Citrix Policy Settings

Last Modified: Nov 3, 2021 @ 6:22 pm


💡 = Recently Updated

Change Log

Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one Citrix Virtual Apps and Desktops site/farm and import them to another.

GPOs linked to an Active Directory OU can apply to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.


CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.


If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"

New-PSDrive -PSProvider CitrixGroupPOlicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

cd LocalFarmGpo:\User

copy * TargetGPO:\User 

cd LocalFarmGpo:\Computer

copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine:

  1. Login to a machine that has the Group Policy Management Console (GPMC) Windows Feature installed.
  2. Citrix CTX225741 Citrix GPMC Console 3.0.0 crashing in Win 2K12R2 DC when editing polices says that Visual C++ Redistributable for Visual Studio 2015 should be installed first.
  3. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the Citrix Virtual Apps and Desktops ISO. Make sure all Group Policy consoles are closed first.
  4. Citrix Virtual Apps and Desktops (CVAD) 2109 comes with Citrix Group Policy Management

    • Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU4 comes with Citrix Group Policy Management 7.24.4000.0.
    • XenApp/XenDesktop 7.15 LTSR Cumulative Update 8 comes with Citrix Group Policy Management 3.1.8000.0.
  5. Click Finish to finish the wizard.
  6. Citrix releases quarterly updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed).

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we’ll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the setting detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to ICA.
  12. Scroll down and add the setting Virtual channel allow list.

    • In VDA 2109 and newer, the setting Virtual channel allow list is enabled by default, which means that non-Citrix virtual channels, like Zoom and WebEx, won’t work. One option is to disable this setting. Another option is to find the name of the third-party virtual channel and add it to this list as detailed in Citrix Docs. See Citrix Blog Post Virtual channel allow list now enabled by default for a list of virtual channels to add. 💡
  13. Change the Categories drop-down to Auto Client Reconnect.
  14. Click Add next to the setting Auto client reconnect logging.

    • Change the Value to Log auto-reconnect events, and click OK.
  15. Change the Categories drop-down to End User Monitoring.
  16. Click Add next to the setting ICA round trip calculations for idle connections.

    • Change the selection to Enabled, and click OK.
  17. Change the Categories drop-down to Local App Access.
  18. Click Add next to the setting Allow Local App Access.

  19. Change the Categories drop-down to Printing.
  20. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.

    • Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  21. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  22. Click Add next to the setting Enable monitoring of application failures.

    • You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  23. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.

  24. Click Add next to the setting Enable process monitoring.  Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

    • Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. In CVAD 2012 and newer, in the Search Box, enter Drag and Drop and click Add Value.

    • Drag and Drop is enabled by default. Decide if this is acceptable to your security policies.
  5. In CVAD 2012 and newer, in the Search Box, enter WIA and click Add Value.

    • WIA Redirection is disabled by default. You can enable it if you have applications that use Windows Image Acquisition.
  6. On the Settings tab, change the Categories drop-down to Audio.
  7. Click Add next to the setting Audio quality.

    • Workspace app 2109 and newer connecting to CVAD 2109 and newer support Adaptive Audio and no longer need this Audio quality setting.
    • For all older versions of Citrix, change the Value of Audio quality to Medium – optimized for speech, and click OK.
  8. Change the Categories drop-down to Client Sensors.
  9. Click Add next to the Allow applications to use the physical location setting.

    • Change the selection to Allowed, and click OK.
  10. Change the Categories drop-down to Mobile Experience.
  11. Click Add next to the Automatic keyboard display setting.

    • Change the selection to Allowed, and click OK. Note: this setting might break SAP.
  12. Click Add next to the Remote the combo box setting. Note: this setting might break SAP.

    • Change the selection to Allowed, and click OK.
  13. Change the Category drop-down to Multimedia.
  14. Click Add next to the Use GPU for optimizing Windows Media setting.

    • Change the selection to Allowed, and click OK.
  15. Change the Categories drop-down to Printing.
  16. Click Add next to the setting Auto-create PDF Universal Printer.

    • Change the selection to Enabled, and click OK.
    • This setting normally only applies to sessions using HTML5 Receiver or HTML5 Workspace app.
    • In Citrix Virtual Apps and Desktops (CVAD) 1808 or newer, and Workspace app 1808 or newer, the PDF Universal Printer also applies to regular Workspace app connections and is no longer limited to HTML5 connections.
  17. Click Add next to the setting Automatic installation of in-box printer drivers.

    • Change the selection to Disabled, and click OK.
  18. Click Add next to the setting Direct connections to print servers.

    • Change the selection to Disabled, and click OK.
  19. Click Add next to the setting Printer auto-creation event log preference.

    • Change the Value to Log errors only, and click OK.
  20. Click Add next to the setting Universal print driver usage.

    • Change the Value to Use universal printing only.
  21. Change the Categories drop-down to Session Limits.
  22. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO.

  23. Change the Categories drop-down to Time Zone Control.
  24. Click Add next to the setting Use local time of client.

  25. CVAD 1906 has a new policy for Desktop OS only that can revert to the VDA’s original time zone when the user disconnects or logs off. It’s called Restore Desktop OS time zone on session disconnect or logoff.
  26. Change the Categories drop-down to USB Devices.
  27. Click Add next to the setting Client USB device redirection.

    • If your security policies allow it then change the selection to Allowed, and click OK. This is the last generic setting. See the next couple sections for more settings.

Also see:

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated feature.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.3.100 or newer).

  6. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  8. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Blog Post What graphics policies do I need, and when? says you should not change any Citrix Policy Graphics Settings. The only exception is 3D workloads, which should have the Visual Quality user setting set to Build to Lossless.

Citrix Blog Post HDX Graphics Encoder Configuration Overview: a comprehensive overview of all relevant HDX Graphics Encoder settings. This overview should give you a guidance and allow you to configure an optimal HDX policy set based on your own needs. A Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, almost every setting has a review box. The review boxes contain, where applicable, the policy name, facts & figures, recommendations, and example use cases.

In 1811 and newer, Graphics Status Indicator replaces the Lossless Indicator.

  • Graphics Status Indicator can be enabled in a Citrix policy in the user half in the Category named Graphics.
  • The graphics status indicator should eventually show up in the system tray.

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, Internet, etc. In 7.12, EDT was Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.13 and  and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

  • VDA 7.13 or 1808 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer. Or upgrade to Workspace app.
  • Receiver for Mac must be 12.5 or newer. Or upgrade to Workspace app.
  • StoreFront must be 3.9 or newer.
  • HDX Insight requires NetScaler ADC 12.1 build 49 and newer
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features are not supported with EDT at this time:
  • Use a Citrix Policy to enable EDT. The HDX Adaptive Transport setting is in the Computer half of a GPO. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol. EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:
    • Citrix Workspace app 1911 for Windows or newer
    • Citrix ADC or newer
    • Citrix ADC or newer
    • On the VDA 1912 and newer, set Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw
      • Value (DWORD) = MtuDiscovery = 1
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP and see the detected MTU.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • In 7.18 and newer, Selective H.264 uses H.264 for build to lossless instead of JPEG for build to lossless.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Drag and Drop = Disabled (CVAD 2012 and newer)
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer internal = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.


XenDesktop 7.17 adds a Session Watermark feature.

Find the settings in the user half of a Citrix Policy under the Session Watermark category.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

195 thoughts on “Citrix Policy Settings”

  1. Hi Carl

    I have a 450 w10 private machines delivery group within which some machines should have more restricted policies in terms of resource mapping (no client drives, no clipboard redirection, etc).

    I tagged these machines with a specific tag and linked a new policy to this tag. I moved this policy to the top priority level.

    The settings were not applied, as I thought they would be, only to sessions started on these tagged machines, but instead to every session, whatever the delivery group or user used (the evidence was easy to spot as I also setup session watermarking in this new policy).

    Is there a known bug in CVAD 1912 LTSR CU1 related to Citrix policies or did I miserably fail to properly understand how tag assigned policies work ?

    Thanks for your help, have a great day

    Kind regards


  2. whats the difference between setting clipboard redirection to prohibited and enabling restrict clipboard client or session ? Thanks

  3. Hello! I know this might be a necro-post, but on our network, we have a mix of Citrix and Windows. If a user uses Citrix, and log out, their roaming profile gets written over with Citrix policies. When they decide to use a workstation, the user may receive the dreaded “Group Policy Service Failed. Access Denied”. After looking at it, it seems that the user’s roaming profile (.V6) is trying to go to the Citrix Profile Share that I’ve created for only Citrix. Is there a way to work this out?

    1. Are you using Microsoft roaming profiles for both? If so, in Active Directory Users & Computers, edit a user. There’s a tab for Remote Desktop Services Profile that only applies when a user logs into Remote Desktop Session Host (aka XenApp).

      Another option is to use GPOs to set different values for “Set roaming profile path for all users logging onto this computer”.

  4. Hello,
    I have a black flash problem that appears every 15 min when the user launches an application : environnent (VDA 7.1912 CU1 + Windows server 2016)
    Do you have a suggestion for this problem please ?

  5. How do you set up Outlook auto discovery via Citrix policies? We are using folder redirection. we need users to be able to set up their Outlook profile via auto discover and for their settings to be saved for the next time they log on to the vdi.

    1. In GPO you can set the following:

      User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange
      Automatically configure profile based on Active Directory Primary SMTP address = enabled

  6. Fresh installation of 1912 LTSR CU2 seems to be automatically installing Citrix Group Policy Management Plug-in. Didn’t notice this in earlier cumulative updates or versions.

    XenDesktop Installation.log

    02:50:43.5385 : XenDesktopSetup:VerifyCDRoot: Found MediaID file at ‘E:\x64’
    02:50:43.5385 : XenDesktopSetup:VerifyCDRoot: Found MediaID file at ‘E:\x64’
    02:50:43.5385 : XenDesktopSetup:Media found, Continuing.
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:About to install MSI File ‘E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi’ using params ‘INSTALLDIR=”C:\Program Files\Citrix” ARPSYSTEMCOMPONENT=”1″ MSIFASTINSTALL=”1″ MSIRMSHUTDOWN=”2″ METAINSTALLER=”1″‘ log file is ‘C:\Users\adm-nigup\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\CitrixGroupPolicyManagement_x641354332738.txt’
    02:50:43.5385 : XenDesktopSetup:Starting synchronous process ‘msiexec’ with args ‘/i “E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi” /lv “C:\Users\nigupta\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\CitrixGroupPolicyManagement_x641354332738.txt” /quiet INSTALLDIR=”C:\Program Files\Citrix” ARPSYSTEMCOMPONENT=”1″ MSIFASTINSTALL=”1″ MSIRMSHUTDOWN=”2″ METAINSTALLER=”1″ CLOUD=False REBOOT=ReallySuppress’
    02:50:54.2305 : XenDesktopSetup:Process completed with error code 0x00000000
    02:50:54.2305 : XenDesktopSetup:Installation of MSI File ‘E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi’ succeeded

  7. Are there any scanners that work with MacOS and also work through Citrix Apps/Desktops? My scanners work when connecting to apps via a windows machine but not on my mac. I can see the device listed in my devices but the VDA does not detect the device.

  8. Thanks you very mucho for your quick answer Carl 🙂
    I would also like to ask you if it is ok to use both methods (Citrix Studio and Windows GPO)
    for Citrix Policies or if it is recommended to use only one method.
    Many thanks again,

  9. Hi Carl,

    According to Citrix documentation, mixing Windows and Citrix policies in the same GPO is not supported.

    So, can’t we use the same policy “Citrix VDA Computer Settings” for Computer settings and Citrix settings? Same for “Citrix VDA All Users (including admins” policy.

    Many thanks!!

    1. I’m not aware of any reason why it won’t work. Ultimately, both just create configuration files. Then the client machine reads those files and performs actions based on the contents of those files.

      I have not see the “not supported” message but you’re welcome to create new GPOs to honor it.

    2. We “honor” the Citrix way when it comes to using GPO for Citrix Policies. We decided to keep them separate . To help us easily identify them quickly, we added the words “Citrix Policy ONLY” in addition to the GPO specific naming convention

  10. HI Carl,

    Need your help we have windows and citrix environment on citrix servers i dont able to apply any policy if i change on group policy in DC after doing gpupdate / force on DC server and citrix servers nothing is changing there i dont why group policy not apply on citrix OU i tried above step didnt work for me can please me i am only getting problem citrix server OU . please need your help Thank You.

    1. Try standard group policy troubleshooting like running “gpresult /h gpo.html” and then view the report.

      1. Try this nothing is work, we are not getting why the policy is not apply on citrix OU is something user permission problem or some configuration problem how to rectify this problem. Pls help
        Thank you

      2. Hi Carl,

        I have run this command on client pc report is generated now what should I check in this pls help me.

        Waiting for your reply
        Thank you

      3. Windows update can’t check for update because setting on this pc are controlled by your system administrator

        Above is the error when were I click for windows update above message come.

  11. Hi Carl,
    Thanks as always for your work. Wanted to know, is there a way to determine what delivery group/app/shared desktop a user will see based on their endpoint. This is internally for load-balanced storefront servers so for a user that is not going through the vpn gateway. Essentially if a user comes from a specific set of end-points (by name or IP or some other attribute) can I direct them to only see a specific delivery group using Citrix policies?

  12. Hi Carl,

    We are just starting to use 1912 LTSR and have enabled the graphics tool indicator policy. What we see is that the “switch to pixel perfect” is enabled, and after 2-3 hours it is unticked. Any suggestions?

  13. Hi Carl, we are currently running 4.9 LTSR receiver and going to move to 1912 LTSR Workspace. Are we able to able to replace the Receiver ADMX Templates in Group Policy with the Workspace ADMX Tempaltes and retain the receiver settings that have been set.

    So if we replaced the templates (as they are named the same) it would retain group policy settings for 4.9 LTSR and we would see additional settings fot 1912 LTSR?

    Thanks in advance.

    1. Yep. The templates just show the “available” settings. The “configured” settings are usually not modified when you change a template. If you remove the template, the “configured” settings then appear as “extra registry settings” indicating that doing anything with the template doesn’t change what’s already configured.

  14. Hi Carl,

    We have 3 Mbps bandwith between head office and branches and Scanner performance is so slow with twain driver. fro example : one side b/w 25 sec and both sides b/w . 35 sec. Do you think that it is normal with this bandwith or is there any improvement method to fast scanning with limitted bandwith?

  15. Hi Carl; magnificent work as always.
    On the cusp of migrating from 715 CU4 > 1912 and have come across a strange behaviour when connecting to the 7.15 CU4 site with a desktop or server vda running 1912 VDA from a client with Workspace. We have run with FMA policies for many years and include a policy which allows clipboard redirection (text) only but not file (“Allow File transfer between desktop and client” is prohibited). However, when using WS(1911) connecting to a 715CU4 site and then to a desktop or server vda running VDA 1912 the user can transfer files between the local client and Citrix session! If you connect to the same desktop or server vda from a local client running Citrix Receiver, then the policy prohibits file transfer as expected! Head scratching all around! Has Workspace and/or 1912 LTSR introduced additional policies or a separate layer to FMA when applying policies? When looking at Director, it would appear the policies apply and if you remove the user from the policy allowing clipboard redirection, then both clipboard and file redirection is prohibited when connecting from WS to 1912 vda! Any pointers or ideas greatly appreciated.
    TIA, Paul!

    1. Transpires, policies introduced in 7.6 don’t appear to be relevant until you connect to VDAs running 19xx via Workspace!
      19xx VDA (with Workspace) require “Restrict client clipboard write” and “Restrict session clipboard write” with the appropriate CF_ formats to enforce the restriction but allow text/etc. Interesting!

  16. Hi Carl

    A wee heads up that the Citrix HDX “mobile experience” settings when enabled can cause some weird GUI issues with Oracle client 10.x/11.x such as entire menu’s and menu options disappearing. I ran into this on a XA 6.5 to 7.15 LTSR migration and simply disabling the setting(s) resolves the issue.

  17. Hi Carl. I am receiving this error when I tried to choose a delivery group from my Citrix policy within the GPO. Failed to connect to back-end server ‘localhost´,

      1. I had the same problem as Jefersomn until I entered the controller address. Do you know if there is a way to prepopulate that field?

  18. Hello Carl, Can you please assist in printer driver issues for end users. sometime they get citrix universal printer and most of them getting citrix xps universal driver in their session. Citrix xps is working for duplex but citrix universal is getting failed after first page(first page getting printed but second one has message” illegal error”. Citrix policy under xenapp is configured to create auto create client printers only with generic drivers(universal printer in case of generic driver unavailable). its strange to see, its getting auto resolve for few users without any changes in policy. Can we fine tune such inconsistency behavior. is there any tools to find out where is the issue and how to resolve it..there is no consistency in driver version.. multiple drivers version working successfully. around 7 to 8 percent users are affected some time. Kindly assist in this.

  19. Seeing a weird issue where my GPMC show/hide buttons have disappeared when Citrix Policy Management is installed. Any thoughts? Just started happening. Notice it in my legacy XA6 farm too but that may have been that way a while.

  20. Hi Carl,

    Thanks again for the tremendous work you achieve every day for the Citrix community !

    I have a question regarding the session timers policies.

    I have several delivery groups with Windows 10 private machines and other groups with pooled machines.

    The private machines are used by support teams working on a 24×7 basis, they must be as much available as possible, therefore the disconnected session timer interval is set to 3 days.
    The Citrix policy is assigned to the users groups granting access to the private delivery groups (priority 2).

    The pooled machines are used by a wider range of people for usual office work and must be updated as soon as a new PVS version has been validated. For these machines, the disconnected session timer interval is set to 9 hours via the Default user policy assigned to the whole domain users (priority 15).

    Given these settings are user based, if a user is a member of a private machine group but uses a pooled machine, he will get the 3 days timer.

    How could I configure the policies in order for a user to get the 9 hours timer while using a pooled machine whatever the groups is a member of ?

    Kind regards

    Yvan Scigala

    1. In your Citrix Policy on the Filters page, you can add a Delivery Group filter. Then move the policy higher in the priority list.

      1. Hi Carl, sorry I did not see your reply. As you mentioned, I solved this by assigning the long timer policy to delivery groups and high priority, whereas the shorter timer policy (default user policy) is assigned to domain users. Thanks again and, with a “bit” of delay, I wish you a fantastic 2020 🙂

  21. Hi Carl, what permissions are required in Active Directory for a Citrix Admin to utilize Citrix GPO management? I have all permissions on the specific GPO exist Delete and Rename. I also cannot create new GPOs either but can only EDIT this one.
    We are still trying to figure out why Citrix Policies are not applying on the VDAs in an ICA session using a GPO but apply correctly when using database based policies. We even opened a case with Citrix and they can’t seem to figure it out. We have same permissions to the GPO but it is still not working. If the Active Directory Admin wants to view the policy settings we have set, they are telling me the policy is empty.. but when I look at it, it has the Citrix Policies in there. I think that is because I have the Citrix Group Policy plugin and they do not. But that shouldn’t matter correct? If I am a Citrix admin using Group Policy editor on my local endpoint running GPEditor with the Citrix Policy plugin, it should apply the policies correctly right? Even the Unfiltered policy settings are not getting applied in the ICA session. Should I be running any GPO modifications from the Delivery Controllers only?
    This is for version 7.15.3000

    1. Did you modify the filtering of the GPO to only include users? If so, did you also add Authenticated Users (or Domain Computers) to the Delegation tab and give it Read permission? This is required for Loopback.

      Yes, only machines with the Citrix Group Policy Management plug-in can view the Citrix Policies but that shouldn’t effect whether the policies apply or not.

      On the VDA machine, there’s a Group Policy Client Side Extension that processes the Citrix Policy GPOs.

      1. Yes. Under the Scope tab, it just has Authenticated Users. Under the Delegation Tab, it has Authentication Users with READ permission only.

  22. Hi Carl, Do you know why StoreFront must be 3.9 or newer for EDT? Can EDT be enabled on a Win7 OS with a 7.15LTSR VDA and 7.8 Controller? NetScaler is on 12.0-56.20

    1. I think StoreFront 3.9 and newer adds the lines to the .ica file that enables EDT on the client side.

  23. Hi carl, we have recently upgraded VDAs server OS from Windows 2008 R2 to Windows 2012 R2 , post upgradation we have observed that during logon the black screen appears for 60-120 seconds to get the actual desktop screen with all icons, secondly users have reported slow performanace and screen freeze while working.The VDA are on VMware ESXi infra with 32 GB RAM and 8vcpu and we have close to around 700+ server OS VDAs which got upgraded to windows 2012 OS. Do we need to apply specific policies or settings for windows 2012 OS VDAs ?

    Currently we tried following

    1.Change display drivers from VMWare SVGA to Micrsoft Basic Display drivers

    2.enabled Legacy Graphic display mode via citrix policies

    3.Removed Desktop Experience feature from windows 2012 OS

    But no luck..

    Earlier on windows 2008 R2 VDA per VDA use to handle 25-30 Users with 7000 load index , but incase of windows 2012 only with 12-15 users the load index runs between 8500-9500.

    Not sure if its due to switching the OS to windows 2012 .

    We are running on 7.15 LTSR edition.

    Need to know your views on the above mentioned scenario..

    Thanks !

    1. Newer OS, especially published desktop, uses more resources than older OS.

      What roaming profile method are you using? Is first logon faster than second logon?

      1. We are using microsoft folder redirection and roaming profile.We have set Appdata on SAN storage and redirected My desktop ,documents ,favorites to NAS storage.The logon time is almost same for first logon and second logon.

        We tried isolating by setting you roaming profile via WEM 4.7 using CPM,as read some articles stating WEM can filter out few of the logon steps,but no luck.

        The VDAs are streamed via PVS to VMWare ESXi hosted VMs.

        One observation is we dont get long blackscreen on desktops streamed directly to the baremetal HP servers.

        Is ther any optimization settings for VMs hosted on ESXi ?

        Thanks !

  24. Hi,

    Regarding setting “Automatic installation of in-box printer drivers” to disabled – is this still required since “VDA support for policy setting “Automatic installation of in-box printer drivers” has been deprecated in version 7.16, as per the article below?

    The Alternative columns reads:
    None. Policy setting supported with VDAs on earlier OSs only (Windows 7, Windows Server 2012 R2 and earlier).

    Does that mean that in e.g. Windows 2016 based VDA, the drivers are not automatically installed?


    1. There’s probably no harm in setting it. The vast majority of my customers are 7.15 so I’m guessing it still applies to them.

  25. I’m currently dealing with one the most confounding Citrix issues I’ve seen in years. This is for XA65 (I know, I know, I’m getting my corp off of it).

    I manage all of my Citrix policies in GPO. When users log on, I can see the user Citrix policies being written to the subkeys and values below HKLM\Software\Policies\Citrix\[SESSION_ID]\User. At some point during the session, however, the User key and all its subkeys disappear, leaving only the Events and Evidence keys.

    Any ideas? Have you seen this or something similar to it before? This is wreaking havoc in my environment and I haven’t managed to get to root cause despite several weeks of testing & troubleshooting.

    1. Hi Carl, we are not setting up new citrix xenapp 7.15 in our company, we the application servers are running windows 2016, we want to setup company logo when user logs into published desktop, but can’t find a location to set this up, do you have any suggestion for this?

Leave a Reply