Citrix Policy Settings

Last Modified: Oct 18, 2016 @ 5:15 pm


💡 = Recently Updated

Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the Group Policies topics for more information on the recommended Microsoft group policy settings for a XenApp/XenDesktop environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one XenApp/XenDesktop site and import them to another.

GPOs linked to an Active Directory OU and can apply to VDAs in multiple XenApp/XenDesktop sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.


If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at

New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ ‑Controller "MyController"

New-PSDrive -PSProvider CitrixGroupPOlicy -Name TargetGPO -Root \ ‑DomainGpo "MyGPO"

cd LocalFarmGpo:\User

copy * TargetGPO:\User

Do the same for Computer.


Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object:

  1. Install the Citrix Policy GPO plug-in. Login to a machine (e.g. Controller) that has Group Policy Management Console (Windows Feature) installed. If this machine doesn’t have Citrix Studio installed then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the XenApp/XenDesktop 7.11 media. Make sure all Group Policy consoles are closed first.
  2. Citrix sometimes releases updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines, and Studio machines.
  3. XenApp/XenDesktop 7.11 comes with Citrix Group Policy Management 2.9.0.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the Policies tab, you can either edit the Unfiltered policy, or you can create a new one that is filtered. Below the policy, click the Settings tab.
  6. As you edit the policy settings, make note of the Applies to field. Some of the settings do not apply to Virtual Delivery Agent 7.x.

    Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  7. Change the Categories drop-down to Auto Client Reconnect.
  8. Click Add next to the setting Auto client reconnect logging.

  9. Change the Value to Log auto-reconnect events and click OK.
  10. Change the Categories drop-down to End User Monitoring.
  11. Click Add next to the setting ICA round trip calculations for idle connections.
  12. Change the selection to Enabled, and click OK.
  13. Change the Categories drop-down to Local App Access.
  14. Click Add next to the setting Allow Local App Access.
  15. Change the selection to Allowed and click OK.
  16. Change the Categories drop-down to Printing.
  17. Click Add next to the setting Universal Print Server enable.
  18. Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  19. Change the Categories drop-down to WebSockets.
  20. Click Add next to the setting WebSockets connections.
  21. Change the setting to Allowed and click OK. This is the last Computer setting.
  22. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  23. Click Add next to the setting Enable process monitoring.  Note: this setting could significantly increase the size of the Monitoring database. 💡
  24. Change the setting to Allowed and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method, Citrix settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and below it, click the Settings tab. Or you can create a new policy that is filtered.
  4. Change the Categories drop-down to Audio.
  5. Click Add next to the setting Audio quality.
  6. Change the Value to Medium – optimized for speech and click OK.
  7. Change the Categories drop-down to Client Sensors.
  8. Click Add next to the Allow applications to use the physical location setting.
  9. Change the selection to Allowed and click OK.
  10. Change the Categories drop-down to Mobile Experience.
  11. Click Add next to the Automatic keyboard display setting.
  12. Change the selection to Allowed and click OK.
  13. Click Add next to the Remote the combo box setting.
  14. Change the selection to Allowed and click OK.
  15. Change the Category drop-down to Multimedia.
  16. Click Add next to the Use GPU for optimizing Windows Media setting.
  17. Change the selection to Allowed and click OK.
  18. Change the Categories drop-down to Printing.
  19. Click Add next to the setting Auto-create PDF Universal Printer.
  20. Change the selection to Enabled and click OK.
  21. Click Add next to the setting Automatic installation of in-box printer drivers.
  22. Change the selection to Disabled and click OK.
  23. Click Add next to the setting Direct connections to print servers.
  24. Change the selection to Disabled and click OK.
  25. Click Add next to the setting Printer auto-creation event log preference.
  26. Change the Value to Log errors only and click OK.
  27. Click Add next to the setting Universal print driver usage.
  28. Change the Value to Use universal printing only.
  29. Change the Categories drop-down to Session Limits.
  30. If you look at the Applies to text for these settings, notice that they apply to virtual desktops, but not Remote Desktop Session Hosts. Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO.
  31. Change the Categories drop-down to Time Zone Control.
  32. Click Add next to the setting Use local time of client.
  33. Change Value to Use client time zone. Note: you must also configure the Microsoft GPO Remote Desktop Session Host time zone setting.
  34. Change the Categories drop-down to USB Devices.
  35. Click Add next to the setting Client USB device redirection.
  36. Change the selection to Allowed and click OK. This is the last generic setting. See the next couple sections for more settings.

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it and click New Policy.

Framehawk Configuration

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Also see Framehawk virtual channel at
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 2.9 included in XenApp 7.11) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the setting in User Configuration > Policies > Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting and Enable it.

  5. Framehawk requires the newest Citrix Receiver (4.3.100 or newer).

  6. To use Framehawk with Receiver for iOS 6.0, add Framehawk=On to the WFClient section of the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica in StoreFront.
  7. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  8. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  9. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at
  10. Framehawk defaults to ports UDP 3224-3324. Open this between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (H.264, ThinWire Plus)

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11, Use when preferred = Thinwire+ with Selective H264. 💡
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:


Remote Display Analyzer lets you see the current codec and change it on the fly.
Initial overview


From If you experience graphics performance problems in XenDesktop 7.6, consider configuring the following settings:

  • ICA \ Desktop UI \ Desktop Composition Redirection = Disabled
  • ICA \ Graphics \ Legacy Graphics Mode = Enabled

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Prohibit
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer internal = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.


Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection”
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

Email this to someonePrint this pageTweet about this on TwitterShare on LinkedInShare on FacebookPin on PinterestShare on RedditShare on StumbleUpon

81 thoughts on “Citrix Policy Settings”

  1. Carl,

    Quick question I setup my Citrix policy for the “For Actively Changing Regions” and I’m using the newest Receiver however when I run the remote display tool its telling me I am only using Thinwire not Thinwire Plus.

    Here is a screenshot:

    Any idea’s as to why that happening?

    1. There’s a thread on this at The WMI paths were changed in 7.11 and the tools need to be updated to report it accurately.

      1. So the tool is wrong and not XenDesktop itself?

        Also thanks for all this great info I have built up a new 7.11 Environment from scratch because of all your great information!

  2. Hi

    I’ve built a Windows 7 Static Non Persistent VDI with VDA 7.6 CU1, all Windows Updates ran, Antivirus Exclusions included, legacy graphics mode. Its a clean build

    2 CPU
    8GB Memory
    50GB OS Win7 x64 Bit
    10GB Write Cache
    Page Filing done
    Win7 Optimization followed as per your guide
    Citrix HDX WMI Provider installed

    But when I seem to use it, it runs terribly slow, not sure what I’m missing….. but it runs absolutely fine on a 2k8 RDSH connecting from the same thin client.

    1. What kind of storage? If not SSDs/Flash, then you have to design the storage to handle the IOPS.

      However, there are many causes of slow performance. Is it hardware (CPU/Disk/Memory)? Is it environmental (profiles, GPOs, slow mapped drives, etc.)? Slow network?

  3. I need to enable the “Legacy Graphics Mode” for clients using an older receiever ONLY. Then i want to disable it for people connecting via the latest receiver ? can I target policies at Reciever level ?

    1. Are you trying to block H.264? There’s a “use video codec” Citrix Policy and you can use various filters like Client IP, client name, etc. But I’m not aware of any Client Version filter.

  4. Hi Carl,

    Good Morning. Thanks a Lot for your wonderful articles and Blog. I had a small question regarding the Citrix Policies.

    In a given Scenario say I don’t have any Server Based Citrix Policies, but I configure my Citrix Receiver Settings with the ICA ADM Templates and configure the Color Depth Bit, Disk Caching, Lossy Compression, Speed Screen etc on the Client Machines.

    Will they still function as expected and help in improving better performance ?

    1. Color Depth depends on the codec used on the server side. Not all codecs support lower colors.

      Not sure about the others. Those seem like older settings for older versions of Citrix.

      1. Hi Carl

        We have had a recent IT Health check and they have said that we need to disallowed Powershell for standard users, as they were able to get a Powershell terminal through a macro (Excel).

        Do you have any suggestion Carl?

        Much appreciated.

        1. Are you using it for logon scripts?

          You might be able to change NTFS permissions. Or use AppLocker to block it. Or there are third party products (e.g. AppSense) that can block executables.

  5. Hey Carl,
    We’re using Client USB device redirection rules with 29 Allow rules (VID and PID specified) and 1 Deny All rule. The problem is with 30 Allow rules or more, everything is allowed, all attached devices become visible. When we remove some Allow rules, the policy is working again as it should. Is there a limit for the number of Allow and/or Deny rules? Does this number have something to do with the maximum of 32 USB devices in Windows? We’re using Windows 7 x86 with VDA 7.6.300.

    1. Hi Ronald,

      This is a known issue. If an Allow/Deny policy for USB devices is > 1500 characters the policy will fail to apply and ALL USB devices will become available in session. This was addressed with LC1153.

      This LC was included in 7.6.300.


  6. Thanks Carl, Citrix policies don’t seem to be working to stop the drive mapping from the local laptop. I checked the Registry under HKLM\software\Policies\Citrix and the Citrix policy is getting applied, but the drives are still mapped into the session. I just have 3 setting in my Citrix policy. 1- Auto connect client drives = Disabled , 2- Client drive redirection = Prohibited , 3- Client fixed drives = Prohibited. Fairly simple\vanilla install. Any other suggestions. I am talk with my mgmt. to see if I can open a support case, but it should not be this tough. 🙂 thanks for your help

  7. Carl, I am working on a new XenApp 7.6 LTSR build and I am have trouble trying to find out how my local laptops C drive is getting mapped into my session. I have no Citrix policies in place yet, and have configured my receiver client version 4.4.1000.16 to no allow access. Now with this setting I get access denied when I try to connect to my laptops C drive from the HSD. I just don’t understand why its getting Mapped into the session? Does this version of Receiver automatically map the local drive into your session? Any insight?

  8. Hi Carl, Great site! We’re having some difficulty apply the “View windows contents while dragging” policy and setting it to prohibited. It seems to apply inconsistently – sometimes it works, but when u disconnect and reconnect to the VDI in suddenly stops working. The policies are being applied via Citrix Studio. I have also tried applying them in conjunction with the AD GPO settings that relate to disabling dragfullwindows, but to no avail. Anything that you could suggest trying ? Citrix don’t seem to be able to help. Thanks.

  9. Hello Carl,

    Issue, In my citrix Xendesktop 7.6 environment as soon as i launch the published desktop server it launches and then exits. i’m able to launch with Fat clients/Desktops/laptops with no issues.
    End client: Wyse Thin Client N4000 model
    firmware Version :2.6.1 (Latest updated)
    Receiver Version: 13.0
    Url: PNAgent url
    No Feature pack has installed

    Is anything to be updated such as HDX/Resolution/firmware policies or Hotfixes or Feature packs?

    Please need help or advise on this.

    1. Are you doing ICA Proxy internally? Is SSL enabled on your delivery group? Maybe it’s a certificate issue.

      Are you able to get a network trace of the thin client trying to connect?

      1. Hi Carl, Thanks for your prompt reply.

        We are not using SSL, as we are running on http. we don’t have provision to tracert/telnet in the thin client.
        And also we have encountered event logs on HSD the time we are accessing thin client, Might the below mentioned error/information logs can help.

        Event logs


        The Citrix Device Redirector service could not complete an IO operation with Redirector Bus.
        Event Id:261


        1.The citrix ICA Transport Driver is now connected to IP x.x.x.x:35632
        Event Id:1004

        1.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been suspended
        Event id: 1005

        2.The citrix ICA Transport Driver connection to IP x.x.x.x:35630 has been closed
        Event Id: 1007

  10. Hello Carl,

    i have a problem and hope you can help me.

    In my XenDesktop 7.6 FP3 Environment we use Wyse ThinClients with a local USB Lable-Printer (Dymo) connected.

    My GPOs allow this Printer to redirect in to the VDI but after the USB-Printer was redirected it gets the Status “Printer offline” and not react to any pressure.

    Unplug and replug again the Device gets active and switch the Status to “Printer online”, but it can’t be the solution to do this every morning :(. Did you have any solution for my Problem?

    Many thanks and greetings

    1. I recommend posting this question to CITRIX Discussions ( Does the same problem occur on a Windows client?

      1. This Client is an Windows 7 Embedded OS – and i do not have installled the printer driver locally because i only want it redirected and in my master image the drivers are installed.

        After i logon with my testuser over my thinclient in my VDI the printer will be installed with the correct drivers my problem is that it is offline… if i unplug it an replug it is online 🙁

        1. You’re doing generic USB redirection instead of optimized client printer redirection? For regular client printing, the client device needs to be able to print. Then the VDA simply offloads the actual printing to the client device. It you use a driver on the VDA then Citrix requires the same driver on the client.

          I’ve never encountered this problem before so I recommend either posting to or calling Citrix Support.

          1. We try this over the generic USB redirection so the client device did not have the driver and in the VDA it gets installed but my problem is that for the first time it is offline… If i install the dymo driver to the client device i got 2 devices in my VDA first is my USB redirected Offline and second is my regular Printer Dymo Labelwrite XX from ThinlcientXY and the second one i do not want 🙂

            On our old XenDesktop 5.6 this works without any problems

          2. FYI..

            I found the Problem, it was the Dymo driver which created a Ghostdevice in our VDI Master Image.
            After i deleted this Ghostdevice from our Master Image everything work now as it should 🙂


  11. Hi Carl

    I have a question regarding to local USB printer on Xendesktop VDI. I use Wyse thin client and all local printer connected over usb port . I have installed all the drivers on Windows 7 Master Image. If user log on Windows VDI , I see several session printer, which is copy2 is copy1. (For example HP LaserJet 2015 Copy1 …) How can prevent it? is there any solution?


    1. Is this specific to Wyse? Does it happen on other client devices?

      What are they pointing to for port? Local client port? Network UNC port?

      Are these in HKLM\System\CurrentControlSet\Control\Print\Printers? Or HKCU\Printers?

      1. Hi Carl
        I have only Wyse. Therefore I can not test on other devices. The Printer is connected local USB Port on Wyse and all printer listed on VDI Windows 7 master Image (HKLM\CurrentControlSet\Control\Printer\Printer)
        If user login on VDI,the print driver is installed and listed several Printer copy1….. Unfortunately I don’t have solution for this.

        1. I though I saw a similar thread at

          Are you able to call Citrix support? If not, your Citrix Partner can help you.

  12. Hi Carl,
    I am able to see the usb key when plugged into the the local desktop while accessing my server shared desktop (Win 2008 R2). My issue is to restrict which usb keys are allowed to be redirected to the shared server desktop. I have enabled the redirection and placed the deny attributes in the redirection rules with no success. Also as in my previous reply I have attempted at making a reg key inside the user config of a gpo to include a deny in the generic usb key with no success. From all that I have read I should be able to deny all and then allow specific keys using the VID and PID and class.


    1. USB keys are treated as client drives and are mapped using Client Drive Mapping, not USB mapping. Citrix Policy lets you disable client removable drives but I don’t think it gets any more granular than that. You could disable Client Drive Mapping and enable generic USB mapping instead but this only works with Windows 2012 R2 (or virtual desktops).

      1. Carl,
        I am sorry but I am a little confused here. I understand the allow or disable access to client drives (local) I also understand the preventing access to the hosted server desktop drives in Xenapp 7.8. My confusion is there is the ability and process using citrix policy to allow USB devices to be mapped and then by redirection rules deny or allow specific USB by defining VID’s and PID’s. Are you saying that this is only supported if the hosted server desktop is Win 2012? I would like to send a screenshot but cannot.

        1. Correct. Generic USB is not available with 2008 R2 XenApp. Microsoft didn’t add it until Windows 2012 R2.

  13. Hi Carl,

    This is win 2008 R2. When you say client side do you mean a gpo being applied to any clients accessing the server desktop hosted on the VDA?
    I have modified this reg key with no success so far.

    SOFTWARE\Wow6432Node\Citrix\ICA Client\GenericUSB
    DENY:VID=1B1C PID=1AB1 Class=08 subclass=05 # Mass Storage Corsair


  14. Hi Carl,
    I have setup USB redirection and allowed it. I have gone further and setup redirection rules to deny specific USB keys using the VID= and PID= with no success. The policy is being applied to both users and computers in the scope. I have tried using deny class 08 and then allow a specific VID and still no success. I have tired setting this up in both studio and gpedit on a citrix policy. Is there a bug? Xenapp 7.8 and a hosted server desktop. When I allow the usb I see them but I cannot seem to get specific.


    1. Is this 2012 r2? There’s no generic USB in 2008 r2.

      The client side GPO might need to be configured.

  15. Hello Carl !

    i have strange situation =) i think so =)
    i have farm xd 7.7, and some app servers for users. (windrows 2008 r2 terminal servers)

    in policy , i make 1 additional policy, and set high priority level for it.
    in additional policy, i disable usb, some graphic parameters and set all settings about session time limits.
    this policy applied to all servers and users, without limits.
    when i check, and login on servers all setting applied, except limit on session time, idle time … disconnect time.
    when i check ica listener on this terminal servers, all setting on listener a default by os.
    i can control this setting on terminal server over citrix farm policy engine ? or i must make it in manual mode on servers.


    1. If you look at the timeout settings, on the top there’s an “Applies to” section. Do you see Server OS in the list?

      To configure Server OS timeouts, you need a GPO with Computer Config > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

  16. You state that the User\ICA\File Redirection\Allow file transfer between desktop and client policy is only for 7.7 and newer… But this works on 7.6 when you have GPM 7.6.300 installed on the controller…

      1. Yup, I had told my colleagues that we couldn’t do this policy after reading your page but then someone sent me that link, we tested it and it worked… Thanks Carl!

  17. Carl,

    I’m having trouble with login times for new users. So users who don’t currently have a Citrix UPM profile/folders redirected yet are seeing extremely long login times. For instance user1 who is logging into Citrix for the very first time with no profile or folders redirected yet will see a login time of 205-575 seconds according to director. I’m using Citrix UPM with Redirected folders to the home drive as your suggestions stated with streaming profiles. After the first login the time drops significantly to 28-50secs per logon. I noticed it seems to sit a while at “applying folder redirection policy” at logon. Any suggestions on how to cut down the initial logon which includes creation of profile and folder redirections? Those times are horrible.

    1. What OS version?

      For folder redirection, you can uncheck the box th copy the contents to the new location.

        1. If brand new users, nothing. If existing users with local profiles, you probably want to copy existing content to the new location.

          1. Ok. So the “applying Folder Redirection Policy” went by a little quicker but I’m now noticing that “Personalized Settings” takes quite a bit.

          2. I typically run procmon during logon. There’s a process summary tool that might help.

  18. Hi Carl
    Have a question regarding licenses. In earlier XA6.5 environment we had the citrix policies to set license edition and type. I can´t find that in XA 7.7?
    I have a mixed environment with license for: 20 XenDesktop PLT , 350 XenApp ent CCU and 35 XenDesktop (fysical desktops with HDX3dPro).
    I have bought licenses for each of these delivery groups and now I thought I could set the policy for each delivery group.
    Or will the license server figure this out?
    I had to set the farm license to XenDesktop PLT otherwise I couldn´t add the fysical workstations.

    Any idea??

    1. Sorry, each XenDesktop site can only use one license type. Go to Configuration > Licenses and on the right is a link to Set Product Edition.

      You can either convert all of your licenses to be the same. Or you create separate farms for each license type.

        1. Not in this release. I don’t know if they are adding it to a future release or not. Please call Citrix Support and submit an enhancement request.

  19. Thanks Carl,

    How can I force XenDesktops (7.6) to launch in full screen mode and SPAN across dual monitors without users losing the ability to resize to their hearts content?

    I have both Web Interface and Storefront

    Changing web.config in Storefront “showDesktopViewer=false” loses the ability to resize

  20. Hi Carl, Can you tell me how to do Server-Side Content fetching bcaz i tried its not working for me after enabled the policy in both client and server side even after i saw that “HDX Flash Redirection” when i right click the video so i can you tell me about tat policy and details like how to confirm it.

  21. Hi Carl,

    In XA 6.5 you had the ‘New-CtxManagedDesktopGPO’ script to setup an initial set of policies for published desktops.

    Do you know if there is an equivalent tool in 7.6?


    1. It’s not needed in 7.6. Instead, there’s an Enhanced Desktop Experience Citrix Policy setting, which is enabled by default.

          1. Thanks, but that just tells me that the setting is “Allowed” by default and certain issues that can arise when users have conflicting profiles.

            My setup is Win2k12 R2 shared desktop and I know that the settings are being applied successfully. I just want to be able to see a list of the settings that are being applied and from where (which policy) they are being applied, so that I can document them before configuring any additional policies that need to be applied to the VDA servers.

          2. I’ve figured it out……

            Its part of the “Unfiltered” policy configured in Studio’s policies node.

            What was confusing was I disabled that policy but the settings were still applied, which completely threw me. It wasn’t until I enabled the policy and ‘Prohibited’ the setting that I saw that it had an effect on the VDA server.

            Thanks Carl

  22. Hi Carl,

    I have followed your guidance once again 😉 but stumbled upon something odd. As I am fairly new to Citrix I am wondering if

    I did not understand your article or

    just do not get the complete picture how MS and Citrix policies work or

    if I missed something important

    So I hope you can clarify ,,,

    As said before I followed your guidance and created the GPO ‘s and so on which works 😉 but I could not get rid of enhanced desktop expirience on my 2012R2 RDSH if I prohibited this within the default unfiltered policy in my “VDA system” GPO.

    Finally I decided to create a Studio Policy in addition to the unfiltered to prohibit “enhanced desktop experience” and this works instantly.. I wished I did this 36 hours ago which would have saved me a lot of time.

    So now I believe I can better configure citrix based policies within studio and the MS part through GPMC

    Your article led me to believe this could be configured through Microsoft ‘s GPMC but this does not seem to work in my case.


    1. Citrix Policies should work the same whether you configure them in Studio or in a GPO.

      Themes are applied to the user’s profile. Did it work with a brand new user or with a user with profile deleted? The help text also says that the VDA needs to be rebooted.

      1. Okay in my case not.

        Yes, via powershell pushed into the local GPO
        It was active from the start and I prohibited it via GPO. I rebooted and also deleted the user profile multiple times even build an additional RDSH and separate GPO ‘s from scratch but it simply did not work. Only after I created and assigned a 2nd studio policy as per CTX139375 and rebooted once it finally worked. I only configured unfiltered within GPO.

        1. I just tried it and it works. Did the GPO create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICAPolicies\EnhancedDesktopExperience=0?

  23. Hello Carl , I have turned on Auto Client Drive redirection ( Enabled) , Client Drive redirection ( Enabled) and Client Fixed drive ( Prohibited ) in Citrix Policy – We have VDA 7.6 HSD environment – Still I am not able to see the Client drives mapped on HSD.

    Am i missing anything ?


    1. Which client drives? You disabled the fixed drives.

      When launching the session the user is prompted to allow client drive mapping. If the user didn’t allow it then they won’t map. You can open connection center on the client side to change the file mapping setting. Or in Desktop Toolbar there’s a Preferences button.

      1. Carl is there a way to gray-out or prevent the client from changing settings on the Citrix Receiver Preferences toolbar? We are blocking access to local drives but noticed they still have the option to change that setting by going to the Preferences toolbar.

        1. If it’s denied in a Citrix Policy, I’m don’t see how enabling it on the client side would work.

          Or are you referring to raw USB mapping? That can also be disabled in a Citrix Poliy.

Leave a Reply