Group Policy Objects – VDA User Settings

Last Modified: May 14, 2017 @ 6:13 pm

💡 = Recently Updated

User Lockdown

The following is a list of Group Policy settings recommended by Microsoft to lock down a Remote Desktop Session Host / Citrix session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies.

This page assumes the GPOs have already been created and Loopback Processing has already been enabled.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel GPO Settings

  • User Configuration | Policies | Administrative Templates | Control Panel
    • Always open All Control Panel Items when opening Control Panel = enabled
    • Show only specified Control Panel items = enabled, canonical names = 
      • Microsoft.RegionAndLanguage
      • Microsoft.NotificationAreaIcons
      • MLCFG32.CPL
      • Microsoft.Personalization
      • Microsoft.Mouse
      • Microsoft.DevicesAndPrinters
      • Microsoft.System (lets users see the computer name)
  • User Configuration | Policies | Administrative Templates | Control Panel | Add or Remove Programs
    • Remove Add or Remove Programs = enabled
  • User Configuration | Policies | Administrative Templates | Control Panel | Programs
    • Hide the Programs Control Panel = enabled

Desktop GPO Settings

  • User Configuration | Policies | Administrative Templates | Desktop
    • Hide Network Locations icon on desktop = enabled
    • Prohibit user from manually redirecting Profile Folders = enabled
    • Remove Properties from the Computer icon context menu = enabled
    • Remove Properties from the Recycle Bin icon context menu = enabled

If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.

Start Menu & Taskbar GPO Settings

  • User Configuration | Policies | Administrative Templates | Start Menu & Taskbar
    • Clear the recent programs list for new users = enabled
    • Do not allow pinning Store app to the taskbar = enabled
    • Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
    • Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user’s Start Menu/Desktop. Also, enabling this setting might prevent Outlook 2013 desktop alerts. Microsoft 3014833)
    • Remove Help menu from Start Menu = enabled
    • Remove links and access to Windows Update = enabled
    • Remove Network Connections from Start Menu = enabled
    • Remove Network icon from Start Menu = enabled
    • Remove Run menu from Start Menu = enabled
    • Remove the Action Center icon = enabled (not in Windows 10)
    • Remove the networking icon = enabled
    • Remove the Security and Maintenance icon = enabled (Windows 10)
    • Remove user folder link from Start Menu = enabled

If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu also prevents users from entering drive letters in Internet Explorer.

CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains the following:

  • Lock down a section of the Start Menu
  • Configure Citrix Profile Management to roam the Start Menu
  • Remove Provisioned Apps
  • Tune Windows using OS Optimization Tool
  • Disable Telemetry services

Microsoft Technet Customize Windows 10 Start with Group Policy. From René Bigler at UPM 5.x Server 2012 R2 Startlayout at discussions.citrix.com: To include Explorer, IE, and Computer icons in the Start Layout XML, “create shortcuts to these standard items in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and use these new shortcuts to create the tiles in your start layout xml”.

System GPO Settings

  • User Configuration | Policies | Administrative Templates | System
    • Prevent access to registry editing tools = enabled, Disable regedit from running silently = No
    • Prevent access to the command prompt = enabled, Disable command prompt script processing = No

Disabling registry editing tools also disables reg.exe. This is true even if Disable regedit from running silently is set to No.

Explorer GPO Settings

  • User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
    • Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
    • Hides the Manage item on the File Explorer context menu = enabled
    • Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can’t use Start Menu’s search to find programs.
    • Prevent users from adding files to the root of their Users Files folder = enabled
    • Remove “Map Network Drive” and “Disconnect Network Drive” = enabled
    • Remove Hardware tab = enabled
    • Remove Security Tab = enabled
    • Turn off caching of thumbnail pictures = enabled
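As an added example (not code from the original page), the PowerShell below decodes the NoDrives and NoViewOnDrive bitmasks that the two drive settings above write to the user's Explorer policy key and checks them against the A, B, C, D restriction recommended here; the key path and the expected letters are assumptions you can override.

```powershell
# Added example, not code from the original page. Decodes the Explorer
# NoDrives / NoViewOnDrive bitmasks written by the two drive policies above
# (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:) and compares them with the
# lockdown this page recommends (A, B, C and D only).
# Assumptions: the policy key path is the standard per-user Explorer policy
# location; the expected letters are a parameter you can change.

function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][string[]]$Letters)
    [uint32]$mask = 0
    foreach ($letter in $Letters) {
        $bit = [int][char]$letter.ToUpper() - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    $letters = New-Object System.Collections.Generic.List[string]
    foreach ($bit in 0..25) {
        if (($Mask -band (1 -shl $bit)) -ne 0) {
            $letters.Add([string][char](65 + $bit))
        }
    }
    return ($letters -join ',')
}

function Test-DriveLockdown {
    param(
        [string]$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        [string[]]$ExpectedLetters = @('A', 'B', 'C', 'D')   # 0xF with the bit layout above
    )
    $expected = ConvertTo-DriveMask -Letters $ExpectedLetters
    # NoDrives backs "Hide these specified drives in My Computer";
    # NoViewOnDrive backs "Prevent access to drives from My Computer".
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Value = $name; Mask = '(not set)'; Drives = ''; AsRecommended = $false }
            continue
        }
        [uint32]$actual = $item.$name
        [pscustomobject]@{
            Value         = $name
            Mask          = ('0x{0:X}' -f $actual)
            Drives        = ConvertFrom-DriveMask -Mask $actual
            AsRecommended = ($actual -eq $expected)
        }
    }
}

Test-DriveLockdown | Format-Table -AutoSize
```

Run it in a user session that received the Citrix VDA Non-Admin Users GPO; a mask of 0x3FFFFFF means every drive letter is restricted, which also breaks Start Menu search as the list notes.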

From Citrix Discussions: To hide specific drive letters:

  1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
  2. Action = Update; Drive Letter = Existing, C; check Hide this drive
  3. Common tab: check Run in logged-on user’s security context (user policy option)

Windows Update GPO Settings

  • User Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Remove access to use all Windows Update features = enabled, 0 – Do not show any notifications

Hide Favorites, Libraries, Network and redirected local drives

Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in Windows Server 2016.

File Explorer

From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10: Windows 10 1607 adds notifications inside File Explorer.

To stop these, use Group Policy Preferences to set the following registry value:

  • Key = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • Value = ShowSyncProviderNotifications (DWORD) = 0

Windows Spotlight  💡

Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu, lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating System and Chris Hoffman How to Disable All of Windows 10’s Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a third-party Explorer such as Tablacus Explorer. The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe as a #XenApp published Application!.  💡

Flickering Icons

If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering at Citrix Discussions resolved it by creating the following registry key using Group Policy Preferences:  💡

  • HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}

Internet Explorer / Edge Settings

This section assumes the GPOs have already been created.

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer
    • Prevent managing SmartScreen Filter = enabled, on
    • Prevent running First Run Wizard = enabled, Go directly to home page
    • Specify default behavior for a new tab page = enabled, Home page
    • Turn on Suggested Sites = disabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Compatibility View
    • Include updated Web site lists from Microsoft  = enabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page
    • Turn on Enhanced Protected Mode  = disabled

Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should be disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone.

To prevent this message, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Preferences > Windows Settings > Registry.
  3. Create a new Registry Item.
  4. Set the Hive to: HKEY_CURRENT_USER
  5. Set the Key Path to: Software\Microsoft\Internet Explorer\Main
  6. Set the Value name to: NoProtectedModeBanner
  7. Set the Value type to: REG_DWORD
  8. Set the Value data to: 1
  9. Click OK.

IE 11 in Windows 10 1703 and newer has a new button to open Edge.

  • To hide this button, edit a Group Policy that applies to users, go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Settings | Advanced Settings | Browsing, and enable the setting Hide the button (next to the New Tab button) that opens Microsoft Edge. Source = René Bigler on Twitter.

4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607: registry keys and PowerShell script to disable it.

Published Internet Explorer Settings – Runonce

If a user launches Internet Explorer as a published application, then Internet Explorer might not be fully configured and thus some websites won’t work. By default, Windows runs per-user configuration (ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn’t happen when only launching published apps. To override this behavior so it works with published IE even if the user never connects to a full desktop, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  3. Double-click Logon.
  4. Click Add.
  5. In the Script Name field, enter runonce.exe.
  6. In the Script Parameters field, enter /AlternateShellStartup. Click OK.
  7. Note: running runonce.exe /AlternateShellStartup might cause black borders around windows in published applications. Black Border (IE 11) in Xen App 7.11 with runonce.exe is an example forum thread at Citrix Discussions. A workaround detailed at Black Windows title bars at Citrix Discussions is to export HKCU\Control Panel\Colors from a working session, and use Group Policy Preferences to deliver the values to the black border sessions.  💡
  8. Runonce.exe /AlternateShellStartup also causes the items in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to be executed when a published app is launched. Consider deleting the items (e.g. VMware Tools icon), or they might keep sessions open after users close their apps. Also see CTX891671 Graceful Logoff from a Published Application Renders the Session in Active State.
  9. An alternative to runonce.exe /AlternateShellStartup is to run the following commands provided by Steve Washburn at Active Receiver connection after app is closed at Citrix Discussions.
    @echo off
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser
    start "" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    exit

Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to enable the script (configure these in the Citrix VDA Computer Settings GPO):

Logon Script GPO Settings

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting.
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

Internet Explorer Group Policy Preferences

The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings > Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012.

If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or Internet Explorer 10.

If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.

If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10. When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your keyboard.

As you look through the tabs, you’ll see a bunch of green items. These green items will be applied and might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them back on, press F5.

On the Common tab you can check the box to Apply once and do not reapply.

Internet Explorer Security Zone Configuration

There is a group policy setting at User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page |  Site to Zone Assignment List that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their own sites (the user interface in Internet Explorer is grayed out).

This section details an alternative procedure for administrator-configured zones while allowing users to add their own Trusted Sites.

Note: Zones can’t be configured using a Group Policy Preferences Internet Settings object so instead you’ll need to configure registry keys as detailed below.

  1. Run Internet Explorer and configure security zones as desired.
  2. If you are using Workspace Control in Receiver for Web or need pass-through authentication, make sure you add StoreFront as a Local Intranet Site.
  3. Run Group Policy Management Console on the same machine where you have security zones configured.
  4. Edit the Citrix VDA All Users GPO.
  5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection Item. Name it IE Zones or similar.
  6. Right-click the collection and click New > Registry Item.
  7. Click the … button next to Key Path.
  8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Click the key corresponding to the FQDN you’re adding. Then select the registry value on the bottom that corresponds to the protocol (e.g. * or https). Click Select.
  9. Then click OK. Note: a value of 1 indicates the Local Intranet zone.
  10. Feel free to rename the Registry Item to reflect the actual zone.
  11. Repeat these steps for additional zones.
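As an added example (not code from the original page), this PowerShell lists what the ZoneMap\Domains key from the steps above currently assigns for the logged-on user, so you can confirm the Group Policy Preferences items landed where intended and review everything that ended up in Local Intranet; the key path is the per-user location the steps use, and the zone-id names are the standard Internet Explorer zones.

```powershell
# Added example, not code from the original page. Walks the current user's
# ZoneMap\Domains key, reassembles subkeys into host names (a "www" subkey
# under "example.com" is www.example.com) and names the zone each protocol
# value points at. Zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted
# Sites, 3 Internet, 4 Restricted Sites.
# Assumption: the key path below is the per-user location used in the steps
# above; machine-wide assignments would live under HKLM instead.

function Get-IeZoneAssignment {
    param(
        [string]$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    if (-not (Test-Path -Path $DomainsKey)) { return }
    Get-ChildItem -Path $DomainsKey -Recurse | ForEach-Object {
        $key = $_
        # $key.Name looks like HKEY_CURRENT_USER\...\ZoneMap\Domains\example.com\www
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + '\Domains\'.Length)
        $labels = $relative -split '\\'
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        foreach ($protocol in $key.GetValueNames()) {
            $zoneId = [int]$key.GetValue($protocol)
            $zoneName = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            [pscustomobject]@{
                Host     = $hostName
                Protocol = $protocol   # '*' means any protocol, otherwise http/https/file/ftp
                ZoneId   = $zoneId
                Zone     = $zoneName
            }
        }
    }
}

function Get-IeLocalIntranetHost {
    # Local Intranet members get the loosest settings and integrated Windows
    # authentication, so these are the entries to review after a lockdown.
    Get-IeZoneAssignment | Where-Object { $_.ZoneId -eq 1 }
}

Get-IeZoneAssignment | Sort-Object ZoneId, Host | Format-Table -AutoSize
```

Because the Site to Zone Assignment List policy writes to a different (policy) location, a host that appears in Internet Explorer's zone dialog but not in this output is coming from the policy rather than from these Group Policy Preferences items.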

Internet Explorer Home Page

If you don’t have access to Windows 8/2012 group policy editor, configure the default home page using a registry key.

  1. Run Internet Explorer and configure home page as desired.
  2. Run Group Policy Management Console on the same machine where you have the home page configured.
  3. Edit the Citrix VDA All Users GPO.
  4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.
  5. Click the … button next to Key Path.
  6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. On the bottom, select Start Page. Then click Select.
  7. On the Common tab, you can select Apply once and do not reapply. Then click OK.

Proxy Settings

If you don’t have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Use Group Policy Preferences or similar to distribute the registry keys.

To prevent users from changing proxy settings, also configure the following group policy setting.

  • User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
    • Disable the Connections page = enabled

Internet Explorer Performance  💡

Julian Mooren at XenApp & Internet Explorer – Improving User Experience details how to enable Tracking Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set registry keys, and adds a folder to Citrix Profile Management synchronization.

LoginVSI Web Browsing & Advertising Impact on VDI Performance is a 33 page paper detailing how to enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.

Office 2013/2016

Office 365 Planning

Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:

  • Considerations for Outlook Cached Mode
  • Group Policy settings for Outlook Cached Mode
  • For Lync Audio/Video – various options for delivering the Lync client
  • Caveats for OneDrive for Business
  • Licensing – shared computer activation

Group Policy Templates

Office GPO settings are tied to a particular version of Office. If you want to copy Office 2013 settings to Office 2016 settings, see Microsoft’s Copy-OfficeGPOSettings PowerShell script.

Download the Office 2013 group policy templates or Office 2016 group policy templates.

If you installed the 32-bit version of Office 2013/2016 then you’ll need the 32-bit (x86) version of the templates.

  1. Go to the downloaded Office 2013 group policy templates and run AdminTemplates_32.exe. Or for Office 2016, run admintemplates_x86_4286-1000_en-us.exe.

  2. Check the box next to Click here to accept and click Continue.

  3. Specify a folder to place the extracted templates in.

  4. Click OK to acknowledge that files extracted successfully.

  5. Go to the folder where you extracted the files and in the ADMX folder copy all of the .admx files and the en-us folder to the clipboard.

  6. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the files.
  7. If you do not have PolicyDefinitions in your Sysvol then instead go to C:\Windows\PolicyDefinitions and paste the files.

Group Policy and Tweaks

This section assumes the Group Policy Objects have already been created.

Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.

  • User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | First Run
    • Disable First Run Movie = enabled
    • Disable Office First Run on application boot = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Global Options |Customize
    • Allow roaming of all user customizations = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Miscellaneous
    • Disable Office Animations = enabled
    • Do not use hardware graphics acceleration = enabled
    • Suppress recommended settings dialog = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Privacy | Trust Center
    • Automatically receive small updates to improve reliability = disabled
    • Disable Opt-in Wizard on first run = enabled
    • Enable Customer Experience Improvement Program = disabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2013 (or 2016) | Tools | Options | General | Service Options… | Online Content
    • Online Content Options = enabled, Allow Office to connect to the Internet
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Account Settings | Exchange | Cached Exchange Mode
    • Use Cached Exchange Mode for new and existing Outlook profiles = disabled
    • If you prefer to use Cached Exchange Mode, see Citrix’s Implementation Guide and add the settings below:
      • Cached Exchange Mode Sync Settings = enabled, time window of downloaded content
      • Administrative Templates | Microsoft Outlook 2013 | Miscellaneous | PST Settings | Default location for OST files = enabled, UNC path to user home directories
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Miscellaneous | PST Settings
    • Default location for PST files = enabled, user’s home directory
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Outlook Options | Other | AutoArchive
    • AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Outlook Options | Preferences | Search Options
    • Prevent installation prompts when Windows Desktop Search component is not present = enabled

To prevent Office temp file errors:

  • User Configuration | Preferences | Windows Settings | Folders | New Folder
    • Action = Create
    • Path = %Localappdata%\Microsoft\Windows\INetCache

When launching Outlook, you might see the message “Please wait while Windows configures Microsoft Office 64-bit Components”.

To fix this Outlook search problem, either install the Windows Search Service (a Windows Feature), or enable the GPO setting Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook.

Microsoft hotfix 2786932 – Dialog boxes and new windows displayed as blank in Office 2013 RemoteApps on a client computer that is running Windows 7 or Windows Server 2008 R2

From Thomas Koetzing – How to disable Office 2013 shadow border:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI\MSO_BORDEREFFECT_WINDOW_CLASS]
"ClassName"="MSO_BORDEREFFECT_WINDOW_CLASS"
"Type"=dword:00001000

From Fixed Issues in XenApp/XenDesktop 7.11 and older: Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. The issue occurs because the key and value in registry location HKEY_CURRENT_USER\Control Panel\Desktop\UserPreferencesMask on the VDA are overwritten by the wfshell.exe process each time a user logs on to the VDA. To prevent this, create the registry value shown in the next item on the VDA and set it to 1 (the same value fixes both issues).

From Fixed Issues in XenApp/XenDesktop 7.12: Changes you make to “Advanced System Settings” under “Visual Effects” apply to the current VDA session but might not be retained for subsequent sessions. To make such changes persistent, you must set the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
    • Name: EnableVisualEffect
    • Type: REG_DWORD
    • Value: 1

Adobe Reader

Adobe Reader Group Policy

  1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
  2. Copy the .admx file and the en-us folder.
  3. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files. If this folder doesn’t exist, go to C:\Windows\PolicyDefinitions instead.
  4. Click Yes when asked to replace files.
  5. Now open a group policy that applies to all Citrix users.
  6. Go to User Configuration > Administrative Templates > Adobe Reader > Preferences > General.
  7. Open the setting Accept EULA and Enable it.
  8. Then open the Display splash screen at launch setting and Disable it.

Disable Repair

In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.

Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.

  1. In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer.
  2. Add the DWORD DisableMaintenance and set it to 1.
  3. Now the Repair option is grayed out on the Help menu.

Disable Updates

For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Reader\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
    • Mode = 0 (disables updates)

In Adobe Reader XI, there is a GUI method of disabling updates:

  1. Run Adobe Reader from the Start Menu.
  2. Open the Edit menu and click Preferences.
  3. On the Updater page, change the selection to Do not download or install updates automatically and click OK.

Other Optimizations

Rick van Soest Removing “The Cloud” from Adobe Acrobat Reader DC:

  • To remove tools, delete them from C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
  • To remove the welcome screen, add the following registry value under HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown:
    • bUsageMeasurement (REG_DWORD) = 0
  • To remove the “add account” button, add the following registry value under HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint:
    • BDisableSharePointFeatures (REG_DWORD) = 1
  • To remove the “Check for update” button, add the following registry value under HKLM\Software\Adobe\Acrobat Reader\DC\Installer:
    • DisableMaintenance (REG_DWORD) = 1

Citrix Blog Post Optimizing Adobe Reader in XenApp details the following optimizations:

  • Remove toolbar on right side of screen
  • Remove links from the Help menu
  • Disable Adobe ARM
  • Disable Autosave

Adobe.com – Citrix Deployments: Before deployment, the product should be configured as needed. In particular, you will want to disable features and behaviors that should not be accessible to end users in an IT-managed environment. For example:

  • The Updater should be disabled as described in this guide and the Preference Reference.
  • Accept the EULA on behalf of all users by setting the appropriate registry key.
  • For multilanguage installations (MUI), set the preferred language for all users via the SUPPRESSLANGSELECTION property or registry settings described in the Preference Reference.
  • Deploy enterprise files to the product’s directories (rather than per-user directories) so they are available to all users.
  • There are over 500 documented settings. Refer to the Preference Reference for complete registry and plist details.

Scrolling performance

If scrolling performance is poor in graphic intensive documents, try the following:

  • Go to Edit > Preferences > Rendering.
  • Uncheck Smooth line art and Smooth images. Alternatively, you can set these preferences during pre-deployment configuration:
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasGraphics: 0x00000000
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasImages: 0x00000000

Distiller performance

  • In some environments, Distiller performance may suffer if the messages.log file becomes too large after a number of Distiller operations. Delete this file periodically. It is located at \Application Data\Adobe\Acrobat\Distiller<version>\messages.log.
  • Remove unused fonts from the Windows installation.

ShareFile

ShareFile Drive Mapper allows Employee users to connect their account as a mapped drive on the Windows file system, without performing a full sync of account content. It’s fully supported on XenApp/XenDesktop 7.8 and newer.

ShareFile On-Demand Sync is the older method of connecting to ShareFile files without performing a full sync.

ShareFile Drive Mapper instructions at https://support.citrix.com/article/CTX207791.

  1. Download ShareFile Drive Mapper.  💡
  2. On a VDA, run ShareFileDriveMapper64_3.7.110.0.msi.
  3. Check the box next to I agree to the license terms, and click Install.
  4. In the Setup Successful page, click Close.
  5. Go to C:\Program Files\Citrix\ShareFile\DriveMapper\PolicyDefinitions, and copy the files and folder.
  6. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files and folder. If this path doesn’t exist, then paste the files in C:\Windows\PolicyDefinitions on your Group Policy editing machines instead.
  7. Edit a GPO that applies to all users.
  8. Go to User Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
  9. Drive Mapper is enabled by default. If you only want some users to use Drive Mapper, then you can configure a GPO to disable Drive Mapper, and then configure a different GPO that re-enables it. The GPO that enables Drive Mapper would be targeted to an AD group, and the GPO would be higher priority than the GPO that disables it.
  10. Edit the Account setting.
  11. Enable the setting, and enter your ShareFile URL. Click OK.
  12. The mapped drive letter defaults to S:\. You can change it by editing the ShareFile Data Location setting. You can even eliminate the drive letter by setting the data location to %userprofile%\ShareFile\DM or similar.

  13. Edit a GPO that applies to the machines that have Drive Mapper installed.
  14. Go to Computer Configuration > Policies > Administrative Templates > ShareFile > Drive Mapper.
  15. The default Cache Location is %localappdata%\Citrix\DriveMapper3.
  16. Default Cache Size is 256 MB.
  17. Delete Cache is not needed on non-persistent machines or if roaming profile cache is deleted on logoff. Make sure the ShareFile cache is excluded from roaming profiles as detailed later.
  18. Auto-Update does not apply to Remote Desktop Session Host so you’ll have to update those machines manually.
  19. Newer versions of Drive Mapper support File Encryption and Personal Cloud Connectors. Both are enabled by default.
  20. Edit your Profile Management GPO.
  21. Go to Computer Configuration > Policies > Administrative Templates > Citrix > Profile Management > File system.
  22. Edit the setting Exclusion list – directories.
  23. Make sure ShareFile is in the list. Note: if this list is empty, you need to fill the list with default exclusions before you add any new exclusions. Or in Profile Management 5.5 and later, enable the Enable Default Exclusion List – directories setting.
  24. Add !ctx_localappdata!\Citrix\DriveMapper3 to the exclusion list, and click OK.
  25. If you have on-premises StorageZones Controllers, you can enable Single Sign-on by enabling Windows Authentication. On the StorageZones Controllers, run IIS Manager.
  26. Navigate to Default Web Site > cifs.
  27. In the middle, double-click Authentication.
  28. Right-click Windows Authentication and Enable it. If you don’t see Windows Authentication in your list, you might have to install it using the Roles and Features wizard.
  29. After logging into Citrix and logging into ShareFile Drive Mapper, when you launch File Explorer, you’ll see ShareFile Drive Mapper on the left.

On-Demand Sync

This is the older product and Drive Mapper is preferred.

On most Citrix VDA machines, ShareFile Sync should be configured for On-Demand Sync where files are only downloaded when the user demands them. On-Demand Sync is enabled using group policy.

Citrix Whitepaper Implementing ShareFile On-Demand Sync

ShareFile Sync – Install

  1. Go to the downloaded ShareFile On-Demand Sync for Windows 2.15. Download the one with the push install description.
  2. Run the downloaded ShareFileSync64_2.15.108.1.exe.
  3. In the Please read the Citrix ShareFile Sync License Agreement page, check the box next to I accept the terms and click Install.
  4. In the Completed the Citrix ShareFile Sync Setup Wizard page, click Finish.

ShareFile Sync Group Policy Templates

  1. Find the GPO templates at C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions. Copy them to the clipboard.
  2. Go to \\corp.local\sysvol\corp.local\Policies and paste the files in the PolicyDefinitions folder. If you don’t have this folder, then paste them in C:\Windows\PolicyDefinitions.

ShareFile Sync Group Policy Settings

From Dan Brinkmann at discussions.citrix.com: “There is a known issue with XenDesktop 7.6 when there are no XD policies applied it deletes the ShareFile key.” Also at the same post: “Somehow Sharefile will not use proxy settings when in On-Demand mode.”

Edit the Citrix Computer Settings GPO and enable the Group Policy settings shown below. All are located under Computer Configuration > Policies.

  • Computer Configuration\Policies\Administrative Templates\Citrix\Profile Management\File System
    • Exclusion list – directories = add ShareFile to the list
  • Computer Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync
    • On-demandSyncDiskVolume = enabled, C:\

Edit the Citrix VDA All Users Settings GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.

  • User Configuration | Policies | Administrative Templates | ShareFile | Enterprise Sync
    • Account = enabled, enter your account address (e.g. company.sharefile.com)
    • Authentication Type = enabled, and configure as appropriate for your environment. If you use SAML Forms, make sure *.sharefile.com and your gateway.company.com DNS names are added to Trusted Sites in Internet Explorer.
    • LocalSyncFolder = enabled, enter %userprofile%\ShareFile. Network drive is not supported.
    • On-demandPersonalFolder = enabled, check Sync personal folder
  • User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (or Windows Explorer)
    • Turn off the display of thumbnails and only display icons = enabled. This setting prevents Windows from downloading ShareFile files when retrieving thumbnails.

After logging in to Citrix and running ShareFile Sync, if you go to the ShareFile folder it will look like the files have been downloaded.

However, if you browse to the same folder from another machine, you’ll see they haven’t been downloaded yet. They will be downloaded when the user demands them.

File Type Association

James Rankin – Deploying per-user file type associations (FTAs) on Server 2012 R2, Windows 8.1, Server 2016 and Windows 10 (reloaded again!) provides an overview of the challenges of administratively configuring FTAs on modern versions of Windows.

James Rankin – Deploying per-user file type associations in Windows 8.1 / Server 2012 R2 and beyond: Microsoft’s new DISM method of changing File Type Associations is done at the machine-level. Use Group Policy Preferences to change the machine registry key but on a per-user basis.

Next Steps

26 thoughts on “Group Policy Objects – VDA User Settings”

  1. Thanks again Carl for creating and collating this information so thoroughly.
    Why do you set “Allow Office to connect to the Internet”? For non-persistent clients, can the downloaded content be stored on a UNC path shared by all users, or on user redirected folders? Or is the content so tiny that we can happily dump it to the temporary cache?

    1. “Allow Office to connect to the Internet” is one of the settings that older Office used to ask you the first time you run Office. I’m not sure about your other questions.

  2. Great article.

    Question – my Citrix partner and I are trying to fix Outlook 2016 popping up with ‘windows search engine is currently disabled etc” and the “Search performance will be impacted because windows search service is turned off”
    We have enabled this GPO:
    User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Outlook Options | Preferences | Search Options
    Prevent installation prompts when Windows Desktop Search component is not present = enabled

    Confirmed it’s on in the registry and local policy, but the prompts still appear. The above GPO does not work.
    We are on XenDesktop 7.6.300 and Outlook 2016.

  3. Carl I must say that this is by far the best summary I have seen for customising Citrix / RDS since I did my first deployment in 1999. There are good guides on other sites, but hands down, this page is the best and most complete.

    What an excellent community resource, thank you.

  4. Hello,
    I was wondering how much of this information could be applied to VMware Horizon 6?
    I have read some of your View 6/7 posts and wondered if this info could apply or is it somewhere for View 6?
    Thanks.

  5. Hi Carl, would you happen to know a way to not apply a GPO for the members of the local Admins group? In my case the local admins group on multiple servers are different and we do not want the admins on server A to not have the GPO applied on server B. So in this case I do not see how Deny GPO setting would work. Any ideas?

    1. I don’t think that’s possible. You can exclude AD groups, of course, but I don’t see any way to add local groups. If you add users to an AD group and then add that AD group to local Administrators group, then you can exclude that AD group. But you’d need a different OU, different GPO, and different AD group for each group of servers.

  6. Hi Carl,

    Your site has been an incredible resource to get my new XenApp 7.9 (2012R2 session hosts) with NetScaler 11 environment up and running.

    I did run into one setting that caused some strange behavior. The following GPO caused the active application to have a black border when in focus. For example, notepad turned black instead of gray when selected.

    User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Script Name field, enter runonce.exe. Script Parameters field, enter /AlternateShellStartup

    I did follow your suggestions and added the three recommended computer policies in my VDA computer settings GPO, but still had this problem.

    Just wanted to share in case case anyone else ran into this issue.

    Jake

    1. I’ve seen problems caused by it. But I’ve also seen problems fixed by it. It depends on what’s in the ActiveSetup and Run registry keys.

  7. Hi Carl
    First, thank you, I use your site guides a lot.
    Our organization is moving to Windows 10.
    We use folder redirection for AppData Roaming for a couple of reasons, like IOPS and logon time.
    After windows 10 Migration we noticed that the pinned taskbar icons are not saved after logoff \ reboot.
    When we open the Appdata Roaming UNC path manually, we can see that the Pinned Icons are created successfully.

    We tested different permissions for the folder redirection UNC path – With no luck.
    (on windows 7 machine with the exact same policy everything works)

    Have you experienced that issue? Did you manage to solve or find a workaround?

    Thanks you very much.

    1. I’ve also found problems on Windows 10 with taskbar icons disappearing, even without redirection.

      Can you reproduce it without redirection?

      1. Yes. If I manage UPM policies from Studio only (not from GPMC), I can reproduce it without folder redirection. (UPM 5.4 on XenDesktop 7.6.1000)

  8. Hi Carl,

    First off, thank you for this wonderful blog post. A very nice list to get started.
    I do have a couple of thoughts though:
    Prevent access to drives from My Computer = enabled –> careful with ShareFile, wasn’t able to set the sync folder to %userprofile%\ShareFile due to that setting.
    Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled –> This removes the disconnect button from 2012R2 (don’t know who came up with the idea to put it behind the power button….)
    runonce.exe /AlternateShellStartup –> the disadvantage is that this starts all apps that are in the Run key, meaning that a user will get double Receiver icons etc and possible other strange behavior (you have to put a lot in logoffchecksysmodules I think). An option is to only run it once (GPP in RunOnce or something), so far I’ve opted to set some of the things the alternateshellstartup does with a GPP, but that tends to be a PITA.
    I prefer using the NoDrives registry key as opposed to “Hide these specified drives”, gives you some more flexibility.

    Thanks again.
    Wout

  9. Any working around the new email alert not appearing and whilst also have the Remove Common program groups from Start? Got a 2012r2 RDS with redirected start and desktop, new email alerts don’t appear because I have enabled this setting? Seems mad to have one or the other?

    1. Found a fix myself after some playing about.

      Scenario;
      Redirected Start Menus and Desktop on 2012R2.
      Remove Common program groups from Start Enabled.
      Outlook notifications fail to appear.

      The shortcuts on my Start Menu and Desktop are taken direct from C:\Program Files(x86)\…. From what I’ve found Windows will only display notifications from programs listed within C:\ProgramData\Microsoft\Windows\Start Menu\Programs. Because we are removing this area and replacing it with our own, Windows does not recognise that any notifications should appear at all. It’s not a case of it suppressing the popup, it never sees it!

      Solution: Replace all shortcuts on desktop and start menu with Outlook shortcut taken from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\….

  10. Hi Carl,
    We are using XenDesktop 7 and we have applications that need to be run from Windows 7 32-bit. When we launch the applications using the Windows 7, we get a full screen showing the Windows 7 welcome splash screen.
    Can you hide the Windows Welcome screen when starting the application?

    Thanks Carl.

    Alex from Chile.

  11. Hi Carl,
    About the Disable SharePointFeatures, it should be set to 1 instead of 0:
    BDisableSharePointFeatures (REG_WORD) = 1

    Congrats for your blog. Every single line here is pure gold!

  12. Hi Carl,

    First of all: kudos for your great site!
    Doing exactly what the tagline suggests (and more).
    Thanks a million!

    I’m a bit confused about the Group Policy sections though

    http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#create
    Here you suggest to create
    – Citrix VDA All Users (including admins) and
    – Citrix VDA Non-Admin Users (lockdown).
    Both with disabled Computer Configuration portion.

    Q1.
    http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie
    However, section “Logon Script GPO Settings” refers to 3 settings under Computer configuration.

    Wouldn’t those be filters (given that the computer configuration portion is disabled).
    Can this section be omitted?

    Q2.
    Citrix VDA All Users (including admins)
    This GPO is created, but not used/mentioned afterwards.
    Is this deliberate?
    (Adapt to your own situation, e.g. only a subset of the settings applies to All Users?).

    Q3
    Can I use the receiver.admx template mentioned here:
    http://www.carlstalhood.com/receiver-for-windows/#admx
    instead of icaclient.adm mentioned under:
    http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#receiver

    1. LOL. I guess I have a few things to fix. Thanks for pointing these out.

      1. For people that read the IE section without reading the other sections, my intent was to remind them of the other GPO settings that might prevent the script from working. I just updated the text to clarify which GPO those settings belong in.

      2. There are several references to Citrix All Users. I fixed their names in the text so it matches the GPO name. I keep changing my mind on what to name that GPO.

      3. I must have missed that one. I’ll fix it.

      Let me know if you find any other issues with the content. Thanks.

    2. Regarding the All Users GPO, I use it for application configurations (e.g. Office setting, Internet Explorer settings). Every environment has different applications so usage of that GPO will vary.

  13. Hi Carl,
    first of all, thanks for the great work you are doing with your blog.
    There is something not clear to me about the GPO settings. If you disable the ‘Computer configuration settings’ for the Users GPO, does the ‘Configure User Group Policy loopback processing mode’ setting (stored in the computer settings) still apply in that GPO?

    Stefano

    1. Not if that setting is in the same GPO. I usually put it in a separate Computer Settings GPO. The loopback setting only needs to be enabled once since it is an HKLM registry key.
