Group Policy Objects – VDA Computer Settings

Last Modified: Mar 9, 2017 @ 5:20 pm


Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all VDA computer objects.
  2. Then create sub-OUs, one for each delivery group.
  3. Move the VDAs from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Citrix VDA Computer Settings and link it to the OU created in step 1. If this policy should apply to all Delivery Groups then link it to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled.

  6. Create and link two new GPOs to the VDA OU (in addition to the Citrix VDA Computer Settings GPO). One of the GPOs is called Citrix VDA All Users (including admins) and the other is called Citrix VDA Non-Admin Users (lockdown).

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.

  8. Click the Citrix VDA Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab and click Add.
  10. Find your Citrix Admins group and click OK.
  11. Change the Permissions to Edit settings and click OK.
  12. Then on the Delegation tab click Advanced.
  13. For Citrix Admins, place a check mark in the Deny column in the Apply Group Policy row. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Citrix Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
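The OU, GPO and delegation steps above, scripted end to end with the ActiveDirectory and GroupPolicy RSAT modules. This is an added example, not a script from the original article: the parent OU name "Citrix VDA", the two delivery group OU names, the "VDA-W10-*" computer naming prefix and the "Citrix Admins" group are assumptions, and the four-argument GPPermission constructor (trustee, permission, inherited, denied) used for the Deny entry is assumed from the Microsoft.GroupPolicy object model, since Set-GPPermission itself can only write Allow entries.

```powershell
# Added example: builds the OU layout, the three GPOs and the delegation
# described in steps 1-15. Run on a machine with RSAT as a user allowed to
# create OUs and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName              # e.g. DC=corp,DC=local
$parentName = 'Citrix VDA'                            # assumption: parent OU name
$parentDn   = "OU=$parentName,$domainDn"
$deliveryGroups = @('Win10 Desktops', 'Win2016 Apps') # assumption: one sub-OU per Delivery Group
$citrixAdmins   = 'Citrix Admins'                     # assumption: group that may edit the GPOs

# Steps 1-2: parent OU plus one sub-OU per Delivery Group (safe to re-run).
if (-not (Get-ADOrganizationalUnit -Identity $parentDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $parentName -Path $domainDn
}
foreach ($dg in $deliveryGroups) {
    if (-not (Get-ADOrganizationalUnit -Identity "OU=$dg,$parentDn" -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $dg -Path $parentDn
    }
}

# Step 3: move VDAs out of the default Computers container.
# The name prefix is a constructed example; match it to your naming standard.
Get-ADComputer -SearchBase "CN=Computers,$domainDn" -Filter "Name -like 'VDA-W10-*'" |
    Move-ADObject -TargetPath "OU=Win10 Desktops,$parentDn"

# Steps 4-7: three GPOs linked to the parent OU, each with the half it does
# not use disabled so that half is never processed on the VDAs.
$gpos = @{
    'Citrix VDA Computer Settings'            = 'UserSettingsDisabled'
    'Citrix VDA All Users (including admins)' = 'ComputerSettingsDisabled'
    'Citrix VDA Non-Admin Users (lockdown)'   = 'ComputerSettingsDisabled'
}
foreach ($name in $gpos.Keys) {
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }
    $gpo.GpoStatus = $gpos[$name]                     # Microsoft.GroupPolicy.GpoStatus value

    $linked = (Get-GPInheritance -Target $parentDn).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) { New-GPLink -Name $name -Target $parentDn -LinkEnabled Yes | Out-Null }

    # Steps 10-11 and 15: Citrix Admins can edit all three GPOs.
    Set-GPPermission -Name $name -TargetName $citrixAdmins -TargetType Group -PermissionLevel GpoEdit | Out-Null
}

# Steps 12-13: deny "Apply Group Policy" to Citrix Admins on the lockdown GPO
# only, so admins are not locked down when they log on to a VDA.
# Assumption: GPPermission(trustee, permission, inherited, denied) constructor.
$lockdown = Get-GPO -Name 'Citrix VDA Non-Admin Users (lockdown)'
$acl  = $lockdown.GetSecurityInfo()
$deny = New-Object Microsoft.GroupPolicy.GPPermission(
    "$($domain.NetBIOSName)\$citrixAdmins",
    [Microsoft.GroupPolicy.GPPermissionType]::GpoApply,
    $false,   # inherited
    $true)    # denied
$acl.Add($deny)
$lockdown.SetSecurityInfo($acl)

# Check: the lockdown GPO should now show a Denied GpoApply entry for Citrix Admins.
Get-GPPermission -Name $lockdown.DisplayName -All |
    Where-Object { $_.Trustee.Name -eq $citrixAdmins } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

The final Get-GPPermission call is the check to run after the script: Citrix Admins should appear twice on the lockdown GPO, once with GpoEdit allowed and once with GpoApply denied, and only with GpoEdit on the other two GPOs. If the Deny entry is missing, the GPMC Delegation > Advanced dialog from step 12 is the fallback.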

Windows Group Policy Templates

Unfortunately, some of the client-focused GPO settings are only available in the Windows 10/2016 templates and not in the GPO templates included with 2012 R2.

  1. Download the Administrative Templates for Windows 10 and Windows Server 2016.
  2. Run the downloaded Windows 10 and Windows Server 2016 ADMX.msi file.
  3. In the Welcome to the Administrative Templates (ADMX) for Windows 10 and Windows Server 2016 Setup Wizard page, click Next.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Select Installation Folder page, copy the location to your clipboard. You need to go to this location later.
  6. Select Everyone and click Next.
  7. In the Confirm Installation page, click Next.
  8. In the Installation Complete page, click Close.
  9. Go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 and Windows Server 2016.
  10. Open the PolicyDefinitions folder.
  11. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and folders to the clipboard.
  12. Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder then you can create it. Or skip to the next step.
  13. If prompted, replace the existing files.

  14. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.

  15. In the PolicyDefinitions folder, look for a file called microsoft-windows-geolocation-wlpadm.admx and delete it. More information at Microsoft 3077013 “‘Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows.
  16. When editing a GPO, if you see the message that Microsoft.Policies.WindowsStore is already defined, then delete the file WinStoreUI.admx from your PolicyDefinitions folder.
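The copy-to-Central-Store steps above as a script. This is an added example, not part of the original article: it assumes the ADMX package was installed to its default folder, that the ActiveDirectory module is available to look up the domain name, and that en-US is the only language folder wanted. Step 16 only calls for deleting WinStoreUI.admx when the "already defined" error actually appears, so remove that name from the list if you want to keep the file until then.

```powershell
# Added example: populate the domain Central Store (steps 9-16) and
# remove the two template files the article identifies as conflicting.
Import-Module ActiveDirectory

$source    = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 and Windows Server 2016\PolicyDefinitions'
$domain    = (Get-ADDomain).DNSRoot                          # e.g. corp.local
$central   = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$languages = @('en-US')                                      # assumption: languages to keep

# Step 12: create the Central Store folder if this domain does not have one yet.
if (-not (Test-Path $central)) { New-Item -Path $central -ItemType Directory | Out-Null }

# Steps 11-13: copy .admx files and the chosen language folders, overwriting.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
foreach ($lang in $languages) {
    $dest = Join-Path $central $lang
    if (-not (Test-Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $source "$lang\*.adml") -Destination $dest -Force
}

# Steps 15-16: drop the templates that produce "already defined" errors,
# together with their .adml files so the language folders stay consistent.
foreach ($file in 'microsoft-windows-geolocation-wlpadm', 'WinStoreUI') {
    Remove-Item -Path (Join-Path $central "$file.admx") -ErrorAction SilentlyContinue
    foreach ($lang in $languages) {
        Remove-Item -Path (Join-Path $central "$lang\$file.adml") -ErrorAction SilentlyContinue
    }
}

# Check: every .admx in the store needs a matching .adml per language, or
# GPMC reports the template as missing its resource file.
foreach ($lang in $languages) {
    $missing = Get-ChildItem -Path (Join-Path $central '*.admx') |
        Where-Object { -not (Test-Path (Join-Path $central "$lang\$($_.BaseName).adml")) } |
        Select-Object -ExpandProperty Name
    if ($missing) { Write-Warning "No $lang .adml for: $($missing -join ', ')" }
}
```

If you chose the step 14 route (local C:\Windows\PolicyDefinitions instead of SYSVOL), point $central at that folder; the rest of the script is the same.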

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Group Policy Settings

  • Group Policy – Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

Logon Settings

To get rid of the Windows 10 “we’re happy you’re here” message:

  • Logon – Computer Configuration | Policies | Administrative Templates | System | Logon
    • Show first sign-in animation = disabled

Sven Huisman Windows 10 in non-persistent VDI – Login speed – part 1 has some additional group policy settings to speed up Windows 10 logon. Scroll down to the Group Policy section.

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Hard Disk Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Sleep Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Video and Display Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Remote Assistance – Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance

User Profiles Settings

  • User Profiles – Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled

File Explorer Settings

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 – Windows 8 and newer

  • File Explorer – Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Application – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • System – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Folder – Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs

Remote Desktop Services Settings

  • Connections – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Device and Resource Redirection – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Licensing – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Session Time Limits – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar

OneDrive Settings – Windows 10

  • OneDrive – Computer Configuration | Policies | Administrative Templates | Windows Components | OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Search Settings – Windows 8.1 / 2012 R2, Windows 10

  • Search – Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Don’t search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings – Windows 8.1 / 2012 R2, Windows 10

  • Cloud Content – Computer Configuration | Policies | Administrative Templates | Windows Components | Cloud Content (Windows 10 1511 and newer)
  • Store – Computer Configuration | Policies | Administrative Templates | Windows Components | Store

Windows Update Settings

  • Windows Update – Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled

Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.

James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana, disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines, run gpupdate /force on the VDAs, or wait for the next background refresh (roughly every 90 minutes).
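The Administrative Template settings listed in the sections above, written into the Citrix VDA Computer Settings GPO with Set-GPRegistryValue, read back as a check, and then pushed to the VDAs with Invoke-GPUpdate in place of the gpupdate / GPMC refresh just described. This is an added example, not a script from the original article; it covers a representative subset of the settings rather than every one. The registry keys and value names are those the corresponding Microsoft ADMX templates write, so the entries appear under Administrative Templates in the GPO editor once the matching templates are in the store (otherwise under Extra Registry Settings). The OU distinguished name and the two license server names are constructed assumptions.

```powershell
# Added example: apply, verify and push a subset of the article's computer settings.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = 'Citrix VDA Computer Settings'
$vdaOu        = 'OU=Citrix VDA,DC=corp,DC=local'             # assumption: VDA parent OU
$licServers   = 'ddc01.corp.local,ddc02.corp.local'          # assumption: Controllers as RDS license servers
$ts           = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services'
$threeHoursMs = 3 * 60 * 60 * 1000                           # "3 hours or similar", in milliseconds

# One row per setting: the GPMC name is kept in Desc so the rows stay readable.
$settings = @(
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\System'; Name='UserPolicyMode'; Type='DWord'; Value=2
     Desc='User Group Policy loopback processing mode = Replace (use 1 for Merge)' }
  @{ Key='HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableFirstLogonAnimation'; Type='DWord'; Value=0
     Desc='Show first sign-in animation = disabled' }
  @{ Key='HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='AddAdminGroupToRUP'; Type='DWord'; Value=1
     Desc='Add the Administrators security group to roaming user profiles = enabled' }
  @{ Key='HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='CompatibleRUPSecurity'; Type='DWord'; Value=1
     Desc='Do not check for user ownership of Roaming Profile Folders = enabled' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\Explorer'; Name='EnableShellShortcutIconRemotePath'; Type='DWord'; Value=1
     Desc='Allow the use of remote paths in file shortcut icons = enabled' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\EventLog\Application'; Name='File'; Type='ExpandString'; Value='D:\EventLogs\Application.evtx'
     Desc='Application log: Control the location of the log file' }
  @{ Key=$ts; Name='fEnableTimeZoneRedirection'; Type='DWord'; Value=1;            Desc='Allow time zone redirection = enabled' }
  @{ Key=$ts; Name='fEnableSmartCard';           Type='DWord'; Value=0;            Desc='Do not allow smart card device redirection = enabled' }
  @{ Key=$ts; Name='LicensingMode';              Type='DWord'; Value=4;            Desc='Set the Remote Desktop license mode = Per User' }
  @{ Key=$ts; Name='LicenseServers';             Type='String'; Value=$licServers; Desc='Use the specified Remote Desktop license servers' }
  @{ Key=$ts; Name='fPromptForPassword';         Type='DWord'; Value=0;            Desc='Always prompt for password upon connection = disabled' }
  @{ Key=$ts; Name='MaxIdleTime';                Type='DWord'; Value=$threeHoursMs; Desc='Set a time limit for active but idle sessions = 3 hours' }
  @{ Key=$ts; Name='MaxDisconnectionTime';       Type='DWord'; Value=$threeHoursMs; Desc='Set time limit for disconnected sessions = 3 hours' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\OneDrive'; Name='DisableFileSyncNGSC'; Type='DWord'; Value=1
     Desc='Prevent the usage of OneDrive for file storage = enabled' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\Windows Search'; Name='AllowCortana'; Type='DWord'; Value=0
     Desc='Allow Cortana = disabled' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\Windows Search'; Name='ConnectedSearchUseWeb'; Type='DWord'; Value=0
     Desc='Don''t search the web or display web results in search = enabled' }
  @{ Key='HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'; Name='ElevateNonAdmins'; Type='DWord'; Value=0
     Desc='Allow non-administrators to receive update notifications = disabled' }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
}

# Check: read every value back from the GPO itself (not from a VDA) before refreshing.
$mismatches = foreach ($s in $settings) {
    $actual = (Get-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -ErrorAction SilentlyContinue).Value
    if ("$actual" -ne "$($s.Value)") { "$($s.Desc): expected '$($s.Value)', GPO has '$actual'" }
}
if ($mismatches) { Write-Warning ($mismatches -join "`n") }
else { "All $($settings.Count) settings present in '$gpoName'." }

# Refresh computer policy on every VDA now rather than waiting for the
# background interval. Invoke-GPUpdate relies on the Remote Scheduled Tasks
# Management firewall rules being open on the targets.
Get-ADComputer -SearchBase $vdaOu -SearchScope Subtree -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Target Computer -Force -RandomDelayInMinutes 0
}
```

The loopback row is the one to decide on before running: the article offers Merge or Replace depending on the desired result, and the value chosen there (1 or 2) decides whether the user GPOs linked to the VDA OU are added to, or replace, the user's own GPOs. The Event Log row only makes sense together with the Group Policy Preferences folder item that creates D:\EventLogs, which this script does not create.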

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.

  1. See the instructions at http://www.carlstalhood.com/receiver-for-windows/#admx to copy the receiver.admx file to PolicyDefinitions.
  2. Edit the Citrix Computer Settings GPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
  4. Enable the setting.
  5. Check the top two boxes and click OK.

Next Steps

Group Policy Objects – VDA User Settings

10 thoughts on “Group Policy Objects – VDA Computer Settings”

  1. Thank you very much for this Carl and all the excellent articles on your site, you should include a Donate button somewhere on your front page as you are making a lot of people’s lives a lot easier…

  2. Hi Carl,

    Now that I solved my issue with a parent domain policy not applying in a XA76/2012R2 context, I find that your advice “make sure the VDA computer has read permission on the policy” is clear and sufficient but at first glance I must admit I did not see it as clearly as now.

    The issue I had led me to this article https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which describes in details why in a certain scenario, some policies may no longer apply after having installed a security patch.

    Have a great day !

    Yvan

  3. Hello Carl,
    Hope you are doing well and thanks for the instructions.
    I just want to know if the three policies above will be the same for all the OUs, i.e. RDSH as well as VDIs?
    Thanks,
    Pavan

    1. For the most part, yes. There are some minor differences (e.g. delete cached profiles on logoff). If a setting doesn’t apply to a particular VDA, there’s usually no harm in applying it. I usually have a parent OU for common settings (everything in this article) and sub-OUs for Delivery Group-specific settings.

      1. Thanks Carl. The GPO applied to the parent OU applies to all the sub-OUs as it has been applied at the top level? If you say Delivery Group-specific settings, will that be application related?

  4. Great article. I don’t know how I would survive without these easy to use guides. One question though.. do we have a tuning/optimization GPO for XenApp 7.6 like we have had in the past, i.e. 6.5? Settings like TCPMasDataRetransmissions etc. for Windows Server 2012/R2
