Citrix Policy Settings

Last Modified: Sep 16, 2017 @ 1:49 pm


Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a XenApp/XenDesktop environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one XenApp/XenDesktop site and import them to another.

GPOs are linked to an Active Directory OU and can apply to VDAs in multiple XenApp/XenDesktop sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

 

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.

 

If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"

New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

cd LocalFarmGpo:\User

copy * TargetGPO:\User

Do the same for Computer.

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine:

  1. Login to a machine that has Group Policy Management Console (Windows Feature) installed.
  2. Citrix CTX225741 Citrix GPMC Console 3.0.0 crashing in Win 2K12R2 DC when editing polices says that Visual C++ Redistributable for Visual Studio 2015 should be installed first.
  3. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the XenApp/XenDesktop 7.15 media. Make sure all Group Policy consoles are closed first.
  4. XenApp/XenDesktop 7.15 comes with Citrix Group Policy Management 3.1.0.0.

  5. Citrix sometimes releases updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed), and Studio machines.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we’ll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the settings detailed in this post require newer versions of XenDesktop.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to Auto Client Reconnect.
  12. Click Add next to the setting Auto client reconnect logging.

  13. Change the Value to Log auto-reconnect events, and click OK.
  14. Change the Categories drop-down to End User Monitoring.
  15. Click Add next to the setting ICA round trip calculations for idle connections.
  16. Change the selection to Enabled, and click OK.
  17. Change the Categories drop-down to Local App Access.
  18. Click Add next to the setting Allow Local App Access.
  19. Change the selection to Allowed, and click OK. Note: Local App Access interferes with Bidirectional Content Redirection in Receiver 4.7 and newer. See http://www.carlstalhood.com/published-applications/#laa for more info on Local App Access.
  20. Change the Categories drop-down to Printing.
  21. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.
  22. Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  23. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  24. Click Add next to the setting Enable monitoring of application failures.
  25. You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  26. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.
  27. Change the setting to Allowed, and click OK. See CTX223927 How to use Director to troubleshoot application launch errors for details.
  28. Click Add next to the setting Enable process monitoring. Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.
  29. Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. On the Settings tab, change the Categories drop-down to Audio.
  5. Click Add next to the setting Audio quality.
  6. Change the Value to Medium – optimized for speech, and click OK.
  7. Change the Categories drop-down to Client Sensors.
  8. Click Add next to the Allow applications to use the physical location setting.
  9. Change the selection to Allowed, and click OK.
  10. Change the Categories drop-down to Mobile Experience.
  11. Click Add next to the Automatic keyboard display setting.
  12. Change the selection to Allowed, and click OK.
  13. Click Add next to the Remote the combo box setting.
  14. Change the selection to Allowed, and click OK.
  15. Change the Category drop-down to Multimedia.
  16. Click Add next to the Use GPU for optimizing Windows Media setting.
  17. Change the selection to Allowed, and click OK.
  18. Change the Categories drop-down to Printing.
  19. Click Add next to the setting Auto-create PDF Universal Printer.
  20. Change the selection to Enabled, and click OK.
  21. Click Add next to the setting Automatic installation of in-box printer drivers.
  22. Change the selection to Disabled, and click OK.
  23. Click Add next to the setting Direct connections to print servers.
  24. Change the selection to Disabled, and click OK.
  25. Click Add next to the setting Printer auto-creation event log preference.
  26. Change the Value to Log errors only, and click OK.
  27. Click Add next to the setting Universal print driver usage.
  28. Change the Value to Use universal printing only.
  29. Change the Categories drop-down to Session Limits.
  30. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO.

  31. Change the Categories drop-down to Time Zone Control.
  32. Click Add next to the setting Use local time of client.
  33. Change Value to Use client time zone. Note: you must also configure the Microsoft GPO Remote Desktop Session Host time zone setting.
  34. Change the Categories drop-down to USB Devices.
  35. Click Add next to the setting Client USB device redirection.
  36. Change the selection to Allowed, and click OK. This is the last generic setting. See the next couple sections for more settings.

Also see:

  • Citrix CTX227534 Citrix Printing Quick Start Guide – includes information on printing terms, printing configuration policies, and Citrix recommended configurations for common printing scenarios

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 3.0 included in XenApp 7.14) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Receiver (4.3.100 or newer).

  6. To use Framehawk with Receiver for iOS 6.0, on StoreFront servers, add Framehawk=On to the WFClient section of the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica.
  7. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  8. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  9. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  10. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, Internet, etc. In 7.12, EDT was Tech Preview. In 7.13, EDT is officially supported. EDT has several requirements:

  • VDA 7.13 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer.
  • Receiver for Mac must be 12.5 or newer.
  • StoreFront must be 3.9 or newer.
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features are not supported with EDT at this time:
  • Use a Citrix Policy to enable EDT. It’s disabled by default. The HDX Adaptive Transport setting is in the Computer half of a GPO. This policy setting was renamed from the Enlightened Data Transport setting in 7.12. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active.

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware. 

7.11 and newer:

  • Use video codec for compression can be set to For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

 

From http://discussions.citrix.com/topic/347341-specific-application-freezes-receiver-41-session-window/: If you experience graphics performance problems in XenDesktop 7.6, consider configuring the following settings:

  • ICA \ Desktop UI \ Desktop Composition Redirection = Disabled
  • ICA \ Graphics \ Legacy Graphics Mode = Enabled

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.
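
As an added example (not from the original page or from Citrix), the following Python check compares a policy export against the Security Settings list above and reports settings that differ or are not configured. It assumes the export is plain text with one "Scope \ Category \ Setting = Value" line per resultant setting, in the same notation this page uses; the sample export is constructed.

```python
import re

# Baseline transcribed from the "Security Settings" list on this page.
BASELINE_TEXT = r"""
User \ ICA \ Client clipboard redirection = Prohibit
User \ ICA \ Desktop launches = Disabled
User \ ICA \ Launching of non-published programs = Disabled
User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
User \ ICA \ File Redirection \ Auto connect client drives = Disabled
User \ ICA \ File Redirection \ Client drive redirection = Prohibited
User \ ICA \ File Redirection \ Fixed drives = Disable
User \ ICA \ File Redirection \ Client network drives = Prohibit
User \ ICA \ File Redirection \ Client removable drives = Prohibit
User \ ICA \ Printing \ Client printer redirection = Prohibit
User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
User \ ICA \ Session Limits \ Disconnected session timer = Enabled
User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
User \ ICA \ USB devices \ Client USB device redirection = Disable
User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit
"""

# Constructed sample (an assumption, not real output): resultant user
# settings exported for one Delivery Group.
SAMPLE_EXPORT = r"""
# constructed sample export
User \ ICA \ Client clipboard redirection = Prohibited
User \ ICA \ Desktop launches = Disabled
User \ ICA \ File Redirection \ Client drive redirection = Allowed
User \ ICA \ File Redirection \ Fixed drives = Disabled
User \ ICA \ Printing \ Client printer redirection = Prohibit
User \ ICA \ Session Limits \ Disconnected session timer = Enabled
User \ ICA \ Session Limits \ Disconnected session timer interval = 120 minutes
User \ ICA \ USB devices \ Client USB device redirection = Allowed
"""

# The page mixes "Prohibit"/"Prohibited" and "Disable"/"Disabled"; fold each pair.
SYNONYMS = {"prohibit": "prohibited", "disable": "disabled",
            "enable": "enabled", "allow": "allowed"}


def normalize_value(value):
    """Drop a trailing "(...)" note, lower-case, and fold spelling variants."""
    value = re.sub(r"\s*\([^)]*\)\s*$", "", value)
    value = " ".join(value.lower().split())
    return SYNONYMS.get(value, value)


def parse_settings(text):
    """Parse 'path = value' lines into {lower-cased path: (display path, value)}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()      # tolerate pasted bullets
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, _, value = line.partition("=")
        parts = [p.strip() for p in path.split("\\") if p.strip()]
        key = "\\".join(p.lower() for p in parts)
        settings[key] = (" \\ ".join(parts), normalize_value(value))
    return settings


def audit(export_text, baseline_text=BASELINE_TEXT):
    """Return (setting, expected, actual, status) for every baseline entry
    that the export does not satisfy. status is 'drift' when the setting is
    configured with another value and 'missing' when it is not configured,
    in which case a default or another policy decides the behaviour."""
    baseline = parse_settings(baseline_text)
    actual = parse_settings(export_text)
    findings = []
    for key, (name, expected) in baseline.items():
        if key not in actual:
            findings.append((name, expected, None, "missing"))
        elif actual[key][1] != expected:
            findings.append((name, expected, actual[key][1], "drift"))
    return findings


if __name__ == "__main__":
    for name, expected, actual, status in audit(SAMPLE_EXPORT):
        shown = "not configured" if actual is None else actual
        print(f"{status:8} {name}: expected {expected}, found {shown}")
```

Values are compared as text after normalization, so a shorter disconnect timer than the baseline's 30 minutes is still reported as drift and needs a manual look.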

 

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection”
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

120 thoughts on “Citrix Policy Settings”

  1. Hi Carl,

    we have one application which is used for signature verification now user are able to copy and paste in email. But client required users will not take screenshot and copy paste on particular application in xenapp 7.5 and copy paste and screenshot facility will work on all application
    kindly suggest.

    1. Screenshot is from the client? You can configure Citrix Policy to block client clipboard. But it’s not really possible to completely prevent screenshots. They could always use a phone to take a picture.

      Or do you mean screenshot in the remote session? Maybe you can run a program that takes over the PrtScr key.

  2. Hi Carl,

    Good day,

    Just want to know if we use Citrix Policy, if we can able to achieve that when user upload file using HTML 5 they can able to see only one folder but per user profile and not a centralized work space that ever users can able to see. Thanks

  3. Hi Carl

    In “Citrix Policy GPO plug-in”, in wanting to use “filter” for “Delivery Group”, there is Field “Controller”.

    Is this required or one could do without it. If required, how can multiple controllers be added? What delimiter is to be used, comma, semi-colon or dash? Or do I have to create entries for each controller, even though is for same Delivery Group.

    Thanks.

    1. I think the idea is that the GPO Plug-in can connect to a Controller to enumerate the Delivery Groups.

  4. Hi Carl,

    Thanks in advance for any help you can provide….

    I am so close to getting framehawk to work and this guide is the last portion.

    I enabled dtls on my gateway vserver, unbound and rebound my cert chain, and rebooted the netscaler.

    I have enabled Framehawk display channel

    I gpupdate /force and reboot my controller/broker/license server combo and sql database servers

    I do not see “HDX Adaptive Transport” or “Enlightened Data Transport” Citrix GPO option to change… has it been re-renamed? I installed the latest version of VPX Express and XenDesktop/XenApp as of a week ago in a test environment, so I am running the latest of everything, and my infrastructure is fully functional aside from Framehawk.

    Thank you!

    1. What version of XenDesktop?

      Does the policy editing machine have the latest Citrix GPO Management Plugin installed?

      Framehawk and EDT are two different things.

    2. I also forgot to mention that I have installed remote display analyzer to confirm Framehawk is not active, only Thinwire. 443 tcp and udp are pointing to my gateway vserver on external FW and all ports for Framehawk are open from DMZ through internal FW.

      1. Framehawk is a different Citrix Policy Setting. Did you enable Framehawk? Or did you enable Adaptive Transport?

        Depending on your Gateway version, there might be limitations with AppFlow.

  5. In using “Citrix Policy GPO plug-in”, where under “filter” could the policy be set to apply to all objects.
    In creating policy through “Studio”, there is the option “All objects in the site” under “Assign policy to”

  6. hi Carl, In your view could there be a potential issue with Policies being applied in Citrix Studio that are referenced in another policy with a different setting that is lower in priority ? For example the Legacy Graphics Mode Policy which is set to disabled for a specific delivery group following by it being enabled in another policy which is assigned to all delivery groups. Should the one in the higher set policy simply take priority and the lesser one ignored ? Thanks

    1. It’s based on policy priority. You typically want the more specific policy to be higher than the generic policy.

    2. Hi carl, good afternoon.

      I would like your opinion … I have difficulties of configurations for use of the video policies for use of xendesktop in thinclients. I say because I do not know how to make policies according to the client’s device. In our environment computers, notebooks and cell phones have good video performance. However the ncomputing (zero) thinclients that we present have a certain freeze on the screen mainly where we have flash to be loaded can suggest me something of how to solve this dilemma.

      1. Can the devices be identified by client IP (subnet) or user AD group?

        If not, then you might have to implement NetScaler Gateway with User-Agent expressions (or EPA scans) on Session Policies and then use SmartAccess (Access Control) filters on your policies.

    3. I noticed that after upgrading from XenApp 7.13 to 7.14 that any modifications to a GPO that has GPPs will break if Citrix Policy is modified via Group Policy Mgmt console. I had to recreate the policy from scratch. If no GPPs are set then it’s not an issue. Anyone else see this?

  7. Hi Carl,

    Bloomberg KeyBoards

    2 Wires – KVM wire and normal Cable to connect to Thin Client

    We have two policies

    a. We disable Client USB Device Redirection and Client USB Plug and Play Device Redirection – The goal is to disable mass storage devices. However, it blocks Bloomberg KVM wire – when I disable this policy it works (well under StoreFront with Desktop Viewer)

    b. I have the Bloomberg studio policy with USB Device Redirection along with Redirection Rules as a separate Policy enabled. I think it conflicts with the other policy, so I tested enabling the other policy and it worked.

    1) How do we disable USB and Mass Storage Devices via Studio for Internal and Remote Access use?

    2) Internally we do not show Desktop Viewer, so I will not see devices tab. When I use Storefront with Desktop Viewer it gives me an option to tick it, I want this done automatically as users will not see desktop viewer as I want their experience to look like a normal environment. Please can you assist?

  8. Hi Carl
    When I use Microsoft GPMC to configure the citrix policies, I cannot use the filters. The controller field is empty and then the delivery group drop down box when clicked would say ” Xendesktop not installed”

    I tried manually entering the controller address in the controller field but still same issue. Any thoughts on that.

    Regards

  9. Is it possible to filter drive mapping from my Citrix environment to another 3rd party Citrix environment? Can I filter this rule to allow one 3rd party and deny the rest?

  10. Hi Carl,

    is there any way to enable secure printing in citrix, since one of our customers have five canon printer and the want to enable secure print through citrix. is there any citrix policy that enable this feature ? also how can i disable citrix universal printer driver for these printers ?

    Thank you in advance

    Basem

    1. The default policy configuration uses the real print driver if the print driver is installed on the VDA. “Use Universal Printing only if requested driver is unavailable”

      Citrix doesn’t do anything specific for secure printing.

  11. I have a question on Legacy Graphic mode policy. I am running on 7.6 fp3, some of my remote users report slow response when accessing my Server OS desktops. While i understand that there could a significant network reasons for this, i also would like to know if enabling Legacy Graphic mode policy will improve performance?

    1. In 7.6.300, It should be using the new Thinwire Plus codec, which is supposed to be similar to Legacy.

      You can try Legacy on Windows 2008 R2 VDAs, but not on anything newer.

  12. Hi Carl,

    If I want to apply FP3 Studio templates (Specifically the Very High Definition User Experience) to an existing delivery Controller running 7.6.0, I understand that I can install the Citrix Group Policy Management.msi which permits me to administer the policies via AD, however at the moment we would like to continue using studio. Is it a case of exporting the template from the Group Policy Management Editor and importing the required template into studio ? Is this a valid in order to have the policies apply ? thanks

      1. Thanks Carl for the reply.

        To your knowledge does an import of the policy from 1 version to another have any impact on the database schema ? Also are the policy templates site dependant in any way ? The import will be occurring on a different site and server running citrix studio

        1. The templates are just a collection of predefined policy settings. Of course different GPMx versions have different settings but unsupported settings for a particular VDA version or GPMx version will be ignored.

  13. Hello Carl,

    Have you run across when a USB device such as Mass storage device or a usb scanner. The device is automatically redirected with the optimization setting. I can switch it to generic without any issues. But the check box is grey out for the redirect option. What I am seeing is if for example I add a Deny: VID=0781 PID=5202 either with in studio or in the admx GPO. Once the user connects you will see the USB device state….. Optimized, Policy Restricted.

    It shows both.

    But the USB device in my case Mass storage device shows up.

    This is Xendesktop 7.11 and Citrix Receiver 4.5
    I have a case open but I reach a newable @ citrix who wasn’t very experienced in this aspect.

    So I am curious if you or if anybody on this forum has seen this?

    Thank you
    Ray Davis

  14. Carl,

    Quick question I setup my Citrix policy for the “For Actively Changing Regions” and I’m using the newest Receiver however when I run the remote display tool its telling me I am only using Thinwire not Thinwire Plus.

    Here is a screenshot:

    http://imgur.com/a/qTRBH

    Any ideas as to why that's happening?

    1. There’s a thread on this at discussions.citrix.com. The WMI paths were changed in 7.11 and the tools need to be updated to report it accurately.

      1. So the tool is wrong and not XenDesktop itself?

        Also thanks for all this great info I have built up a new 7.11 Environment from scratch because of all your great information!

  15. Hi

    I’ve built a Windows 7 Static Non Persistent VDI with VDA 7.6 CU1, all Windows Updates ran, Antivirus Exclusions included, legacy graphics mode. Its a clean build

    2 CPU
    8GB Memory
    50GB OS Win7 x64 Bit
    10GB Write Cache
    Page Filing done
    Win7 Optimization followed as per your guide
    Citrix HDX WMI Provider installed

    But when I seem to use it, it runs terribly slow, not sure what I’m missing….. but it runs absolutely fine on a 2k8 RDSH connecting from the same thin client.

    1. What kind of storage? If not SSDs/Flash, then you have to design the storage to handle the IOPS.

      However, there are many causes of slow performance. Is it hardware (CPU/Disk/Memory)? Is it environmental (profiles, GPOs, slow mapped drives, etc.)? Slow network?

  16. I need to enable the “Legacy Graphics Mode” for clients using an older receiver ONLY. Then I want to disable it for people connecting via the latest receiver? Can I target policies at Receiver level?

    1. Are you trying to block H.264? There’s a “use video codec” Citrix Policy and you can use various filters like Client IP, client name, etc. But I’m not aware of any Client Version filter.

  17. Hi Carl,

    Good Morning. Thanks a Lot for your wonderful articles and Blog. I had a small question regarding the Citrix Policies.

    In a given Scenario say I don’t have any Server Based Citrix Policies, but I configure my Citrix Receiver Settings with the ICA ADM Templates and configure the Color Depth Bit, Disk Caching, Lossy Compression, Speed Screen etc on the Client Machines.

    Will they still function as expected and help in improving better performance ?

    1. Color Depth depends on the codec used on the server side. Not all codecs support lower colors.

      Not sure about the others. Those seem like older settings for older versions of Citrix.

      1. Hi Carl

        We have had a recent IT Health check and they have said that we need to disallow PowerShell for standard users, as they were able to get a PowerShell terminal through a macro (Excel).

        Do you have any suggestion Carl?

        Much appreciated.

        1. Are you using it for logon scripts?

          You might be able to change NTFS permissions. Or use AppLocker to block it. Or there are third party products (e.g. AppSense) that can block executables.

  18. Hey Carl,
    We’re using Client USB device redirection rules with 29 Allow rules (VID and PID specified) and 1 Deny All rule. The problem is with 30 Allow rules or more, everything is allowed, all attached devices become visible. When we remove some Allow rules, the policy is working again as it should. Is there a limit for the number of Allow and/or Deny rules? Does this number have something to do with the maximum of 32 USB devices in Windows? We’re using Windows 7 x86 with VDA 7.6.300.
    Thanks!
    Ronald.

    1. Hi Ronald,

      This is a known issue. If an Allow/Deny policy for USB devices is > 1500 characters the policy will fail to apply and ALL USB devices will become available in session. This was addressed with LC1153.

      This LC was included in 7.6.300.

      Regards,
      Sai

  19. Thanks Carl, Citrix policies don’t seem to be working to stop the drive mapping from the local laptop. I checked the Registry under HKLM\software\Policies\Citrix and the Citrix policy is getting applied, but the drives are still mapped into the session. I just have 3 settings in my Citrix policy. 1- Auto connect client drives = Disabled , 2- Client drive redirection = Prohibited , 3- Client fixed drives = Prohibited. Fairly simple\vanilla install. Any other suggestions. I am talking with my mgmt. to see if I can open a support case, but it should not be this tough. 🙂 thanks for your help

  20. Carl, I am working on a new XenApp 7.6 LTSR build and I am having trouble trying to find out how my local laptop’s C drive is getting mapped into my session. I have no Citrix policies in place yet, and have configured my receiver client version 4.4.1000.16 to not allow access. Now with this setting I get access denied when I try to connect to my laptop’s C drive from the HSD. I just don’t understand why it’s getting mapped into the session? Does this version of Receiver automatically map the local drive into your session? Any insight?

  21. Hi Carl, Great site! We’re having some difficulty applying the “View windows contents while dragging” policy and setting it to prohibited. It seems to apply inconsistently – sometimes it works, but when you disconnect and reconnect to the VDI it suddenly stops working. The policies are being applied via Citrix Studio. I have also tried applying them in conjunction with the AD GPO settings that relate to disabling dragfullwindows, but to no avail. Anything that you could suggest trying? Citrix don’t seem to be able to help. Thanks.

  22. Hello Carl,

    Issue, In my citrix Xendesktop 7.6 environment as soon as i launch the published desktop server it launches and then exits. i’m able to launch with Fat clients/Desktops/laptops with no issues.
    End client: Wyse Thin Client N4000 model
    firmware Version :2.6.1 (Latest updated)
    Receiver Version: 13.0
    Url: PNAgent url
    No Feature pack has installed

    Is anything to be updated such as HDX/Resolution/firmware policies or Hotfixes or Feature packs?

    Please need help or advise on this.

    1. Are you doing ICA Proxy internally? Is SSL enabled on your delivery group? Maybe it’s a certificate issue.

      Are you able to get a network trace of the thin client trying to connect?

      1. Hi Carl, Thanks for your prompt reply.

        We are not using SSL, as we are running on http. we don’t have provision to tracert/telnet in the thin client.
        And also we have encountered event logs on HSD the time we are accessing thin client, Might the below mentioned error/information logs can help.

        Event logs

        Error

        The Citrix Device Redirector service could not complete an IO operation with Redirector Bus.
        Event Id:261

        Information

        1.The citrix ICA Transport Driver is now connected to IP x.x.x.x:35632
        Event Id:1004

        1.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been suspended
        Event id: 1005

        2.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been closed
        Event Id: 1007

  23. Hello Carl,

    i have a problem and hope you can help me.

    In my XenDesktop 7.6 FP3 Environment we use Wyse ThinClients with a local USB Label-Printer (Dymo) connected.

    My GPOs allow this Printer to redirect in to the VDI but after the USB-Printer was redirected it gets the Status “Printer offline” and not react to any pressure.

    Unplug and replug again the Device gets active and switch the Status to “Printer online”, but it can’t be the solution to do this every morning :(. Did you have any solution for my Problem?

    Many thanks and greetings
    Daniel

    1. I recommend posting this question to CITRIX Discussions (discussions.citrix.com). Does the same problem occur on a Windows client?

      1. This Client is a Windows 7 Embedded OS – and i do not have installed the printer driver locally because i only want it redirected and in my master image the drivers are installed.

        After i logon with my testuser over my thinclient in my VDI the printer will be installed with the correct drivers my problem is that it is offline… if i unplug it and replug it is online 🙁

        1. You’re doing generic USB redirection instead of optimized client printer redirection? For regular client printing, the client device needs to be able to print. Then the VDA simply offloads the actual printing to the client device. If you use a driver on the VDA then Citrix requires the same driver on the client.

          I’ve never encountered this problem before so I recommend either posting to discussions.citrix.com or calling Citrix Support.

          1. We try this over the generic USB redirection so the client device did not have the driver and in the VDA it gets installed but my problem is that for the first time it is offline… If i install the dymo driver to the client device i got 2 devices in my VDA first is my USB redirected Offline and second is my regular Printer Dymo Labelwrite XX from ThinlcientXY and the second one i do not want 🙂

            On our old XenDesktop 5.6 this works without any problems

          2. FYI..

            I found the Problem, it was the Dymo driver which created a Ghostdevice in our VDI Master Image.
            After i deleted this Ghostdevice from our Master Image everything work now as it should 🙂

            Thanks

  24. Hi Carl

    I have a question regarding to local USB printer on Xendesktop VDI. I use Wyse thin client and all local printer connected over usb port . I have installed all the drivers on Windows 7 Master Image. If user log on Windows VDI , I see several session printer, which is copy2 is copy1. (For example HP LaserJet 2015 Copy1 …) How can prevent it? is there any solution?

    Best

    1. Is this specific to Wyse? Does it happen on other client devices?

      What are they pointing to for port? Local client port? Network UNC port?

      Are these in HKLM\System\CurrentControlSet\Control\Print\Printers? Or HKCU\Printers?

      1. Hi Carl
        I have only Wyse. Therefore I can not test on other devices. The Printer is connected local USB Port on Wyse and all printer listed on VDI Windows 7 master Image (HKLM\CurrentControlSet\Control\Printer\Printer)
        If user login on VDI,the print driver is installed and listed several Printer copy1….. Unfortunately I don’t have solution for this.

        1. I thought I saw a similar thread at discussions.citrix.com.

          Are you able to call Citrix support? If not, your Citrix Partner can help you.

  25. Hi Carl,
    I am able to see the usb key when plugged into the local desktop while accessing my server shared desktop (Win 2008 R2). My issue is to restrict which usb keys are allowed to be redirected to the shared server desktop. I have enabled the redirection and placed the deny attributes in the redirection rules with no success. Also as in my previous reply I have attempted at making a reg key inside the user config of a gpo to include a deny in the generic usb key with no success. From all that I have read I should be able to deny all and then allow specific keys using the VID and PID and class.

    Regards
    Ray

    1. USB keys are treated as client drives and are mapped using Client Drive Mapping, not USB mapping. Citrix Policy lets you disable client removable drives but I don’t think it gets any more granular than that. You could disable Client Drive Mapping and enable generic USB mapping instead but this only works with Windows 2012 R2 (or virtual desktops).

      1. Carl,
        I am sorry but I am a little confused here. I understand the allow or disable access to client drives (local) I also understand the preventing access to the hosted server desktop drives in Xenapp 7.8. My confusion is there is the ability and process using citrix policy to allow USB devices to be mapped and then by redirection rules deny or allow specific USB by defining VID’s and PID’s. Are you saying that this is only supported if the hosted server desktop is Win 2012? I would like to send a screenshot but cannot.
        Regards
        Ray

        1. Correct. Generic USB is not available with 2008 R2 XenApp. Microsoft didn’t add it until Windows 2012 R2.

  26. Hi Carl,

    This is win 2008 R2. When you say client side do you mean a gpo being applied to any clients accessing the server desktop hosted on the VDA?
    I have modified this reg key with no success so far.

    SOFTWARE\Wow6432Node\Citrix\ICA Client\GenericUSB
    DENY:VID=1B1C PID=1AB1 Class=08 subclass=05 # Mass Storage Corsair

    Regards
    Ray

  27. Hi Carl,
    I have setup USB redirection and allowed it. I have gone further and setup redirection rules to deny specific USB keys using the VID= and PID= with no success. The policy is being applied to both users and computers in the scope. I have tried using deny class 08 and then allow a specific VID and still no success. I have tried setting this up in both studio and gpedit on a citrix policy. Is there a bug? Xenapp 7.8 and a hosted server desktop. When I allow the usb I see them but I cannot seem to get specific.

    Thanks
    Ray

    1. Is this 2012 r2? There’s no generic USB in 2008 r2.

      The client side GPO might need to be configured.

  28. Hello Carl !

    i have strange situation =) i think so =)
    i have farm xd 7.7, and some app servers for users. (windows 2008 r2 terminal servers)

    in policy , i make 1 additional policy, and set high priority level for it.
    in additional policy, i disable usb, some graphic parameters and set all settings about session time limits.
    this policy applied to all servers and users, without limits.
    when i check, and login on servers all setting applied, except limit on session time, idle time … disconnect time.
    when i check ica listener on this terminal servers, all setting on listener a default by os.
    i can control this setting on terminal server over citrix farm policy engine ? or i must make it in manual mode on servers.

    tnx.

    1. If you look at the timeout settings, on the top there’s an “Applies to” section. Do you see Server OS in the list?

      To configure Server OS timeouts, you need a GPO with Computer Config > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

  29. You state that the User\ICA\File Redirection\Allow file transfer between desktop and client policy is only for 7.7 and newer… But this works on 7.6 when you have GPM 7.6.300 installed on the controller…

      1. Yup, I had told my colleagues that we couldn’t do this policy after reading your page but then someone sent me that link, we tested it and it worked… Thanks Carl!

  30. Carl,

    I’m having trouble with login times for new users. So users who don’t currently have a Citrix UPM profile/folders redirected yet are seeing extremely long login times. For instance user1 who is logging into Citrix for the very first time with no profile or folders redirected yet will see a login time of 205-575 seconds according to director. I’m using Citrix UPM with Redirected folders to the home drive as your suggestions stated with streaming profiles. After the first login the time drops significantly to 28-50secs per logon. I noticed it seems to sit a while at “applying folder redirection policy” at logon. Any suggestions on how to cut down the initial logon which includes creation of profile and folder redirections? Those times are horrible.

    1. What OS version?

      For folder redirection, you can uncheck the box to copy the contents to the new location.

        1. If brand new users, nothing. If existing users with local profiles, you probably want to copy existing content to the new location.

          1. Ok. So the “applying Folder Redirection Policy” went by a little quicker but I’m now noticing that “Personalized Settings” takes quite a bit.

          2. I typically run procmon during logon. There’s a process summary tool that might help.

  31. Hi Carl
    Have a question regarding licenses. In earlier XA6.5 environment we had the citrix policies to set license edition and type. I can't find that in XA 7.7?
    I have a mixed environment with license for: 20 XenDesktop PLT , 350 XenApp ent CCU and 35 XenDesktop (physical desktops with HDX3dPro).
    I have bought licenses for each of these delivery groups and now I thought I could set the policy for each delivery group.
    Or will the license server figure this out?
    I had to set the farm license to XenDesktop PLT otherwise I couldn't add the physical workstations.

    Any idea??

    1. Sorry, each XenDesktop site can only use one license type. Go to Configuration > Licenses and on the right is a link to Set Product Edition.

      You can either convert all of your licenses to be the same. Or you create separate farms for each license type.

        1. Not in this release. I don’t know if they are adding it to a future release or not. Please call Citrix Support and submit an enhancement request.

  32. Thanks Carl,

    How can I force XenDesktops (7.6) to launch in full screen mode and SPAN across dual monitors without users losing the ability to resize to their hearts content?

    I have both Web Interface and Storefront

    Changing web.config in Storefront “showDesktopViewer=false” loses the ability to resize

  33. Hi Carl, Can you tell me how to do Server-Side Content fetching, because I tried it and it’s not working for me after I enabled the policy on both client and server side, even after I saw “HDX Flash Redirection” when I right click the video. So can you tell me about that policy and details like how to confirm it.

  34. Hi Carl,

    In XA 6.5 you had the ‘New-CtxManagedDesktopGPO’ script to setup an initial set of policies for published desktops.

    Do you know if there is an equivalent tool in 7.6?

    Cheers,
    James

    1. It’s not needed in 7.6. Instead, there’s an Enhanced Desktop Experience Citrix Policy setting, which is enabled by default.

          1. Thanks, but that just tells me that the setting is “Allowed” by default and certain issues that can arise when users have conflicting profiles.

            My setup is Win2k12 R2 shared desktop and I know that the settings are being applied successfully. I just want to be able to see a list of the settings that are being applied and from where (which policy) they are being applied, so that I can document them before configuring any additional policies that need to be applied to the VDA servers.

          2. I’ve figured it out……

            Its part of the “Unfiltered” policy configured in Studio’s policies node.

            What was confusing was I disabled that policy but the settings were still applied, which completely threw me. It wasn’t until I enabled the policy and ‘Prohibited’ the setting that I saw that it had an effect on the VDA server.

            Thanks Carl

  35. Hi Carl,

    I have followed your guidance once again 😉 but stumbled upon something odd. As I am fairly new to Citrix I am wondering if

    I did not understand your article or

    just do not get the complete picture how MS and Citrix policies work or

    if I missed something important

    So I hope you can clarify ,,,

    As said before I followed your guidance and created the GPOs and so on which works 😉 but I could not get rid of enhanced desktop experience on my 2012R2 RDSH if I prohibited this within the default unfiltered policy in my “VDA system” GPO.

    Finally I decided to create a Studio Policy in addition to the unfiltered to prohibit “enhanced desktop experience” and this works instantly.. I wished I did this 36 hours ago which would have saved me a lot of time.

    So now I believe I can better configure citrix based policies within studio and the MS part through GPMC

    Your article led me to believe this could be configured through Microsoft ‘s GPMC but this does not seem to work in my case.

    Regards,
    Raymond

    1. Citrix Policies should work the same whether you configure them in Studio or in a GPO.

      Themes are applied to the user’s profile. Did it work with a brand new user or with a user with profile deleted? The help text also says that the VDA needs to be rebooted.

      1. Okay in my case not.

        Yes, via powershell pushed into the local GPO
        It was active from the start and I prohibited it via GPO. I rebooted and also deleted the user profile multiple times even build an additional RDSH and separate GPO ‘s from scratch but it simply did not work. Only after I created and assigned a 2nd studio policy as per CTX139375 and rebooted once it finally worked. I only configured unfiltered within GPO.

        1. I just tried it and it works. Did the GPO create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICAPolicies\EnhancedDesktopExperience=0?

  36. Hello Carl , I have turned on Auto Client Drive redirection ( Enabled) , Client Drive redirection ( Enabled) and Client Fixed drive ( Prohibited ) in Citrix Policy – We have VDA 7.6 HSD environment – Still I am not able to see the Client drives mapped on HSD.

    Am i missing anything ?

    Thanks,
    Sohail

    1. Which client drives? You disabled the fixed drives.

      When launching the session the user is prompted to allow client drive mapping. If the user didn’t allow it then they won’t map. You can open connection center on the client side to change the file mapping setting. Or in Desktop Toolbar there’s a Preferences button.

      1. Carl is there a way to gray-out or prevent the client from changing settings on the Citrix Receiver Preferences toolbar? We are blocking access to local drives but noticed they still have the option to change that setting by going to the Preferences toolbar.

        1. If it’s denied in a Citrix Policy, I don’t see how enabling it on the client side would work.

          Or are you referring to raw USB mapping? That can also be disabled in a Citrix Policy.
