where the vDisks are stored, you’ll see a new .avhdx file.
  5. Go to the properties of an Updater Target Device, and change the Type to Maintenance. You’ll use this Target Device to update the vDisk. Make sure this Target Device you are using for vDisk Updating is not in any Delivery Group so that users don’t accidentally connect to it when it is powered on.
  6. Of course this Target Device will need to be configured to use the vDisk you are updating.
  7. Power on the Updater Target Device.
  8. If you did not configure the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu to 1 on the Provisioning Servers, then you’ll see a boot menu.
  9. Login to your Updater Target Device. The Virtual Disk Status icon by the clock should indicate that the vDisk Mode is now Read/Write.
  10. Make any desired changes.
  11. The Citrix Provisioning Image Optimization tool disables Windows Update. To install Windows Updates, use the following script to enable Windows Update, install updates, then disable Windows Update – http://www.xenappblog.com/2013/prepare-a-provisioning-services-vdisk-for-standard-mode/
  12. Before powering off the target device, run your sealing tasks. Run antivirus sealing tasks.
  13. Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
  14. Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
  15. Power off the target device so the vDisk is no longer being used.
  16. Go back to the Versions window for the vDisk.
  17. Highlight the version you just updated, and click Promote.
  18. Best practice is to promote it to Test first. Or you can go directly to Production if you’re confident that your updates won’t cause any problems. Note: if you select Immediate, it won’t take effect until the Target Devices are rebooted. For scheduled promotion, the Target Devices must be rebooted after the scheduled date and time.
  19. The Replication icon should have a warning icon on it indicating that you need to copy the files to the other Provisioning server.
  20. Only copy the .avhdx and .pvp files. Do not copy the .lok file.

  21. Another method of copying the vDisk files is by using Robocopy:
    Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo
  22. Citrix Blog Post The vDisk Replicator Utility is finally finished! 💡
  23. Citrix Blog Post vDisk Replicator Utility has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.

  24. Then click the Refresh button, and the warning icon should go away.
  25. Configure a Target Device to boot the Test vDisk Type. Then boot it.
  26. Once testing is complete, promote the vDisk version again.
  27. Immediate means it will take effect only after Target Devices are rebooted, whether immediately or later. Scheduled means the Target Device has to be rebooted after the scheduled date and time before it takes effect; if the Target Device has been rebooted before the scheduled date, then the older version is still in effect. Click OK.
  28. If you need to Revert, you can use the Revert button, or the drop-down on top of the window.
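The Robocopy line in step 21 copies the files, but nothing in the procedure proves the copy is identical, and the Merge Versions section below depends on that ("Don’t Merge until the files on both Provisioning servers are replicated"). The following is an added PowerShell example, not code from the article or from Citrix: it runs Robocopy with the same switches the article uses and then compares SHA-256 hashes of the vDisk files on both servers. The store paths and the server name \\pvs2 are the article's; the function names and the hash comparison are assumptions for this example.

```powershell
# Added example (not from the article): mirror a vDisk store to a second
# Provisioning server with the article's Robocopy switches, then prove the
# copy is identical by comparing SHA-256 hashes on both sides.
# Run this with the Updater device powered off, so no .avhdx is being written.

function Copy-PvsStore {
    param(
        [Parameter(Mandatory)][string]$Source,        # e.g. D:\vDisks
        [Parameter(Mandatory)][string]$Destination    # e.g. \\pvs2\d$\vDisks
    )
    # /b backup mode        /mir mirror (also deletes extra files on the destination)
    # /xf *.lok  never copy lock files    /xd WriteCache  skip the local write-cache folder
    # /xo do not overwrite files that are newer on the destination
    & robocopy $Source $Destination *.vhd *.avhd *.pvp *.vhdx *.avhdx `
        /b /mir /xf *.lok /xd WriteCache /xo /np /ndl | Out-Null
    # Robocopy exit codes 0-7 are informational flags; 8 and above mean copy errors.
    if ($LASTEXITCODE -ge 8) { throw "Robocopy failed with exit code $LASTEXITCODE" }
    return $LASTEXITCODE
}

function Compare-PvsStore {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $wanted = '.vhd', '.avhd', '.vhdx', '.avhdx', '.pvp'
    $root   = $Source.TrimEnd('\')
    $files  = Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $wanted -contains $_.Extension.ToLower() -and
                       $_.FullName -notmatch '\\WriteCache\\' }
    foreach ($f in $files) {
        $relative = $f.FullName.Substring($root.Length + 1)
        $peer     = Join-Path $Destination $relative
        $status   = 'Missing'
        if (Test-Path -LiteralPath $peer) {
            # Cheap size check first; only hash (slow on multi-GB files) when the sizes agree.
            if ((Get-Item -LiteralPath $peer).Length -ne $f.Length) {
                $status = 'SizeMismatch'
            } else {
                $src = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                $dst = (Get-FileHash -LiteralPath $peer -Algorithm SHA256).Hash
                $status = if ($src -eq $dst) { 'InSync' } else { 'HashMismatch' }
            }
        }
        [pscustomobject]@{ File = $relative; Status = $status }
    }
}

# Usage: replicate, then list anything that is not identical on the peer.
# Only merge a version chain once this returns nothing.
Copy-PvsStore    -Source 'D:\vDisks' -Destination '\\pvs2\d$\vDisks' | Out-Null
Compare-PvsStore -Source 'D:\vDisks' -Destination '\\pvs2\d$\vDisks' |
    Where-Object { $_.Status -ne 'InSync' }
```

A HashMismatch on an .avhdx that is still in Maintenance is expected (the Updater device is writing to it); a mismatch on a version that is already in Test or Production means the two servers are streaming different content and the Refresh in step 24 will not fix it.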

Merge Versions

  1. Citrix recommends no more than five .avhd files in the snapshot chain. To collapse the chain of .avhd files, you can Merge the versions. Don’t Merge until the files on both Provisioning servers are replicated.
  2. You can merge (Merged Updates) multiple .avhdx files into a single new .avhdx file that is linked to the original base file. Or you can merge (Merged Base) the original base, plus all of the .avhdx files into a new base .vhdx file, without any linked .avhdx files.
  3. The Merged Base process creates a whole new .vhdx file that is the same size or larger than the original base. After merging, replicate the merged file to both Provisioning Servers.

  4. Make sure there is no warning icon on the Replication button.
  5. If your merged version is currently in Test mode, then you can promote it to Production.
  6. After merging, you can delete older versions if you don’t need to revert to them.

Citrix CTX207112 Managing Provisioning Services VDisk Versions with VhdUtil Tool: CLI tool that can do the following outside of Citrix Provisioning Console:

  • dump header/footer
  • merge chain
  • rename chain

Expand vDisk VHD

To expand a vDisk file, create a Merged Base. Then use normal VHD expansion tools/methods.

One method is described by Trevor Svienson at How do I expand pvs vdisk with versions? at Citrix Discussions. The steps are:

  1. Open cmd or powershell as administrator
  2. diskpart
  3. select vdisk file="<path to your vdisk>" (e.g. V:\store\my.vhd)
  4. list vdisk (you should now see your vdisk and the path)
  5. expand vdisk maximum=60000 (This is the size in megabytes of the size you want to extend, so 60000 is 60 GB)
  6. attach vdisk
  7. list disk
  8. list volume (take note of the Volume number of your vdisk; you should see the old size)
  9. select volume 5 (or whatever volume number from list volume command)
  10. extend
  11. list volume (you should now see the size you want for your disk. This should also be seen in the Citrix Provisioning console)
  12. detach vdisk
  13. exit
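The same expansion as one function, added here as an example rather than taken from the forum post: diskpart grows the VHD container exactly as in the steps above, and the Windows Storage cmdlets then grow the last partition, which replaces the manual "list volume / select volume N" lookup. The function and parameter names are assumptions; run it from an elevated PowerShell against a Merged Base that no Target Device is booting.

```powershell
# Added example (not from the forum post): grow a vDisk VHD/VHDX and its last
# partition. diskpart does the container (same commands as the manual steps);
# Mount-DiskImage plus Resize-Partition does the volume.

function Expand-PvsVhd {
    param(
        [Parameter(Mandatory)][string]$Path,       # e.g. V:\store\my.vhd or .vhdx
        [Parameter(Mandatory)][int]$MaximumMB      # new container size in MB, e.g. 60000
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "vDisk file not found: $Path" }

    # 1. Grow the container with a diskpart script.
    $script = Join-Path $env:TEMP 'expand-vdisk.txt'
    @(
        "select vdisk file=`"$Path`"",
        "expand vdisk maximum=$MaximumMB",
        'exit'
    ) | Set-Content -LiteralPath $script -Encoding ASCII
    & diskpart /s $script | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart expand failed with exit code $LASTEXITCODE" }

    # 2. Attach the VHD, find its last partition and extend it to the maximum supported size.
    Mount-DiskImage -ImagePath $Path | Out-Null
    $disk = Get-DiskImage -ImagePath $Path | Get-Disk
    try {
        $part = Get-Partition -DiskNumber $disk.Number |
            Where-Object Type -ne 'Reserved' | Sort-Object Offset | Select-Object -Last 1
        $max  = (Get-PartitionSupportedSize -DiskNumber $disk.Number `
                    -PartitionNumber $part.PartitionNumber).SizeMax
        if ($max -gt $part.Size) {
            Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size $max
        }
        # Report the result; the new size should also show in the Citrix Provisioning Console.
        Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber |
            Select-Object DiskNumber, PartitionNumber,
                @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
    }
    finally {
        # 3. Always detach, even if the resize failed, so the file is not left locked.
        Dismount-DiskImage -ImagePath $Path | Out-Null
    }
}

# Usage (assumed path and size):
Expand-PvsVhd -Path 'V:\store\my.vhd' -MaximumMB 60000
```

The try/finally matters: a vDisk left attached to the management machine is locked, and the Provisioning server will not be able to stream it until it is detached.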

Reverse Image – BCDEDIT Method

If you want to upgrade the Citrix Provisioning Target Device Software on a vDisk, and if your current Target Devices Software installation is 7.6 Update 1 or newer then you can simply install the new Target Device Software. No special steps required. However, if your Target Device software is 7.6 or older then you’ll need to Reverse Image as detailed in this section.

If you want to update the NIC driver (e.g. VMware Tools) then you can’t use the normal vDisk versioning process since NIC interruptions will break the connection between Target Device and vDisk. Instead you must reverse image, which essentially disconnects the vDisk from Citrix Provisioning.

The traditional method of reverse imaging is to use Citrix Provisioning Imaging (P2PVS.exe), or similar, to copy a vDisk to a local disk, boot from the local disk, make changes, and then run the Imaging Wizard again to copy the local disk back to a new vDisk. Select Volume to Volume. On the next page, select C: as source, and local disk as Destination. If you don’t see the C: drive as an option, then make sure your vDisk is in read/write mode (Private Image or Maintenance Version).

A faster process is to skip Citrix Provisioning Imaging, and instead boot directly from the vDisk VHD. Windows 7/2008 R2 and newer can boot directly from VHD files. Windows 8/2012 and newer can boot from VHDX files. All you need to do is copy the vDisk VHD/VHDX to a Windows machine’s local C: drive, run bcdedit to configure booting to the VHD/VHDX, reboot into the VHD/VHDX, make your changes, reboot back into the original Windows OS, copy the VHD/VHDX back to Citrix Provisioning and import it. Details below:

Note: For Windows 7 vDisks, Enterprise Edition is required in the bootable VHD.

Alternative methods of performing Reverse Image:

To boot from vDisk VHD (Microsoft TechNet To add a native-boot VHD to an existing Windows 7 boot menu):

  1. In Citrix Provisioning Console, if using versioning, create a merged base.
  2. Copy the merged base vDisk (VHD file) to any Windows 7, Windows 2008 R2, or newer virtual machine. If VHDX, you’ll need Windows 8, Windows 2012, or newer. Note: the C: drive of the virtual machine must be large enough to contain a fully expanded VHDX file.
  3. Run the following command to export the current BCD configuration:
    bcdedit /export c:\bcdbackup

  4. Run the following command to copy the default BCD entry to a new entry. This outputs a GUID that you will need later.
    bcdedit /copy {default} /d "vhd boot (locate)"

  5. Run the following commands to set the new BCD entry to boot from the VHD file. Replace {guid} with the GUID outputted from the previous command. Include the braces.
    bcdedit /set {guid} device vhd=[locate]\MyvDisk.vhd
    bcdedit /set {guid} osdevice vhd=[locate]\MyvDisk.vhd
    

  6. Make sure you are connected to the console of the virtual machine.
  7. Restart the virtual machine.
  8. When the boot menu appears, select the VHD option. Note: if you see a blue screen, then you might have to enlarge your C: drive so the VHD file can be unpacked.
  9. Login to the virtual machine.
  10. Perform updates:
    1. Uninstall the Citrix Provisioning Target Device software.
    2. Upgrade VMware Tools.
    3. Reinstall Citrix Provisioning Target Device software. The Target Device software must be installed after VMware Tools is updated.
  11. When you are done making changes, reboot back into the regular operating system.

  12. Rename the updated VHD file to make it unique.
  13. Copy the updated VHD file to your Citrix Provisioning Store.
  14. Copy an existing .pvp file and paste it with the same name as your newly updated VHD.

  15. In the Citrix Provisioning Console, right-click the store, and click Add or Import Existing vDisk.
  16. Click Search.
  17. It should find the new vDisk. Click Add. Click OK.

  18. You can now assign the newly updated vDisk to your Target Devices.
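Steps 3 to 5 above, as one PowerShell function (added example, not code from the article or from Microsoft): it backs up the BCD store, clones the default entry, reads the new GUID out of bcdedit's confirmation line, and points the entry at the VHD. It also shows the one PowerShell-specific trap in this procedure: {default} has to be quoted, because unquoted braces are parsed as a script block. Function names, the backup path and the VHD file name are assumptions.

```powershell
# Added example (not from the article): create and later remove the
# native-boot VHD entry used for reverse imaging. Run from an elevated PowerShell.

function Add-VhdBootEntry {
    param(
        [Parameter(Mandatory)][string]$VhdFileName,   # file copied to the VM's C: drive, e.g. MyvDisk.vhd
        [string]$Description = 'vhd boot (locate)',
        [string]$BackupPath  = 'C:\bcdbackup'
    )
    # 1. Keep a copy of the BCD store so the change can be undone (bcdedit /import).
    bcdedit /export $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /export failed; run from an elevated PowerShell' }

    # 2. Clone the default entry. In PowerShell {default} must be quoted: unquoted braces
    #    are parsed as a script block and bcdedit would receive the wrong argument.
    $out = bcdedit /copy '{default}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }

    # 3. bcdedit prints "The entry was successfully copied to {guid}."; capture the GUID, braces included.
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "No GUID found in bcdedit output: $out" }

    # 4. Point device and osdevice at the VHD. [locate] makes the boot loader search
    #    every volume for the file, so the drive letter at boot time does not matter.
    bcdedit /set $guid device   "vhd=[locate]\$VhdFileName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set device failed' }
    bcdedit /set $guid osdevice "vhd=[locate]\$VhdFileName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set osdevice failed' }
    return $guid
}

function Remove-VhdBootEntry {
    # Clean-up after step 11: once the VM is back in its regular OS, drop the temporary entry.
    param([Parameter(Mandatory)][string]$Guid)
    bcdedit /delete $Guid /cleanup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /delete $Guid failed" }
}

# Usage (assumed file name): add the entry, note the GUID, reboot and choose the VHD
# entry from the boot menu. After the changes are made and the VM has rebooted into
# its normal OS, remove the entry so the boot menu goes back to a single choice.
$entry = Add-VhdBootEntry -VhdFileName 'MyvDisk.vhd'
"Created boot entry $entry"
# Remove-VhdBootEntry -Guid $entry
```

Keep the exported store: if the VM fails to boot after step 8, bcdedit /import C:\bcdbackup from the recovery environment restores the original menu.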

Automatic Scheduled vDisk Update – SCCM

You can use the vDisk Update Management node (and Hosts node) in Citrix Provisioning Console to schedule an updater machine to power on, receive updates from System Center Configuration Manager, and power off. The new vDisk version can then be automatically promoted to Production, or you can leave it in Maintenance or Test mode and promote it manually.

See the following Citrix links for instructions:

Global Server Load Balancing (GSLB) – NetScaler 10.5

Last Modified: Jan 4, 2019 @ 7:55 am

This article was written for NetScaler 10.5.

GSLB Planning

GSLB is nothing more than DNS. GSLB is not in the data path. GSLB receives a DNS query and GSLB sends back an IP address, which is exactly how a DNS server works. However, GSLB can do some things that DNS servers can’t do:

  • Don’t give out an IP address unless it is UP (monitoring)
    • If active IP address is down, give out the passive IP address (active/passive)
  • Give out the IP address that is closest to the user (proximity load balancing)
  • Give out different IPs for internal vs external (DNS View)

GSLB is only useful if you have a single DNS name that could resolve to two or more IP addresses. If there’s only one IP address then use normal DNS instead.

Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.

Citrix has a good DNS and GSLB Primer.

When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!

GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names.

For internal and external GSLB of the same DNS name on the same appliance, you can use DNS Policies and DNS Views to return different IP addresses depending on where users are connecting from. Citrix CTX130163 How to Configure a GSLB Setup for Internal and External Users Using the Same Host Name.

However, GSLB monitoring applies to the entire GSLB Service so it would take down both internal and external GSLB. If you need different GSLB monitoring for internal and external of the same DNS name, try CNAME:

  • External citrix.company.com:
    • Configure NetScaler GSLB for citrix.company.com.
    • On public DNS, delegate citrix.company.com to the NetScaler DMZ ADNS services.
  • Internal citrix.company.com:
    • Configure NetScaler GSLB for citrixinternal.company.com or something like that.
    • On internal DNS, create CNAME for citrix.company.com to citrixinternal.company.com
    • On internal DNS, delegate citrixinternal.company.com to NetScaler internal ADNS services.

Some IP Addresses are needed on each NetScaler pair:

  • ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
  • GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
    • RPC Source IP: RPC traffic is sourced from a SNIP, even if this is different than the GSLB Site IP. It’s less confusing if you use a SNIP as the GSLB Site IP.
    • Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
    • MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
    • GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
  • DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
  • IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
    • One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
    • One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
    • If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

ADNS

  1. Identify a SNIP that you will use for MEP and ADNS.
  2. Configure a public IP for the SNIP and configure firewall rules.
  3. If you wish to use GSLB configuration sync then management access (SSH) must be enabled on this SNIP.
  4. On the left, expand Traffic Management > Load Balancing, and click Services.
  5. On the right, click Add.
  6. Name the service ADNS or similar.
  7. In the IP Address field, enter an appliance SNIP.
  8. In the Protocol field, select ADNS. Then click OK.
  9. Scroll down and click Done.
  10. On the left of the console, expand System, expand Network, and then click IPs.
  11. On the right, you’ll see the SNIP is now marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
  12. Repeat on the other appliance in the other datacenter.
  13. Your NetScaler appliances are now DNS servers.

Metric Exchange Protocol

  1. Open the firewall rules for Metric Exchange Protocol. You can use the same SNIP and same public IP used for ADNS.
  2. On the left, expand Traffic Management, right-click GSLB, and enable the feature.
  3. Expand GSLB, and click Sites.
  4. On the right, click Add.
  5. Add the local site first. Enter a descriptive name and in the Site Type drop-down, select LOCAL.
  6. In the Site IP Address field, enter an appliance SNIP. This SNIP must be in the default Traffic Domain. The NetScaler listens for GSLB MEP traffic on this IP.
  7. For Internet-routed GSLB MEP, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP (SNIP). For internal GSLB, there is no need to enter anything in the Public IP field. Click Create.
  8. Go back to System > Network > IPs, and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
  9. If you want to use the GSLB Sync Config feature, then you’ll need to edit the GSLB site IP, and enable Management Access.
  10. Scroll down and enable Management Access. SSH is all you need.
  11. Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
  12. In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
  13. Now on each appliance add another GSLB Site, which will be the remote GSLB site.
  14. Enter a descriptive name and select REMOTE as the Site Type.
  15. Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
  16. In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open from the local GSLB Site IP to the remote public Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open from the local NSIP to the remote public Site IP. Click Create.
  17. Repeat on the other appliance.
  18. MEP will not function yet since the NetScaler appliances are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network, and click RPC.
  19. On the right, edit the new RPC address (the other site’s GSLB Site IP), and click Edit.
  20. On the bottom, check the box next to Secure, and click OK.
  21. Do the same thing on the other appliance.
  22. If you go back to GSLB > Sites, you should see it as active.

GSLB Services

GSLB Services represent the IP addresses that are returned in DNS Responses. DNS Query = DNS name. DNS Response = IP address.

GSLB should be configured identically on both NetScalers. Since you have no control over which NetScaler will receive the DNS query, you must ensure that both NetScalers are giving out the same DNS responses.

Create the same GSLB Services on both NetScalers:

  1. Start on the appliance in the primary data center. This appliance should already have a traffic Virtual Server (NetScaler Gateway, Load Balancing, or Content Switching) for the DNS name that you are trying to GSLB enable.
  2. On the left, expand Traffic Management > GSLB, and click Services.
  3. On the right, click Add.
  4. The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
  5. Select the LOCAL Site.
  6. On the bottom part, select Virtual Servers, and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
  7. Scroll up and make sure the Service Type is SSL. It’s annoying that NetScaler doesn’t set this drop-down correctly.
  8. The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
  9. Scroll down and click OK.
  10. If the GSLB Service IP is a VIP on the local appliance, then GSLB will simply use the state of the local traffic Virtual Server (Load Balancing, Content Switching, or Gateway). If the GSLB Service IP is a VIP on a remote appliance, then GSLB will use MEP to ask the other appliance for the state of the remote traffic Virtual Server. In both cases, there’s no need to bind a monitor to the GSLB Service.
  11. However, you can also bind monitors directly to the GSLB Service. Here are some reasons for doing so:
    • If the GSLB Service IP is a NetScaler-owned traffic VIP, but the monitors bound the traffic Virtual Server are not the same ones you want to use for GSLB. When you bind monitors to the GSLB Services, the monitors bound to the traffic Virtual Server are ignored.
    • If the GSLB Service IP is in a non-default Traffic Domain, then you will need to attach a monitor since GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
    • If the GSLB Service IP is not hosted on a NetScaler, then only GSLB Service monitors can determine if the Service IP is up or not.
  12. If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB Services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
  13. Click Done.
  14. On the other datacenter NetScaler, create a GSLB Service.
  15. Select the REMOTE site that is hosting the service.
  16. Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, select New Server.
  17. For the Server IP, enter the actual VIP configured on the other appliance. This local NetScaler will use GSLB MEP to communicate with the remote NetScaler to find a traffic Virtual Server with this VIP. The remote NetScaler responds with whether the remote traffic Virtual Server is up or not. The remote Server IP configured here does not need to be directly reachable by this local appliance. If the Server IP is not owned by either NetScaler, then you will need to bind monitors to your GSLB Service.
  18. In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service. For Public DNS, you enter a Public IP that is usually NAT’d to the traffic VIP. For internal DNS, the Public IP and the Server IP are usually the same.
  19. Scroll up and change the Service Type to match the Virtual Server defined on the other appliance.
  20. Click OK.
  21. Just like the other appliance, you can also configure Site Persistence and GSLB Service Monitors. Click Done when done.
  22. Create more GSLB Services, one for each traffic VIP. GSLB is useless if there’s only one IP address to return. You should have multiple IP addresses (VIPs) through which a web service (e.g. NetScaler Gateway) can be accessed. Each of these VIPs is typically in different datacenters, or on different Internet circuits. The mapping between DNS name and IP addresses is configured in the GSLB vServer, as detailed in the next section.
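The ADNS, Site, MEP and GSLB Service steps above, plus the GSLB Virtual Server and domain binding described in the next section, pushed through the NetScaler NITRO REST API from PowerShell instead of the GUI, with a DNS query at the end to check what ADNS actually answers. This is an added example, not code from the article or from Citrix. The helper function, the object names, the hostname and every IP address (RFC 5737 documentation ranges) are assumptions; the NITRO resource and attribute names are the ones the configuration objects use in the GUI. The same function runs once per appliance, with LocalSiteName telling it which site it is on, so the GSLB Services and vServer come out identical on both, as the article requires.

```powershell
# Added example (not from the article, not Citrix code): configure active/passive
# GSLB for one FQDN on a NetScaler through NITRO, then query the ADNS service.

function Invoke-Nitro {
    param(
        [Parameter(Mandatory)][string]$Nsip,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Resource,
        [Parameter(Mandatory)][hashtable]$Body,
        [ValidateSet('POST', 'PUT')][string]$Method = 'POST',   # POST = add, PUT = set / bind
        [string]$Action
    )
    $uri = "https://$Nsip/nitro/v1/config/$Resource"
    if ($Action) { $uri += "?action=$Action" }
    # Account name and password travel in headers, so only talk HTTPS to a NSIP whose
    # certificate the workstation trusts.
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    $json = @{ $Resource = $Body } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Uri $uri -Method $Method -Headers $headers -ContentType 'application/json' -Body $json
}

function Set-GslbConfig {
    param(
        [Parameter(Mandatory)][string]$Nsip,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][hashtable]$Primary,    # active site: Name, SiteIP, PublicIP, VIP, VipPublicIP
        [Parameter(Mandatory)][hashtable]$Secondary,  # passive site, same keys
        [Parameter(Mandatory)][string]$LocalSiteName, # which of the two this appliance is
        [string]$Fqdn = 'citrix.company.com'
    )
    $n = @{ Nsip = $Nsip; Credential = $Credential }
    if ($Primary.Name -eq $LocalSiteName) { $local = $Primary; $remote = $Secondary } else { $local = $Secondary; $remote = $Primary }

    # ADNS service on the local SNIP: the appliance now answers DNS for delegated names.
    Invoke-Nitro @n -Resource service -Body @{ name = 'ADNS_svc'; ip = $local.SiteIP; servicetype = 'ADNS'; port = 53 }
    Invoke-Nitro @n -Resource nsfeature -Action enable -Body @{ feature = @('GSLB') }

    # Sites: publicip is the NAT address the other datacenter reaches for MEP.
    Invoke-Nitro @n -Resource gslbsite -Body @{ sitename = $local.Name;  sitetype = 'LOCAL';  siteipaddress = $local.SiteIP;  publicip = $local.PublicIP }
    Invoke-Nitro @n -Resource gslbsite -Body @{ sitename = $remote.Name; sitetype = 'REMOTE'; siteipaddress = $remote.SiteIP; publicip = $remote.PublicIP }

    # Encrypt MEP: the RPC node for the remote site defaults to clear text on TCP 3011;
    # Secure = YES moves it to TCP 3009, the only MEP port the firewall should allow.
    Invoke-Nitro @n -Method PUT -Resource nsrpcnode -Body @{ ipaddress = $remote.SiteIP; secure = 'YES' }

    # One GSLB service per traffic VIP, identical on both appliances; publicip is what ADNS hands out.
    foreach ($site in @($Primary, $Secondary)) {
        Invoke-Nitro @n -Resource gslbservice -Body @{
            servicename = "gslb_svc_$($site.Name)"; ip = $site.VIP; servicetype = 'SSL'; port = 443
            sitename = $site.Name; publicip = $site.VipPublicIP; publicport = 443
        }
    }

    # Active/passive: bind only the primary site's service and hand out the secondary
    # site's public VIP as Backup IP when the primary service is down.
    Invoke-Nitro @n -Resource gslbvserver -Body @{ name = 'gslb_vs_citrix'; servicetype = 'SSL' }
    Invoke-Nitro @n -Method PUT -Resource gslbvserver_gslbservice_binding -Body @{ name = 'gslb_vs_citrix'; servicename = "gslb_svc_$($Primary.Name)" }
    Invoke-Nitro @n -Method PUT -Resource gslbvserver_domain_binding -Body @{ name = 'gslb_vs_citrix'; domainname = $Fqdn; ttl = 5; backupip = $Secondary.VipPublicIP }
}

function Test-GslbAnswer {
    param([Parameter(Mandatory)][string]$AdnsIp, [string]$Fqdn = 'citrix.company.com')
    # Ask the ADNS service directly; expect the primary public VIP while it is up and the
    # Backup IP once the primary service is marked down.
    (Resolve-DnsName -Name $Fqdn -Type A -Server $AdnsIp -DnsOnly -ErrorAction Stop).IPAddress
}

# Usage (all values assumed): same objects on both appliances, only the local site differs.
$cred = Get-Credential -Message 'NetScaler account with NITRO access'
$dc1  = @{ Name = 'DC1'; SiteIP = '10.1.1.10'; PublicIP = '203.0.113.10';  VIP = '10.1.1.20'; VipPublicIP = '203.0.113.20' }
$dc2  = @{ Name = 'DC2'; SiteIP = '10.2.2.10'; PublicIP = '198.51.100.10'; VIP = '10.2.2.20'; VipPublicIP = '198.51.100.20' }
Set-GslbConfig -Nsip '10.1.1.5' -Credential $cred -Primary $dc1 -Secondary $dc2 -LocalSiteName 'DC1'
Set-GslbConfig -Nsip '10.2.2.5' -Credential $cred -Primary $dc1 -Secondary $dc2 -LocalSiteName 'DC2'
Test-GslbAnswer -AdnsIp '203.0.113.10'
```

Run Test-GslbAnswer against both ADNS IPs: because you cannot control which appliance a resolver asks, both must return the same answer, and the answer must change to the Backup IP when the primary traffic vServer is disabled during a failover test.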

GSLB Virtual Server

The GSLB Virtual Server is the entity that the DNS name is bound to. GSLB vServer then gives out the IP address of one of the GSLB Services that is bound to it.

Configure the GSLB vServer identically on both appliances:

  1. On the left, expand Traffic Management > GSLB and click Virtual Servers.
  2. On the right, click Add.
  3. Give the GSLB vServer a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
  4. Make sure Service Type is set correctly.
  5. If you intend to bind multiple GSLB Services to this GSLB vServer, then you can optionally check the box for Send all “active” service IPs. By default, GSLB only gives out one IP per DNS query. This checkbox always returns all IPs, but the IPs are ordered based on the GSLB Load Balancing Method and/or GSLB Persistence.
  6. Click OK.
  7. On the right, in the Advanced column, click Service.
  8. On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
  9. Click the arrow next to Click to select.
  10. Check the box next to an existing GSLB Service and click OK. If your GSLB is active/passive then only bind one service.
  11. If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
  12. Click Bind.
  13. On the right, in the Advanced column, click Domains.
  14. On the left, click where it says No GSLB Virtual Server Domain Binding.
  15. Enter the FQDN that GSLB will resolve.
  16. If this GSLB is active/passive, there are two options:
    • Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
    • Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
  17. Click Bind.
  18. If this is active/active GSLB, you can edit the Method section to enable Static Proximity. This assumes the Geo Location database has already been installed on the appliance.
  19. Also for active/active, if you don’t want to use Cookie-based persistence, then you can use the Persistence section to configure Source IP persistence.
  20. Click Done.
  21. If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.

  22. On the left, if you expand Traffic Management > DNS, expand Records, and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.

  23. Create identical GSLB Virtual Servers on the other NetScaler appliance. Both NetScalers must be configured identically.
  24. You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
  25. On the right, click Synchronize configuration on remote sites.
  26. Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.

Some notes regarding GSLB Sync:

  • It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
  • GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
  • GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (if RPC is Secure) and TCP 22.

Test GSLB

  1. To test GSLB, simply point nslookup to the ADNS services and submit a DNS query for one of the DNS names bound to a GSLB vServer. Run the query multiple times to make sure you’re getting the response you expect.
  2. Both NetScaler ADNS services should be giving the same response.
  3. To simulate a failure, disable the traffic Virtual Server.
  4. Then the responses should change. Verify on both ADNS services.
  5. Re-enable the traffic Virtual Server, and the responses should return to normal.
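The check in the steps above, scripted as an added example that is not from the original article: query each ADNS service several times and confirm that both hand out the same set of VIPs and nothing outside the set you expect. The ADNS IPs, the FQDN and the expected VIPs are assumed sample values.

```powershell
# Added example, not from the original article. The addresses and name below are
# constructed sample values: replace them with your ADNS service IPs and GSLB FQDN.
function Test-GslbAnswers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,          # FQDN bound to the GSLB vServer
        [Parameter(Mandatory)][string[]]$AdnsServer,  # ADNS service IP on each NetScaler
        [string[]]$ExpectedIp = @(),                  # VIPs GSLB is allowed to hand out
        [int]$Repeat = 10
    )

    $perServer = foreach ($server in $AdnsServer) {
        $seen = @{}
        for ($i = 0; $i -lt $Repeat; $i++) {
            try {
                # -DnsOnly / -NoHostsFile force a real query to $server instead of the local cache
                $answers = Resolve-DnsName -Name $Name -Server $server -Type A -DnsOnly -NoHostsFile -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' }
                foreach ($a in $answers) { $seen[[string]$a.IP4Address] = $true }
            } catch {
                Write-Warning "$server did not answer for ${Name}: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Server     = $server
            Answers    = @($seen.Keys | Sort-Object)
            Unexpected = @($seen.Keys | Where-Object { $ExpectedIp.Count -gt 0 -and ($_ -notin $ExpectedIp) })
        }
    }

    # Both ADNS services must return the same set of VIPs; a difference usually means
    # the GSLB configuration is not identical on both appliances or MEP is down.
    $distinct = @($perServer | ForEach-Object { $_.Answers -join ',' } | Sort-Object -Unique)
    [pscustomobject]@{
        Name         = $Name
        PerServer    = $perServer
        ServersAgree = ($distinct.Count -eq 1)
        AllExpected  = -not ($perServer | Where-Object { $_.Unexpected.Count -gt 0 })
    }
}

# Run once before and once after disabling a traffic Virtual Server; for active/passive
# the Answers set should switch from the primary VIP to the Backup IP and back again.
$report = Test-GslbAnswers -Name 'gateway.corp.com' `
    -AdnsServer '203.0.113.10', '198.51.100.10' `
    -ExpectedIp '203.0.113.20', '198.51.100.20' -Repeat 10

$report.PerServer | Format-Table Server,
    @{ n = 'Answers';    e = { $_.Answers -join ' ' } },
    @{ n = 'Unexpected'; e = { $_.Unexpected -join ' ' } } -AutoSize
if (-not $report.ServersAgree) { Write-Warning 'ADNS services disagree: compare the GSLB config on both appliances' }
if (-not $report.AllExpected)  { Write-Warning 'An ADNS service returned an IP that is not one of the expected VIPs' }
```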


DNS Delegation

If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.

DNS Delegation instructions will vary depending on what product hosts the public DNS zone. This section details Microsoft DNS, but it should be similar in BIND or web-based DNS products.

There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:

  • Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
  • Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.

This section covers the first method – delegating an individual DNS record:

  1. Run DNS Manager.
  2. First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
  3. The first Host record is gslb1 (or similar) and should point to the ADNS service (Public IP) on one of the NetScaler appliances.
  4. The second Host record is gslb2 and should point to the ADNS Service (public IP) on the other NetScaler appliance.
  5. If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
  6. Right-click the parent DNS zone and click New Delegation.
  7. In the Welcome to the New Delegation Wizard page, click Next.
  8. In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
  9. In the Name Servers page, click Add.
  10. This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
  11. Then click Add to add the other GSLB ADNS server.
  12. Once both ADNS servers are added to the list, click Next.
  13. In the Completing the New Delegation Wizard page, click Finish.
  14. If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.

That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the GSLB Service IP bound to the Backup GSLB vServer.
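The same individual-record delegation done from PowerShell with the DnsServer module instead of DNS Manager, as an added example that is not from the original article. The zone name and the ADNS addresses are assumed sample values.

```powershell
# Added example, not from the original article. Run on the Microsoft DNS server that
# hosts the parent zone. Zone and ADNS public IPs are constructed sample values.
Import-Module DnsServer

$zone      = 'corp.com'
$delegated = 'gateway'                                   # left part of gateway.corp.com
$adns      = [ordered]@{ gslb1 = '203.0.113.10'; gslb2 = '198.51.100.10' }   # ADNS service (public) IPs

# 1. Host records for the ADNS services. These are reused by every GSLB delegation.
foreach ($entry in $adns.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $entry.Key -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $entry.Key -IPv4Address $entry.Value
    }
}

# 2. An existing A record for the name being delegated would shadow the delegation, so remove it.
Get-DnsServerResourceRecord -ZoneName $zone -Name $delegated -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force

# 3. Delegate gateway.corp.com to the first ADNS server, then add the second as another NS record.
Add-DnsServerZoneDelegation -Name $zone -ChildZoneName $delegated -NameServer "gslb1.$zone" -IPAddress $adns['gslb1']
Add-DnsServerResourceRecord -ZoneName $zone -Name $delegated -NS -NameServer "gslb2.$zone"

# 4. Verify: the zone must now hold NS records for both ADNS servers, and a normal A lookup is
#    answered by NetScaler (non-authoritative from this server's point of view).
Get-DnsServerResourceRecord -ZoneName $zone -Name $delegated -RRType NS |
    Format-Table HostName, RecordType, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } } -AutoSize
Resolve-DnsName -Name "$delegated.$zone" -Type A -Server localhost -DnsOnly |
    Format-Table Name, Type, IP4Address -AutoSize
```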

Geo Location Database

If you want to use DNS Policies or Static Proximity GSLB Load Balancing or Responders based on user’s location, import a geo location database. Common free databases are IP2Location and GeoLite Legacy, both covered below.

For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.

For GeoLite Legacy:

  1. Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
  2. Note: GeoLite City is actually two files that must be merged as detailed at Citrix Blog Post GeoLite City as NetScaler location database. GeoLite Country doesn’t need any preparation.
  3. Upload the extracted database (.csv file) to the NetScaler appliance at /var/netscaler/locdb.

To import the Geo database:

  1. In the NetScaler GUI, on the left, expand AppExpert, expand Location, and click Static Database (IPv4).
  2. On the right, click Add.
  3. Browse to the location database file.
  4. In the Location Format field, select geoip-country and click Create.
  5. When you open a GSLB Service, the public IP will be translated to a location.

You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders:

Remote PC

Last Modified: Dec 11, 2019 @ 4:59 am


Remote PC Catalog

  1. In Citrix Studio, create a Machine Catalog.
  2. In the Introduction page, click Next.
  3. In the Operating System page, select Remote PC Access, and click Next.
  4. In the Machine Accounts page, click Add OUs.
  5. Browse to an OU containing office PCs. Check the box next to Include subfolders, and click OK.
  6. Then click Next.
  7. Name the catalog Remote PC or similar, and then click Finish.
  8. After the Catalog is created, you can Edit Machine Catalog to add more OUs.
  9. Or explicitly add individual machines to the Catalog.

Remote PC Delivery Group

  1. Create a Delivery Group.
  2. In the Introduction page, click Next.
  3. In the Machines page, highlight the Remote PC catalog, and click Next.
  4. Add users that can access the Remote PCs, and then click Next.
  5. In the Desktop Assignment Rules page, adding an entry here will let users connect to unassigned machines. If you don’t add anything here, then users can only connect to machines to which they’ve been explicitly assigned. Click Next.
  6. In the Summary page, enter a name for the Delivery Group, and then click Finish.
  7. Click Yes when prompted that there are no desktops to deliver.

Multiple Users per PC

Citrix CTX137805 How to Switch Off Remote PC Access Multiple User Assignment in XenDesktop 7.x: By default, when using Remote PC Access in Citrix Virtual Apps and Desktops (CVAD), anybody that logs into the console session of the physical PC is automatically assigned to the Catalog machine in Citrix Studio. This can result in multiple users assigned to the same machine. For IT desktop support staff that routinely log into multiple PCs to support them, the IT staff could see many more machines in StoreFront than they intend.

To stop this, on every Delivery Controller, configure the following registry value so only the first user to log on to the machine after it has registered with the Citrix Broker service gets assigned to the machine. You can still manually assign users to machines using Studio or Director.

  • HKLM\Software\Citrix\DesktopServer\
    • AllowMultipleRemotePCAssignments (DWORD) = 0
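An added example, not from the original article, that sets the registry value on each Delivery Controller and then audits the Remote PC catalog for machines that already carry more than one assignment, since the value only affects logons that happen after it is set. Controller names, the catalog name and the machine/user keep list are assumed sample values.

```powershell
# Added example, not from the original article. Controllers, catalog name and the
# entries in $Keep are constructed sample values. Run from a machine with the Citrix snap-ins.
Add-PSSnapin Citrix.*

function Set-SingleUserRemotePC {
    # AllowMultipleRemotePCAssignments = 0: only the first user to log on after the machine
    # registers with the Broker is assigned. Must be set on every Delivery Controller.
    param([Parameter(Mandatory)][string[]]$Controller)
    Invoke-Command -ComputerName $Controller -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
        Set-ItemProperty -Path $key -Name AllowMultipleRemotePCAssignments -Value 0 -Type DWord
        [pscustomobject]@{
            Controller = $env:COMPUTERNAME
            Value      = (Get-ItemProperty -Path $key).AllowMultipleRemotePCAssignments
        }
    }
}

function Get-OverAssignedRemotePC {
    # The registry value does not undo assignments that already happened, so list machines
    # that have more than one user (typically the owner plus desktop support staff).
    param([string]$CatalogName = 'Remote PC')
    Get-BrokerMachine -CatalogName $CatalogName -MaxRecordCount 10000 |
        Where-Object { $_.AssociatedUserNames.Count -gt 1 } |
        Select-Object MachineName, LastConnectionUser,
            @{ n = 'AssignedUsers'; e = { $_.AssociatedUserNames -join '; ' } }
}

function Remove-ExtraRemotePCUsers {
    # Strip every assignment except the one user you name per machine. Review with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Keep)   # e.g. @{ 'CORP\WIN1002' = 'CORP\user01' }
    foreach ($machineName in $Keep.Keys) {
        $m = Get-BrokerMachine -MachineName $machineName
        foreach ($u in $m.AssociatedUserNames) {
            if ($u -eq $Keep[$machineName]) { continue }
            if ($PSCmdlet.ShouldProcess($machineName, "Remove assignment for $u")) {
                Remove-BrokerUser -Machine $machineName -Name $u
            }
        }
    }
}

Set-SingleUserRemotePC -Controller 'xdc01.corp.local', 'xdc02.corp.local' | Format-Table -AutoSize
Get-OverAssignedRemotePC | Format-Table -AutoSize
Remove-ExtraRemotePCUsers -Keep @{ 'CORP\WIN1002' = 'CORP\user01' } -WhatIf
```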

Wake On LAN

If you have SCCM configured for Wake On LAN, you can connect Citrix Virtual Apps and Desktops (CVAD) to SCCM to power manage the Remote PC machines.

  1. In Citrix Studio, go to Configuration, right-click Hosting, and click Add Connection and Resources.
  2. In the Connection page, change the selection to Create a new connection.
  3. Change the Connection type to Microsoft Configuration Manager Wake on LAN.
  4. Enter the SCCM server’s FQDN.
  5. Enter SCCM credentials. The SCCM credentials you specify must include collections in the scope, and the Remote Tools Operator role.
  6. Give the Connection a name, and click Next.
  7. In the Summary page, click Finish.
  8. Edit the Remote PC Machine Catalog.
  9. In the Power Management page, change the selection to Yes, and click OK.

Install VDA on PC

  1. Windows 10 Compatibility – CTX224843 Windows 10 compatibility with Citrix Virtual Desktops (XenDesktop)
  2. On the PC, install .NET Framework 4.7.1 (or newer).
  3. Disable power saving options (e.g. Hibernate, Sleep, etc.)
  4. If Wake on LAN is desired, configure the PC’s BIOS and NIC to enable Wake on LAN.
    • Make sure SCCM Agent is installed, and Hardware Inventory has run at least once.
  5. Download Standalone Virtual Delivery Agent 7.15 LTSR Cumulative Update 4 or Virtual Delivery Agent 1909. It’s in the Components that are on the product ISO but also packaged separately section.
  6. Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.12 and newer have two standalone installers for Desktop OS. The Desktop OS Core Services VDA is designed specifically for Remote PC, and is the smallest installer available.
    Note: the Core Services installer does not include Browser Content Redirection. See CTX240182 for manual BCR installation instructions.
  7. Remote PC is typically installed on many distributed PCs. Use a software deployment tool to install the VDA package using CLI parameters. See Use the standalone VDA installer at Citrix Docs for more information.
  8. For the Core Services VDA 7.12 and newer, use a command line similar to the following:
    VDAWorkstationCoreSetup_1909.exe /quiet /controllers "xdc01.corp.local xdc02.corp.local" /enable_hdx_ports /noreboot
  9. For the larger standalone Virtual Desktop Agent (or VDAs older than 7.12), use the /remotepc switch. The /components switch lets you exclude Receiver.
    VDAWorkstationSetup_1909.exe /quiet /remotepc /components VDA /controllers "xdc01.corp.local xdc02.corp.local" /enable_framehawk_port /enable_remote_assistance /enable_hdx_ports /enable_real_time_transport /noreboot
  10. CTX256820 When a user connects to his physical VDA using Remote PC Access, the monitor layout order changes. 💡
    1. On the Remote PC machine, in regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Graphics
    2. Create a DWORD named UseSDCForLocalModes and set it to 1.
  11. Vrajesh Subrahari at Remote PC Solution Issue – The virtual machine ‘Unknown’ cannot accept additional sessions at Citrix Discussions recommends disabling Fast Boot. 💡
    1. On the Remote PC machine, in regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power\.
    2. Set HiberbootEnabled to 0.
  12. After the machine is rebooted, if the machine is in one of the OUs assigned to the Remote PC Catalog, then the machine will be automatically added to the Catalog and the Delivery Group.
  13. When somebody logs into the console of the machine, that user will be automatically assigned to the machine. You can use the Change User link on the right to change or add users. Multiple users can be assigned to one machine.
  14. When the user logs into StoreFront, the user will see the actual machine name.
  15. The name displayed in StoreFront can be changed by running Set-BrokerPrivateDesktop MyMachine -PublishedName MyDisplayName.

Remote PC Maintenance

Assign/Un-assign users – There are four methods of assigning users to desktops:

  • Let Remote PC do it automatically. The first user that logs into the physical machine will be assigned to the desktop. If single user mode is not enabled then all other users that log into the machine will also be assigned to the desktop.
  • In Citrix Studio, find the machine, right-click it, and click Change User.
  • In Director, go to machine details and click Manage Users.
  • Use PowerShell:
    asnp citrix.*
    Remove-BrokerUser -Machine 'CORP\WIN1002' -Name 'CORP\user01'
    Add-BrokerUser -Machine 'CORP\WIN1002' -Name 'CORP\user01'

Rename desktop icon – For Remote PC, the icon displayed to the user is the actual machine name. This sometimes is not very intuitive. The name displayed to the user can be changed by running a PowerShell command.

asnp citrix.*
Set-BrokerPrivateDesktop CORP\WIN10002 -PublishedName "Users Desktop"

Display last login time for the machines – Use the following PowerShell to display desktops sorted by when they were last used. Adjust the date filter as desired. You can manually remove the older machines or pipe the results to Remove-BrokerMachine.

asnp citrix.*

Get-BrokerDesktop -CatalogName "Remote PC" -filter {LastConnectionTime -le "2015-02-28"} -property AssociatedUserNames,MachineName,LastConnectionTime | Sort-Object LastConnectionTime

The above PowerShell command uses the -filter and -property switches. These switches process the filtering on the server-side, which improves performance.

Horizon View Load Balancing – NetScaler 10.5

Last Modified: Jan 4, 2019 @ 7:55 am

Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

A typical Horizon View Installation will have at least six connection servers:

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ View Security Servers – these need to be load balanced on a DMZ VIP
  • The DMZ View Security Servers are paired with two additional internal View Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

If you are using Access Points instead of Security Servers then you’ll have the following machines. Server pairing is not necessary.

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ VMware Access Point appliances – these need to be load balanced on a DMZ VIP

This topic is focused on traditional View Security Servers but could be easily adapted for Access Point appliances. The difference is that with Access Points there are no paired servers and thus there’s no need to monitor the paired servers. The VIP ports are identical for both solutions.

Monitors

Users connect to Horizon View Connection Server, Horizon View Security Server, and Access Point appliances on four ports: TCP 443, TCP 8443, TCP 4172, and UDP 4172. Users will initially connect to port 443 and then be redirected to one of the other ports on the same server initially used for the 443 connection. If one of the ports is down, the entire server should be removed from load balancing. To facilitate this, create a monitor for each of the ports (except UDP 4172).

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it View-PCOIP or similar.
  4. Change the Type drop-down to TCP.
  5. In the Destination Port field, enter 4172.
  6. Scroll down and click Create.
  7. On the right, click Add.
  8. Name it View-Blast or similar.
  9. Change the Type drop-down to TCP.
  10. In the Destination Port field, enter 8443.
  11. Scroll down and click Create.
  12. On the right, click Add.
  13. Name it View-SSL or similar.
  14. Change the Type drop-down to HTTP-ECV.
  15. In the Destination Port field, enter 443.
  16. Scroll down and check the box next to Secure.
  17. On the Special Parameters tab, in the Send String section, enter GET /broker/xml/
  18. In the Receive String section, enter clientlaunch-default.
  19. Scroll down and click Create.
  20. View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it. Right-click the existing View-SSL or View-SSLAdv monitor and click Add.
  21. Note: this step does not apply to Access Points. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name.
  22. Note: this step does not apply to Access Points. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired View Connection Server IP.

Servers

Create Server Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the View Connection Server or View Security Server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding View Connection Servers or View Security Servers.

Services

If deploying View Security Servers, create Services Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Services Objects for the Paired Connection Servers.

If deploying Access Points, create Services Objects for the DMZ Access Point appliances and the internal Connection Servers

Each connection server and security server needs separate Service objects. Each Security Server listens on multiple port numbers and thus there will be multiple Services Objects for each Security Server.

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

  • Create services for SSL 443
  • To verify server availability, monitor port TCP 443 on the same server.
  • If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create services and monitors for these ports.

Security Servers and Access Points are more complex:

  • The PCoIP Secure Gateway and HTML Blast Secure Gateway are typically enabled on Security Servers and Access Points but they are not typically enabled on internal Connection Servers.
  • All traffic initially connects on TCP 443. For Security Servers and Access Points, the clients then connect to UDP 4172 or TCP 8443 on the same Security Server. If UDP 4172 or TCP 8443 are down, then you probably want to make sure TCP 443 is also brought down.
  • Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down. This does not apply to Access Points.
  • To accommodate these failure scenarios, bind multiple monitors to the View Security Server or Access Point load balancing Services. If any of the monitors fails then NetScaler will no longer forward traffic to 443 on that particular server.

If you have two View Security Servers or Access Points named VSS01 and VSS02, the configuration is summarized as follows (scroll down for detailed configuration):

  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS01. This monitor is not needed on Access Points.
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS02. This monitor is not needed on Access Points.
  • Service = VSS01, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)

If you are not using HTML Blast then you can skip 8443. If you are not using PCoIP Secure Gateway, then you can skip the 4172 ports.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  2. On the right, click Add.
  3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
  4. Change the selection to Existing Server and select the View Security Server or internal (non-paired) View Connection Server you created earlier.
  5. Change the Protocol to SSL_BRIDGE and click OK.
  6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
  7. Click Add Binding.
  8. Click the arrow next to Click to select.
  9. Select the View-SSL monitor and click OK.
  10. Then click Bind.
  11. If this is a View Security Server, add monitors for PCoIP and HTML Blast. If any of those services fails, then 443 needs to be marked DOWN.
  12. If this is a View Security Server, also add a monitor that has the IP address of the paired View Connection Server. If the paired View Connection Server is down, then stop sending connections to this View Security Server.
  13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
  14. Then click Done.
  15. Right-click the first service and click Add.
  16. Change the name to match the second View Server.
  17. Use the Server drop-down to select to the second View Server.
  18. The remaining configuration is identical to the first server. Click OK.
  19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.
  20. Add another Service for PCoIP on TCP 4172.
    1. Name = svc-VSS01-PCoIPTCP or similar.
    2. Server = Existing Server, select the first View Server.
    3. Protocol = TCP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  21. Repeat for the 2nd View Security Server.
  22. Add another Service for PCoIP on UDP 4172.
    1. Name = svc-VSS01-PCoIPUDP or similar.
    2. Existing Server = first View Server
    3. Protocol = UDP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  23. Repeat for the 2nd View Server.
  24. Add another Service for HTML Blast on SSL_BRIDGE 8443.
    1. Name = svc-VSS01-HTMLBlast or similar.
    2. Existing Server = the first View Server
    3. Protocol = SSL_BRIDGE
    4. Port = 8443.
    5. Monitors = View-Blast. You can add the other monitors if desired.
  25. Repeat for the 2nd View Server.
  26. The eight services should look something like this:
  27. Repeat these instructions to add the internal (non-paired) View Connection Servers except that you only need to add services for SSL_BRIDGE 443 and only need monitoring for 443.

Load Balancing Virtual Servers

Create separate load balancers for internal and DMZ.

  • Internal load balances the two non-paired Internal View Connections Servers.
  • DMZ load balances the two View Security Servers¬†or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal View Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, tunneling is enabled on the View Security Servers and Access Point appliances so you will need separate load balancers for each port number. Here is a summary of the Virtual Servers:

  • Virtual Server on SSL_BRIDGE 443 – bind both View SSL Services.
  • Virtual Server on UDP 4172 – bind both View PCoIPUDP Services.
  • Virtual Server on TCP 4172 – bind both View PCoIPTCP Services.
  • Virtual Server on SSL_BRIDGE 8443 – bind both View Blast Services.

Do the following to create the Virtual Servers:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, click Add.
  3. Name it View-SSL-LB or similar.
  4. Change the Protocol to SSL_BRIDGE.
  5. Specify a new internal VIP. This one VIP will be used for all of the Virtual Servers.
  6. Enter 443 as the Port.
  7. Click OK.
  8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
  9. Click the arrow next to Click to select.
  10. Select the two View-SSL Services and click OK.
  11. Click Bind.
  12. Click OK.
  13. Then click Done. Persistency will be configured later.
  14. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
    3. Services = the PCoIP UDP Services.
  15. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
    3. Services = the PCoIP TCP Services.
  16. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for HTML Blast SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
    3. Services = the HTML Blast SSL_BRIDGE Services.
  17. This gives you four Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Point appliances, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

If tunneling is disabled on the internal View Connection Servers then you probably only have one load balancer for those servers and thus you could configure persistence directly on that one load balancer instead of creating a Persistency Group. However, since the View Security Servers have multiple load balancers then you need to bind them together in a Persistency Group.

  1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
  2. On the right, click Add.
  3. Give the Persistency Group a name (e.g. View).
  4. Change the Persistence to SOURCEIP.
  5. Enter a timeout that is equal to or greater than the timeout in View Administrator, which defaults to 10 hours (600 minutes).
  6. In the Virtual Server Name section, click Add.
  7. Move all four View Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

Horizon View Configuration

  1. On the View Security Servers (or View Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
  2. Make sure the private key is exportable.
  3. Set the Friendly Name to vdm and restart the View Security Server services.
  4. In View Administrator, go to View Configuration > Servers.
  5. On the right, switch to the Security Servers tab.
  6. Highlight a server and click Edit.
  7. Change the URLs to the FQDN that resolves to the load balancing VIP.
  8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.

Citrix Policy Settings

Last Modified: Dec 21, 2019 @ 5:13 pm


Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one Citrix Virtual Apps and Desktops site/farm and import them to another.

GPOs linked to an Active Directory OU can apply to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.

If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

# Map the local site's policies and the target GPO as PowerShell drives using the CitrixGroupPolicy provider.
# "MyController" is a Delivery Controller and "MyGPO" is the display name of the target GPO; replace both.
New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"
New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

# Copy the User policies, then the Computer policies, from the site database into the GPO.
cd LocalFarmGpo:\User
copy * TargetGPO:\User
cd LocalFarmGpo:\Computer
copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine:

  1. Login to a machine that has Group Policy Management Console (Windows Feature) installed.
  2. Citrix CTX225741 Citrix GPMC Console 3.0.0 crashing in Win 2K12R2 DC when editing polices says that Visual C++ Redistributable for Visual Studio 2015 should be installed first.
  3. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the Citrix Virtual Apps and Desktops ISO. Make sure all Group Policy consoles are closed first.
  4. Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR comes with Citrix Group Policy Management 7.24.0.0.

    • XenApp/XenDesktop 7.15 LTSR Cumulative Update 5 comes with Citrix Group Policy Management 3.1.5000.0.
  5. Click Finish to complete the wizard.
  6. Citrix releases quarterly updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed), and Studio machines.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer half of the GPO show only Computer settings. Later, we’ll configure Citrix Policies in the User half of the GPO, which has a different set of settings (User settings).
  8. Some of the settings detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to Auto Client Reconnect.
  12. Click Add next to the setting Auto client reconnect logging.

  13. Change the Value to Log auto-reconnect events, and click OK.
  14. Change the Categories drop-down to End User Monitoring.
  15. Click Add next to the setting ICA round trip calculations for idle connections.
  16. Change the selection to Enabled, and click OK.
  17. Change the Categories drop-down to Local App Access.
  18. Click Add next to the setting Allow Local App Access.
  19. Change the selection to Allowed, and click OK. Note: Local App Access interferes with Bidirectional Content Redirection in Receiver 4.7 and newer. See https://www.carlstalhood.com/published-applications/#laa for more info on Local App Access.
  20. Change the Categories drop-down to Printing.
  21. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.
  22. Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  23. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  24. Click Add next to the setting Enable monitoring of application failures.
  25. You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  26. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.
  27. Change the setting to Allowed, and click OK. See CTX223927 How to use Director to troubleshoot application launch errors for details.
  28. Click Add next to the setting Enable process monitoring.  Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.
  29. Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. On the Settings tab, change the Categories drop-down to Audio.
  5. Click Add next to the setting Audio quality.
  6. Change the Value to Medium – optimized for speech, and click OK.
  7. Change the Categories drop-down to Client Sensors.
  8. Click Add next to the Allow applications to use the physical location setting.
  9. Change the selection to Allowed, and click OK.
  10. Change the Categories drop-down to Mobile Experience.
  11. Click Add next to the Automatic keyboard display setting.
  12. Change the selection to Allowed, and click OK.
  13. Click Add next to the Remote the combo box setting.
  14. Change the selection to Allowed, and click OK.
  15. Change the Category drop-down to Multimedia.
  16. Click Add next to the Use GPU for optimizing Windows Media setting.
  17. Change the selection to Allowed, and click OK.
  18. Change the Categories drop-down to Printing.
  19. Click Add next to the setting Auto-create PDF Universal Printer.
  20. Change the selection to Enabled, and click OK.

    1. This setting normally only applies to sessions using HTML5 Receiver or HTML5 Workspace app.
    2. In Citrix Virtual Apps and Desktops (CVAD) 1808 or newer, and Workspace app 1808 or newer, the PDF Universal Printer also applies to regular Workspace app connections and is no longer limited to HTML5 connections.
  21. Click Add next to the setting Automatic installation of in-box printer drivers.
  22. Change the selection to Disabled, and click OK.
  23. Click Add next to the setting Direct connections to print servers.
  24. Change the selection to Disabled, and click OK.
  25. Click Add next to the setting Printer auto-creation event log preference.
  26. Change the Value to Log errors only, and click OK.
  27. Click Add next to the setting Universal print driver usage.
  28. Change the Value to Use universal printing only.
  29. Change the Categories drop-down to Session Limits.
  30. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO.

  31. Change the Categories drop-down to Time Zone Control.
  32. Click Add next to the setting Use local time of client.
  33. Change Value to Use client time zone. Note: you must also configure the Microsoft GPO Remote Desktop Session Host time zone setting.
  34. CVAD 1906 has a new policy for Desktop OS only that can revert to the VDA’s original time zone when the user disconnects or logs off. It’s called Restore Desktop OS time zone on session disconnect or logoff.
  35. Change the Categories drop-down to USB Devices.
  36. Click Add next to the setting Client USB device redirection.
  37. Change the selection to Allowed, and click OK. This is the last generic setting. See the next couple of sections for more settings.

Also see:

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated feature.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.3.100 or newer).



  6. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  8. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Blog Post What graphics policies do I need, and when? says you should not change any Citrix Policy Graphics Settings. The only exception is 3D workloads, which should have the Visual Quality user setting set to Build to Lossless.

Citrix Blog Post HDX Graphics Encoder Configuration Overview: a comprehensive overview of all relevant HDX Graphics Encoder settings. This overview should give you guidance and allow you to configure an optimal HDX policy set based on your own needs. It includes a Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, almost every setting has a review box. The review boxes contain, where applicable, the policy name, facts & figures, recommendations, and example use cases.

In 1811 and newer, Graphics Status Indicator replaces the Lossless Indicator.

  • Graphics Status Indicator can be enabled in a Citrix policy in the user half in the Category named Graphics.
  • The graphics status indicator should eventually show up in the system tray.

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, the Internet, etc. In 7.12, EDT was Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.13 and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

  • VDA 7.13 or 1808 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer. Or upgrade to Workspace app.
  • Receiver for Mac must be 12.5 or newer. Or upgrade to Workspace app.
  • StoreFront must be 3.9 or newer.
  • HDX Insight requires NetScaler ADC 12.1 build 49 and newer
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features are not supported with EDT at this time:
  • Use a Citrix Policy to enable EDT. The HDX Adaptive Transport setting is in the Computer half of a GPO. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active.

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro hardware. Install the Intel Graphics Drivers before installing the VDA. If the VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware.

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • In 7.18 and newer, Selective H.264 uses H.264 for build to lossless instead of JPEG for build to lossless.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

  • Remote Display Analyzer (RDAnalyzer) lets you see the current Citrix codec and change it on the fly.
  • GPUPerf 3.0 – free tool that shows Frames per Second and other GPU stats.

 

From https://discussions.citrix.com/topic/347341-specific-application-freezes-receiver-41-session-window/: If you experience graphics performance problems in XenDesktop 7.6, consider configuring the following settings:

  • ICA \ Desktop UI \ Desktop Composition Redirection = Disabled
  • ICA \ Graphics \ Legacy Graphics Mode = Enabled

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.

 

XenDesktop 7.17 adds a Session Watermark feature.

Find the settings in the user half of a Citrix Policy under the Session Watermark category.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection”
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

Group Policy User Settings for VDAs

Last Modified: Jan 17, 2020 @ 6:47 am


User Lockdown

The following is a list of Group Policy Settings recommended by Microsoft to lockdown a Remote Desktop Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies.

This page assumes the GPOs have already been created and Loopback Processing has already been enabled.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel GPO Settings

  • User Configuration | Policies | Administrative Templates | Control Panel
    • Always open All Control Panel Items when opening Control Panel = enabled
    • Show only specified Control Panel items = enabled, canonical names =
      • Microsoft.RegionAndLanguage
      • Microsoft.NotificationAreaIcons
      • MLCFG32.CPL
      • Microsoft.Personalization
      • Microsoft.Mouse
      • Microsoft.DevicesAndPrinters
      • Microsoft.System (lets users see the computer name)
  • User Configuration | Policies | Administrative Templates | Control Panel | Programs
    • Hide the Programs Control Panel = enabled

Settings Page Visibility

The September 2018 patches for Windows 2016 and Windows 10 add control of Settings Page Visibility in both the Computer half of the GPO (applies to all users), and now in the User half of the GPO (can apply to non-admin users).

  1. Make sure the Windows 10 and Windows 2016 VDAs are patched to at least the September 2018 Cumulative Update.
    • For Windows 2016, winver should show OS Build 14393.2515 or higher.
    • For Windows 10 1803, winver should show OS Build 17134.320 or higher.
  2. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and find the file¬†ControlPanel.admx. If it is not dated August 30 or later, then you’ll need to copy the updated version.

    1. On one of these newer VDAs, go to C:\Windows\PolicyDefinitions and copy the file ControlPanel.admx. The September 2018 patch updated this file.
    2. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the .admx file. Overwrite the existing file.
    3. On one of these newer VDAs, go to C:\Windows\PolicyDefinitions\en-US and copy the file ControlPanel.adml.
    4. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions\en-US and paste the .adml file. Overwrite the existing file.
  3. Edit the Non-Admin Users GPO.
  4. Go to User Configuration | Policies | Administrative Templates | Control Panel.
  5. On the right is Settings Page Visibility.
  6. Winaero How To Hide Settings Pages in Windows 10 describes this new setting. Also see TechNet Hiding pages in Settings with Windows 10 1703. A sample configuration is: showonly:printers;colors. According to Server 2016 & PC Settings/Immersive Control Panel at Citrix Discussions, the maximum length for this field is 255 characters.
  7. When the non-admin user logs into a Windows 10 or Windows Server 2016 VDA that has the September update installed, the Settings pages are restricted based on the GPO configuration. Since this GPO setting is in the user half of the Non-admin users GPO, admins can still see all Settings pages.

Desktop GPO Settings

  • User Configuration | Policies | Administrative Templates | Desktop

If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.

On Windows Server 2016, screen saver idle time does not work. Arjan Mensch developed a tool to lock the screen after a period of idle time. Launch the tool from a Group Policy login script. Download the tool from Enforcing lock screen after idle time Windows Server 2016 RDS Session Host.

Start Menu and Taskbar GPO Settings

  • User Configuration | Policies | Administrative Templates | Start Menu and Taskbar
    • Clear the recent programs list for new users = enabled
    • Do not allow pinning Store app to the taskbar = enabled
    • Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
      • In Windows 10 1709, if you want to remove the Power Button, in the VDA, set HKLM\Software\Microsoft\PolicyManager\current\device\Start\HidePowerButton (DWORD) = 1. Source = Power Button Windows 10 VDI at Citrix Discussions.
    • Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user’s Start Menu/Desktop. Also, enabling this setting might prevent Outlook 2013 desktop alerts. Microsoft 3014833)
    • Remove Help menu from Start Menu = enabled (Windows 7 / 2008 R2 only)
    • Remove links and access to Windows Update = enabled
    • Remove Network icon from Start Menu = enabled¬†(Windows 7 / 2008 R2 only)
    • Remove Run menu from Start Menu = enabled (not recommended)
    • Remove the Action Center icon = enabled (not in Windows 10)
    • Remove the networking icon = enabled
    • Remove the People Bar from the taskbar = enabled (Windows 10 1703 and later)
    • Remove the Security and Maintenance icon = enabled (Windows 10)
    • Remove user folder link from Start Menu = enabled (Windows 7 / 2008 R2 only)

If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu prevents users from entering UNC paths or drive letters in Internet Explorer.

Start Menu pinned tiles

  • Configure Start Menu pinned tiles as desired
    • Remove Server Manager
    • Remove PowerShell
    • Etc.
  • Use Export-StartLayout to save to an .xml file.
  • Use Import-StartLayout to import to the Default User profile. All new users (new profiles) will get the customized Start Menu layout.

CTP James Rankin Dynamic Start Menu on Server 2016/2019 and Windows 10 using FSLogix App Masking

CTP James Kindon AppMasking The Windows Start Menu using FSLogix

Kasper Johansen The Windows Server 2019 Start Menu Is Playing Nice:

  • Clean up the default Start Menu
  • Use AppLocker to prevent access to Windows Security

CTP James Kindon Windows 10 Start Menu: declutter the default:

  • To eliminate the Start Menu tiles, remove Store apps, and Edge.

CTP James Rankin Management of Start Menu and Tiles on Windows 10 and Server 2016, part #1 contains the following:

  • LayoutModification.xml in Default User Profile
  • Start Screen Layout Group Policy setting
  • Partially-locked layout
  • FSLogix to apply a custom default layout for different user groups on the same device, and allowing users to customize all of it

CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains the following:

  • Lock down a section of the Start Menu
  • Configure Citrix Profile Management to roam the Start Menu
  • Remove Provisioned Apps
  • Tune Windows using OS Optimization Tool
  • Disable Telemetry services

Microsoft Technet Customize Windows 10 Start with Group Policy.

System GPO Settings

  • User Configuration | Policies | Administrative Templates | System
    • Prevent access to registry editing tools = enabled, Disable regedit from running silently = No
    • Prevent access to the command prompt = enabled, Disable command prompt script processing = No

Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.

Explorer GPO Settings

  • User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
    • Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
    • Hides the Manage item on the File Explorer context menu = enabled
    • Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can’t use Start Menu’s search to find programs.
    • Prevent users from adding files to the root of their Users Files folder = enabled
    • Remove “Map Network Drive” and “Disconnect Network Drive” = enabled
    • Remove Hardware tab = enabled
    • Remove Security Tab = enabled
    • Turn off caching of thumbnail pictures = enabled
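The two drive-restriction settings above only offer fixed letter combinations in the ADMX UI. Behind them are the per-user Explorer policy values NoDrives (hide) and NoViewOnDrive (prevent access), a DWORD bitmask with one bit per letter, so any other set of drives has to be written as the raw mask. The following PowerShell is an added example, not code from the article; the function names are mine, and the registry value names are the standard Explorer policy values rather than anything the article lists.

```powershell
# Added example (not from the original article). NoDrives / NoViewOnDrive are
# DWORD bitmasks where bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, so the ADMX option
# "Restrict A, B, C, and D drives only" is 15 (binary 1111). Any other set of
# letters must be written as the raw mask, e.g. with a GPP Registry item.

function Get-DriveRestrictionMask {
    [CmdletBinding()]
    [OutputType([int])]
    param(
        # Drive letters to restrict, e.g. 'A','B','C','D' or 'C:'. Case-insensitive.
        [Parameter(Mandatory)]
        [string[]]$DriveLetter
    )
    [int]$mask = 0
    foreach ($letter in $DriveLetter) {
        $l = $letter.Trim().TrimEnd(':').ToUpperInvariant()
        if ($l -cnotmatch '^[A-Z]$') {
            throw "Invalid drive letter: '$letter'"
        }
        $bit  = [int][char]$l - [int][char]'A'   # A -> 0, B -> 1, ... Z -> 25
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

function ConvertFrom-DriveRestrictionMask {
    # Decode an existing NoDrives / NoViewOnDrive value back into drive letters,
    # which is handy when auditing a VDA that already has a policy applied.
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$Mask)
    if ($Mask -lt 0 -or $Mask -gt 0x3FFFFFF) { throw "Mask out of range: $Mask" }
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { [string][char](65 + $_) }
}

function Set-DriveRestriction {
    # Writes the mask to the current user's Explorer policy key, the key that the
    # User Configuration half of a GPO populates. Use this to test on a VDA; in
    # production deliver the same value with a Group Policy Preferences Registry
    # item so it is applied and reverted centrally.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$DriveLetter,
        # Hide = NoDrives (drives vanish from This PC but stay reachable by path);
        # PreventAccess = NoViewOnDrive (Explorer refuses to open them).
        [Parameter(Mandatory)][ValidateSet('Hide', 'PreventAccess')][string]$Mode
    )
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = if ($Mode -eq 'Hide') { 'NoDrives' } else { 'NoViewOnDrive' }
    $mask = Get-DriveRestrictionMask -DriveLetter $DriveLetter
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $mask")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value $mask -Type DWord
    }
    return $mask
}

# Sample use (values constructed for this example):
Get-DriveRestrictionMask -DriveLetter A, B, C, D        # 15, the ADMX "A, B, C, and D" option
Get-DriveRestrictionMask -DriveLetter C, D, E           # 28, a combination the ADMX does not offer
Get-DriveRestrictionMask -DriveLetter (65..90 | ForEach-Object { [char]$_ })   # 67108863 = 0x3FFFFFF, all drives
ConvertFrom-DriveRestrictionMask -Mask 15               # A B C D
Set-DriveRestriction -DriveLetter A, B, C, D -Mode Hide -WhatIf   # shows what would be written
```

Because NoDrives only hides the icons, pair it with NoViewOnDrive (the "Prevent access" setting) when the goal is to keep users off the drive rather than merely tidy up This PC.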

From Citrix Discussions: To hide specific drive letters:

  1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
  2. Choose Action Update => Drive Letter Existing C => Hide this drive
  3. Common Tab: Run in logged-on user’s security context

CTP Dave Brett Secure Local Drive Access On Your EUC Endpoints explains how to block C: drive access from Chrome.

Windows Update GPO Settings

  • User Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Remove access to use all Windows Update features = enabled, 0 – Do not show any notifications

File Explorer

Hide Favorites, Libraries, Network and redirected local drives

Winhelponline Removing “Quick access” from Windows 10 File Explorer details the following registry value to remove Quick Access from File Explorer in Windows 10, or Windows Server 2016 and newer. (h/t Sean Bolding)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • DWORD value HubMode = 1

Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in Windows Server 2016.



Explorer Notifications

From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10: Windows 10 1607 adds notifications inside File Explorer.

To stop these, use Group Policy Preferences to set the following registry value:

  • Key = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • Value = ShowSyncProviderNotifications (DWORD) = 0

Windows Spotlight

Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu, lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating System and Chris Hoffman How to Disable All of Windows 10’s Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer. The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe as a #XenApp published Application!.

Flickering Icons

If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering at Citrix Discussions resolved it by creating the following Registry Key using Group Policy Preferences:

  • HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}

Chrome

Use Chrome Group Policy to push the Chrome plug-in for Citrix’s Browser Content Redirection feature in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer.

Chrome 77 Audio Issue

Google Chrome version 77.x has no audio inside an ICA session. As a workaround, use Group Policy Preferences to deploy the following registry value (source = CTX261992 Citrix Virtual Apps and Desktops: No Audio on Google Chrome version 77.x inside ICA session):

If the new Chrome-based Microsoft Edge consumes 100% CPU, then CTP James Kindon Deploying Brave and Microsoft Edge Dev Browsers in Citrix CVAD environments says a similar registry value is needed for the new Edge.

  • Key = HKLM\SYSTEM\CurrentControlSet\services\CtxUvi
    • Value (String) = UviProcessExcludes = chrome.exe;msedge.exe;
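UviProcessExcludes is a single semicolon-delimited string, so a GPP item or script that simply writes chrome.exe;msedge.exe; silently overwrites any process exclusions that are already present on the VDA. The following PowerShell is an added example, not from the article or from Citrix; the function names are mine, and it merges new names into the existing value instead of replacing it.

```powershell
# Added example (not from the original article or from Citrix). CtxUvi is the
# Citrix hook driver; every name in UviProcessExcludes is a process that Citrix
# will no longer hook, so keep the list to the processes that actually need it.

function Merge-UviProcessExcludes {
    # Pure string merge: returns the new value and never touches the registry.
    [CmdletBinding()]
    [OutputType([string])]
    param(
        # Existing value; $null or '' when the value does not exist yet.
        [AllowNull()][AllowEmptyString()][string]$Existing,
        [Parameter(Mandatory)][string[]]$Add
    )
    $list = [System.Collections.Generic.List[string]]::new()
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in (@($Existing -split ';') + $Add)) {
        $e = $entry.Trim()
        if ($e -eq '') { continue }                           # empty segment / trailing ';'
        if ($e -notmatch '^[^\\/:*?"<>|;]+\.exe$') {          # bare image names only, no paths
            throw "Not a bare process image name: '$e'"
        }
        if ($seen.Add($e)) { $list.Add($e) }                 # case-insensitive dedupe, order kept
    }
    if ($list.Count -eq 0) { return '' }
    return ($list -join ';') + ';'                            # keep the trailing ';' as in the article
}

function Add-UviProcessExclude {
    # Read-merge-write against the live key on a VDA. Supports -WhatIf so the
    # change can be previewed before a GPP Registry item is built from it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ProcessName)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\services\CtxUvi'   # exists only where the VDA is installed
    $name = 'UviProcessExcludes'
    if (-not (Test-Path $key)) { throw "$key not found; is the Citrix VDA installed on this machine?" }
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $merged  = Merge-UviProcessExcludes -Existing $current -Add $ProcessName
    if ($merged -eq $current) { return $current }               # already excluded: nothing to write
    if ($PSCmdlet.ShouldProcess("$key\$name", "Change '$current' to '$merged'")) {
        Set-ItemProperty -Path $key -Name $name -Value $merged -Type String
    }
    return $merged
}

# Sample use (constructed values):
Merge-UviProcessExcludes -Existing $null -Add 'chrome.exe', 'msedge.exe'           # chrome.exe;msedge.exe;
Merge-UviProcessExcludes -Existing 'notepad.exe;' -Add 'chrome.exe', 'CHROME.EXE'  # notepad.exe;chrome.exe;
# On a VDA, preview the merge without writing:
# Add-UviProcessExclude -ProcessName chrome.exe, msedge.exe -WhatIf
```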

GPO ADMX Templates

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Roam Chrome Settings

You can optionally enable Chrome’s roaming profile support. For details, see Use Chrome Browser with Roaming User Profiles at Google Help.

  1. Edit the Citrix All Users GPO.
  2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome.
  3. On the right, double-click Enable the creation of roaming copies for Google Chrome profile data and Enable it.

Browser Content Redirection Extension

To force install the Chrome Extension needed for Browser Content Redirection in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer:

  1. Edit the Citrix All Users GPO.
  2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome | Extensions.
  3. On the right, double-click Configure the list of force-installed apps and extensions.
  4. Enable the setting and click Show.
  5. In the box, enter the following text and click OK.
    hdppkjifljbdpckfajcmlblbchhledln; https://clients2.google.com/service/update2/crx

  6. When a user opens Chrome from inside a VDA, the Citrix Browser Content Redirection Extension is automatically installed.
  7. Configure the Citrix Policy settings detailed at Browser Content Redirection.
  8. Redirection of websites from Chrome requires Workspace app 1809 or newer on the client device.
  9. When you visit a whitelisted (ACL) website, you should see HdxBrowserCef.exe processes on the client side. These processes come from Workspace app and do not use Chrome on the client side.
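The force-install step above is a GPO setting, but it ends up as plain Chrome policy values in the registry. The following PowerShell is an added example written for this page, not Citrix’s or Google’s code, that writes the same ExtensionInstallForcelist entry directly (HKCU to match the user-side GPO above; HKLM makes it per-machine) and, more importantly, checks what it is about to install: a force-installed extension receives every permission in its manifest on every VDA with no user prompt, so the ID is validated and non-Web-Store update URLs are flagged. The extension ID and update URL are the ones from the steps above; the HKCU/HKLM choice and the function name are this example’s own.

```powershell
function Add-ChromeForceInstalledExtension {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        [string]$UpdateUrl = 'https://clients2.google.com/service/update2/crx',
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'   # HKCU = per-user policy, HKLM = per-machine
    )
    # Chrome Web Store IDs are exactly 32 characters in the range a-p; anything else is a typo
    # or a sideloaded extension, and a typo here silently installs a different extension.
    if ($ExtensionId -notmatch '^[a-p]{32}$') {
        throw "'$ExtensionId' is not a valid Chrome extension ID"
    }
    # Any URL other than the Web Store means you trust a crx host of your own; make it deliberate.
    if ($UpdateUrl -ne 'https://clients2.google.com/service/update2/crx') {
        Write-Warning "Non-Web-Store update URL: $UpdateUrl"
    }

    $key = "${Hive}:\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # The list is stored as REG_SZ values named 1, 2, 3 ... holding "id;update_url".
    $regKey   = Get-Item -Path $key
    $existing = foreach ($n in $regKey.GetValueNames()) {
        if ($n -match '^\d+$') {
            [pscustomobject]@{ Index = [int]$n; Data = [string]$regKey.GetValue($n) }
        }
    }
    $dup = $existing | Where-Object { ($_.Data -split ';')[0] -eq $ExtensionId }
    if ($dup) { return "already present as entry $($dup.Index): $($dup.Data)" }

    $next = if ($existing) { ($existing.Index | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $key -Name $next -PropertyType String -Value "$ExtensionId;$UpdateUrl" | Out-Null
    return "added as entry $next"
}

# Citrix Browser Content Redirection extension (ID from the procedure above).
Add-ChromeForceInstalledExtension -ExtensionId 'hdppkjifljbdpckfajcmlblbchhledln'

# Show what Chrome will enforce; chrome://policy inside the VDA session lists the same entries.
Get-ItemProperty -Path 'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist' |
    Select-Object -Property * -ExcludeProperty PS*
```

Running it a second time returns "already present" rather than adding a duplicate index, which is the behaviour you want from a logon-time script. If the GPO from the steps above is also in place, Group Policy rewrites this key on refresh, so use one mechanism or the other, not both.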

Internet Explorer / Edge Settings

This section assumes the GPOs have already been created.

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer
    • Prevent managing SmartScreen Filter = enabled, on
    • Prevent running First Run Wizard = enabled, Go directly to home page
    • Specify default behavior for a new tab page = enabled, Home page
    • Turn on Suggested Sites = disabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Compatibility View
    • Include updated Web site lists from Microsoft = enabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page
    • Turn on Enhanced Protected Mode = disabled

Enhanced Protected Mode is IE’s stronger sandbox (AppContainer-based on Windows 8 and newer), so disabling it trades isolation for compatibility: add-ons that are not EPM-compatible stop loading while it is on, which is why it is commonly disabled on VDAs. Read the setting’s explanatory text and decide whether you actually need it disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone.

To prevent this message, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Preferences > Windows Settings > Registry.
  3. Create a new Registry Item.
  4. Set the Hive to: HKEY_CURRENT_USER
  5. Set the Key Path to: Software\Microsoft\Internet Explorer\Main
  6. Set the Value name to: NoProtectedModeBanner
  7. Set the Value type to: REG_DWORD
  8. Set the Value data to: 1
  9. Click OK.

IE 11 in Windows 10 1703 and newer has a new button to open Edge.

  • To hide this button, edit a Group Policy that applies to users, go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Settings | Advanced Settings | Browsing, and enable the setting Hide the button (next to the New Tab button) that opens Microsoft Edge. Source = René Bigler on Twitter.

4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607: registry keys and PowerShell script to disable it.

Published Internet Explorer Settings – Runonce

If a user launches Internet Explorer as a published application, then Internet Explorer might not be fully configured and thus some websites won’t work. By default, Windows runs per-user configuration (ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn’t happen when only launching published apps. To override this behavior so it works with published IE even if the user never connects to a full desktop, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  3. Double-click Logon.
  4. Click Add.
  5. In the Script Name field, enter runonce.exe.
  6. In the Script Parameters field, enter /AlternateShellStartup. Click OK.
  7. Note: running runonce.exe /AlternateShellStartup might cause black borders around windows in published applications.
  8. Runonce.exe /AlternateShellStartup also causes the items in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to be executed when a published app is launched. Consider deleting the items (e.g. VMware Tools icon), or they might keep sessions open after users close their apps. Also see CTX891671 Graceful Logoff from a Published Application Renders the Session in Active State.
  9. An alternative to runonce.exe /AlternateShellStartup is to run the following commands provided by Steve Washburn at Active Receiver connection after app is closed at Citrix Discussions. Unlike /AlternateShellStartup, this runs only IE’s own per-user setup and does not execute the HKLM Run entries:
    @echo off
    rem Run IE's per-user (ActiveSetup) configuration for the 64-bit and 32-bit IE, then launch IE
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser
    start "" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    exit

 

Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to enable the script (configure these in the Citrix VDA Computer Settings GPO):

Logon Script GPO Settings

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting.
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

Internet Explorer Group Policy Preferences

The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings > Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012.

If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or Internet Explorer 10.

If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.

If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10. When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your keyboard.

As you look through the tabs, you’ll see a bunch of green items. These green items will be applied and might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them back on, press F5.

On the Common tab you can check the box to Apply once and do not reapply.

Internet Explorer Security Zone Configuration

There is a group policy setting at User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Site to Zone Assignment List that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their own sites (the user interface in Internet Explorer is grayed out).

This section details an alternative procedure for administrator-configured zones while allowing users to add their own Trusted Sites.

Note: Zones can’t be configured using a Group Policy Preferences Internet Settings object so instead you’ll need to configure registry keys as detailed below.

  1. Run Internet Explorer and configure security zones as desired.
  2. If you are using Workspace Control in Receiver for Web or need pass-through authentication, make sure you add StoreFront as a Local Intranet Site.
  3. Run Group Policy Management Console on the same machine where you have security zones configured.
  4. Edit the Citrix VDA All Users GPO.
  5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection Item. Name it IE Zones or similar.
  6. Right-click the collection and click New > Registry Item.
  7. Click the … button next to Key Path.
  8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Click the key corresponding to the FQDN you’re adding. Then select the registry value on the bottom that corresponds to the protocol (e.g. * or https). Click Select.
  9. Then click OK. Note: the value data is the zone number: 1 indicates Local Intranet, 2 Trusted Sites, 3 Internet, and 4 Restricted Sites.
  10. Feel free to rename the Registry Item to reflect the actual zone.
  11. Repeat these steps for additional zones.
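The Registry Items in the procedure above simply reproduce the ZoneMap layout that IE writes when a site is added in the UI. The PowerShell below is an added example for this page (not Citrix’s or Microsoft’s code) that builds those entries from a list of URLs instead of from a reference machine, so what lands in HKCU is explicit and reviewable. It writes to HKCU, which is why users keep the ability to add their own Trusted Sites, unlike the Site to Zone Assignment List policy. The FQDNs in the sample calls are placeholders, the "last two labels are the domain" rule is a simplification that breaks for suffixes such as co.uk, and the EscDomains switch is for servers where IE Enhanced Security Configuration is turned on.

```powershell
# IE zone numbers, as used in the GPP Registry Items above.
$ZoneIds = @{ MyComputer = 0; Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

function Set-IEZoneMapEntry {
    param(
        [Parameter(Mandatory)][uri]$Url,
        [Parameter(Mandatory)][ValidateSet('MyComputer', 'Intranet', 'Trusted', 'Internet', 'Restricted')]
        [string]$Zone,
        [switch]$AllProtocols,   # write the value name "*" instead of the URL's scheme
        [switch]$Esc             # IE Enhanced Security Configuration enabled: IE reads EscDomains instead
    )
    $root = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\' +
            $(if ($Esc) { 'EscDomains' } else { 'Domains' })

    # IE keys the entry by domain (assumed here to be the last two labels) with the remaining
    # labels as a subkey:  storefront.corp.example.com -> Domains\example.com\storefront.corp
    $labels = $Url.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Host '$($Url.Host)' has no domain part (IP addresses live under ZoneMap\Ranges)" }
    $key = "$root\$($labels[-2..-1] -join '.')"
    if ($labels.Count -gt 2) { $key += '\' + ($labels[0..($labels.Count - 3)] -join '.') }

    $valueName = if ($AllProtocols) { '*' } else { $Url.Scheme }
    # Registry.SetValue creates missing keys and copes with the literal "*" value name.
    [Microsoft.Win32.Registry]::SetValue($key, $valueName, [int]$ZoneIds[$Zone],
                                         [Microsoft.Win32.RegistryValueKind]::DWord)
    [pscustomobject]@{ Key = $key; Value = $valueName; ZoneId = $ZoneIds[$Zone] }
}

# Constructed sample list (placeholder FQDNs): StoreFront belongs in Local Intranet (zone 1)
# for pass-through authentication and Workspace Control.
Set-IEZoneMapEntry -Url 'https://storefront.corp.example.com' -Zone Intranet
Set-IEZoneMapEntry -Url 'https://intranet.example.com' -Zone Trusted -AllProtocols

# Read back exactly what IE will evaluate: one line per protocol value under each domain key.
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' -Recurse |
    ForEach-Object {
        $k = $_
        foreach ($v in $k.GetValueNames()) { '{0}  {1} = {2}' -f $k.Name, $v, $k.GetValue($v) }
    }
```

Run it in the user’s context (a logon script or a GPP-deployed scheduled task); the read-back at the end is the check to do after the first logon, because a domain split the wrong way (for example a three-part public suffix) produces a key IE never consults and the site silently stays in the Internet zone.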

Internet Explorer Home Page

If you don’t have access to Windows 8/2012 group policy editor, configure the default home page using a registry key.

  1. Run Internet Explorer and configure home page as desired.
  2. Run Group Policy Management Console on the same machine where you have the home page configured.
  3. Edit the Citrix VDA All Users GPO.
  4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.
  5. Click the … button next to Key Path.
  6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. On the bottom, select Start Page. Then click Select.
  7. On the Common tab, you can select Apply once and do not reapply. Then click OK.

Proxy Settings

If you don’t have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Use Group Policy Preferences or similar to distribute the registry keys.

To keep users out of the proxy settings UI, also configure the following group policy setting. Note that this only hides the Connections tab: the proxy values live in HKCU, which the user can write to, so it is not enforcement. For enforcement, enable Computer Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Make proxy settings per-machine (rather than per-user) and deploy the proxy values under HKLM instead.

  • User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
    • Disable the Connections page = enabled

Internet Explorer Performance

Julian Mooren at XenApp & Internet Explorer – Improving User Experience details how to enable Tracking Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set registry keys, and adds a folder to Citrix Profile Management synchronization.

LoginVSI Web Browsing & Advertising Impact on VDI Performance is a 33 page paper detailing how to enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.

Office 365 / 2019 / 2016 / 2013

Office 365 Planning

Office 365 ProPlus is supported on Windows Server 2019.

Microsoft FSLogix can roam Office cache files (e.g. Outlook .ost file) and Search Index. FSLogix is free for most customers.

CTP Marius Sandbu Guide to Deploying Office 365 in RDSH and VDI Enviroment contains:

  • Common best-practices and guidelines
  • Identity Federation and sync
  • Licensing and Roaming
  • Deployment and managing updates
  • Vendors and Office 365 Optimization
  • Skype for Business
  • Teams
  • Outlook
  • OneDrive
  • Group Policy
  • Troubleshooting and general tips for tuning
  • Remote display protocols and when to use which
  • Server 2019 and Office 365
  • Office 2019 / Office 365 ProPlus

Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:

  • Considerations for Outlook Cached Mode
  • Group Policy settings for Outlook Cached Mode
  • For Lync Audio/Video – various options for delivering the Lync client
  • Caveats for OneDrive for Business
  • Licensing – shared computer activation

VMware Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 contains:

  • Requirements for Using Nonpersistent VDI and RDS with Office 365 ProPlus
  • Using the Office 2016 Deployment Tool to download and install Office
  • Enabling Shared Computer Activation on Nonpersistent VDI and RDS
  • Considerations for Deploying Office 365 ProPlus to a Horizon Environment – OneDrive, Outlook
  • Office Group Policy Settings

Office 2019

Office 2019 is a Perpetual version of Office, which means no new features until Office 2022 is released.

  • By contrast, Office 365 ProPlus receives new features periodically (every few weeks).

Office 2019 requires volume licenses. See Microsoft Office 2019 Volume License Pack for KMS server or Active Directory activation.

There is no MSI installer for Office 2019. Instead, you use Office Deployment Tool to download and install the Click-to-run version of Office 2019 Volume License. See Deploy Office 2019 (for IT Pros).

The Office 2019 icons/shortcuts do not say 2019 on the end. There’s no year designation.

File > Account shows the version info. As does Apps and Features.

Office Group Policy Templates

Download the Office 365 / 2019 / 2016 group policy templates or Office 2013 group policy templates.

Microsoft is changing the default Office 365 edition to x64.

If you installed the 32-bit version of Office 365 / 2019 / 2016 / 2013, then you’ll need the 32-bit (x86) version of the templates.


  1. Go to the downloaded Office 365 / 2019 / 2016 group policy templates and run admintemplates_x64_4936-1000_en-us.exe.
    Note: Office 2016, Office 2019, and Office 365 use the same group policy templates.

    • Or for Office 2013, run admintemplates_x86-4997-1000-en-us.exe.
  2. Check the box next to Click here to accept and click Continue.
  3. Specify a folder to place the extracted templates in.
  4. Click OK to acknowledge that files extracted successfully.
  5. Go to the folder where you extracted the files, and open the ADMX folder.
  6. Copy all of the .admx files, and the en-us folder, to the clipboard.
  7. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the files.

    • If you do not have PolicyDefinitions in your Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files.
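Copying templates into the Central Store is the same manual step for the Chrome templates above and the Office templates just described (and again later on this page for Adobe Reader, Citrix Files and the Windows 10 1909 templates). The PowerShell below is an added example written for this page, not Microsoft’s, Google’s or Citrix’s code, that does the copy once for any template folder, falls back to C:\Windows\PolicyDefinitions when there is no Central Store as the steps describe, and refuses to replace a template with an older copy or to ship an .admx without its language .adml, which is what produces the "resource … could not be found" errors in GPMC. The source paths in the two calls are assumed extraction folders; the domain name is taken from the environment.

```powershell
function Copy-AdmxToCentralStore {
    param(
        [Parameter(Mandatory)][string]$SourcePath,     # folder holding *.admx plus language subfolders (en-US ...)
        [string[]]$Language = @('en-US'),
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $dest = if (Test-Path $central) { $central } else { "$env:SystemRoot\PolicyDefinitions" }

    $admx = Get-ChildItem -Path $SourcePath -Filter *.admx -File
    if (-not $admx) { throw "No .admx files found in $SourcePath" }

    $report = foreach ($f in $admx) {
        $target = Join-Path $dest $f.Name
        # Newer-by-timestamp is a heuristic (Copy-Item preserves LastWriteTime); it stops an old
        # download from silently downgrading a template another admin already refreshed.
        $action = if (-not (Test-Path $target)) { 'new' }
                  elseif ($f.LastWriteTime -gt (Get-Item $target).LastWriteTime) { 'updated' }
                  else { 'kept' }

        # Every .admx must travel with its .adml for each language, or GPMC cannot render it.
        $admls = foreach ($lang in $Language) {
            $adml = Join-Path $SourcePath "$lang\$($f.BaseName).adml"
            if (Test-Path $adml) { [pscustomobject]@{ Lang = $lang; Path = $adml } }
            else { Write-Warning "$($f.Name): no $lang .adml alongside it; skipping this template" }
        }
        if (@($admls).Count -ne $Language.Count) { $action = 'skipped' }

        if ($action -in 'new', 'updated') {
            Copy-Item -Path $f.FullName -Destination $target -Force
            foreach ($a in $admls) {
                $langDir = Join-Path $dest $a.Lang
                if (-not (Test-Path $langDir)) { New-Item -Path $langDir -ItemType Directory | Out-Null }
                Copy-Item -Path $a.Path -Destination (Join-Path $langDir "$($f.BaseName).adml") -Force
            }
        }
        [pscustomobject]@{ Template = $f.Name; Action = $action; Destination = $dest }
    }
    $report
}

# Chrome: the policy_templates\windows\admx folder from the extracted zip (assumed path).
Copy-AdmxToCentralStore -SourcePath 'C:\Temp\policy_templates\windows\admx'
# Office: the ADMX folder that admintemplates_x64_4936-1000_en-us.exe extracted (assumed path).
Copy-AdmxToCentralStore -SourcePath 'C:\Temp\OfficeADMX\ADMX'
```

The report it returns (new / updated / kept / skipped per template) is worth keeping with the change record for the Central Store, since the SYSVOL replicates to every domain controller and a bad template affects every GPMC session in the domain.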

Group Policy and Tweaks

This section assumes the Group Policy Objects have already been created.

Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.

Office 2013 group policy settings are different than the group policy settings for Office 2016 and Office 2019. If you want to copy Office 2013 settings to Office 365 / 2019 / 2016 settings, see Microsoft’s Copy-OfficeGPOSettings PowerShell script.

Office 365, Office 2019, and Office 2016 are all version 16.0, thus the same GPO settings work for all three versions. In Group Policy Editor, the GPO settings are under the Office 2016 folders.

  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 (or 2013) | First Run
    • Disable First Run Movie = enabled
    • Disable Office First Run on application boot = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 (or 2013) | Global Options |Customize
    • Allow roaming of all user customizations = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 (or 2013) | Miscellaneous
    • Block signing into Office = enabled, Org ID only. Source = Microsoft Answers
    • Disable Office Animations = enabled
    • Do not use hardware graphics acceleration = enabled
    • Suppress recommended settings dialog = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 (or 2013) | Privacy | Trust Center
    • Automatically receive small updates to improve reliability = disabled
    • Disable Opt-in Wizard on first run = enabled
    • Enable Customer Experience Improvement Program = disabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 (or 2013) | Tools | Options | General | Service Options… | Online Content
    • Online Content Options = enabled, Allow Office to connect to the Internet
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (or 2013) | Account Settings | Exchange | Cached Exchange Mode
    • Use Cached Exchange Mode for new and existing Outlook profiles = disabled
    • If you prefer to use Cached Exchange Mode, set the above setting to enabled, and add the settings below. Source = Citrix’s Office 365 Implementation Guide
      • Cached Exchange Mode Sync Settings = enabled, time window of downloaded content
      • Administrative Templates | Microsoft Outlook 2016 (or 2013) | Miscellaneous | PST Settings | Default location for OST files = enabled, UNC path to user home directories
      • Or install FSLogix
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (or 2013) | Miscellaneous | PST Settings
    • Default location for PST files = enabled, user’s home directory
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (or 2013) | Outlook Options | Other | AutoArchive
    • AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (or 2013) | Outlook Options | Preferences | Search Options
    • Prevent installation prompts when Windows Desktop Search component is not present = enabled
  • Computer Config | Policies | Administrative Templates | Windows Components | Search
    • Prevent indexing Microsoft Office Outlook = enabled (see below)

Office Click-to-Run Accept EULA Window

To get rid of the Accept Office License Agreement button/window…

Use Group Policy Preferences to set the following registry values:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Registration
    • AcceptAllEulas (DWORD) = 1
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Registration
    • AcceptAllEulas (DWORD) = 1

Office temp file errors

To prevent Office temp file errors:

  • User Configuration | Preferences | Windows Settings | Folders | New Folder
    • Action = Create
    • Path = %Localappdata%\Microsoft\Windows\INetCache

Outlook and Windows Search

When launching Outlook, you might see the message “Please wait while Windows configures Microsoft Office 64-bit Components”.

To fix the Outlook search problem, either install the Windows Search Service (a Windows feature), or enable the GPO setting Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook.

Office Display Issues

Microsoft hotfix 2786932 – Dialog boxes and new windows displayed as blank in Office 2013 RemoteApps on a client computer that is running Windows 7 or Windows Server 2008 R2

From CTX221195 How to disable Office 2013 shadow border:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI\MSO_BORDEREFFECT_WINDOW_CLASS]
"ClassName"="MSO_BORDEREFFECT_WINDOW_CLASS"
"Type"=dword:00001000

 

From Fixed Issues in XenApp/XenDesktop 7.11 and older: Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. The issue occurs because the key and value in registry location HKEY_CURRENT_USER\Control Panel\Desktop\UserPreferencesMask on the VDA are overwritten by the wfshell.exe process each time a user logs on to the VDA. To prevent this, create the registry value shown under the next issue on the VDA and set it to 1 (the same value fixes both issues).

From Fixed Issues in XenApp/XenDesktop 7.12: Changes you make to “Advanced System Settings” under “Visual Effects” apply to the current VDA session but might not be retained for subsequent sessions. To make such changes persistent, you must set the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
    • Name: EnableVisualEffect
    • Type: REG_DWORD
    • Value: 1

Office VL Activation not working

If Office 2016 Volume License is not activating correctly, set the following registry value as detailed at Microsoft Office can’t find your license for this application at Citrix Discussions:

  • Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CtxUvi
    • Value = UviProcessExcludes (REG_SZ) = sppsvc.exe

This is the same single string value used for the Chrome 77 audio fix earlier on this page; if both exclusions are needed, list all of the process names in one value (e.g. chrome.exe;msedge.exe;sppsvc.exe;) rather than deploying two GPP items that overwrite each other.
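Both the Chrome 77 audio fix earlier on this page and the Office activation fix above write the one UviProcessExcludes string, so a naive "set value" in either place clobbers the other. The PowerShell below is an added example for this page (not Citrix’s code) that merges a process name into the existing list instead of replacing it, and rejects anything that is not a bare image name so a stray path or wildcard cannot widen the exclusion. It runs on the VDA or master image as an administrator; the assumption that the hook driver only rereads the value at startup, so a reboot follows, is this example’s, based on the article deploying the value through startup-time GPP.

```powershell
function Add-UviProcessExclude {
    param([Parameter(Mandatory)][string[]]$Process)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CtxUvi'
    $name = 'UviProcessExcludes'
    if (-not (Test-Path $key)) { throw 'CtxUvi service key not found; is the VDA installed on this machine?' }

    # Existing data looks like "a.exe;b.exe;" (the trailing ; is optional); normalise to a list.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $list = New-Object System.Collections.Generic.List[string]
    foreach ($p in ($current -split ';')) { if ($p.Trim()) { $list.Add($p.Trim()) } }

    foreach ($p in $Process) {
        # Bare image name only: no path separators, wildcards or a second ';' smuggled in.
        if ($p -notmatch '^[^\\/:*?"<>|;]+\.exe$') { throw "'$p' is not a bare image name such as chrome.exe" }
        if ($list -notcontains $p) { $list.Add($p) }   # -contains is case-insensitive, as the driver is
    }
    $merged = ($list -join ';') + ';'
    Set-ItemProperty -Path $key -Name $name -Value $merged -Type String
    return $merged
}

Add-UviProcessExclude -Process 'chrome.exe', 'msedge.exe'   # Chrome 77 audio / Edge CPU fix
Add-UviProcessExclude -Process 'sppsvc.exe'                 # Office volume activation fix
# The value now reads "chrome.exe;msedge.exe;sppsvc.exe;" regardless of the order the two lines ran in.
# Reboot the VDA afterwards (assumption: the driver reads the list at start, as with the GPP deployment).
```

Keep the resulting list short and reviewed: every process named here is exempted from the Citrix API hooks, so an over-broad entry turns off Citrix features (and any hook-based controls) for that process.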

Adobe Reader

Adobe Reader Group Policy

  1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
  2. Copy the .admx file and the en-us folder.
  3. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files. If this folder doesn’t exist, go to C:\Windows\PolicyDefinitions instead.
  4. Click Yes when asked to replace files.
  5. Now open a group policy that applies to all Citrix users.
  6. Go to User Configuration > Administrative Templates > Adobe Reader > Preferences > General.
  7. Open the setting Accept EULA and Enable it.
  8. Then open the Display splash screen at launch setting and Disable it.

Disable Repair

In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.

Then users are prompted to reboot. Obviously this is not good on a shared server, and even non-admins can trigger the reboot this way.

  1. In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer.
  2. Add the DWORD DisableMaintenance and set it to 1.
  3. Now the Repair option is grayed out on the Help menu.

Disable Updates

For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Reader\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
    • Mode = 0 (disables updates)

 

In Adobe Reader XI, there is a GUI method of disabling updates:

  1. Run Adobe Reader from the Start Menu.
  2. Open the Edit menu and click Preferences.
  3. On the Updater page, change the selection to Do not download or install updates automatically and click OK.

Other Optimizations

Rick van Soest Removing “The Cloud” from Adobe Acrobat Reader DC:

  • To remove tools, delete them from C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
  • To remove the welcome screen, add the following registry dword value: HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
    • bUsageMeasurement (REG_DWORD) = 0
  • To remove the “add account” button, HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint
    • bDisableSharePointFeatures (REG_DWORD) = 1
  • To remove the “Check for update” button, HKLM\Software\Adobe\Acrobat Reader\DC\Installer
    • DisableMaintenance (REG_DWORD) = 1

 

Adobe.com – Citrix Deployments: Before deployment, the product should be configured as needed. In particular, you will want to disable features and behaviors that should not be accessible to end users in an IT-managed environment. For example:

  • The Updater should be disabled as described in this guide and the Preference Reference.
  • Accept the EULA on behalf of all users by setting the appropriate registry key.
  • For multilanguage installations (MUI), set the preferred language for all users via the SUPPRESSLANGSELECTION property or registry settings described in the Preference Reference.
  • Deploy enterprise files to the product‚Äôs directories (rather than per-user directories) so they are available to all users.
  • There are over 500 documented settings. Refer to the Preference Reference for complete registry and plist details.

 

Scrolling performance

If scrolling performance is poor in graphic intensive documents, try the following:

  • Go to Edit > Preferences > Rendering.
  • Uncheck Smooth line art and Smooth images. Alternatively, you can set these preferences during pre-deployment configuration:
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasGraphics: 0x00000000
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasImages: 0x00000000

 

Distiller performance

  • In some environments, Distiller performance may suffer if the messages.log file becomes too large after a number of Distiller operations. Delete this file periodically. It is located at \Application Data\Adobe\Acrobat\Distiller<version>\messages.log.
  • Remove unused fonts from the Windows installation.

Citrix Files

Citrix Files allows you to access your files in ShareFile directly through a mapped drive, providing a native Windows Explorer experience. Citrix Files replaces ShareFile Drive Mapper.

Citrix Files instructions:

To install Citrix Files:

  1. If Citrix ShareFile Drive Mapper is installed, uninstall it. Also see CTX238202 Upgrading from ShareFile Drive Mapper to Citrix Files for Windows.
  2. In VDA 1808 and newer, Citrix Files is bundled with the VDA installer.
  3. Or, download Citrix Files. The downloaded version might be newer than the version included with the VDA installer.
  4. On a VDA, run CitrixFilesForWindows-v.exe.
  5. Check the box next to I agree to the license terms, and click Install.
  6. In the Setup Successful page, click Close.

Session Lingering:

  • Citrix recommends editing your Delivery Group and enabling Application Lingering for a couple minutes so Citrix Files has time to upload files.

To configure Citrix Files:

  1. Go to C:\Program Files\Citrix\Citrix Files\PolicyDefinitions, and copy the file and folder.
  2. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files and folder. If this path doesn’t exist, then paste the files in C:\Windows\PolicyDefinitions on your Group Policy editing machines instead.
  3. Edit a GPO that applies to all users.

    1. Go to User Configuration > Policies > Administrative Templates > Citrix Files.
    2. Citrix Files is enabled by default. If you only want some users to use Citrix Files, then you can configure a GPO to disable Citrix Files, and then configure a different GPO that re-enables it. The GPO that enables Citrix Files would be targeted to an AD group, and the GPO would be higher priority than the GPO that disables it. The setting to disable and enable Citrix Files is called Enable Application.
    3. Edit the Account setting.
    4. Enable the setting, and enter your ShareFile URL. Click OK.
    5. The Mount Point settings let you map different parts of Citrix Files to different drive letters.
  4. Edit a GPO that applies to the computers that have Citrix Files installed.

    1. Go to Computer Configuration > Policies > Administrative Templates > Citrix Files.
    2. The default Cache Location is AppData\Local\Citrix\Citrix Files\PartCache.
    3. Default Cache Size is 256 MB.
    4. Delete Cache on Exit is not needed on non-persistent machines, and not needed if the roaming profile cache is deleted on logoff. Make sure the Citrix Files cache is excluded from roaming profiles as detailed later.
    5. Auto Check-out of Office files can be enabled here.
    6. Auto-Update does not apply to Remote Desktop Session Host, so you’ll have to update those machines manually.
    7. Offline Access is enabled (allowed) by default.
    8. Personal Cloud Connectors (e.g. OneDrive) and On-Premises Connectors can be enabled from here.
  5. Edit your Citrix Profile Management GPO.
    1. Go to Computer Configuration > Policies > Administrative Templates > Citrix > Profile Management > File system.
    2. Edit the setting Exclusion list – directories.
    3. Add AppData\Local\Citrix\Citrix Files\ to the list.
  6. If you have on-premises StorageZones Controllers, you can enable Single Sign-on by enabling Windows Authentication. On the StorageZones Controllers, run IIS Manager.

    1. Navigate to Default Web Site > cifs.
    2. In the middle, double-click Authentication.
    3. Right-click Windows Authentication and Enable it. If you don’t see Windows Authentication in your list, you might have to install it using the Roles and Features wizard.
  7. After logging into Citrix and logging into Citrix Files, when you launch File Explorer, you’ll see Citrix Files on the left.
  8. If the Login Window doesn’t appear, then look for the icon in the system tray.

File Type Association

For the official Microsoft method of handling file type associations in Windows 10 and Windows Server 2016, see Windows 10 – How to configure file associations for IT Pros? at TechNet Blogs. This article details DISM, XML, and Group Policy.

Christoph Kolbicz at SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 10 and 2016 developed a tool to set specific File Type Associations. No DISM or XML needed.

Next Steps

Group Policy Computer Settings for VDAs

Last Modified: Jan 12, 2020 @ 12:44 pm

💡 = Recently Updated

Create Group Policy Objects

  1. Within Active Directory Users and Computers (dsa.msc), create a parent Organizational Unit (OU) to hold all VDA computer objects.
  2. Then create sub-OUs, one for each Delivery Group. The VDA computer objects for each Delivery Group should be placed in these sub-OUs. Notes:
    • The only objects that belong in these VDA OUs are the VDA computer accounts.
      • There’s no need to put any user accounts in these VDA OUs since Group Policy Loopback Processing mode will handle user settings.
      • The computer objects for the Citrix brokering infrastructure machines (Controllers, StoreFront, Director, etc.) should go in normal server OUs, and not in the VDA OUs.
    • Separate VDA sub-OUs for each Delivery Group lets you apply different GPO settings to each Delivery Group.
    • Grant Citrix Admins the permission to add computer objects to the VDA OUs.
    • Grant Citrix Admins the permission to link GPOs to the VDA OUs.
    • Master images should be placed in the VDA OUs so the VDA GPO Computer Settings can be burned into the master image. This avoids timing issues when non-persistent machines reboot and GPO settings haven’t applied yet.
  3. Move the VDAs from the Computers container to one of the Delivery Group OUs.
  4. Within Group Policy Management Console (gpmc.msc), create a Group Policy Object (GPO) called Citrix VDA Computer Settings, and link it to one of the Citrix OUs. This particular GPO usually applies to all Delivery Groups, and thus should be linked to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.

  5. On the left, click the new VDA Computer Settings GPO to highlight it.
  6. On the right, switch to the Details tab.
  7. Change the GPO Status drop-down to User configuration settings disabled. This GPO will only contain computer settings.

  8. Create and link two new Citrix-specific GPOs (in addition to the Citrix VDA Computer Settings GPO).
  9. One of the GPOs is called Citrix VDA All Users (including admins), and the other is called Citrix VDA Non-Admin Users (lockdown).


  10. Modify the Details page of both of these GPOs, and set GPO Status to Computer configuration settings disabled. These GPOs will only contain user settings.

  11. On the left, click the Citrix VDA Non-Admin Users GPO to highlight it.
  12. To delegate administration of this GPO to Citrix Admins:
    1. On the right, switch to the Delegation tab, and click Add.
    2. Find your Citrix Admins group, and click OK.
    3. In the Add Group or User window, change the Permissions to Edit settings, and click OK.
  13. To prevent the user lockdown GPO from applying to administrators:
    1. On the Delegation tab, click Advanced.
    2. On the top half, click the Citrix Admins group to highlight it.
    3. Scroll down to reveal the Apply Group Policy row, and then place a check mark in the Deny column.
    4. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins.
    5. Click OK to close the Security Settings window.
    6. Click Yes when asked to continue.
  14. To delegate the other two GPOs, add the Citrix Admins group with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
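The following PowerShell script is an added example (not code from the article) that builds the OU and GPO layout described in the steps above: a parent VDA OU with one sub-OU per Delivery Group, the three GPOs with their GPO Status set, Edit settings delegation to Citrix Admins on all three, and the Deny Apply Group Policy entry on the lockdown GPO only. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can create OUs and GPOs; the OU names, Delivery Group names and the "Citrix Admins" group name are placeholders. Set-GPPermission has no Deny option, so the deny entry is written as an ACE on the GPO's AD container, the same entry the Deny check box in the Delegation tab's Advanced dialog creates.

```powershell
# Added example, not from the article: scripted version of the Citrix VDA
# OU/GPO layout. Requires RSAT (ActiveDirectory + GroupPolicy modules).
# All names below are placeholders; adjust to your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn       = (Get-ADDomain).DistinguishedName
$VdaOuName      = 'Citrix VDAs'                          # placeholder parent OU
$VdaParentOu    = "OU=$VdaOuName,$DomainDn"
$DeliveryGroups = @('Win10 Desktops', 'Win2019 RDSH')    # placeholder sub-OUs
$CitrixAdmins   = 'Citrix Admins'                        # placeholder AD group

$ComputerGpoName = 'Citrix VDA Computer Settings'
$AllUsersGpoName = 'Citrix VDA All Users (including admins)'
$LockdownGpoName = 'Citrix VDA Non-Admin Users (lockdown)'

function Test-AdOu ([string]$Dn) {
    try { [bool](Get-ADOrganizationalUnit -Identity $Dn -ErrorAction Stop) } catch { $false }
}

# Idempotent GPO lookup: returns the existing GPO or creates a new one.
function Get-OrCreateGpo ([string]$Name) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

# 1. OU layout: parent VDA OU plus one sub-OU per Delivery Group. Only VDA
#    computer objects (and the master image) belong in these OUs.
if (-not (Test-AdOu $VdaParentOu)) {
    New-ADOrganizationalUnit -Name $VdaOuName -Path $DomainDn | Out-Null
}
foreach ($dg in $DeliveryGroups) {
    if (-not (Test-AdOu "OU=$dg,$VdaParentOu")) {
        New-ADOrganizationalUnit -Name $dg -Path $VdaParentOu | Out-Null
    }
}

# 2. GPOs and GPO Status: the computer GPO carries computer settings only,
#    the two user GPOs carry user settings only (applied through loopback).
$ComputerGpo = Get-OrCreateGpo $ComputerGpoName
$ComputerGpo.GpoStatus = 'UserSettingsDisabled'
$AllUsersGpo = Get-OrCreateGpo $AllUsersGpoName
$AllUsersGpo.GpoStatus = 'ComputerSettingsDisabled'
$LockdownGpo = Get-OrCreateGpo $LockdownGpoName
$LockdownGpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Link all three to the parent OU (link to a sub-OU instead when a GPO is
#    Delivery Group specific). New-GPLink errors if the link already exists.
# 4. Delegate Edit settings to Citrix Admins on every GPO.
foreach ($gpo in @($ComputerGpo, $AllUsersGpo, $LockdownGpo)) {
    New-GPLink -Guid $gpo.Id -Target $VdaParentOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName $CitrixAdmins -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# 5. Deny "Apply Group Policy" to Citrix Admins on the lockdown GPO only.
#    Set-GPPermission cannot write Deny entries, so add the ACE on the GPO's
#    AD container. edacfd8f-... is the Apply-Group-Policy extended right GUID.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$AdminsSid  = (Get-ADGroup -Identity $CitrixAdmins).SID
$GpoAclPath = "AD:\$($LockdownGpo.Path)"
$Acl  = Get-Acl -Path $GpoAclPath
$Deny = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $AdminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight
)
$Acl.AddAccessRule($Deny)
Set-Acl -Path $GpoAclPath -AclObject $Acl

# 6. Verify: only the lockdown GPO should show a Deny entry for Citrix Admins.
foreach ($gpo in @($ComputerGpo, $AllUsersGpo, $LockdownGpo)) {
    $denied = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Denied -and $_.Trustee.Sid -eq $AdminsSid }
    '{0,-45} Deny Apply for {1}: {2}' -f $gpo.DisplayName, $CitrixAdmins, [bool]$denied
}
```

After running it, open the lockdown GPO's Delegation tab, click Advanced, and confirm that Citrix Admins shows Deny on Apply Group Policy while the other two GPOs do not; an accidental deny on the computer GPO would stop the computer settings from applying to the VDAs themselves.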

Windows 1909 Group Policy Templates

  1. Download the Administrative Templates (.admx) for Windows 10 November 2019 Update (1909). 💡
  2. Run the downloaded Administrative Templates (.admx) for Windows 10 November 2019 Update.msi file.
  3. In the Welcome to the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, record the Location field since you’ll need to go there later.
  6. Click Next.
  7. In the Ready to install Administrative Templates (.admx) for Windows 10 November page, click Next.
  8. In the Completed the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Close.
  9. In File Explorer, go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909).
  10. Open the PolicyDefinitions folder.
  11. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and folders to the clipboard.
  12. Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder, then you can create it. Or copy the files to C:\Windows\PolicyDefinitions as detailed next.

    • If prompted, replace the existing files.
  13. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.

See Group Policy Settings Reference Spreadsheet Windows 1809 for a spreadsheet containing all GPO settings in Windows.

The spreadsheet can be filtered to only show the newest settings.

Microsoft FSLogix

If you need to roam the user’s Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configure Microsoft FSLogix. FSLogix has more Office roaming features than Citrix Profile Management. A common architecture is to enable FSLogix Office Container for the Office cache files and use Citrix Profile Management for all other roaming profile files and registry keys.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

G0-EUC tested FSLogix Profile Container (not Office Container) and found that it reduces capacity by 27%. (source = The impact of managing user profiles with FSLogix)

Do the following to install Microsoft FSLogix on the VDA machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine. Here is some info on group policy configuration:

  1. The FSLogix .zip file contains fslogix.admx and fslogix.adml files for configuration of FSLogix through Group Policy. Copy these files to your PolicyDefinitions folder. The .adml file goes in the en-US folder.

  2. Find the settings in Group Policy Editor at Computer Configuration | Policies | Administrative Templates | FSLogix | Office 365 Containers. The Office 365 Containers node controls Office 365 Containers only. The Profile Containers node lets you configure the entire profile and not just Office 365. You can also configure both as detailed at FAQ: How to use Office 365 Containers and Profile Containers together.
  3. You’ll need a file share with appropriate permissions to store the Office containers.
  4. Set Virtual disk type to VHDX.
  5. The .vhdx files are thin provisioned and can grow up to the maximum Size in MBs, which defaults to 30 GB. It’s difficult to change this value later, so make sure it’s large enough for your Office users.
  6. Under Container and Directory Naming enable the setting Swap directory name components.
  7. Back in the Office 365 Containers node, review each of the Include settings and enable whichever data you want to include in the Office Container. More details at Configure Office Container at Microsoft Docs.
  8. Enable Store search database in Office 365 container.
    1. If RDSH VDAs, then select Multi-user search. If Virtual Desktop VDAs, then select Single-user search. This means you’ll probably need different FSLogix GPOs for Multi-user VDAs vs Single-user VDAs.
    2. In Group Policy Editor, move up to the FSLogix node. On the right, enable the setting Enable search roaming and set it to Multi-user or Single-user. You have to enable two different Search Roaming settings. See FSLogix Containers – Search Index Considerations and Troubleshooting.

    3. Make sure the Windows Search service is set to Automatic and Running.
    4. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.
  9. Back in the Office 365 Containers node, enable the Enabled setting.
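Because FSLogix reads the same values whether they come from the GPO or from the registry, the Office 365 Container settings above can be staged on a master image or test machine with PowerShell. The script below is an added example (not from the article or from Microsoft); the value names are the ones Microsoft documents for the ODFC and Apps policy keys, so cross-check them against the fslogix.admx in the version you downloaded, and the share path and the multi-user flag are placeholders.

```powershell
# Added example, not from the article: registry equivalent of the Office 365
# Containers GPO settings described above. Value names follow Microsoft's
# FSLogix configuration reference; verify against your fslogix.admx.
$ContainerShare = '\\fileserver.corp.local\FSLogixOffice$'   # placeholder share
$IsMultiUser    = $true   # $true for RDSH VDAs, $false for single-user VDAs

$OdfcKey = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC'   # Office 365 Containers node
$AppsKey = 'HKLM:\SOFTWARE\FSLogix\Apps'            # FSLogix node (search roaming)

# RoamSearch: 0 = disabled, 1 = single-user search, 2 = multi-user search.
$RoamSearch = if ($IsMultiUser) { 2 } else { 1 }

$OdfcSettings = [ordered]@{
    Enabled                      = @{ Type = 'DWord';  Value = 1 }
    VHDLocations                 = @{ Type = 'String'; Value = $ContainerShare }
    VolumeType                   = @{ Type = 'String'; Value = 'VHDX' }
    SizeInMBs                    = @{ Type = 'DWord';  Value = 30000 }  # hard to change later
    FlipFlopProfileDirectoryName = @{ Type = 'DWord';  Value = 1 }      # Swap directory name components
    IncludeOutlook               = @{ Type = 'DWord';  Value = 1 }
    IncludeOneDrive              = @{ Type = 'DWord';  Value = 1 }
    IncludeOneNote               = @{ Type = 'DWord';  Value = 1 }
    IncludeSharepoint            = @{ Type = 'DWord';  Value = 1 }
    IncludeSkype                 = @{ Type = 'DWord';  Value = 1 }
    IncludeTeams                 = @{ Type = 'DWord';  Value = 1 }
    RoamSearch                   = @{ Type = 'DWord';  Value = $RoamSearch }  # Store search database in container
}

# Creates the key if needed and writes each value with the given type.
function Set-RegistryValues ([string]$Key, [System.Collections.IDictionary]$Settings) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        New-ItemProperty -Path $Key -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

Set-RegistryValues -Key $OdfcKey -Settings $OdfcSettings
# Second search roaming switch, under the FSLogix node rather than Office 365 Containers.
Set-RegistryValues -Key $AppsKey -Settings @{ RoamSearch = @{ Type = 'DWord'; Value = $RoamSearch } }

# Windows Search must be Automatic and running for search roaming to work.
Set-Service -Name WSearch -StartupType Automatic
Start-Service -Name WSearch

# Read back the effective values as a quick sanity check.
function Get-OdfcConfig {
    $props = Get-ItemProperty -Path $OdfcKey
    [pscustomobject]@{
        Enabled        = $props.Enabled
        Location       = $props.VHDLocations
        VolumeType     = $props.VolumeType
        SizeInMBs      = $props.SizeInMBs
        RoamSearch     = $props.RoamSearch
        AppsRoamSearch = (Get-ItemProperty -Path $AppsKey).RoamSearch
        SearchService  = (Get-Service -Name WSearch).Status
    }
}
Get-OdfcConfig
```

Keep the multi-user and single-user variants in separate GPOs (or separate images), as the article notes, since RoamSearch must differ between RDSH and virtual desktop VDAs; and because the GPO overwrites these registry values at refresh, a test machine configured this way should be moved into the VDA OU only once the GPO carries the same settings.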

Other FSLogix Configurations and Links

Full Profile Container (not just Office):

OneDrive ADMX Template

Microsoft is previewing a per-machine installation of the OneDrive sync client. The per-machine install is strongly recommended over the normal per-user install of OneDrive.

To enable Files-on-demand, you’ll need the OneDrive ADMX Template.

  1. Go to a Windows 10 1709 or newer machine that has OneDrive installed.
  2. Go to %localappdata%\Microsoft\OneDrive. Double-click the latest version. Then open the adm folder.
  3. Right-click the OneDrive.admx file and copy it.
  4. If your domain has PolicyDefinitions in SYSVOL (\\corp.local\sysvol\corp.local\Policies\PolicyDefinitions), paste the .admx file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the .admx file.
  5. Go back to the OneDrive files and copy OneDrive.adml.
  6. If your domain has a PolicyDefinitions central store in SYSVOL, paste the .adml file to the en-us folder in PolicyDefinitions in SYSVOL. en-US is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the .adml file. en-US is a subfolder of the PolicyDefinitions folder.
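The Windows 1909 templates, the FSLogix templates and the OneDrive templates above all follow the same copy procedure: .admx files into PolicyDefinitions, .adml files into the language subfolder, SYSVOL central store if one exists, otherwise C:\Windows\PolicyDefinitions. The script below is an added example (not from the article) that does all three in one place. It assumes the domain name corp.local from the article, the 1909 MSI install path from step 9, a placeholder path for the extracted FSLogix .zip, and the OneDrive adm folder under %localappdata%; it also handles templates such as fslogix.adml and OneDrive.adml that ship their .adml beside the .admx rather than in a language folder.

```powershell
# Added example, not from the article: copies ADMX/ADML templates into the
# domain central store when it exists, otherwise into the local folder.
$Domain    = 'corp.local'                                   # placeholder domain
$Languages = @('en-US')                                     # language folders to copy
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$LocalStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'

# Prefer the SYSVOL central store; optionally create it when missing.
function Get-PolicyDefinitionsStore {
    param([switch]$CreateCentralStore)
    if (Test-Path $CentralStore) { return $CentralStore }
    if ($CreateCentralStore) {
        New-Item -ItemType Directory -Path $CentralStore | Out-Null
        return $CentralStore
    }
    return $LocalStore
}

# Copies every .admx in $Source plus the .adml files for each language into
# $Store, overwriting older copies. Returns the list of files copied.
function Copy-AdmxTemplates {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Store,
        [string[]]$Langs = $Languages
    )
    $copied = @()
    foreach ($admx in Get-ChildItem -Path $Source -Filter *.admx -File) {
        Copy-Item -Path $admx.FullName -Destination $Store -Force
        $copied += $admx.Name
    }
    foreach ($lang in $Langs) {
        $dstLang = Join-Path $Store $lang
        if (-not (Test-Path $dstLang)) { New-Item -ItemType Directory -Path $dstLang | Out-Null }
        $srcLang = Join-Path $Source $lang
        # Templates like fslogix.adml and OneDrive.adml sit beside the .admx
        # instead of in a language folder; treat those as the first language.
        if (-not (Test-Path $srcLang) -and $lang -eq $Langs[0]) { $srcLang = $Source }
        if (-not (Test-Path $srcLang)) { continue }
        foreach ($adml in Get-ChildItem -Path $srcLang -Filter *.adml -File) {
            Copy-Item -Path $adml.FullName -Destination $dstLang -Force
            $copied += "$lang\$($adml.Name)"
        }
    }
    return $copied
}

$Store = Get-PolicyDefinitionsStore

# Windows 10 1909 templates (install location from the MSI).
Copy-AdmxTemplates -Store $Store -Source `
    'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions'

# FSLogix templates: placeholder path to the extracted FSLogix .zip.
Copy-AdmxTemplates -Store $Store -Source 'C:\Temp\FSLogix'

# OneDrive templates: newest version folder under %localappdata%\Microsoft\OneDrive.
$OneDriveRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$Latest = Get-ChildItem -Path $OneDriveRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
    Sort-Object { [version]$_.Name } -Descending | Select-Object -First 1
if ($Latest) { Copy-AdmxTemplates -Store $Store -Source (Join-Path $Latest.FullName 'adm') }
```

Run it from a machine that has write access to SYSVOL; if Group Policy Management Console was already open, close and reopen it so it reads the new templates.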

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Idle Time to Lock Session

  • Security Options – Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
    • Interactive logon: Machine inactivity limit – Windows 8/2012 and newer – published desktops only – seconds of idle time before session locks

Control Panel

Network

OneDrive Files-on-demand

For Windows 10 1709 and newer. Make sure the OneDrive .admx file is installed first.

  • OneDrive – Computer Configuration | Policies | Administrative Templates | OneDrive
    • Enable OneDrive Files On-Demand = enabled

Verbose Messages

  • System – Computer Configuration | Policies | Administrative Templates | System
    • Display highly detailed status messages = enabled. Windows 10. Shows what’s happening during logon.

Group Policy Settings

  • Group Policy – Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

Note the User Group Policy loopback processing mode changes in Windows Server 2008 R2: make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

Logon Settings

To get rid of the Windows 10 “we’re happy you’re here” message:

  • Logon – Computer Configuration | Policies | Administrative Templates | System | Logon
    • Show first sign-in animation = disabled

DelayedDesktopSwitchTimeout. Create a Group Policy Preferences Registry Item (Computer Configuration | Preferences | Windows Settings | Registry) to set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout (REG_DWORD) = 2. On Windows 10, this might cause the desktop to appear sooner. (Source = VMware Communities)

Sven Huisman Windows 10 in non-persistent VDI – Login speed – part 1 has some additional group policy settings to speed up Windows 10 logon. Scroll down to the Group Policy section.

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Hard Disk Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Sleep Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Video and Display Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Remote Assistance – Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance

User Profiles Settings

  • User Profiles – Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled
    • Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds

Cloud Content

  • Cloud Content – Computer Configuration | Policies | Administrative Templates | Windows Components | Cloud Content (Windows 10 1511 and newer)

File Explorer Settings

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 – Windows 8 and newer

  • File Explorer – Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Application – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • System – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Folder – Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs
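For a Provisioning target with a persistent cache disk, the relocation above is worth testing on the master image before the GPO and GPP items are built. The script below is an added example (not from the article): it creates D:\EventLogs with inheritance disabled and an ACL limited to SYSTEM, local Administrators and the Event Log service, writes the same registry values the three "Control the location of the log file" policies write, and reads back the configured path for each channel. The drive letter is the article's D:; everything else is standard Windows.

```powershell
# Added example, not from the article: stage relocated event logs on the
# persistent cache disk and verify the configured paths.
$LogRoot    = 'D:\EventLogs'
$Channels   = @('Application', 'Security', 'System')
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'

# Create the folder with a tight ACL: no inheritance from D:\, SYSTEM and
# Administrators full control, the Event Log service SID allowed to write.
# Keeping the Security log readable only by admins preserves its evidential
# value after the target device reboots.
function New-EventLogFolder ([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT SERVICE\EventLog';    Rights = 'Modify' }
    )
    foreach ($r in $rules) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $r.Id, $r.Rights, $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Registry equivalent of "Control the location of the log file = enabled":
# HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\<Channel>\File (REG_EXPAND_SZ).
function Set-EventLogLocation ([string]$Channel, [string]$Folder) {
    $key = Join-Path $PolicyRoot $Channel
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'File' -PropertyType ExpandString `
        -Value (Join-Path $Folder "$Channel.evtx") -Force | Out-Null
}

New-EventLogFolder -Path $LogRoot
foreach ($c in $Channels) { Set-EventLogLocation -Channel $c -Folder $LogRoot }

# Verify: after a Group Policy refresh or a reboot, each channel's configured
# log path should point at the cache disk.
function Get-EventLogLocations {
    foreach ($c in $Channels) {
        $cfg = Get-WinEvent -ListLog $c
        [pscustomobject]@{
            Channel  = $c
            Path     = $cfg.LogFilePath
            Expected = (Join-Path $LogRoot "$c.evtx")
            Match    = ($cfg.LogFilePath -eq (Join-Path $LogRoot "$c.evtx"))
        }
    }
}
Get-EventLogLocations
```

Two caveats for Provisioning targets: the cache disk must be formatted and assigned its drive letter before the Event Log service starts, otherwise the service falls back to the default location for that boot, and the GPP Folder item in the list above must run before the Event Log policies take effect, which is why the folder is created in the master image here as well.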

Microsoft Account – Windows 10 (1703 and newer)

  • Microsoft account – Computer Configuration | Policies | Administrative Templates | Windows Components | Microsoft account
    • Block all consumer Microsoft account user authentication = Enabled

OneDrive Settings – Windows 10

  • OneDrive – Computer Configuration | Policies | Administrative Templates | Windows Components |¬†OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Remote Desktop Services Settings

  • Connections – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Device and Resource Redirection – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Licensing – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
  • Remote Session Environment – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Remote Session Environment
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Session Time Limits – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar

Search Settings – Windows 8.1 / 2012 R2, Windows 10

  • Search – Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Don’t search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings – Windows 8.1 / 2012 R2, Windows 10

Windows Update Settings

  • Windows Update – Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled
  • Windows Update for Business – Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update | Windows Update for Business
    • Select when Preview Builds and Feature Updates are received = Enabled, Semi-Annual Channel, 365 day deferral

Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.

James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana, disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines.

Or run the command gpupdate /force. Or wait 90 minutes.

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.

  1. See the instructions at https://www.carlstalhood.com/receiver-for-windows/#admx to copy the receiver.admx file to PolicyDefinitions.
  2. Edit the Citrix Computer Settings GPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
  4. Enable the setting.
  5. Check the top two boxes and click OK.

Next Steps

Group Policy Objects – VDA User Settings

Catalogs, Delivery Groups, Zones

Last Modified: Sep 22, 2019 @ 9:43 am

Persistent vs Non-persistent

VDA design – One of the tasks of a Citrix Architect is VDA design. There are many considerations, including the following:

  • Machine type – single user (virtual desktop), or multi-user (Remote Desktop Session Host). RDSH is more hardware efficient.
  • Machine operating system – Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016
  • Machine persistence – persistent, non-persistent
  • Number of new machines – concurrent vs named-users
  • Machine provisioning – full clones, Machine Creation Services (MCS), Citrix Provisioning
  • Hardware for the new machines – hypervisor clusters, storage
  • How the machines are updated – SCCM, MCS, Citrix Provisioning etc.
  • Application integration – locally installed, App-V, Layering, Virtual Apps or XenApp published, leave on local endpoint machine, cloud apps, etc.
  • User Profiles – roaming, mandatory, home directories
  • Group Policies – session lockdown, automation
  • Disaster Recovery – replication. VDAs running in a warm site. DR for profiles and home directories too.

Desktop Management in a Citrix environment – Some environments try to use Citrix to improve desktop management. Here are some desktop management aspects of Citrix that aren’t possible with distributed physical desktops:

  • Datacenter network speeds – The VDAs have high speed connectivity to the desktop management tools, which eliminates WAN bandwidth as a desktop management consideration. For example, you can use Microsoft App-V to stream apps to VDAs. And SCCM deployments have much greater success rates than PCs that are frequently offline.
  • Non-persistence – Non-persistent VDAs revert at every reboot. To update non-persistent VDAs, simply update your master image, and push it out.
  • Layering – The VDA VMs can be composed of multiple layers that are combined during machine boot, or when the user logs in. Citrix App Layering is an example of this technology. A single layer can be shared by multiple VDAs. The layers are updated once, and all machines using the layer receive the updated layer at next boot/login.
  • See the Reddit thread Citrix at scale.

Non-persistent VDAs – Probably the easiest of these desktop-management technologies is non-persistence. That’s because you install your applications once into a master image, and you can easily create a pool of identical machines based on that master image. Whenever an update is needed, you install the update once into your master image and push it out.

However, there are several drawbacks to non-persistence:

  • Multiple Master Images – it’s extremely rare for there to only be one master image. You’ll probably have a number of master images, each with different application sets. The more master images you have, the more effort is required to maintain them.
    • Same apps in multiple images – Some apps are common to multiple images. For example, Office and Adobe Reader. How do you update these common apps identically on multiple master images?
    • Multi-datacenter – how do you perform the same master image updates in multiple datacenters? Replicate the master images? Perform the same change multiple times?
    • Automation – You’ll need new automation for managing the multiple master images and updating Catalogs. Automation complicates the simple management you were hoping to achieve.
  • Master Images must be designed – Which apps go on which master image? Do you install the same app on multiple master images?
    • How do you know which apps a user needs? – Most Citrix admins, and even desktop teams, don’t know every app that a user needs. You can use tools like Liquidware Labs or Lakeside Software to discover app usage, but it’s a very complicated process to find commonality across multiple users.
    • How are One-off apps handled? – If you have an app used by only a small number of users, do you add it to one of your master images? Do you create a new master image? Do you publish it from Virtual Apps or XenApp (double hop)? Do you stream it using App-V? Layering is another option.
    • Application Licensing – for licensed apps, do you install the licensed app into the master image and try to hide it from non-licensed users? Or do you create a new master image for the licensed users?
    • Patching multiple images – when a new OS patch needs to be deployed, you have to update every master image running that OS version. Thus Citrix admins usually try to limit the number of master images, which makes image design more complicated.
    • How do you manage an app that is installed on multiple master images? – Layering might help with this.
  • Who manages the master images? – Citrix admins? Desktop team? It’s unlikely that traditional desktop management will ever be completely removed from an enterprise environment, which means that master image management is an additional task that was not performed before. Does the Citrix admin team have the staff to take on this responsibility? Would the desktop management team be willing to perform this new process?
    • Politically feasible? – Large enterprises usually have mature desktop management practices. Would this new process interfere with existing desktop management requirements?
    • Responsibility – if the Citrix admins are not maintaining the master images, and if a Catalog update causes user problems, who is responsible?
    • Compliance – template machines usually go through a security and licensing compliance process. If the Citrix team is managing the master images, who checks them for compliance?
    • RDSH Apps are complicated – who is responsible for integrating apps into Remote Desktop Session Host (Virtual Apps or XenApp)? Does the desktop team have the skills to perform the additional RDSH testing?
  • Change Control – Longer Deployment Times – Any change to a master image would affect every machine/user using that image, thus dev/QA testing is recommended for every change, which slows down app update deployment. And once a change is made to the master, it doesn’t take effect until the user’s VDA is rebooted.
  • Roaming Profiles – some apps (e.g. Office) save user settings in user profiles. Since the machines are non-persistent, the profiles would be lost on every reboot unless roaming profiles are implemented. This adds a dependency on roaming profile configuration, and the roaming profile file share.
    • How is the Outlook OST file handled? – With Cloud Hosted Exchange, for best performance, Outlook needs to run in Cached Exchange mode, which creates a large OST file in the user’s profile.
      • OST files are large (multiple gigabytes). One option is to use group policy to minimize the size of the OST file.
      • How is the large OST file roamed? If you leave the OST in the default location, then the OST is copied back and forth every time the user logs on and logs off. You usually want to put the OST file on a file share, or in a mounted VHDX file that is stored on a file share.
      • Search indexes are rebuilt every time the user starts a new session. This takes time and hurts performance.
      • Citrix Profile Management 7.18 has an Outlook OST and Search roaming capability.
      • Another option is to purchase a 3rd party OST handling product like FSLogix.
  • IT Applications (e.g. antivirus) on non-persistent machines – Many IT apps (antivirus, asset mgmt, security, etc.) have special instructions to work on non-persistent machines. Search the vendor’s knowledgebase for “VDI”, “non-persistent”, “Citrix”, etc.
    • Antivirus in particular has a huge impact on VDA performance. The special antivirus instructions for non-persistent VDAs are in addition to normal antivirus configuration.
  • Local Host Cache does not easily support non-persistent virtual desktops – if the Citrix Virtual Apps and Desktops (CVAD) SQL database is down, and if users need to connect to non-persistent random desktops, then Local Host Cache won’t help you. It’s not possible to connect to non-persistent virtual desktops until the Citrix Virtual Apps and Desktops (CVAD) SQL database connection is recovered.

Application Integration Technologies – Additional technologies can be used to overcome some of the drawbacks of non-persistent machines:

  • Microsoft App-V – this technology can dynamically stream apps to a non-persistent image. Different users get different apps. And the apps run in isolated bubbles. However:
    • App-V is an additional infrastructure that must be built and maintained.
    • App-V requires additional skills for the people packaging the apps, and the people troubleshooting the apps.
    • Since the apps are isolated, app interaction is configured manually.
    • Because of application isolation, not every app can run in App-V. Maybe 60-80% of apps might work. How do you handle apps that don’t work?
  • Layering – each application is a different layer (VHD file). The layering tool combines multiple layers into a single unified image. Layers are updated in one place, and all images using the layer are updated, which solves the issue of a single app in multiple images. Layering does not use application isolation, so almost 100% of apps should work with layering. Layers can be mounted dynamically based on who’s logging in. There’s also a persistent user layer that lets users install apps, or admins can install one-off apps. Citrix has an App Layering feature. Notes:
    • Citrix App Layering is a separate infrastructure that must be built and maintained.
    • Somebody has to create the layers. This is an additional task on top of normal desktop management packaging duties.
    • It takes time to update a layer and publish it to multiple images.
      • Citrix App Layering captures the OS Layer. So OS patches are handled by Citrix App Layering. It takes time to push an OS security update to every image based on the same OS Layer.
      • Other Layering products don’t capture the OS Layer. As a result, they can’t achieve 100% app compatibility like Citrix App Layering can.
    • With Layers, it’s very easy to remove a layer from an image. There’s no need to completely rebuild an image because one app is corrupted.
    • Citrix’s App Layering does not have a supported API, so you can’t automate it.

Persistent virtual desktops – Another method of building VDAs is by creating full clone virtual desktops that are persistent. Each virtual desktop is managed separately using traditional desktop management tools. If your storage is an All Flash Array with inline deduplication and compression, then full-clone, persistent virtual desktops probably take no more disk space than non-persistent linked clones. Here are some advantages of full-clone, persistent virtual desktops as opposed to non-persistent VDAs:

  • Skills and Processes – No new skills to learn. No new desktop management processes. Use existing desktop management tools (e.g. SCCM). The existing desktop management team can manage the persistent virtual desktops, which reduces the workload of the Citrix admins. Just treat the persistent virtual desktops as if they were more PCs.
    • The persistent virtual desktops are usually powered on and in the datacenter, thus improving the success rate of package deployment.
    • However, pushing a package to many desktops at once can result in a “patch storm”, which reduces performance while the patches are being installed.
  • One-off applications – If a user needs a one-off application, simply install it on the user’s persistent desktop. The application can be user-installed, SCCM self-service installed, or administrator installed.
  • User Profile – Outlook’s OST file is no longer a concern since the user’s profile persists on the user’s virtual desktop. It’s not necessary to implement roaming profiles when using persistent virtual desktops. If you want a process to move a user profile from one persistent virtual desktop to another, how do you do it on physical desktops today?
  • API integration – a self-service portal can use VMware PowerCLI and Citrix’s PowerShell SDK to automatically create a new persistent virtual desktop for a user. Chargeback can also be implemented.
  • Offline Citrix Virtual Apps and Desktops (CVAD) SQL Database – if the Citrix Virtual Apps and Desktops (CVAD) SQL database is not reachable, then Citrix Local Host Cache can still broker sessions to persistent virtual desktops that have already been assigned to users. This is not possible with non-persistent virtual desktops.

Concurrent vs Named User – one advantage of non-persistent virtual desktops is that you only need enough virtual desktops to handle the concurrent user load. With persistent virtual desktops, you need a separate machine for each named user, whether that user is using it or not.

Disaster Recovery – for non-persistent VDAs, one option is to replicate the master images to the DR site, and then create a Catalog of machines either before the disaster, or after. If before the disaster, the VDAs will already be running and ready for connections; however, the master images must be maintained separately in each datacenter.

Persistent virtual desktops have several disaster recovery options:

  • Immediately after the disaster, instruct the persistent users to connect to a pool of non-persistent machines.
  • In the DR site, create new persistent virtual desktops for the users. Users would then need to use SCCM or similar to reinstall their apps. Scripts can be used to backup the user’s profile and restore it on the DR desktops. This method is probably closest to how recovery is performed on physical desktops.
  • The persistent virtual desktops can be replicated and recovered in the DR site. When the machines are added to Citrix Studio in DR, each recovered machine needs to be assigned to specific users. This process is usually scripted, or automated using a tool like XenDesktop Farm Migration Utility.

Zones

Caveats – Zones let you stretch a single Citrix Virtual Apps and Desktops (CVAD) site/farm across multiple datacenters. However, note these caveats:

  • Studio – If all Delivery Controllers in the Primary Zone are down, then you can’t manage the farm/site. This is true even if SQL is up, and Delivery Controllers are available in Satellite Zones. It’s possible to designate an existing zone as the Primary Zone by running Set-ConfigSite -PrimaryZone <Zone>, where <Zone> can be name, UID, or a Zone object.
  • Version/Upgrade – All Delivery Controllers in the site/farm must be the same version. During an upgrade, you must upgrade every Delivery Controller in every zone.
  • Offline database – In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.11 and older, there is no offline database option similar to XenApp 6.5’s Local Host Cache. If the database is down, then Connection Leasing is used. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.12 and newer, there’s Local Host Cache. However, the LHC in 7.12 and newer has limitations: no non-persistent desktops (dirty desktops are an option in 7.14 and newer), maximum of 5,000 VDAs per zone (10,000 per zone, 40,000 per site, in 7.14 and newer), issues if a Controller is rebooted, etc. Review the Docs article for details.
  • Complexity – Zones do not reduce the number of servers that need to be built. And they increase complexity when configuring items in Citrix Studio.
  • Zone Preference – to choose a VDA in a particular zone, your load balancer needs to include a special HTTP header (X-Citrix-ZonePreference) that indicates the zone name. This requires StoreFront 3.7, and Citrix Virtual Apps and Desktops (CVAD) or XenApp/XenDesktop 7.11 and newer.

The alternative to zones is to build a separate site/farm in each datacenter, and use StoreFront to aggregate the published icons. Here are benefits of multiple sites/farms as compared to zones:

  • Isolation – Each datacenter is isolated. If one datacenter is down, it does not affect any other datacenter.
  • Versioning – Isolation lets you upgrade one datacenter before upgrading other datacenters. For example, you can test upgrades in a DR site before upgrading production.
  • SQL High Availability – since each datacenter is a separate farm/site with separate databases, there is no need to stretch SQL across datacenters.
  • Home Sites – StoreFront can prioritize different farms/sites for different user groups. No special HTTP header required.

Citrix Consulting recommends separate Citrix Virtual Apps and Desktops (CVAD) sites/farms in each datacenter instead of using zones. See Citrix Blog Post XenApp 7.15 LTSR – Now Target Platform for Epic Hyperspace!.

Here are some general design suggestions for Citrix Virtual Apps and Desktops (CVAD) in multiple datacenters:

  • For multiple central datacenters, build a separate Citrix Virtual Apps and Desktops (CVAD) site/farm in each datacenter. Use StoreFront to aggregate the icons from all farms. Use NetScaler GSLB to distribute users to StoreFront. This provides maximum flexibility with minimal dependencies across datacenters.
  • For branch office datacenters, zones with Local Host Cache (7.12 and newer) is an option. Or each branch office can be a separate farm.

Create Zones – This section details how to create zones and put resources in those zones. In 7.9 and older, there’s no way to select a zone when connecting. In 7.11 and newer, NetScaler and StoreFront can specify a zone and VDAs from that zone will be chosen. See Zone Preference for details.


There is no SQL in Satellite zones. Instead, Controllers in Satellite zones connect to SQL in Primary zone. Here are tested requirements for remote SQL connectivity. You can also set HKLM\Software\Citrix\DesktopServer\ThrottledRequestAddressMaxConcurrentTransactions to throttle launches at the Satellite zone.

From Mayunk Jain: “I guess we can summarize the guidance from this post as follows: the best practice guidance has been to recommend a datacenter for each continental area. A typical intra-continental latency is about 45ms. As these numbers show, in those conditions the system can handle 10,000 session launch requests in just under 20 minutes, at a concurrency rate of 36 requests.”

If a Satellite zone loses connectivity to SQL, then the Connection Leasing feature kicks in (7.11 and older; in 7.12 and newer Local Host Cache replaces it, with the limitations listed under Caveats above). See Citrix Docs Connection leasing and CTX205169 FAQ: Connection Leasing in XenApp/XenDesktop 7.6 for information on Connection Leasing limitations (e.g. no pooled virtual desktops, leases expire after 2 weeks, etc.).

The following items can be moved into a satellite zone:

  • Controllers – always leave two Controllers in the Primary zone. Add one or two Controllers to the Satellite zone.
  • Hosting Connections – e.g. for vCenter in the satellite zone.
  • Catalogs – any VDAs in satellite catalogs automatically register with Controllers in the same zone.
  • NetScaler Gateway – requires a StoreFront version that understands zones (StoreFront 3.7 and newer; see Zone Preference). StoreFront should be in the satellite zone.

Do the following to create a zone and move items into the zone:

  1. In Citrix Studio 7.7 or newer, expand the Configuration node, and click Zones.
  2. If you upgraded from an older XenApp/XenDesktop and don’t see zones, then run the following commands:
    cd 'C:\Program Files\Citrix\XenDesktopPoshSdk\Module\Citrix.XenDesktop.Admin.V1\Citrix.XenDesktop.Admin\StudioRoleConfig'
    Import-AdminRoleConfiguration -Path .\RoleConfigSigned.xml
  3. Right-click Zones, and click Create Zone.
  4. Give the zone a name. Note: Citrix supports a maximum of 10 zones.
  5. You can select objects for moving into the zone now, or just click Save.
  6. Select multiple objects, right-click them, and click Move Item.
  7. Select the new Satellite zone and click Yes.
  8. To assign users to the new zone, create a Delivery Group that contains machines from a Catalog that’s in the new zone. Zone Preference requires StoreFront 3.7 and Citrix Virtual Apps and Desktops (CVAD) or XenApp/XenDesktop 7.11 and newer.
  9. If your farm has multiple zones, when creating a hosting connection, you’ll be prompted to select a zone.
  10. If your farm has multiple zones, when creating a Manual catalog, you’ll be prompted to select a zone.
  11. MCS catalogs are put in a zone based on the zone assigned to the Hosting Connection.
  12. The Citrix Provisioning Citrix Virtual Desktops Setup Wizard ignores zones so you’ll have to move the Citrix Provisioning Machine Catalog manually.
  13. New Controllers are always added to the Primary zone. Move them manually.

Zone Preference

Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.11 and newer have Zone Preference, which means NetScaler ADC (11.0 build 65 and newer) and StoreFront (3.7 and newer) can request Delivery Controller to provide a VDA in a specific zone.

Citrix Blog Post Zone Preference Internals details three methods of zone preference: Application Zone, User Zone, and NetScaler Zone.


To configure zone preference:

  1. Create separate Catalogs in separate zones, and add the machines to a single Delivery Group.
  2. You can add users to one zone by right-clicking the zone, and clicking Add Users to Zone. If there are no available VDAs in that preferred zone, then VDAs are chosen from any other zone.
  3. Note: a user can only belong to one home zone.
  4. You can delete users from a zone, or move users to a different zone.
  5. If you edit the Delivery Group, on the Users page, you can specify that Sessions must launch in a user’s home zone. If there are no VDAs in the user’s home zone, then the launch fails.
  6. For published apps, on the Zone page, you can configure it to ignore the user’s home zone.
  7. You can also configure a published app with a preferred zone, and force it to only use VDAs in that zone. If you don’t check the box, and if no VDAs are available in the preferred zone, then VDAs can be selected from any other zone.
  8. Or you can Add Applications to Zone, which allows you to add multiple Applications at once.

  9. NetScaler can specify the desired zone by inserting the X-Citrix-ZonePreference header into the HTTP request to the StoreFront 3.7 server. This header can contain up to 3 zones. The first Zone in the header is the preferred Zone, and the next 2 are randomised such as EMEA,US,APAC or EMEA,APAC,US. StoreFront 3.7 will then forward the zone names to Delivery Controller 7.11, which will select a VDA in the desired zone. This functionality can be combined with GSLB as detailed in the 29 page document Global Server Load Balancing (GSLB) Powered Zone Preference. Note: only StoreFront 3.7 and newer will send the zone name to the Delivery Controller.
  10. Delivery Controller entries in StoreFront can be split into different entries for different zones. Create a separate Delivery Controller entry for each zone, and associate a zone name with each. StoreFront uses the X-Citrix-ZonePreference header to select the Delivery Controller entry so the XML request is sent to the Controllers in the same zone. HDX Optimal Gateways can also be associated to zoned Delivery Controller entries. See The difference between a farm and a zone when defining optimal gateway mappings for a store at Citrix Docs.
  11. Citrix Blog Post Zone Preference Internals indicates that there’s a preference order to zone selection. The preference order can be changed.
    1. Application’s Zone
    2. User’s Home Zone
    3. The Zone specified by NetScaler in the X-Citrix-ZonePreference HTTP header sent to StoreFront.

Machine Creation Services (MCS)

CTP Aaron Parker Machine Creation Services Capacity Sizing on Hyper-V details storage sizing for MCS on Hyper-V.

MCS – Full Clones

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.11 and newer, for dedicated (persistent) Desktop OS (aka Single session OS) Catalogs, MCS can create Full Clones instead of Linked Clones. Linked Clones can’t be moved, but Full Clones are regular virtual machines that can be moved without impacting MCS.

  • Full Clones are only an option for Desktop OS (aka Single session OS). They are not an option for Server OS (aka Multi-session OS).

In XenApp/XenDesktop 7.9 and earlier, persistent Linked Clones are created by selecting Yes, create a dedicated virtual machine in the Create Catalog wizard. Please, never do this in 7.9 or earlier, since you can’t move the machines once they’re created.

A much better option in 7.9 and earlier is to use vCenter to create Full Clones of a template Virtual Machine. Then when creating a Catalog, select Another service or technology (Manual Catalog) to add the VMs that have already been built.

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.11 and newer, you can use MCS to create Full Clones. Full Clones are a full copy of a template (master) virtual machine. The Full Clone can then be moved to a different datastore (including Storage vMotion), different cluster, or even different vCenter. You can’t do that with Linked Clones.

For Full Clones, simply prepare a Master Image like normal. There are no special requirements. There’s no need to create Customization Specifications in vCenter since Sysprep is not used. Instead, MCS uses its identity technology to change the identity of the Full Clone. That means every Full Clone has two disks: one for the actual VM, and one for identity (machine name, machine password, etc).

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.11 and newer, during the Create Catalog wizard, select Yes, create a dedicated virtual machine.

After you select the master image, there’s a new option for Use full copy for better data recovery and migration support. This is the option you want. The Use fast clone option is the older, not recommended, option.

During creation of a Full Clones Catalog, MCS still creates the master snapshot replica and ImagePrep machine, just like any other linked clone Catalog. The snapshot replica is then copied to create the Full Clones.

When you add machines to the MCS Full Clone Catalog, it uses the Master Image snapshot selected when you initially ran the Create Catalog Wizard. There is no function in Citrix Studio to change the Master Image. Instead, use the PowerShell commands detailed at CTX129205 How to Update Master Image for Dedicated and Pooled Machine Types using PowerShell SDK Console.

Since these are Full Clones, once they are created, you can do things like Storage vMotion.

During Disaster Recovery, restore the Full Clone virtual machine (both disks). You might have to remove any Custom Attributes on the machine, especially the XdConfig attribute.

Inside the virtual machines, you might have to change the ListOfDDCs registry value to point to your DR Delivery Controllers. One method is to use Group Policy Preferences Registry.

In the Create Catalog wizard, select Another Service or technology.

And use the Add VMs button to add the Full Clone machines. The remaining Catalog and Delivery Group steps are performed normally.

MCS – Machine Naming

Once a Catalog is created, you can run the following commands to specify the starting count:

Get-AcctIdentityPool
Set-AcctIdentityPool -IdentityPoolName "NAME" -StartCount VALUE

MCS – Storage Optimization Memory Caching (Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.9 and newer)

Memory caching (aka MCSIO, aka Storage Optimization) in MCS is very similar to Memory caching in Citrix Provisioning. All writes are cached to memory instead of written to disk. With memory caching, some benchmarks show 95% reduction in IOPS.

In CVAD 1903 and newer, MCS now uses the exact same Memory Caching driver as Citrix Provisioning. If you want to use the MCSIO feature, upgrade to CVAD 1903 or newer. Older versions of CVAD, including 7.15, have performance problems.

Here are some notes:

  • You configure a size for the memory cache. If the memory cache is full, it overflows to a cache disk.
  • Whatever memory is allocated to the MCS memory cache is no longer available for normal Windows operations, so make sure you increase the amount of memory assigned to each virtual machine.
  • The overflow disk (temporary data disk) can be stored on shared storage, or on storage local to each hypervisor host. Since memory caching dramatically reduces IOPS, there shouldn’t be any problem placing these overflow disks on shared storage. If you put the overflow disks on hypervisor local disks then you won’t be able to vMotion the machines.
  • In CVAD 1811 and older, the overflow disk is uninitialized and unformatted. Don’t touch it. Don’t format it.
  • In CVAD 1903 and newer, the overflow disk is formatted, and you can put logs (e.g. Event Logs) and other persistent files on it just like you do in Citrix Provisioning. See Andy McCullough MCSIO Reborn!

Memory caching requirements:

  • Citrix Virtual Apps and Desktops (CVAD) or XenApp/XenDesktop 7.9, VDA 7.9, and newer.
    • Recommended versions are CVAD 1903 and newer.
  • Random Catalogs only (no dedicated Catalogs)

When installing the VDA software, on the Features page, make sure you select the MCS IO option. VDA 1903 and newer are the recommended versions.

Studio needs to be configured to place the temporary overflow disks on a datastore. You can configure this datastore when creating a new Hosting Resource, or you can edit an existing Hosting Resource.

To create a new Hosting Resource:

  1. In Studio, go to Configuration > Hosting, and click the link to Add Connection and Resources.
  2. In the Storage Management page, select shared storage.
  3. You can optionally select Optimize temporary data on local storage, but this might prevent vMotion. The temporary data disk is only accessed if the memory cache is full, so placing the temporary disks on shared storage shouldn’t be a concern.
  4. Select a shared datastore for each type of disk.

Or you can edit an existing Hosting Resource:

  1. In Studio, go to Configuration > Hosting, right-click an existing resource, and click Edit Storage.
  2. On the Temporary Storage page, select a shared datastore for the temporary overflow disks.

Memory caching is enabled when creating a new Catalog. You can’t enable it on existing Catalogs. Also, no AppDisks.

  1. For virtual desktops, in the Desktop Experience page, select random.
  2. Master Image VDA must be 7.9 or newer.
  3. In the Virtual Machines page
    • CVAD 1903 and newer require you to specify a Disk cache size first. It needs to be large enough for memory write cache overflow, pagefile, and logs.
    • Then allocate some memory to the cache. For virtual desktops, 256 MB is typical. For RDSH, 4096 MB is typical. More memory = less IOPS.
  4. Whatever you enter for cache memory, also add it to the Total memory on each machine. Any memory allocated to the cache is no longer available for applications so you should increase the total memory to account for this.
  5. Once the machines are created, add them to a Delivery Group like normal.
  6. In CVAD 1903 and newer, the Write Cache Disk is formatted and has a drive letter, just like Citrix Provisioning.
  7. In CVAD 1811 and older, the temporary overflow disk is not initialized or formatted. From Martin Rowan at discussions.citrix.com: “Don’t format it, the raw disk is what MCS caching uses.”

MCS – Image Prep

From Citrix Discussions: When a Machine Creation Services catalog is created or updated, a snapshot of the master image is copied to each LUN. This Replica is then powered on and a few tasks are performed like KMS rearm and Personal vDisk enabling.


From Citrix Blog Post Machine Creation Service: Image Preparation Overview and Fault-Finding and CTX217456 Updating a Catalog Fails During Image Preparation: if you are creating a new Catalog, here are some PowerShell commands to control what Image Prep does: (run asnp citrix.* first). These commands do not affect existing Catalogs.

  • Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value EnableDHCP
  • Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OsRearm
  • Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OfficeRearm
  • Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value "OsRearm,OfficeRearm"
  • Set-ProvServiceConfigurationData -Name ImageManagementPrep_DoImagePreparation -Value $false

If you are troubleshooting an existing Catalog, here are some PowerShell commands to control what Image Prep does: (run asnp citrix.* first)

  • Get-ProvScheme – Make a note of the “ProvisioningSchemeUid” associated with the catalog.
  • Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value EnableDHCP
  • Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value OsRearm
  • Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps -Value OfficeRearm
  • Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_DoImagePreparation -Value $false

If multiple excluded steps, separate them by commas: -Value "OsRearm,OfficeRearm"

To remove the excluded steps, run Remove-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps or Remove-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_Excluded_Steps.


A common issue with Image Prep is Rearm. Instead of the commands shown above, you can set the following registry key on the master VDA to disable rearm. See Unable to create new catalog at Citrix Discussions.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
    • SkipRearm (DWORD) = 1

Mark DePalma at XA 7.6 Deployment Failure Error : Image Preparation Office Rearm Count Exceeded at Citrix Discussions had to increase the services timeout to fix the rearm issue:

  • HKLM\SYSTEM\CurrentControlSet\Control
    • ServicesPipeTimeout (DWORD) = 180000


From Mark Syms at Citrix Discussions: You can add one (or both) of the following MultiSZ registry values

  • HKLM\Software\Citrix\MachineIdentityServiceAgent\ImagePreparation\Before
  • HKLM\Software\Citrix\MachineIdentityServiceAgent\ImagePreparation\After

The values are expected to be an executable or script (PoSh or bat), returning 0 on success.
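The master-image side of the rearm and hook settings above, as an added example (it is not from the article, Citrix, or the cited forum posters). It is run elevated on the master image before the snapshot is taken: it writes SkipRearm, ServicesPipeTimeout and the Before hook value, drops a hook script that honours the "return 0 on success" contract, and locks down the hook directory. The hook path C:\ImagePrep, the script's content (it only logs a line) and the ACL are my assumptions; the registry locations are the ones quoted above and in CTX140734 below.

```powershell
# Added example (not the article's or Citrix's code). Run elevated on the master image.
# Assumed by me: the hook directory, what the hook does, and the ACL applied to it.
$hookDir = 'C:\ImagePrep'
New-Item -Path $hookDir -ItemType Directory -Force | Out-Null

# Hook scripts run inside the throw-away image-prep VM, which has no network,
# so keep them self-contained. A non-zero exit code fails image preparation.
@'
$log = 'C:\ImagePrep\hook.log'
"$(Get-Date -Format o) Before-hook ran on $env:COMPUTERNAME" | Add-Content $log
exit 0
'@ | Set-Content -Path (Join-Path $hookDir 'Before.ps1') -Encoding ASCII

# The hook is executed by a service on the prep VM, not by the logged-on user, so a
# hook directory writable by ordinary users would let them run code during every
# catalog update. Remove inherited ACEs and grant write only to SYSTEM and Administrators.
icacls $hookDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null

$mis = 'HKLM:\SOFTWARE\Citrix\MachineIdentityServiceAgent'
New-Item -Path "$mis\ImagePreparation" -Force | Out-Null

# Before/After are MultiSZ values: one executable or script path per element.
Set-ItemProperty -Path "$mis\ImagePreparation" -Name Before -Type MultiString -Value @("$hookDir\Before.ps1")

# Verbose image-prep logging to C:\image-prep.log (step 3 of the CTX140734 procedure).
Set-ItemProperty -Path $mis -Name LOGGING -Type DWord -Value 1

# Disable the rearm that image prep performs (Citrix Discussions workaround quoted above).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name SkipRearm -Type DWord -Value 1

# Give slow services longer to start before image prep times out (Mark DePalma's fix).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name ServicesPipeTimeout -Type DWord -Value 180000

# Read everything back so the snapshot you take is the one you think it is.
Get-ItemProperty -Path "$mis\ImagePreparation" | Select-Object Before, After
Get-ItemProperty -Path $mis -Name LOGGING
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name SkipRearm
```

Set LOGGING back to 0 (or delete the value) and clear the Before/After values on the master before taking the production snapshot; anything left in them runs on every future catalog creation and update.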


Citrix CTX140734 Error: “Preparation of the Master VM Image failed” when Creating MCS Catalog in XenApp or XenDesktop: To troubleshoot image prep failures, do the following:

  1. In PowerShell on a Controller, for a new Catalog, run:
    asnp citrix.*
    
    Set-ProvServiceConfigurationData -Name ImageManagementPrep_NoAutoShutdown -Value $True
    
  2. For an existing Catalog, run the following:
    asnp citrix.*
    Get-ProvScheme
    Set-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_NoAutoShutdown -Value $True
  3. On the master image, set the DWORD registry value HKLM\Software\Citrix\MachineIdentityServiceAgent\LOGGING to 1
  4. If you now attempt catalog creation, an extra VM will be started; log into this VM (via the hypervisor console, it has no network access) and see if anything is obviously wrong (e.g. it’s bluescreened or something like that!). If it hasn’t, there should be two log files called “image-prep.log” and “PvsVmAgentLog.txt” created in c:\ – scan these for any errors.
  5. When you’ve finished doing all this debugging, remember to run one of the following:
    Remove-ProvServiceConfigurationData -Name ImageManagementPrep_NoAutoShutdown
    Remove-ProvSchemeMetadata -ProvisioningSchemeUid xxxxxxx -Name ImageManagementPrep_NoAutoShutdown
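The Controller-side settings from the two lists above (excluded Image Prep steps for new and existing Catalogs) and the NoAutoShutdown debugging toggle from CTX140734 all use the same pair of cmdlets, so here they are wrapped in one function as an added example (not the article's or Citrix's code). Run it on a Delivery Controller. The catalog name "Win10-Pooled" is my assumption; the setting names and cmdlets are the ones quoted above, and the MetadataMap property of a ProvScheme object is used to read a per-Catalog value back.

```powershell
# Added example (not from the article or Citrix). Site-wide settings only affect
# Catalogs created afterwards; per-Catalog settings go into the scheme metadata.
asnp Citrix.*

function Set-ImagePrepSetting {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. ImageManagementPrep_Excluded_Steps
        [Parameter(Mandatory)]$Value,          # e.g. 'OsRearm,OfficeRearm' or $false
        [string]$CatalogName                   # omit for the site-wide (new Catalog) setting
    )
    if ($CatalogName) {
        $scheme = Get-ProvScheme -ProvisioningSchemeName $CatalogName -ErrorAction Stop
        Set-ProvSchemeMetadata -ProvisioningSchemeUid $scheme.ProvisioningSchemeUid -Name $Name -Value $Value
        # Read it back from the scheme's metadata map to confirm what was stored
        return (Get-ProvScheme -ProvisioningSchemeUid $scheme.ProvisioningSchemeUid).MetadataMap[$Name]
    }
    Set-ProvServiceConfigurationData -Name $Name -Value $Value
    return (Get-ProvServiceConfigurationData | Where-Object Name -eq $Name).Value
}

function Remove-ImagePrepSetting {
    param([Parameter(Mandatory)][string]$Name, [string]$CatalogName)
    if ($CatalogName) {
        $scheme = Get-ProvScheme -ProvisioningSchemeName $CatalogName -ErrorAction Stop
        Remove-ProvSchemeMetadata -ProvisioningSchemeUid $scheme.ProvisioningSchemeUid -Name $Name
    } else {
        Remove-ProvServiceConfigurationData -Name $Name
    }
}

# Skip both rearm steps for every Catalog created from now on
Set-ImagePrepSetting -Name ImageManagementPrep_Excluded_Steps -Value 'OsRearm,OfficeRearm'

# Keep the prep VM running for one existing Catalog while you read its logs (CTX140734)
Set-ImagePrepSetting -Name ImageManagementPrep_NoAutoShutdown -Value $true -CatalogName 'Win10-Pooled'

# When debugging is finished, remove the toggle so prep VMs are shut down again
Remove-ImagePrepSetting -Name ImageManagementPrep_NoAutoShutdown -CatalogName 'Win10-Pooled'

# Audit: list every site-wide ImageManagementPrep_* override still in force
Get-ProvServiceConfigurationData | Where-Object Name -like 'ImageManagementPrep_*'
```

The site-wide values are easy to forget: a DoImagePreparation = False or an excluded OsRearm left behind after a one-off troubleshooting session silently applies to every Catalog built later, so end each session with the audit line above.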

MCS – Base Disk Deletion

Citrix CTX223133 How to change the disk deletion interval to delete unused base disks on the VM storage. Every 6 hours, Citrix Virtual Apps and Desktops (CVAD) runs a task to delete unused base disks.

The Disk Reaper interval is configured using PowerShell. The default values are shown below:

Set-ProvServiceConfigurationData -Name DiskReaper_retryInterval -Value 0:6:0 | Out-Null
Set-ProvServiceConfigurationData -Name DiskReaper_heartbeatInterval -Value 0:1:0 | Out-Null

If the unused base disks are not deleting, then see MCS РDeleting basedisk from VM Storage at Citrix Discussions for troubleshooting steps.

MCS – Static (Dedicated) Catalog Master Image

If you create a Machine Catalog of Dedicated Machines (aka Static Catalog), then it’s not possible to update the Master Image using Citrix Studio.

You might want to change the Master Image so that machines added to this Static Catalog are cloned from a new Master Image instead of the Master Image that was originally selected when the Catalog was created.

Official instructions are at CTX129205 How to Update Master Image for Dedicated and Pooled Machine Types using PowerShell SDK Console.

If vSphere, Chaitanya at Machine Catalog Update Tool at knowcitrix.com created a GUI for these Citrix and vSphere PowerShell commands.

Controller – Name Caching

George Spiers in Active Directory user computer name caching in XenDesktop explains how the Broker Service in Delivery Controller caches Active Directory user and computer names. The cache can be updated by running Update-BrokerNameCache -Machines or Update-BrokerNameCache -Users. Also see Update-BrokerNameCache at Citrix SDK documentation.

Delivery Group License Type (7.14 and newer)

Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.14 and newer supports multiple license types (e.g. XenApp Concurrent and XenDesktop User/Device) within a Single farm/site. However, a farm/site only supports a single Edition (i.e. Enterprise or Platinum, but not both). The license model and product are configured at the Delivery Group. See CTX223926, and Multi-type licensing at Citrix Docs.

To configure license model and product, run the following PowerShell commands (run asnp citrix.* first):

Set-BrokerDesktopGroup -Name "DeliveryGroupName" -LicenseModel LicenseModel
Set-BrokerDesktopGroup -Name "DeliveryGroupName" -ProductCode ProductCode

LicenseModel can be UserDevice, or Concurrent. ProductCode can be XDT (Citrix Virtual Apps and Desktops [CVAD] or XenDesktop) or MPS (Citrix Virtual Apps [CVA] or XenApp).

Delivery Groups in 7.8 and newer

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.8 and newer, when creating a Delivery Group, there are new options for publishing applications and publishing desktops.

On the Applications page of the Create Delivery Group wizard, From start menu reads icons from a machine in the Delivery Group and lets you select them. Manually lets you enter file path and other details manually. These are the same as in prior releases.

Existing is the new option. This lets you easily publish applications across multiple Delivery Groups.

You can also go to the Applications node, edit an existing application, change to the Groups tab, and publish the existing app across additional Delivery Groups.

Once multiple Delivery Groups are selected, you can prioritize them by clicking the Edit Priority button.

On the Desktops page of the Create Delivery Group wizard, you can now publish multiple desktops from a single Delivery Group. Each desktop can be named differently. And you can restrict access to the published desktop.

There doesn’t seem to be any way to publish a Desktop across multiple Delivery Groups.

To publish apps and desktops across a subset of machines in a Delivery Group, see Tags.

Maximum Desktop Instances in Site/Farm

Citrix Virtual Apps and Desktops (CVAD) 1808 and newer lets you restrict the maximum instances of a published desktop in the Site. This feature is configured using PowerShell.

asnp citrix.*
Get-BrokerEntitlementPolicyRule | Select-Object Name,PublishedName
Set-BrokerEntitlementPolicyRule -Name RDSH16_1 -MaxPerEntitlementInstances 1

If too many instances are launched, the user sees Cannot start desktop in StoreFront.

And StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services shows session-limit-reached.

To revert to unlimited instances of the published desktop, set MaxPerEntitlementInstances to 0.

Tags (Citrix Virtual Apps and Desktops [CVAD] and XenApp/XenDesktop 7.12 and newer)

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.12 and newer, you can assign tags to machines. Then you can publish apps and/or desktops to only those machines that have the tag. This means you can publish icons from a subset of the machines in the Delivery Group, just like you could in XenApp 6.5.

Tags also allow different machines to have different restart schedules.

  1. In Citrix Studio, find the machines you want to tag (e.g. double-click a Delivery Group). You can right-click one machine, or select multiple machines and right-click them. Then click Manage Tags.
  2. Click Create.
  3. Give the tag a name, and click OK. This tag could be assigned to multiple machines.
  4. After the tag is created, check the box next to the tag to assign it to these machines. Then click Save.
  5. Edit a Delivery Group that has published desktops. On the Desktops page, edit one of the desktops.
  6. You can use the Restrict launches to machines with tag checkbox and drop-down to filter the machines the desktop launches from. This allows you to create a new published desktop for every machine in the Delivery Group. In that case, each machine would have a different tag. Create a separate published desktop for each machine, and select one of the tags.
  7. A common request is to create a published desktop for each Citrix Virtual Apps (CVA) server. See Citrix Blog Post How to Assign Desktops to Specific Servers in XenApp 7 for a script that can automate this configuration.
  8. When you create an Application Group, on the¬†Delivery Groups page, there’s an optional checkbox to¬†Restrict launches to machines with tag. Any apps in this app group only launch on machines that have the selected tag assigned. This lets you have common apps across all machines in the Delivery Group, plus one-off apps that might be on only a small number of machines in the Delivery Group. In that case, you’ll have one app group with no tag restrictions for the common apps. And a different app group with tag restriction for the one-off apps.

RDSH Scheduled Restart

If you create a Scheduled Restart inside Citrix Studio, it applies to every machine in the Delivery Group. Alternatively, you can use the 7.12 tags feature to allow different machines to have different restart schedules.

  1. Once an RDSH Delivery Group is created, you can right-click it, and click Edit Delivery Group.
  2. On the User Settings page, make sure the Time zone is configured correctly. Scheduled restarts use this time zone. (Source = CTX234892 Scheduled Restart Happen At Incorrect Time For A Specific Delivery Group)
  3. In Citrix Virtual Apps and Desktops (CVAD) 1811 and newer, you can create multiple Restart Schedules from the GUI. First, tag your machines. Then create a restart schedule for each tag.

  4. The Restart Schedule page lets you schedule a restart of the session hosts.
  5. Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.7 and newer lets you send multiple notifications.
  6. Restart after database outage – If a site database outage occurs before a scheduled restart begins for machines (VDAs) in a Delivery Group, the restarts begin when the outage ends. This can have unintended results. To help avoid this situation, you can use the MaxDelayMins parameter for the New-BrokerRebootScheduleV2 and Set-BrokerRebootScheduleV2 cmdlets in CVAD 1909 and newer. See Scheduled restarts delayed due to database outage at Citrix Docs. 💡
  7. Maintenance mode and restarts – VDAs in Maintenance Mode will not restart automatically. To overcome this limitation, Matthias Schlimm at Reboot Schedule – VM’s in Maintenance Mode … do it at CUGC provides a script that reboots maintenance mode VDAs.
  8. If the user sessions on the VDA are not all logged off within 10 minutes, and the machine does not shut down gracefully, then the Delivery Controller forces a shutdown of the VDA, and the machine does not power back on. The following Delivery Controller registry values can be tweaked. Source = Citrix CTX239537 Server VDA’s Remain ShutDown And Do Not Turn On Automatically After Scheduled Reboot
    • HKLM\Software\Citrix\DesktopServer\SiteServices\MaxShutdownTimeSecs
    • HKLM\Software\Citrix\DesktopServer\RebootSchedule\MaxShutdownDelayMin
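The Tags procedure and the tag-based restart schedules above, done in PowerShell on a Delivery Controller, as an added example (it is not the article's, Citrix's, or the cited blog post's script). It creates one tag and one tag-restricted published desktop per RDSH server, then splits the servers into two tag-restricted nightly restart schedules using the 1909+ MaxDelayMins parameter. The Delivery Group name RDSH-Prod, the user group CORP\Citrix Users, the tag names and the restart times are my assumptions.

```powershell
# Added example (not from the article or Citrix). Assumed by me: the Delivery Group,
# the user group, the tag names, the restart times and the 60-minute MaxDelayMins.
asnp Citrix.*

$dgName   = 'RDSH-Prod'
$users    = 'CORP\Citrix Users'
$dg       = Get-BrokerDesktopGroup -Name $dgName
$machines = Get-BrokerMachine -DesktopGroupName $dgName | Sort-Object MachineName

function Set-MachineTag {
    param([string]$TagName, $Machine)
    # Tags are site-wide objects; create once, then attach to the machine
    if (-not (Get-BrokerTag -Name $TagName -ErrorAction SilentlyContinue)) {
        New-BrokerTag -Name $TagName -Description 'Created by tag script' | Out-Null
    }
    Add-BrokerTag -Name $TagName -Machine $Machine
}

# 1. One tag and one published desktop per server (7.12+ "Restrict launches to machines with tag")
foreach ($m in $machines) {
    $short = $m.MachineName.Split('\')[1]
    $tag   = "Server-$short"
    Set-MachineTag -TagName $tag -Machine $m
    if (-not (Get-BrokerEntitlementPolicyRule -Name "Desktop_$short" -ErrorAction SilentlyContinue)) {
        New-BrokerEntitlementPolicyRule -Name "Desktop_$short" -DesktopGroupUid $dg.Uid `
            -PublishedName "Desktop on $short" -RestrictToTag $tag `
            -IncludedUserFilterEnabled $true -IncludedUsers $users | Out-Null
    }
}

# 2. Alternate servers between two restart groups so half the farm stays up each night
for ($i = 0; $i -lt $machines.Count; $i++) {
    Set-MachineTag -TagName ('Reboot-Group-' + ($i % 2 + 1)) -Machine $machines[$i]
}

$schedules = @{ 'Reboot-Group-1' = '03:00'; 'Reboot-Group-2' = '04:00' }
foreach ($tag in $schedules.Keys) {
    $name = "$dgName-$tag"
    if (Get-BrokerRebootScheduleV2 -Name $name -ErrorAction SilentlyContinue) { continue }
    New-BrokerRebootScheduleV2 -Name $name -DesktopGroupName $dgName -RestrictToTag $tag `
        -Enabled $true -Frequency Daily -StartTime $schedules[$tag] -RebootDuration 60 `
        -WarningDuration 15 -WarningRepeatInterval 5 -WarningTitle 'Scheduled restart' `
        -WarningMessage 'This server restarts in %m% minutes. Save your work and log off.' `
        -MaxDelayMins 60 | Out-Null   # 1909+: skip, rather than run late, after a DB outage
}

# Verify: every machine should carry its Server- tag and exactly one Reboot-Group tag
Get-BrokerMachine -DesktopGroupName $dgName | Select-Object MachineName, Tags
```

The script is idempotent: existing tags, entitlement rules and schedules are left alone, so it can be re-run after servers are added to the Delivery Group. Remember that the Delivery Group's time zone (User Settings page) governs the StartTime values.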


Multiple Sessions

From Configure session roaming at Citrix Docs: By default, users can only have one session. On XenApp 7.6 (experimental support) and Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.7+ (full support), you can configure the SessionReconnection setting via PowerShell. On any Server OS delivery group, run:

Set-BrokerEntitlementPolicyRule <Published Desktop Name> -SessionReconnection <Value>

For <Published Desktop Name>, run Get-BrokerEntitlementPolicyRule and look for the Name field.

<Value> can be:

  • Always – This is the default and matches the behavior of a VDI session. Sessions always roam, regardless of client device.
  • DisconnectedOnly – This reverts back to the XenApp 6.x and earlier behavior. Sessions may be roamed between client devices by first disconnecting them (or using Workspace Control) to explicitly roam them. However, active sessions are not stolen from another client device, and a new session is launched instead.
  • SameEndpointOnly – This matches the behavior of the “ReconnectSame” registry setting in XenApp 6.x. Each user will get a unique session for each client device they use, and roaming between clients is completely disabled.

For app sessions, use:

Set-BrokerAppEntitlementPolicyRule <App Entitlement Rule Name> -SessionReconnection <Value>

For <App Entitlement Rule Name>, run Get-BrokerAppEntitlementPolicyRule and look for the Name field.

Static Catalog – Export/Import Machine Assignments

It is sometimes useful (e.g. DR) to export machine assignments from one Catalog/Delivery Group and import to another.

From Adil Dean at Exporting Dededicated VDI machine names and user names from catalog in Xendesktop 7.x at Citrix Discussions: Hopefully this is what you are after, it turns out you don’t actually need PowerShell as the functionality is built into the tool.

  1. In Studio, click Delivery Groups on the lefthand menu
  2. Right click Edit delivery group
  3. Select Machine allocation tab on the left
  4. Click Export list
  5. Select a file name > Click Save
  6. Create the new machine catalog
  7. Right click the delivery group > Click Edit
  8. Select Machine allocation tab on the left
  9. Click Import list..
  10. Select the list you exported in step 4
  11. Click Apply

Your clients will now have users re-assigned to machines.

Shane O’Neill produced an export utility that can be scheduled to run periodically. See XenDesktop Farm Migration Utility Update – Version 1.2.
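The Studio Export list / Import list steps above, done in PowerShell so they can be scheduled (for example nightly from production into DR), as an added example that is not the article's, Citrix's or the forum poster's code. The source Delivery Group VDI-Prod, the target group VDI-DR (whose recovered machines are assumed to keep the same NetBIOS names), and the CSV path are my assumptions; Add-BrokerUser with -PrivateDesktop is used for the assignment, which is the parameter Citrix documents for dedicated desktops.

```powershell
# Added example (not from the article or Citrix). Assumed by me: the two Delivery
# Group names, matching machine names across sites, and the CSV location.
asnp Citrix.*

function Export-DesktopAssignments {
    param([string]$DesktopGroupName, [string]$Path)
    # One row per assigned machine; AssociatedUserNames is an array, joined with ';'
    Get-BrokerMachine -DesktopGroupName $DesktopGroupName -MaxRecordCount 100000 |
        Where-Object { $_.AssociatedUserNames.Count -gt 0 } |
        Select-Object MachineName, @{ n = 'Users'; e = { $_.AssociatedUserNames -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation
    return @(Import-Csv $Path).Count
}

function Import-DesktopAssignments {
    param([string]$DesktopGroupName, [string]$Path)
    # Index the target group's machines by short name so DOMAIN\ prefixes may differ
    $target = @{}
    Get-BrokerMachine -DesktopGroupName $DesktopGroupName -MaxRecordCount 100000 |
        ForEach-Object { $target[$_.MachineName.Split('\')[1]] = $_ }

    $added = 0
    foreach ($row in Import-Csv $Path) {
        $short = $row.MachineName.Split('\')[1]
        if (-not $target.ContainsKey($short)) {
            Write-Warning "$short is not in $DesktopGroupName; skipping"
            continue
        }
        $machine = $target[$short]
        foreach ($user in $row.Users.Split(';')) {
            # Skip assignments that already exist so the import can be re-run safely
            if ($machine.AssociatedUserNames -notcontains $user) {
                Add-BrokerUser -Name $user -PrivateDesktop $machine.MachineName
                $added++
            }
        }
    }
    return $added
}

# In production (scheduled task):
$csv = 'D:\DR\VDI-Prod-assignments.csv'
Export-DesktopAssignments -DesktopGroupName 'VDI-Prod' -Path $csv

# In DR, after the Full Clones are restored and added to the VDI-DR group:
Import-DesktopAssignments -DesktopGroupName 'VDI-DR' -Path $csv
```

The CSV is a complete map of which user owns which machine, so replicate it to DR over an authenticated channel and keep it readable only by the Citrix administrators; the import also logs a warning for every machine that has no counterpart in DR, which is the list you need to fix before telling those users to connect.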

Monitor the Number of Free Desktops

Sacha Thomet wrote a script at victim of a good reputation – Low free pooled XenDesktops that polls Director to determine the number of free desktops in a Delivery Group. If lower than the threshold, an email is sent.

List Desktops Not Used for x Days

CTP Kees Baggerman has a script at Making sure your Citrix Desktops are utilized with Powershell v2 that does the following:

  • Grab all the desktops that haven’t been used within x amount of days
  • Notify the user
  • Set the desktop to maintenance mode
  • Uses the Office 365 SMTP servers for notifications

Related Topics