Citrix Policy Settings

Last Modified: Dec 22, 2023 @ 4:52 am

Navigation

💡 = Recently Updated

Change Log

Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one Citrix Virtual Apps and Desktops site/farm and import them to another.

GPOs linked to an Active Directory OU can apply to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

 

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.

 

If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"

New-PSDrive -PSProvider CitrixGroupPOlicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

cd LocalFarmGpo:\User

copy * TargetGPO:\User 

cd LocalFarmGpo:\Computer

copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine. This plug-in adds the Citrix Policies node to the Group Policy Editor.

Do the following to install the plug-in.

  1. Login to a machine that has the Group Policy Management Console (GPMC) Windows Feature installed.
  2. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the Citrix Virtual Apps and Desktops ISO. Make sure all Group Policy consoles are closed first.

  3. Citrix Virtual Apps and Desktops (CVAD) 2311 comes with Citrix Group Policy Management 7.40.0.30.

    1. Citrix Virtual Apps and Desktops (CVAD) 2203 LTSR CU4 comes with Citrix Group Policy Management 7.33.4000.2.
    2. Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU8 comes with Citrix Group Policy Management 7.24.8000.0.
    3. XenApp/XenDesktop 7.15 LTSR Cumulative Update 9 comes with Citrix Group Policy Management 3.1.9000.0.
  4. Click Finish to finish the wizard.
  5. Citrix releases quarterly updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed).
  6. Citrix Policies let you use Delivery Groups as a filter. To see the list of Delivery Groups, install the Broker SDK plug-in.

    1. On the CVAD ISO, go to \x64\Citrix Desktop Delivery Controller and run Broker_PowerShellSnapIn_x64.
    2. Check the box next to I accept and click Install.
    3. Close the Group Policy Editor and re-open it. Now you can see the list of Delivery Groups.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we’ll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the setting detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to ICA.
  12. Scroll down and add the setting Virtual channel allow list.

    • In VDA 2109 and newer, the setting Virtual channel allow list is enabled by default, which means that non-Citrix virtual channels, like Zoom and WebEx, won’t work. One option is to disable this setting. Another option is to find the name of the third-party virtual channel and add it to this list as detailed in Citrix Docs. See Citrix Blog Post Virtual channel allow list now enabled by default for a list of virtual channels to add.
    • CVAD 2206 and newer let you enter wildcards in the Virtual channel allow list setting. See Citrix Docs.
  13. CVAD 2311 and newer support HDX Direct for both internal and external connections. HDX Direct automatically installs self-signed certificates on the VDAs. Workspace apps then connect directly to the VDAs without going through ICA Proxy (NetScaler Gateway). For external users, the connections use STUN to traverse NAT. Use Citrix Policy to enable HDX Direct and set the mode to Internal and external. See HDX Direct at Citrix Docs.
  14. Change the Categories drop-down to Auto Client Reconnect.
  15. Click Add next to the setting Auto client reconnect logging.

    • Change the Value to Log auto-reconnect events, and click OK.
  16. Change the Categories drop-down to End User Monitoring.
  17. Click Add next to the setting ICA round trip calculations for idle connections.

    • Change the selection to Enabled, and click OK.
  18. Change the Categories drop-down to Local App Access.
  19. Click Add next to the setting Allow Local App Access.

  20. Change the Categories drop-down to Printing.
  21. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.

    • Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  22. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  23. Click Add next to the setting Enable monitoring of application failures.

    • You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  24. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.

  25. Click Add next to the setting Enable process monitoring.  Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

    • Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. In CVAD 2012 and newer, in the Search Box, enter Drag and Drop and click Add Value.

    • Drag and Drop is enabled by default. Decide if this is acceptable to your security policies.
  5. In CVAD 2012 and newer, in the Search Box, enter WIA and click Add Value.

    • WIA Redirection is disabled by default. You can enable it if you have applications that use Windows Image Acquisition.
  6. On the Settings tab, change the Categories drop-down to Audio.
  7. Click Add next to the setting Audio quality.

    • Workspace app 2109 and newer connecting to CVAD 2109 and newer support Adaptive Audio and no longer need this Audio quality setting.
    • For all older versions of Citrix, change the Value of Audio quality to Medium – optimized for speech, and click OK.
  8. Change the Categories drop-down to Client Sensors.
  9. Click Add next to the Allow applications to use the physical location setting.

    • Change the selection to Allowed, and click OK.
  10. Change the Categories drop-down to Graphics.
  11. CVAD 2112 and newer allow users to Screen sharing with each other. This setting requires Graphic status indicator to be enabled. 💡
  12. Change the Categories drop-down to Mobile Experience.
  13. Click Add next to the Automatic keyboard display setting.

    • Change the selection to Allowed, and click OK. Note: this setting might break SAP.
  14. Click Add next to the Remote the combo box setting. Note: this setting might break SAP.

    • Change the selection to Allowed, and click OK.
  15. Change the Category drop-down to Multimedia.
  16. Click Add next to the Use GPU for optimizing Windows Media setting.

    • Change the selection to Allowed, and click OK.
  17. Change the Categories drop-down to Printing.
  18. Click Add next to the setting Auto-create PDF Universal Printer.

    • Change the selection to Enabled and click OK.
    • This setting normally only applies to sessions using HTML5 Receiver or HTML5 Workspace app.
    • In Citrix Virtual Apps and Desktops (CVAD) 1808 or newer, and Workspace app 1808 or newer, the PDF Universal Printer also applies to regular Workspace app connections and is no longer limited to HTML5 connections.
  19. Click Add next to the setting Automatic installation of in-box printer drivers.

    • Change the selection to Disabled, and click OK.
  20. Click Add next to the setting Direct connections to print servers.

    • Change the selection to Disabled, and click OK.
  21. Click Add next to the setting Printer auto-creation event log preference.

    • Change the Value to Log errors only and click OK.
  22. Click Add next to the setting Universal print driver usage.

    • Change the Value to Use universal printing only.
  23. Workspace app for Mac version 2203 and newer along with VDA 2112 and newer supports PDF printing instead of Postscript printing. With PDF, it’s no longer necessary to install the HP Color LaserJet 2800 Series PS driver on the VDA. Citrix Policy setting Universal driver preference must be adjusted to enable PDF printing as higher priority than PS (postscript) printing. See Citrix Docs for more details.
  24. CVAD 2206 and newer let you set RDSH timers in the user half of a Citrix Policy under the Server Limits category. Citrix Docs says: Timer settings for multi-session machines configured using Citrix policies are expected to override timer settings configured through Microsoft Group Policies. To avoid unexpected behavior, we recommend you configure timer settings using one of the two methods.
  25. Change the Categories drop-down to Session Limits.
  26. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO or in the Server Limits section in CVAD 2206 and newer,

  27. Change the Categories drop-down to Time Zone Control.
  28. Click Add next to the setting Use local time of client.

  29. CVAD 1906 has a new policy for Desktop OS only that can revert to the VDA’s original time zone when the user disconnects or logs off. It’s called Restore Desktop OS time zone on session disconnect or logoff.
  30. Change the Categories drop-down to USB Devices.
  31. Click Add next to the setting Client USB device redirection.

    • If your security policies allow it then change the selection to Allowed, and click OK. This is the last generic setting. See the next couple sections for more settings.

Also see:

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated feature.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.3.100 or newer).



  6. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  8. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Blog Post What graphics policies do I need, and when? says you should not change any Citrix Policy Graphics Settings. The only exception is 3D workloads, which should have the Visual Quality user setting set to Build to Lossless.

Citrix Blog Post HDX Graphics Encoder Configuration Overview: a comprehensive overview of all relevant HDX Graphics Encoder settings. This overview should give you a guidance and allow you to configure an optimal HDX policy set based on your own needs. A Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, almost every setting has a review box. The review boxes contain, where applicable, the policy name, facts & figures, recommendations, and example use cases.

In 1811 and newer, Graphics Status Indicator replaces the Lossless Indicator.

  • Graphics Status Indicator can be enabled in a Citrix policy in the user half in the Category named Graphics.
  • The graphics status indicator should eventually show up in the system tray.

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, Internet, etc. In 7.12, EDT was Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.13 and  and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

  • VDA 7.13 or 1808 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer. Or upgrade to Workspace app.
  • Receiver for Mac must be 12.5 or newer. Or upgrade to Workspace app.
  • StoreFront must be 3.9 or newer.
  • HDX Insight requires NetScaler ADC 12.1 build 49 and newer
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features are not supported with EDT at this time:
  • Use a Citrix Policy to enable EDT. The HDX Adaptive Transport setting is in the Computer half of a GPO. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol. EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:
    • Citrix Workspace app 1911 for Windows or newer
    • Citrix ADC 13.0.52.24 or newer
    • Citrix ADC 12.1.56.22 or newer
    • On VDA 2203 and newer, MtuDiscovery should be enabled by default. In older VDAs, configure it at Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw
      • Value (DWORD) = MtuDiscovery = 1
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP and see the detected MTU.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • In 7.18 and newer, Selective H.264 uses H.264 for build to lossless instead of JPEG for build to lossless.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

Security Settings

CTP Dave Bretty Making Your Citrix Policy Secure – By Default.

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Drag and Drop = Disabled (CVAD 2012 and newer)
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer internal = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.

 

XenDesktop 7.17 adds a Session Watermark feature.

Find the settings in the user half of a Citrix Policy under the Session Watermark category.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

233 thoughts on “Citrix Policy Settings”

      1. Yeah but no real mention about Windows 10. You done some for Legacy OS which is great, anything for Windows 10? This link just is more related for 3D CAD Desktops which is good to know but just wondered if you had any general optimization policies.

  1. Question:

    I have made a Policy with session time out of 30 Minutes and applied to the delivery Group but in the same Policy a denied for some user Groups. Does that work ? I think the Policy does not reconize the denied groups

    1. What kind of VDA? If RDSH, you use Group Policy to set RDSH timeouts.

      Do you have another policy that sets timeouts?

      1. Hi Carl

        We have VDA 7.15LTSR and use SharedRemoteDesktops on W2016. This Plattform is for students at highschool. i made the Policy for session time Outs in the Citrix Studiio. All Students should be disconnected after 30 Minutes of inactivity. But i also need a Special rule for some teachers , they should have a time Limit of 4 Hours.

  2. Hi any information on Desktop Site Appliance?

    If I were to create a separate “Interrnal” Store for Thin Clients, can this be done any time during production? I would like to do this to hide desktop viewer and disable workspace control for Kiosked Web interfcace

  3. Hi Carl, Any specific Session Limit Settings for ICA-TCP connecting via Published Applications (XenApp 7.15)

  4. Hi There,
    this is Xenapp 7.6 specific scenario, user is launching published application using Citirx plugin/ browser option post application launched user is trying to print from published application when print option popups with list of printer which is having user redirected printers plus super long list of session printers so is there any way to restrict the printer list limited to users redirected printers only?

  5. Hi Carl, For published applications and Desktops, is there a way to limit the the client drive mapping policy to allow users to copy files to their client machines but not to upload files to the published server environment ? Many thanks

  6. Hi Carl,

    We have been unable to get HDX Flash redirection to work successfully. The following settings have been implemented:

    Windows 10 VDI:
    Computer Configuration
    HDX MediaStream Flash Redirection – Client
    Enable HDX MediaStream Flash Redirection on the user device – Enabled

    Enable server-side content fetching – Enabled
    Server-side content fetching state Enabled (temporary caching)

    Enable synchronization of the client-side HTTP cookies with the server-side – Enabled

    Windows 7 EndPoint Running Receiver 4.4.40000
    Enable HDX MediaStream Flash Redirection on the user device – Enabled
    Server-side content fetching state Enabled (Persistent caching)

    Citrix Policies:

    HDX Flash Redirection:
    Setting Value
    Flash acceleration Enabled
    Flash default behavior Enable Flash acceleration
    Flash backwards compatibility Enabled
    Flash event logging Enabled
    Flash latency threshold 300 milliseconds
    Flash intelligent fallback Enabled

    Flash is installed on the endpoint.

    Is there anything further required ? Within Citrix Director Flash redirection is coming up as Inactive. Flash Sites are being accessed via IE 11.608.15063.0.

  7. hi Carl, We have a password enforced screensaver policy set as a GPO which takes affect 15mins. This appears to take effect for RDP sessions but not ICA. We are using Windows 10 machines running on 7.15. For ICA connections is there anything further we need to do ? Many thanks.

  8. Hi Carl,

    great article!

    I have two questions regarding policies:
    1) Is there an easy way to migrate policies from Studio to GPMC?
    2) Will adaptive Transport over EDT replace Audio over UDP?

    Best regards,
    Volker 🙂

  9. Hi Carl,

    we have one application which is used for signature verification now user are able to copy and past in email. But client required users will not take screenshot and copy paste on particular application in xenapp 7.5 and copy past and screenshot facility will work on all application
    kindly suggest.

    1. Screenshot is from the client? You can configure Citrix Policy to block client clipboard. But it’s not really possible to completely prevent screenshots. They could always use a phone to take a picture.

      Or do you mean screenshot in the remote session? Maybe you can run a program that takes over the PrtScr key.

  10. Hi Carl,

    Good day,

    Just want to know if we use Citrix Policy, if we can able to achieve that when user upload file using HTML 5 they can able to see only one folder but per user profile and not a centralized work space that ever users can able to see.Thanks

  11. Hi Carl

    In “Citrix Policy GPO plug-in”, in wanting to use “filter” for “Delivery Group”, there is Field “Controller”.

    Is this required or one could do without it. If required, how can multiple controller be added? What delimiter is to be use, comma, semi-colon or dash? Or do I have to create entries for each controller, eventhough is for same Delivery Group.

    Thanks.

    1. I think the idea is that the GPO Plug-in can connect to a Controller to enumerate the Delivery Groups.

  12. Hi Carl,

    Thanks in advance for any help you can provide….

    I am so close to getting framehawk to work and this guide is the last portion.

    I enabled dtls on my gateway vserver, unbound and rebound my cert chain, and rebooted the netscaler.

    I have enabled Framehawk display channel

    I gpupdate /force and reboot my controller/broker/license server combo and sql database servers

    I do not see “HDX Adaptive Transport” or “Enlightened Data Transport” Citrix GPO option to change… has it it been re-renamed? I installed the latest version of VPX Express and XenDesktop/XenApp as of a week ago in a test environment, so I am running the latest of everything, and my infrastructure is fully functional aside from Framehawk.

    Thank you!

    1. What version of XenDesktop?

      Does the policy editing machine have the latest Citrix GPO Management Plugin installed?

      Framehawk and EDT are two different things.

    2. I also forgot to metion that I have installed remote display analyzer to confirm Framehawk is not active, only Thinwire. 443 tcp and udp are pointing to my gateway vserver on external FW and all ports for Framehawk are open from DMZ through internal FW.

      1. Framehawk is a different Citrix Policy Setting. Did you enable Framehawk? Or did you enable Adaptive Transport?

        Depending on your Gateway version, there might be limitations with AppFlow.

  13. In using “Citrix Policy GPO plug-in”, where under “filter” could the policy be set to apply to all objects.
    In creating policy through “Studio”, there is the option “All objects in the site” under “Assign policy to”

  14. hi Carl, In your view could there be a potential issue with Policies being applied in Citrix Studio that are referenced in another policy with a different setting that is lower in priority ? For example the Legacy Graphics Mode Policy which is set to disabled for a specific delivery group following by it being enabled in another policy which is assigned to all delivery groups. Should the one in the higher set policy simply take priority and the lesser one ignored ? Thanks

    1. It’s based on policy priority. You typically want the more specific policy to be higher than the generic policy.

    2. Hi carl, good afternoon.

      I would like your opinion … I have difficulties of configurations for use of the video policies for use of xendesktop in thinclients. I say because I do not know how to make policies according to the client’s device. In our environment computers, notebooks and cell phones have good video performance. However the ncomputing (zero) thinclients that we present have a certain freeze on the screen mainly where we have flash to be loaded can suggest me something of how to solve this dilemma.

      1. Can the devices be identified by client IP (subnet) or user AD group?

        If not, then you might have to implement NetScaler Gateway with User-Agent expressions (or EPA scans) on Session Polices and then use SmartAccess (Access Control) filters on your policies.

    3. I noticed that after upgrading from XenApp 7.13 to 7.14 that any modifications to a GPO that has GPPs will break if Citrix Policy is modified via Group Policy Mgmt console. I had to recreate the policy from scratch. If no GPPs are set then it’s not an issue. Anyone else see this?

  15. Hi Carl,

    Bloomberg KeyBoards

    2 Wires – KVM wire and normal Cable to connect to Thin Client

    We have two policies

    a. We disable Client USB Device Redirection and Client USB Plug and Play Device Redirection – The goal is to disable mass storage devices. However, it blocks Bloomberg KVM wire – when I disable this policy it works (well under StoreFront with Desktop Viewer)

    b. I have the Bloomberg studio policy with USB Device Redrection along with Redirection Rules as a separate Policy enabled. I think it conflicts with the other policy, so I tested enabling the other policy and it worked.

    1) How do we disable USB and Mass Storage Devices via Studio for Internal and Remote Access use?

    2) Internally we do not show Desktop Viewer, so I will not see devices tab. When I use Storefront with Desktop Viewer it gives me an option to tick it, I want this done automatically as users will not see desktop viewer as I want their experience to look like a normal environment. Please can you assist?

  16. Hi Carl
    When I use Microsoft GPMC to configure the citrix policies, I cannot use the filters. The controller field is empy and then the delivery group drop down box when clicked would say ” Xendesktop not installed”

    I tried manually entering the controller address in the controller field but still same issue. Any thoughts on that.

    Regards

  17. Is it possible to filter drive mapping from my Citrix environment to another 3rd party Citrix environment? Can I filter this rule to allow one 3rd party and deny the rest?

  18. Hi Carl,

    is there any way to enable secure printing in citrix, since one of our customers have five canon printer and the want to enable secure print through citrix. is there any citrix policy that enable this feature ? also how can i disable citrix universal printer driver for these printers ?

    Thank you in advance

    Basem

    1. The default policy configuration uses the real print driver if the print driver is installed on the VDA. “Use Universal Printing only if requested driver is unavailable”

      Citrix doesn’t do anything specific for secure printing.

  19. I have a question on Legacy Graphic mode policy. I am running on 7.6 fp3, some of my remote users report slow response when accessing my Server OS desktops. While i understand that there could a significant network reasons for this, i also would like to know if enabling Legacy Graphic mode policy will improve performance?

    1. In 7.6.300, It should be using the new Thinwire Plus codec, which is supposed to be similar to Legacy.

      You can try Legacy on Windows 2008 R2 VDAs, but not on anything newer.

  20. Hi Carl,

    If I want to apply FP3 Studio templates (Specifically the Very High Definition User Experience) to an existing delivery Controller running 7.6.0, I understand that I can install the Citrix Group Policy Management.msi which permits me to administer the policies via AD, however at the moment we would like to continue using studio. Is it a case of exporting the template from the Group Policy Management Editor and importing the required template into studio ? Is this a valid in order to have the policies apply ? thanks

      1. Thanks Carl for the reply.

        To your knowledge does an import of the policy from 1 version to another have any impact on the database schema ? Also are the policy templates site dependant in any way ? The import will be occurring on a different site and server running citrix studio

        1. The templates are just a collection of predefined policy settings. Or course different GPMx versions have different settings but unsupported settings for a particular VDA version or GPMx version will be ignored.

  21. Hello Carl,

    Have you run across when a USB device such as Mass storage device or a usb scanner. The device is automatically redirected with the optimization setting. I can switch it to generic without any issues. But the check box is grey out for the redirect option. What I am seeing is if for example I add a Deny: VID=0781 PID=5202 either with in studio or in the admx GPO. Once the user connects you will see the USB device state….. Optimzed, Policy Restricted.

    It shows both.

    But the USB device in my case Mass storage device shows up.

    This is Xendesktop 7.11 and Citrix Receiver 4.5
    I have a case open but I reach a newable @ citrix who wasn’t very experienced in this aspect.

    So I am curious if you or if anybody on this forum has seen this?

    Thank you
    Ray Davis

  22. Carl,

    Quick question I setup my Citrix policy for the “For Actively Changing Regions” and I’m using the newest Receiver however when I run the remote display tool its telling me I am only using Thinwire not Thinwire Plus.

    Here is a screenshot:

    http://imgur.com/a/qTRBH

    Any idea’s as to why that happening?

    1. There’s a thread on this at discussions.citrix.com. The WMI paths were changed in 7.11 and the tools need to be updated to report it accurately.

      1. So the tool is wrong and not XenDesktop itself?

        Also thanks for all this great info I have built up a new 7.11 Environment from scratch because of all your great information!

  23. Hi

    I’ve built a Windows 7 Static Non Persistent VDI with VDA 7.6 CU1, all Windows Updates ran, Antivirus Exclusions included, legacy graphics mode. Its a clean build

    2 CPU
    8GB Memory
    50GB OS Win7 x64 Bit
    10GB Write Cache
    Page Filing done
    Win7 Optimization followed as per your guide
    Citrix HDX WMI Provider installed

    But when I seem to use it, it runs terribly slow, not sure what I’m missing….. but it runs absolutely fine on a 2k8 RDSH connecting from the same thin client.

    1. What kind of storage? If not SSDs/Flash, then you have to design the storage to handle the IOPS.

      However, there are many causes of slow performance. Is it hardware (CPU/Disk/Memory)? Is it environmental (profiles, GPOs, slow mapped drives, etc.)? Slow network?

      1. Hi Carl do these policies for Legacy Graphic mode apply to Windows 7 64 VDA’s (7.6) as well? or only rdsh 2k8’s

  24. I need to enable the “Legacy Graphics Mode” for clients using an older receiever ONLY. Then i want to disable it for people connecting via the latest receiver ? can I target policies at Reciever level ?

    1. Are you trying to block H.264? There’s a “use video codec” Citrix Policy and you can use various filters like Client IP, client name, etc. But I’m not aware of any Client Version filter.

  25. Hi Carl,

    Good Morning. Thanks a Lot for your wonderful articles and Blog. I had a small question regarding the Citrix Policies.

    In a given Scenario say I don’t have any Server Based Citrix Policies, but I configure my Citrix Receiver Settings with the ICA ADM Templates and configure the Color Depth Bit, Disk Caching, Lossy Compression, Speed Screen etc on the Client Machines.

    Will they still function as expected and help in improving better performance ?

    1. Color Depth depends on the codec used on the server side. Not all codecs support lower colors.

      Not sure about the others. Those seem like older settings for older versions of Citrix.

      1. Hi Carl

        We have had a recent IT Health check and they have said that we need to disallowed Powershell for standard users, as they were able to get a Powershell terminal through a macro (Excel).

        Do you have any suggestion Carl?

        Much appreciated.

        1. Are you using it for logon scripts?

          You might be able to change NTFS permissions. Or use AppLocker to block it. Or there are third party products (e.g. AppSense) that can block executables.

  26. Hey Carl,
    We’re using Client USB device redirection rules with 29 Allow rules (VID and PID specified) and 1 Deny All rule. The problem is with 30 Allow rules or more, everything is allowed, all attached devices become visible. When we remove some Allow rules, the policy is working again as it should. Is there a limit for the number of Allow and/or Deny rules? Does this number have something to do with the maximum of 32 USB devices in Windows? We’re using Windows 7 x86 with VDA 7.6.300.
    Thanks!
    Ronald.

    1. Hi Ronald,

      This is a known issue. If an Allow/Deny policy for USB devices is > 1500 characters the policy will fail to apply and ALL USB devices will become available in session. This was addressed with LC1153.

      This LC was included in 7.6.300.

      Regards,
      Sai

  27. Thanks Carl, Citrix policies don’t seem to be working to stop the drive mapping from the local laptop. I checked the Registry under HKLM\software\Policies\Citrix and the Citrix policy is getting applied, but the drives are still mapped into the session. I just have 3 setting in my Citrix policy. 1- Auto connect client drives = Disabled , 2- Client drive redirection = Prohibited , 3- Client fixed drives = Prohibited. Fairly simple\vanilla install. Any other suggestions. I am talk with my mgmt. to see if I can open a support case, but it should not be this tough. 🙂 thanks for your help

  28. Carl, I am working on a new XenApp 7.6 LTSR build and I am have trouble trying to find out how my local laptops C drive is getting mapped into my session. I have no Citrix policies in place yet, and have configured my receiver client version 4.4.1000.16 to no allow access. Now with this setting I get access denied when I try to connect to my laptops C drive from the HSD. I just don’t understand why its getting Mapped into the session? Does this version of Receiver automatically map the local drive into your session? Any insight?

  29. Hi Carl, Great site! We’re having some difficulty apply the “View windows contents while dragging” policy and setting it to prohibited. It seems to apply inconsistently – sometimes it works, but when u disconnect and reconnect to the VDI in suddenly stops working. The policies are being applied via Citrix Studio. I have also tried applying them in conjunction with the AD GPO settings that relate to disabling dragfullwindows, but to no avail. Anything that you could suggest trying ? Citrix don’t seem to be able to help. Thanks.

  30. Hello Carl,

    Issue, In my citrix Xendesktop 7.6 environment as soon as i launch the published desktop server it launches and then exits. i’m able to launch with Fat clients/Desktops/laptops with no issues.
    End client: Wyse Thin Client N4000 model
    firmware Version :2.6.1 (Latest updated)
    Receiver Version: 13.0
    Url: PNAgent url
    No Feature pack has installed

    Is anything to be updated such as HDX/Resolution/firmware policies or Hotfixes or Feature packs?

    Please need help or advise on this.

    1. Are you doing ICA Proxy internally? Is SSL enabled on your delivery group? Maybe it’s a certificate issue.

      Are you able to get a network trace of the thin client trying to connect?

      1. Hi Carl, Thanks for your prompt reply.

        We are not using SSL, as we are running on http. we don’t have provision to tracert/telnet in the thin client.
        And also we have encountered event logs on HSD the time we are accessing thin client, Might the below mentioned error/information logs can help.

        Event logs

        Error

        The Citrix Device Redirector service could not complete an IO operation with Redirector Bus.
        Event Id:261

        Information

        1.The citrix ICA Transport Driver is now connected to IP x.x.x.x:35632
        Event Id:1004

        1.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been suspended
        Event id: 1005

        2.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been closed
        Event Id: 1007

  31. Hello Carl,

    i have a problem and hope you can help me.

    In my XenDesktop 7.6 FP3 Environment we use Wyse ThinClients with a local USB Lable-Printer (Dymo) connected.

    My GPOs allow this Printer to redirect in to the VDI but after the USB-Printer was redirected it gets the Status “Printer offline” and not react to any pressure.

    Unplug and replug again the Device gets active and switch the Status to “Printer online”, but it can’t be the solution to do this every morning :(. Did you have any solution for my Problem?

    Many thanks and greetings
    Daniel

    1. I recommend posting this question to CITRIX Discussions (discussions.citrix.com). Does the same problem occur on a Windows client?

      1. This Client is an Windows 7 Embedded OS – and i do not have installled the printer driver locally because i only want it redirected and in my master image the drivers are installed.

        After i logon with my testuser over my thinclient in my VDI the printer will be installed with the correct drivers my problem is that it is offline… if i unplug it an replug it is online 🙁

        1. You’re doing generic USB redirection instead of optimized client printer redirection? For regular client printing, the client device needs to be able to print. Then the VDA simply offloads the actual printing to the client device. It you use a driver on the VDA then Citrix requires the same driver on the client.

          I’ve never encountered this problem before so I recommend either posting to discussions.citrix.com or calling Citrix Support.

          1. We try this over the generic USB redirection so the client device did not have the driver and in the VDA it gets installed but my problem is that for the first time it is offline… If i install the dymo driver to the client device i got 2 devices in my VDA first is my USB redirected Offline and second is my regular Printer Dymo Labelwrite XX from ThinlcientXY and the second one i do not want 🙂

            On our old XenDesktop 5.6 this works without any problems

          2. FYI..

            I found the Problem, it was the Dymo driver which created a Ghostdevice in our VDI Master Image.
            After i deleted this Ghostdevice from our Master Image everything work now as it should 🙂

            Thanks

  32. Hi Carl

    I have a question regarding to local USB printer on Xendesktop VDI. I use Wyse thin client and all local printer connected over usb port . I have installed all the drivers on Windows 7 Master Image. If user log on Windows VDI , I see several session printer, which is copy2 is copy1. (For example HP LaserJet 2015 Copy1 …) How can prevent it? is there any solution?

    Best

    1. Is this specific to Wyse? Does it happen on other client devices?

      What are they pointing to for port? Local client port? Network UNC port?

      Are these in HKLM\System\CurrentControlSet\Control\Print\Printers? Or HKCU\Printers?

      1. Hi Carl
        I have only Wyse. Therefore I can not test on other devices. The Printer is connected local USB Port on Wyse and all printer listed on VDI Windows 7 master Image (HKLM\CurrentControlSet\Control\Printer\Printer)
        If user login on VDI,the print driver is installed and listed several Printer copy1….. Unfortunately I don’t have solution for this.

        1. I though I saw a similar thread at discussions.citrix.com.

          Are you able to call Citrix support? If not, your Citrix Partner can help you.

  33. Carl,
    Thank you for your reply. Is there a way to do this with Win 2008 R2 hosted desktop?
    Regards
    Ray

  34. Hi Carl,
    I am able to see the usb key when plugged into the the local desktop while accessing my server shared desktop (Win 2008 R2). My issue is to restrict which usb keys are allowed to be redirected to the shared server desktop. I have enabled the redirection and placed the deny attributes in the redirection rules with no success. Also as in my previous reply I have attempted at making a reg key inside the user config of a gpo to include a deny in the generic usb key with no success. From all that I have read I should be able to deny all and then allow specific keys using the VID and PID and class.

    Regards
    Ray

    1. USB keys are treated as client drives and are mapped using Client Drive Mapping, not USB mapping. Citrix Policy lets you disable client removable drives but I don’t think it gets any more granular than that. You could disable Client Drive Mapping and enable generic USB mapping instead but this only works with Windows 2012 R2 (or virtual desktops).

      1. Carl,
        I am sorry but I am a little confused here. I understand the allow or disable access to client drives (local) I also understand the preventing access to the hosted server desktop drives in Xenapp 7.8. My confusion is there is the ability and process using citrix policy to allow USB devices to be mapped and then by redirection rules deny or allow specific USB by defining VID’s and PID’s. Are you saying that this is only supported if the hosted server desktop is Win 2012? I would like to send a screenshot but cannot.
        Regards
        Ray

        1. Correct. Generic USB is not available with 2008 R2 XenApp. Microsoft didn’t add it until Windows 2012 R2.

  35. Hi Carl,

    This is win 2008 R2. When you say client side do you mean a gpo being applied to any clients accessing the server desktop hosted on the VDA?
    I have modified this reg key with no success so far.

    SOFTWARE\Wow6432Node\Citrix\ICA Client\GenericUSB
    DENY:VID=1B1C PID=1AB1 Class=08 subclass=05 # Mass Storage Corsair

    Regards
    Ray

  36. Hi Carl,
    I have setup USB redirection and allowed it. I have gone further and setup redirection rules to deny specific USB keys using the VID= and PID= with no success. The policy is being applied to both users and computers in the scope. I have tried using deny class 08 and then allow a specific VID and still no success. I have tired setting this up in both studio and gpedit on a citrix policy. Is there a bug? Xenapp 7.8 and a hosted server desktop. When I allow the usb I see them but I cannot seem to get specific.

    Thanks
    Ray

    1. Is this 2012 r2? There’s no generic USB in 2008 r2.

      The client side GPO might need to be configured.

  37. Hello Carl !

    i have strange situation =) i think so =)
    i have farm xd 7.7, and some app servers for users. (windrows 2008 r2 terminal servers)

    in policy , i make 1 additional policy, and set high priority level for it.
    in additional policy, i disable usb, some graphic parameters and set all settings about session time limits.
    this policy applied to all servers and users, without limits.
    when i check, and login on servers all setting applied, except limit on session time, idle time … disconnect time.
    when i check ica listener on this terminal servers, all setting on listener a default by os.
    i can control this setting on terminal server over citrix farm policy engine ? or i must make it in manual mode on servers.

    tnx.

    1. If you look at the timeout settings, on the top there’s an “Applies to” section. Do you see Server OS in the list?

      To configure Server OS timeouts, you need a GPO with Computer Config > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

  38. You state that the User\ICA\File Redirection\Allow file transfer between desktop and client policy is only for 7.7 and newer… But this works on 7.6 when you have GPM 7.6.300 installed on the controller…

      1. Yup, I had told my colleagues that we couldn’t do this policy after reading your page but then someone sent me that link, we tested it and it worked… Thanks Carl!

  39. Carl,

    I’m having trouble with login times for new users. So users who don’t currently have a Citrix UPM profile/folders redirected yet are seeing extremely long login times. For instance user1 who is logging into Citrix for the very first time with no profile or folders redirected yet will see a login time of 205-575 seconds according to director. I’m using Citrix UPM with Redirected folders to the home drive as your suggestions stated with streaming profiles. After the first login the time drops significantly to 28-50secs per logon. I noticed it seems to sit a while at “applying folder redirection policy” at logon. Any suggestions on how to cut down the initial logon which includes creation of profile and folder redirections? Those times are horrible.

    1. What OS version?

      For folder redirection, you can uncheck the box th copy the contents to the new location.

        1. If brand new users, nothing. If existing users with local profiles, you probably want to copy existing content to the new location.

          1. Ok. So the “applying Folder Redirection Policy” went by a little quicker but I’m now noticing that “Personalized Settings” takes quite a bit.

          2. I typically run procmon during logon. There’s a process summary tool that might help.

  40. Hi Carl
    Have a question regarding licenses. In earlier XA6.5 environment we had the citrix policies to set license edition and type. I can´t find that in XA 7.7?
    I have a mixed environment with license for: 20 XenDesktop PLT , 350 XenApp ent CCU and 35 XenDesktop (fysical desktops with HDX3dPro).
    I have bought licenses for each of these delivery groups and now I thought I could set the policy for each delivery group.
    Or will the license server figure this out?
    I had to set the farm license to XenDesktop PLT otherwise I couldn´t add the fysical workstations.

    Any idea??

    1. Sorry, each XenDesktop site can only use one license type. Go to Configuration > Licenses and on the right is a link to Set Product Edition.

      You can either convert all of your licenses to be the same. Or you create separate farms for each license type.

        1. Not in this release. I don’t know if they are adding it to a future release or not. Please call Citrix Support and submit an enhancement request.

  41. Thanks Carl,

    How can I force XenDesktops (7.6) to launch in full screen mode and SPAN across dual monitors without users losing the ability to resize to their hearts content?

    I have both Web Interface and Storefront

    Changing web.config in Storefront “showDesktopViewer=false” loses the ability to resize

  42. Hi Carl, Can you tell me how to do Server-Side Content fetching bcaz i tried its not working for me after enabled the policy in both client and server side even after i saw that “HDX Flash Redirection” when i right click the video so i can you tell me about tat policy and details like how to confirm it.

  43. Hi Carl,

    In XA 6.5 you had the ‘New-CtxManagedDesktopGPO’ script to setup an initial set of policies for published desktops.

    Do you know if there is an equivalent tool in 7.6?

    Cheers,
    James

    1. It’s not needed in 7.6. Instead, there’s an Enhanced Desktop Experience Citrix Policy setting, which is enabled by default.

          1. Thanks, but that just tells me that the setting is “Allowed” by default and certain issues that can arise when users have conflicting profiles.

            My setup is Win2k12 R2 shared desktop and I know that the settings are being applied successfully. I just want to be able to see a list of the settings that are being applied and from where (which policy) they are being applied, so that I can document them before configuring any additional policies that need to be applied to the VDA servers.

          2. I’ve figured it out……

            Its part of the “Unfiltered” policy configured in Studio’s policies node.

            What was confusing was I disabled that policy but the settings were still applied, which completely threw me. It wasn’t until I enabled the policy and ‘Prohibited’ the setting that I saw that it had an effect on the VDA server.

            Thanks Carl

  44. Hi Carl,

    I have followed your guidance once again 😉 but stumbled upon something odd. As I am fairly new to Citrix I am wondering if

    I did not understand your article or

    just do not get the complete picture how MS and Citrix policies work or

    if I missed something important

    So I hope you can clarify ,,,

    As said before I followed your guidance and created the GPO ‘s and so on which works 😉 but I could not get rid of enhanced desktop expirience on my 2012R2 RDSH if I prohibited this within the default unfiltered policy in my “VDA system” GPO.

    Finally I decided to create a Studio Policy in addition to the unfiltered to prohibit “enhanced desktop experience” and this works instantly.. I wished I did this 36 hours ago which would have saved me a lot of time.

    So now I believe I can better configure citrix based policies within studio and the MS part through GPMC

    Your article led me to believe this could be configured through Microsoft ‘s GPMC but this does not seem to work in my case.

    Regards,
    Raymond

    1. Citrix Policies should work the same whether you configure them in Studio or in a GPO.

      Themes are applied to the user’s profile. Did it work with a brand new user or with a user with profile deleted? The help text also says that the VDA needs to be rebooted.

      1. Okay in my case not.

        Yes, via powershell pushed into the local GPO
        It was active from the start and I prohibited it via GPO. I rebooted and also deleted the user profile multiple times even build an additional RDSH and separate GPO ‘s from scratch but it simply did not work. Only after I created and assigned a 2nd studio policy as per CTX139375 and rebooted once it finally worked. I only configured unfiltered within GPO.

        1. I just tried it and it works. Did the GPO create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICAPolicies\EnhancedDesktopExperience=0?

  45. Hello Carl , I have turned on Auto Client Drive redirection ( Enabled) , Client Drive redirection ( Enabled) and Client Fixed drive ( Prohibited ) in Citrix Policy – We have VDA 7.6 HSD environment – Still I am not able to see the Client drives mapped on HSD.

    Am i missing anything ?

    Thanks,
    Sohail

    1. Which client drives? You disabled the fixed drives.

      When launching the session the user is prompted to allow client drive mapping. If the user didn’t allow it then they won’t map. You can open connection center on the client side to change the file mapping setting. Or in Desktop Toolbar there’s a Preferences button.

      1. Carl is there a way to gray-out or prevent the client from changing settings on the Citrix Receiver Preferences toolbar? We are blocking access to local drives but noticed they still have the option to change that setting by going to the Preferences toolbar.

        1. If it’s denied in a Citrix Policy, I’m don’t see how enabling it on the client side would work.

          Or are you referring to raw USB mapping? That can also be disabled in a Citrix Poliy.

Leave a Reply to Rikesh Cancel reply

Your email address will not be published. Required fields are marked *