Citrix Policy Settings

Last Modified: Dec 22, 2023 @ 4:52 am

💡 = Recently Updated

Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are not portable, meaning that you can’t export them from one Citrix Virtual Apps and Desktops site/farm and import them to another.

GPOs linked to an Active Directory OU can apply to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.

If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions (comments added here; the -Controller and -DomainGpo values are placeholders for your own Delivery Controller and GPO name):

# Load the snap-in that supplies the CitrixGroupPolicy PSDrive provider
Add-PSSnapin Citrix.Common.GroupPolicy

# Source drive: the Site (Studio) policies, read through a Delivery Controller
New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"

# Target drive: an existing Active Directory GPO, referenced by display name
New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

# Copy the User policies, then the Computer policies
cd LocalFarmGpo:\User
copy * TargetGPO:\User

cd LocalFarmGpo:\Computer
copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine. This plug-in adds the Citrix Policies node to the Group Policy Editor.

Do the following to install the plug-in.

  1. Login to a machine that has the Group Policy Management Console (GPMC) Windows Feature installed.
  2. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the Citrix Virtual Apps and Desktops ISO. Make sure all Group Policy consoles are closed first.

  3. Citrix Virtual Apps and Desktops (CVAD) 2311 comes with Citrix Group Policy Management 7.40.0.30.

    1. Citrix Virtual Apps and Desktops (CVAD) 2203 LTSR CU4 comes with Citrix Group Policy Management 7.33.4000.2.
    2. Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU8 comes with Citrix Group Policy Management 7.24.8000.0.
    3. XenApp/XenDesktop 7.15 LTSR Cumulative Update 9 comes with Citrix Group Policy Management 3.1.9000.0.
  4. Click Finish to finish the wizard.
  5. Citrix releases quarterly updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed).
  6. Citrix Policies let you use Delivery Groups as a filter. To see the list of Delivery Groups, install the Broker SDK plug-in.

    1. On the CVAD ISO, go to \x64\Citrix Desktop Delivery Controller and run Broker_PowerShellSnapIn_x64.
    2. Check the box next to I accept and click Install.
    3. Close the Group Policy Editor and re-open it. Now you can see the list of Delivery Groups.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix’s Daniel Feller (XenDesktop 7.7 and Windows 7) found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we’ll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the settings detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to ICA.
  12. Scroll down and add the setting Virtual channel allow list.

    • In VDA 2109 and newer, the setting Virtual channel allow list is enabled by default, which means that non-Citrix virtual channels, like Zoom and WebEx, won’t work. One option is to disable this setting. Another option is to find the name of the third-party virtual channel and add it to this list as detailed in Citrix Docs. See Citrix Blog Post Virtual channel allow list now enabled by default for a list of virtual channels to add.
    • CVAD 2206 and newer let you enter wildcards in the Virtual channel allow list setting. See Citrix Docs.
  13. CVAD 2311 and newer support HDX Direct for both internal and external connections. HDX Direct automatically installs self-signed certificates on the VDAs. Workspace apps then connect directly to the VDAs without going through ICA Proxy (NetScaler Gateway). For external users, the connections use STUN to traverse NAT. Use Citrix Policy to enable HDX Direct and set the mode to Internal and external. See HDX Direct at Citrix Docs.
  14. Change the Categories drop-down to Auto Client Reconnect.
  15. Click Add next to the setting Auto client reconnect logging.

    • Change the Value to Log auto-reconnect events, and click OK.
  16. Change the Categories drop-down to End User Monitoring.
  17. Click Add next to the setting ICA round trip calculations for idle connections.

    • Change the selection to Enabled, and click OK.
  18. Change the Categories drop-down to Local App Access.
  19. Click Add next to the setting Allow Local App Access.

  20. Change the Categories drop-down to Printing.
  21. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.

    • Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  22. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  23. Click Add next to the setting Enable monitoring of application failures.

    • You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  24. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.

  25. Click Add next to the setting Enable process monitoring. Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

    • Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. In CVAD 2012 and newer, in the Search Box, enter Drag and Drop and click Add Value.

    • Drag and Drop is enabled by default. Decide if this is acceptable to your security policies.
  5. In CVAD 2012 and newer, in the Search Box, enter WIA and click Add Value.

    • WIA Redirection is disabled by default. You can enable it if you have applications that use Windows Image Acquisition.
  6. On the Settings tab, change the Categories drop-down to Audio.
  7. Click Add next to the setting Audio quality.

    • Workspace app 2109 and newer connecting to CVAD 2109 and newer support Adaptive Audio and no longer need this Audio quality setting.
    • For all older versions of Citrix, change the Value of Audio quality to Medium – optimized for speech, and click OK.
  8. Change the Categories drop-down to Client Sensors.
  9. Click Add next to the Allow applications to use the physical location setting.

    • Change the selection to Allowed, and click OK.
  10. Change the Categories drop-down to Graphics.
  11. CVAD 2112 and newer let users share their screens with each other (Screen sharing). This setting requires Graphics status indicator to be enabled. 💡
  12. Change the Categories drop-down to Mobile Experience.
  13. Click Add next to the Automatic keyboard display setting.

    • Change the selection to Allowed, and click OK. Note: this setting might break SAP.
  14. Click Add next to the Remote the combo box setting. Note: this setting might break SAP.

    • Change the selection to Allowed, and click OK.
  15. Change the Category drop-down to Multimedia.
  16. Click Add next to the Use GPU for optimizing Windows Media setting.

    • Change the selection to Allowed, and click OK.
  17. Change the Categories drop-down to Printing.
  18. Click Add next to the setting Auto-create PDF Universal Printer.

    • Change the selection to Enabled and click OK.
    • This setting normally only applies to sessions using HTML5 Receiver or HTML5 Workspace app.
    • In Citrix Virtual Apps and Desktops (CVAD) 1808 or newer, and Workspace app 1808 or newer, the PDF Universal Printer also applies to regular Workspace app connections and is no longer limited to HTML5 connections.
  19. Click Add next to the setting Automatic installation of in-box printer drivers.

    • Change the selection to Disabled, and click OK.
  20. Click Add next to the setting Direct connections to print servers.

    • Change the selection to Disabled, and click OK.
  21. Click Add next to the setting Printer auto-creation event log preference.

    • Change the Value to Log errors only and click OK.
  22. Click Add next to the setting Universal print driver usage.

    • Change the Value to Use universal printing only.
  23. Workspace app for Mac version 2203 and newer along with VDA 2112 and newer supports PDF printing instead of Postscript printing. With PDF, it’s no longer necessary to install the HP Color LaserJet 2800 Series PS driver on the VDA. Citrix Policy setting Universal driver preference must be adjusted to enable PDF printing as higher priority than PS (postscript) printing. See Citrix Docs for more details.
  24. CVAD 2206 and newer let you set RDSH timers in the user half of a Citrix Policy under the Server Limits category. Citrix Docs says: Timer settings for multi-session machines configured using Citrix policies are expected to override timer settings configured through Microsoft Group Policies. To avoid unexpected behavior, we recommend you configure timer settings using one of the two methods.
  25. Change the Categories drop-down to Session Limits.
  26. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO or in the Server Limits section in CVAD 2206 and newer.

  27. Change the Categories drop-down to Time Zone Control.
  28. Click Add next to the setting Use local time of client.

  29. CVAD 1906 has a new policy for Desktop OS only that can revert to the VDA’s original time zone when the user disconnects or logs off. It’s called Restore Desktop OS time zone on session disconnect or logoff.
  30. Change the Categories drop-down to USB Devices.
  31. Click Add next to the setting Client USB device redirection.

    • If your security policies allow it, change the selection to Allowed, and click OK. This is the last generic setting. See the next couple of sections for more settings.

Also see:

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix’s Daniel Feller (XenDesktop 7.7 and Windows 7) found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated feature.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.3.100 or newer).

  6. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  8. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Blog Post What graphics policies do I need, and when? says you should not change any Citrix Policy Graphics Settings. The only exception is 3D workloads, which should have the Visual Quality user setting set to Build to Lossless.

Citrix Blog Post HDX Graphics Encoder Configuration Overview is a comprehensive overview of all relevant HDX Graphics Encoder settings. It should give you guidance and allow you to configure an optimal HDX policy set based on your own needs. It includes a Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, almost every setting has a review box that contains, where applicable, the policy name, facts and figures, recommendations, and example use cases.

In 1811 and newer, Graphics Status Indicator replaces the Lossless Indicator.

  • Graphics Status Indicator can be enabled in a Citrix policy in the user half in the Category named Graphics.
  • The graphics status indicator should eventually show up in the system tray.

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, the Internet, etc. In 7.12, EDT was a Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.13 and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

  • VDA 7.13 or 1808 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer. Or upgrade to Workspace app.
  • Receiver for Mac must be 12.5 or newer. Or upgrade to Workspace app.
  • StoreFront must be 3.9 or newer.
  • HDX Insight requires NetScaler ADC 12.1 build 49 and newer.
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). Some NetScaler features are not supported with EDT at this time.
  • Use a Citrix Policy to enable EDT. The HDX Adaptive Transport setting is in the Computer half of a GPO. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:
    • Citrix Workspace app 1911 for Windows or newer
    • Citrix ADC 13.0.52.24 or newer
    • Citrix ADC 12.1.56.22 or newer
    • On VDA 2203 and newer, MtuDiscovery should be enabled by default. In older VDAs, configure it at Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw
      • Value (DWORD) = MtuDiscovery = 1
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP and see the detected MTU.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active
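An added example (not Citrix’s code and not from this article) that audits a VDA for the two VDA-side EDT prerequisites listed above: the MtuDiscovery registry value and inbound Windows Firewall rules for UDP 1494 and 2598. It assumes the registry path and value name exactly as given above and matches firewall rules on protocol and port rather than on rule names; run it in an elevated PowerShell session on the VDA.

```powershell
# Added example, not Citrix's code: audit a VDA for the EDT prerequisites above.
# Assumption: registry key/value exactly as the article states; firewall rules are
# matched on protocol/port, so rule names do not matter.

$IcawKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw'
$EdtPorts = @(1494, 2598)   # UDP ports EDT needs reachable on every VDA

function Test-EdtMtuDiscovery {
    # $true when MtuDiscovery (DWORD) = 1 exists under the icaw key.
    # An absent value is reported as not enabled; VDA 2203+ should set it by default.
    $props = Get-ItemProperty -Path $IcawKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.MtuDiscovery) { return $false }
    return ([int]$props.MtuDiscovery -eq 1)
}

function Enable-EdtMtuDiscovery {
    # Creates or overwrites MtuDiscovery = 1, the setting the article gives for older VDAs.
    if (-not (Test-Path $IcawKey)) { New-Item -Path $IcawKey -Force | Out-Null }
    New-ItemProperty -Path $IcawKey -Name 'MtuDiscovery' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PortCoveredByFilter {
    param([string[]]$LocalPort, [int]$Port)
    # Get-NetFirewallPortFilter reports LocalPort as 'Any', a number, or a 'low-high' range.
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

function Get-EdtFirewallGaps {
    # Returns the EDT UDP ports that no enabled inbound Allow rule covers.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    $covered = @{}
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        # A rule for 'Any' protocol also admits UDP, so keep it alongside explicit UDP rules.
        if ($filter.Protocol -ne 'UDP' -and $filter.Protocol -ne 'Any') { continue }
        foreach ($p in $EdtPorts) {
            if (Test-PortCoveredByFilter -LocalPort @($filter.LocalPort) -Port $p) {
                $covered[$p] = $rule.DisplayName
            }
        }
    }
    return @($EdtPorts | Where-Object { -not $covered.ContainsKey($_) })
}

function Invoke-EdtPrereqCheck {
    param([switch]$Remediate)   # -Remediate only touches the registry value, never the firewall
    $mtu = Test-EdtMtuDiscovery
    if (-not $mtu -and $Remediate) { Enable-EdtMtuDiscovery; $mtu = Test-EdtMtuDiscovery }
    $gaps = Get-EdtFirewallGaps
    [pscustomobject]@{
        MtuDiscoveryEnabled = $mtu
        UdpPortsNotAllowed  = $gaps
        Ready               = ($mtu -and $gaps.Count -eq 0)
    }
}

Invoke-EdtPrereqCheck | Format-List
```

Ready = True covers only the VDA-side items; the NetScaler SNIP path and the HDX Adaptive Transport policy setting still need checking separately, and ctxsession -v inside a session confirms that UDP is actually in use.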

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • In 7.18 and newer, Selective H.264 uses H.264 for build to lossless instead of JPEG for build to lossless.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

Security Settings

See CTP Dave Bretty’s post Making Your Citrix Policy Secure – By Default.

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Drag and Drop = Disabled (CVAD 2012 and newer)
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.

XenDesktop 7.17 adds a Session Watermark feature.

Find the settings in the user half of a Citrix Policy under the Session Watermark category.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection”
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

233 thoughts on “Citrix Policy Settings”

  1. Morning Carl –
    I’ve run into a question I can’t find an answer for. Hopefully, you can help point me in the right direction. Is it possible for me to isolate published applications on the same server with multiple network interfaces (VMWare Host) for different customers? For example, one customer needs the published app to get to their environment but we don’t want them to cross to another area and the IP must be from that single IP. I know this isn’t typical because most people bond the interfaces for more throughput, but we are trying to maintain the least amount of virtual servers as possible. The answer may be on the VMWare side or the actual app config, but just wanted to know if this is an option or not. Thank you for your time and all of your articles. I wouldn’t be a Citrix admin without them…that’s for sure.

      1. Thank you for the quick response and for the direction to look. It’s been an issue since we have multiple external customers that reach in to our network resources. We need to control what each customer is able to access. I appreciate your insight as always!

  2. From a theoretical point of view can I create/manage GPOs with Citrix Policy from a Domain Controller with Citrix Group Policy Management installed and of course the Group Policy Management console?
    Does it make sense to do so?

  3. Hi Carl! Thanks for all your contributions to the Citrix community, you are always the reference.
    I am applying inactivity time policies to my VDAs and I want to apply a different time if it is peak hour and another one if it is off-peak hour.
    Is there any way to do this?

    1. VDI? Or RDSH? RDSH timers are set in GPO that sets registry values. You can use a scheduled task to change those registry values.

      Another option is to write a script that enumerates sessions looking for idle time and disconnect time and then your script logs off users based on those values and the time of day. Schedule your script to run periodically throughout the day.

  4. I figured I should put this out there, to help the next admin that finds this gem of an issue:

    I recently encountered a Citrix DaaS Policies issue on both Server 2019 and Windows 10 Multi-Session 21H1. After updating to the 2209 VDA from the 2203 VDA, almost all of the Citrix Policies from Citrix DaaS were missing. The culprit was identified as a remnant of older Citrix Policies from GPOs – policies that were removed from within GPMC and no longer displayed in GPMC. The ‘Citrix’ folder was left behind in the GPOs and still had the ‘gpf’ files intact. Once the Citrix folder was removed from the individual GPO folders and a quick run of ‘gpupdate /force’, the correct Citrix Policies were pulled by the VDA. A simple disconnect/reconnect of the user sessions allowed the policies to load without issue.
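An added example (not the commenter’s or Citrix’s code) that turns the diagnosis above into an audit: it lists every GPO whose SYSVOL folder still holds Citrix .gpf files and flags those where the GPO report no longer mentions Citrix, so an admin can review leftovers before a VDA upgrade. It assumes the RSAT GroupPolicy module is installed, that the Citrix extension stores its files under the Machine\Citrix and User\Citrix folders of each GPO (the ‘Citrix’ folder named in the comment), and that matching “Citrix” in the GPO report is only a heuristic.

```powershell
# Added example, not from the commenter or from Citrix: report GPOs whose SYSVOL
# folder still carries Citrix policy files (*.gpf under a Citrix folder).
# Assumptions: RSAT GroupPolicy module present; Citrix extension data lives under
# <GPO>\Machine\Citrix and <GPO>\User\Citrix; the ListedInReport column is a
# heuristic string match on the GPMC report and may need tuning.
Import-Module GroupPolicy

function Get-CitrixGpfResidue {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $gpoPath = Join-Path $policiesRoot ('{' + $gpo.Id.ToString().ToUpper() + '}')
        # XML report as GPMC sees it; used only for the heuristic flag below
        $report  = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        foreach ($half in 'Machine', 'User') {
            $citrixDir = Join-Path (Join-Path $gpoPath $half) 'Citrix'
            if (-not (Test-Path -LiteralPath $citrixDir)) { continue }
            $gpfFiles = @(Get-ChildItem -LiteralPath $citrixDir -Recurse -Filter '*.gpf' -File -ErrorAction SilentlyContinue)
            $newest   = $gpfFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                GpoName        = $gpo.DisplayName
                GpoId          = $gpo.Id
                Half           = $half
                GpfFileCount   = $gpfFiles.Count
                NewestGpf      = if ($newest) { $newest.LastWriteTime } else { $null }
                ListedInReport = [bool]($report -match 'Citrix')   # heuristic, see header comment
                Path           = $citrixDir
            }
        }
    }
}

# Residue candidates: Citrix files still on disk, but nothing Citrix-related in the GPMC report.
Get-CitrixGpfResidue |
    Where-Object { $_.GpfFileCount -gt 0 -and -not $_.ListedInReport } |
    Format-Table GpoName, Half, GpfFileCount, NewestGpf, Path -AutoSize
```

The script only reports; removing a Citrix folder and running gpupdate /force, as the comment describes, stays a manual step taken after confirming that the GPO is no longer meant to carry Citrix settings.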

  5. I am using Windows 10 VDI with Citrix PVS golden image.
    We are in the process of migration to Citrix 2203.

    With Citrix VDA 2203 installed on the golden image certain websites (mine was an internal authentication page) are not working correctly with Edge chromium or Chrome.
    Page is left greyed out and the utility: video capture hangs in the Edge browser task manager (To open this right click Edge browser in the task bar while holding shift button)
    Issue is encountered only from certain end clients like MS Surface and MacBook. All end clients have the same workspace app version
    The issue is not there with Citrix VDA 1912.

    To fix this I have set the following to Allowed, or try to unselect it completely, since the default is also Allowed:
    ICA\Multimedia – Windows Media redirection.
    We had it set as Prohibited for a long time, and I’m not sure what changed in VDA 2203 that is causing this issue, but if you have similar issues, you might give this option a try. Until now I have not found another fix for this issue.

  6. Hello Carl,
    A question on html5: If I configure session timeout policies for idle, disconnect etc. in GPO. Should I expect them to take effect on HTML5 sessions? They don’t appear to be even though they work on workspace app sessions. If not, is there a way I can get timeouts to apply on html5.
    Note: I am using GPOs because Citrix policies on Server OS appear to (still be?) ineffective.

    1. What kind of VDA? Multi-session? If so, then timeouts are configured in the RDSH section of a Microsoft GPO. The newest VDA 2206 adds timeouts for multi-session to Citrix Policies.

  7. Anyone having issues with Citrix Policies not being applied after upgrading to VDA 2206? Everything was fine with 2203.

    Just upgraded the VDA to 2206, that’s all. Also updated the Citrix GPO extension on the server we use for GPO management, but that should not have anything to do with it.

    We are a Citrix Cloud user; Citrix Policies are GPO-managed.

    1. When I reinstall the 2203 VDA all the Citrix policies work as expected, so VDA 2206 is definitely causing me issues.

      1. It was just the User Citrix Policies that did not apply. Tried all the KB articles; nothing but a reinstall of the 2203 VDA worked.

        1. I found an article which tells me to implement a registry key in HKLM\Software\Citrix\GroupPolicy.

          Key name should be NoDomainGpoDetour with a value of 1.

          Did you test this and does it work for you?

          1. “I found an article which tells me to implement a registry key in HKLM\Software\Citrix\GroupPolicy.
            Key name should be NoDomainGpoDetour with a value of 1.
            Did you test this and does it work for you?”

            I just tested and it is working (just need longer to verify long term)

            Before, I could only get it working on the 2203 and 2203 CU1 branch; 2206 and 2209 would fail to load the user policies section. I am now using 2209 with the above settings.

            I am also now using the Cloud Studio for the Policies this also failed before, but is working now with the above setting.

            Will Monitor the Situation

            Thanks
            Alan

    2. Hi Alan, we have the same problem. Using Citrix Cloud and VDA 2206. The policies are not working.

      Opened a P2 case with Citrix and awaiting the remediation…!!

      1. Hi, let us know how you get on. I should have known better than to apply the latest VDA 2006 so soon; Citrix never gets this right at first release of anything new.

        Cheers
        Alan

        1. “I found an article which tells me to implement a registry key in HKLM\Software\Citrix\GroupPolicy.
          Key name should be NoDomainGpoDetour with a value of 1.
          Did you test this and does it work for you?”

          I just tested and it is working (just need longer to verify long term)

          Before, I could only get it working on the 2203 and 2203 CU1 branch; 2206 and 2209 would fail to load the user policies section. I am now using 2209 with the above settings.

          I am also now using the Cloud Studio for the Policies this also failed before, but is working now with the above setting.

          Will Monitor the Situation

          https://intelligentsystemsmonitoring.com/knowledgebase/citrix/citrix-policy-applied-through-active-directory-gpo-does-not-get-reflected-in-user-session/

          You need this setting if you have GPO Loop Back Processing, and it is set to Replace mode on the VDA OU

        2. The article is gone, but the key is still working! I’ve implemented the key in our environment, Citrix Cloud with VDA 2209

  8. What’s the trick to configuring a machine that has the Citrix Group Policy Management plug-in to communicate with the Citrix cloud controllers? I can open and edit Citrix policies, but if I try to apply a filter the Controller field is blank and I cannot enumerate delivery groups.

        1. Are you on Citrix Cloud? If so, then you’d need the Cloud version of the PowerShell SDK. It should ask you to log in to Citrix Cloud.

          1. Yes, on Citrix Cloud; Cloud Connectors are in Azure with our VDAs. I’ve got the Virtual Apps and Desktops Remote PowerShell SDK from 4/19/22 installed from citrix.com/downloads/citrix-cloud/product-software/xenapp-and-xendesktop-service.html.
            I’ve got the secureclient API access key set up in PowerShell, and have no trouble communicating with the site in PowerShell. I then invoke gpmc from the PowerShell command line, and in the Group Policy Management Editor I can see our existing Citrix policies and settings in the GPO, but delivery groups are identified by GUID, and if I try to create a new policy or edit an existing one and filter on delivery group, the Controller text box is blank and the delivery group drop-down is empty.
            We had this set up previously on a Windows VM that was on-prem, but that machine got decommissioned, and I am trying to set it up on another. Is there any chance it is a firewall issue? What ports are required for this communication? There’s surprisingly very little online with regards to setting this up; CTX220345 seems to be the appropriate article but is lacking.

          2. Hello Carl

            I have exactly the same problem as Michael Norton has.

            We have our Delivery Groups in Citrix Cloud DaaS and want to manage the Citrix Policies locally with Citrix GPMC. When I type the FQDN of the Cloud Connectors in the Controller field, the Delivery Group drop-down is empty. I assume the Citrix Cloud window asking for credentials should pop up? Firewall ports from the domain computer where GPMC is installed to the Cloud Connectors are open (Any policy).

            Installed components on the Active Directory server:
            – Citrix DaaS Remote PowerShell SDK 7.35.25293.36172
            – Citrix Group Policy Management 7.34.0.16

            Maybe you have an idea what it can be or what I forgot? Michael, did you solve the problem already?

            I’m looking forward to your feedback.

          3. Yonathan – no, I have not yet managed to get this working as I would expect it to, and as it obviously did at one point in the past.

  9. Has anyone ever seen a situation where USB/TWAIN scanners work fine inside the network when VDI is launched from the StoreFront base URL but not when launched from the gateway? I’m checking ports now.

    1. Do you have any Citrix Policies with Access Control filters that might be disabling TWAIN?

      Any Smart Control on your ADCs?

  10. Good morning dear Carl,
    I wanted to raise a query. We currently maintain a Citrix Cloud solution; our XenApps are on-premises. We have implemented MCS and random desktops, with roaming profiles through AD. We are migrating to Microsoft 365 and are interested in implementing the profiles through Citrix to be able to save the license activations correctly. Is it configured in the same way for our environment?

    1. Citrix Profile Management or FSLogix are configured in group policy, which doesn’t care where your broker or VDAs are located.

  11. Hello, I am recently having an issue on 7.15 where I can copy files from the local device into the published desktop but I am unable to copy files from the published desktop to the local device, though I can copy text. Am I understanding CTX238130 correctly that session-to-local-device is not supported in 7.15?

      1. Sadly, those scripts only touch the Citrix Policies as handled within Studio, not domain-based GPOs. There has to be a way to access the Citrix policy settings held within an actual GPO through PowerShell, but it seems to be like searching for the Holy Grail (minus the coconuts). Any thoughts?
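
The CitrixGroupPolicy PowerShell provider that the page's Studio-to-GPO copy commands rely on accepts a -DomainGpo parameter, so Citrix settings held in an AD GPO can be read (and written) from PowerShell without opening the Group Policy Editor. The script below is an added example, not code from the page, from Citrix, or from the commenter: it maps a PSDrive onto a GPO and lists every policy, every configured setting and every filter in it. Assumptions: the Citrix Group Policy Management plug-in (module Citrix.GroupPolicy.Commands) is installed on the machine running it, the account can read the GPO, the GPO display name is the hypothetical "Citrix Policy ONLY", and the item property names used (Enabled, Priority, State, Value, Mode, FilterValue) are those the provider exposes on the tested version; verify them with Get-ItemProperty on one item before depending on them.

```powershell
# Added example (not from the page or from Citrix): inventory the Citrix policies
# stored in an AD GPO through the CitrixGroupPolicy provider.
Import-Module Citrix.GroupPolicy.Commands -ErrorAction Stop

$GpoName   = 'Citrix Policy ONLY'   # hypothetical GPO display name
$DriveName = 'AdGpo'

# -DomainGpo targets the GPO in SYSVOL; -Controller would target a site database instead
if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveName -PSProvider CitrixGroupPolicy -Root \ -DomainGpo $GpoName | Out-Null
}

foreach ($scope in 'User', 'Computer') {
    # Each child of <drive>:\User or <drive>:\Computer is one Citrix policy (e.g. Unfiltered)
    foreach ($policy in Get-ChildItem "${DriveName}:\$scope") {
        $policyPath = "${DriveName}:\$scope\$($policy.Name)"
        $p = Get-ItemProperty $policyPath
        Write-Output "[$scope] $($policy.Name)  Enabled=$($p.Enabled)  Priority=$($p.Priority)"

        # Settings live under <policy>\Settings\<category>\<setting>. Category nodes have no
        # State property, so anything without one is a container and is skipped.
        Get-ChildItem "$policyPath\Settings" -Recurse | ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            if ($s.PSObject.Properties['State'] -and $s.State -ne 'NotConfigured') {
                Write-Output ("  {0,-50} State={1} Value={2}" -f $_.Name, $s.State, $s.Value)
            }
        }

        # Filters live under <policy>\Filters\<filter type>\<filter name>
        # (DeliveryGroup, Tag, AccessControl, User, ClientIP, ...). Leaf items carry the filter.
        Get-ChildItem "$policyPath\Filters" -Recurse | ForEach-Object {
            $f = Get-ItemProperty $_.PSPath
            if ($f.PSObject.Properties['FilterValue']) {
                $type = ($_.PSParentPath -split '\\')[-1]
                Write-Output ("  Filter {0}: {1}  Enabled={2} Mode={3} Value={4}" -f $type, $_.Name, $f.Enabled, $f.Mode, $f.FilterValue)
            }
        }
    }
}

Remove-PSDrive -Name $DriveName
```

The same drive accepts Set-ItemProperty and New-Item, which is how the page's `copy * TargetGPO:\User` works; treat it as a write path into SYSVOL and run it only from an account and machine that are already trusted to edit that GPO.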

  12. Hi Carl

    I have a delivery group of 450 Windows 10 private machines, within which some machines should have more restricted policies in terms of resource mapping (no client drives, no clipboard redirection, etc.).

    I tagged these machines with a specific tag and linked a new policy to this tag. I moved this policy to the top priority level.

    The settings were not applied, as I thought they would be, only to sessions started on these tagged machines, but instead to every session, whatever the delivery group or user used (the evidence was easy to spot as I also setup session watermarking in this new policy).

    Is there a known bug in CVAD 1912 LTSR CU1 related to Citrix policies, or did I miserably fail to properly understand how tag-assigned policies work?

    Thanks for your help, have a great day

    Kind regards

    Yvan

  13. What’s the difference between setting clipboard redirection to prohibited and enabling restrict clipboard client or session? Thanks

  14. Hello! I know this might be a necro-post, but on our network we have a mix of Citrix and Windows. If a user uses Citrix and logs out, their roaming profile gets written over with Citrix policies. When they decide to use a workstation, the user may receive the dreaded “Group Policy Service Failed. Access Denied”. After looking at it, it seems that the user’s roaming profile (.V6) is trying to go to the Citrix profile share that I’ve created only for Citrix. Is there a way to work this out?

    1. Are you using Microsoft roaming profiles for both? If so, in Active Directory Users & Computers, edit a user. There’s a tab for Remote Desktop Services Profile that only applies when a user logs into Remote Desktop Session Host (aka XenApp).

      Another option is to use GPOs to set different values for “Set roaming profile path for all users logging onto this computer”.

  15. Hello,
    I have a black flash problem that appears every 15 min when the user launches an application: environment VDA 7.1912 CU1 + Windows Server 2016.
    Do you have a suggestion for this problem, please?

  16. How do you set up Outlook auto discovery via Citrix policies? We are using folder redirection. We need users to be able to set up their Outlook profile via autodiscover and for their settings to be saved for the next time they log on to the VDI.

    1. In GPO you can set the following:

      User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange
      Automatically configure profile based on Active Directory Primary SMTP address = enabled

  17. A fresh installation of 1912 LTSR CU2 seems to be automatically installing the Citrix Group Policy Management Plug-in. I didn’t notice this in earlier cumulative updates or versions.

    XenDesktop Installation.log

    02:50:43.5385 : XenDesktopSetup:VerifyCDRoot: Found MediaID file at ‘E:\x64’
    02:50:43.5385 : XenDesktopSetup:VerifyCDRoot: Found MediaID file at ‘E:\x64’
    02:50:43.5385 : XenDesktopSetup:Media found, Continuing.
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:Component: Citrix Policy SDK, MSI full path: E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    02:50:43.5385 : XenDesktopSetup:About to install MSI File ‘E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi’ using params ‘INSTALLDIR=”C:\Program Files\Citrix” ARPSYSTEMCOMPONENT=”1″ MSIFASTINSTALL=”1″ MSIRMSHUTDOWN=”2″ METAINSTALLER=”1″‘ log file is ‘C:\Users\adm-nigup\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\CitrixGroupPolicyManagement_x641354332738.txt’
    02:50:43.5385 : XenDesktopSetup:Starting synchronous process ‘msiexec’ with args ‘/i “E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi” /lv “C:\Users\nigupta\AppData\Local\Temp\Citrix\XenDesktop Installer\MSI Log Files\CitrixGroupPolicyManagement_x641354332738.txt” /quiet INSTALLDIR=”C:\Program Files\Citrix” ARPSYSTEMCOMPONENT=”1″ MSIFASTINSTALL=”1″ MSIRMSHUTDOWN=”2″ METAINSTALLER=”1″ CLOUD=False REBOOT=ReallySuppress’
    02:50:54.2305 : XenDesktopSetup:Process completed with error code 0x00000000
    02:50:54.2305 : XenDesktopSetup:Installation of MSI File ‘E:\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi’ succeeded

  18. Are there any scanners that work with MacOS and also work through Citrix Apps/Desktops? My scanners work when connecting to apps via a windows machine but not on my mac. I can see the device listed in my devices but the VDA does not detect the device.

  19. Thank you very much for your quick answer Carl 🙂
    I would also like to ask you if it is OK to use both methods (Citrix Studio and Windows GPO)
    for Citrix Policies or if it is recommended to use only one method.
    Many thanks again,

  20. Hi Carl,

    According to Citrix documentation, mixing Windows and Citrix policies in the same GPO is not supported.

    So, can’t we use the same policy “Citrix VDA Computer Settings” for Computer settings and Citrix settings? Same for the “Citrix VDA All Users (including admins)” policy.

    Many thanks!!

    1. I’m not aware of any reason why it won’t work. Ultimately, both just create configuration files. Then the client machine reads those files and performs actions based on the contents of those files.

      I have not seen the “not supported” message, but you’re welcome to create new GPOs to honor it.

    2. We “honor” the Citrix way when it comes to using GPOs for Citrix Policies. We decided to keep them separate. To help us easily identify them quickly, we added the words “Citrix Policy ONLY” in addition to the GPO-specific naming convention.

  21. HI Carl,

    Need your help. We have a Windows and Citrix environment. On the Citrix servers I am not able to apply any policy: if I change a group policy on the DC, after running gpupdate /force on the DC server and the Citrix servers, nothing changes there. I don’t know why group policy does not apply on the Citrix OU. I tried the above step but it didn’t work for me. Can you please help me? I am only getting the problem on the Citrix server OU. Please, I need your help. Thank you.

    1. Try standard group policy troubleshooting like running “gpresult /h gpo.html” and then view the report.

      1. Tried this; nothing works. We don’t understand why the policy is not applied on the Citrix OU. Is it a user permission problem or some configuration problem? How do we rectify this problem? Please help.
        Thank you

      2. Hi Carl,

        I have run this command on the client PC and the report is generated. Now what should I check in it? Please help me.

        Waiting for your reply
        Thank you

      3. “Windows Update can’t check for updates because settings on this PC are controlled by your system administrator.”

        The above is the error message that comes up when I click Windows Update.

  22. Hi Carl,
    Thanks as always for your work. I wanted to know: is there a way to determine what delivery group/app/shared desktop a user will see based on their endpoint? This is internally for load-balanced StoreFront servers, so for a user that is not going through the VPN gateway. Essentially, if a user comes from a specific set of endpoints (by name or IP or some other attribute), can I direct them to only see a specific delivery group using Citrix policies?

  23. Hi Carl,

    We have just started to use 1912 LTSR and have enabled the graphics tool indicator policy. What we see is that “switch to pixel perfect” is enabled, and after 2-3 hours it is unticked. Any suggestions?

  24. Hi Carl, we are currently running 4.9 LTSR Receiver and going to move to 1912 LTSR Workspace. Are we able to replace the Receiver ADMX templates in Group Policy with the Workspace ADMX templates and retain the Receiver settings that have been set?

    So if we replaced the templates (as they are named the same), it would retain the group policy settings for 4.9 LTSR and we would see additional settings for 1912 LTSR?

    Thanks in advance.

    1. Yep. The templates just show the “available” settings. The “configured” settings are usually not modified when you change a template. If you remove the template, the “configured” settings then appear as “extra registry settings” indicating that doing anything with the template doesn’t change what’s already configured.

  25. Hi Carl,

    We have 3 Mbps bandwidth between head office and branches, and scanner performance is so slow with the TWAIN driver, for example: one side B/W 25 sec and both sides B/W 35 sec. Do you think that it is normal with this bandwidth, or is there any improvement method to speed up scanning with limited bandwidth?

  26. Hi Carl; magnificent work as always.
    On the cusp of migrating from 7.15 CU4 > 1912, and I have come across a strange behaviour when connecting to the 7.15 CU4 site with a desktop or server VDA running the 1912 VDA from a client with Workspace. We have run with FMA policies for many years and include a policy which allows clipboard redirection (text) only but not file (“Allow file transfer between desktop and client” is prohibited). However, when using WS (1911) connecting to a 7.15 CU4 site and then to a desktop or server VDA running VDA 1912, the user can transfer files between the local client and Citrix session! If you connect to the same desktop or server VDA from a local client running Citrix Receiver, then the policy prohibits file transfer as expected! Head scratching all around! Has Workspace and/or 1912 LTSR introduced additional policies or a separate layer to FMA when applying policies? When looking at Director, it would appear the policies apply, and if you remove the user from the policy allowing clipboard redirection, then both clipboard and file redirection are prohibited when connecting from WS to the 1912 VDA! Any pointers or ideas greatly appreciated.
    TIA, Paul!

    1. Transpires that policies introduced in 7.6 don’t appear to be relevant until you connect to VDAs running 19xx via Workspace!
      19xx VDAs (with Workspace) require “Restrict client clipboard write” and “Restrict session clipboard write” with the appropriate CF_ formats to enforce the restriction but allow text, etc. Interesting!

  27. Hi Carl

    A wee heads-up that the Citrix HDX “mobile experience” settings, when enabled, can cause some weird GUI issues with Oracle client 10.x/11.x such as entire menus and menu options disappearing. I ran into this on a XA 6.5 to 7.15 LTSR migration, and simply disabling the setting(s) resolves the issue.

  28. Hi Carl. I am receiving this error when I try to choose a delivery group from my Citrix policy within the GPO: Failed to connect to back-end server ‘localhost’.

      1. I had the same problem as Jefersomn until I entered the controller address. Do you know if there is a way to prepopulate that field?

  29. Hello Carl, can you please assist with printer driver issues for end users? Sometimes they get the Citrix Universal Printer, and most of them get the Citrix XPS Universal driver in their session. Citrix XPS is working for duplex, but Citrix Universal fails after the first page (the first page gets printed but the second one has the message “illegal error”). The Citrix policy under XenApp is configured to auto-create client printers only with generic drivers (universal printer in case the generic driver is unavailable). It’s strange to see that it auto-resolves for a few users without any changes in policy. Can we fine-tune such inconsistent behavior? Is there any tool to find out where the issue is and how to resolve it? There is no consistency in driver version; multiple driver versions work successfully. Around 7 to 8 percent of users are affected some of the time. Kindly assist with this.

  30. Seeing a weird issue where my GPMC show/hide buttons have disappeared when Citrix Policy Management is installed. Any thoughts? It just started happening. I notice it in my legacy XA6 farm too, but that may have been that way a while.

  31. Hi Carl,

    Thanks again for the tremendous work you achieve every day for the Citrix community !

    I have a question regarding the session timers policies.

    I have several delivery groups with Windows 10 private machines and other groups with pooled machines.

    The private machines are used by support teams working on a 24x7 basis; they must be as available as possible, therefore the disconnected session timer interval is set to 3 days.
    The Citrix policy is assigned to the users groups granting access to the private delivery groups (priority 2).

    The pooled machines are used by a wider range of people for usual office work and must be updated as soon as a new PVS version has been validated. For these machines, the disconnected session timer interval is set to 9 hours via the Default user policy assigned to the whole domain users (priority 15).

    Given these settings are user based, if a user is a member of a private machine group but uses a pooled machine, he will get the 3-day timer.

    How could I configure the policies in order for a user to get the 9-hour timer while using a pooled machine, whatever groups he is a member of?

    Kind regards

    Yvan Scigala

    1. In your Citrix Policy on the Filters page, you can add a Delivery Group filter. Then move the policy higher in the priority list.

      1. Hi Carl, sorry I did not see your reply. As you mentioned, I solved this by assigning the long timer policy to delivery groups and high priority, whereas the shorter timer policy (default user policy) is assigned to domain users. Thanks again and, with a “bit” of delay, I wish you a fantastic 2020 🙂

  32. Hi Carl, what permissions are required in Active Directory for a Citrix admin to utilize Citrix GPO management? I have all permissions on the specific GPO except Delete and Rename. I also cannot create new GPOs, but can only edit this one.
    We are still trying to figure out why Citrix Policies are not applying on the VDAs in an ICA session using a GPO, but apply correctly when using database-based policies. We even opened a case with Citrix and they can’t seem to figure it out. We have the same permissions to the GPO, but it is still not working. If the Active Directory admin wants to view the policy settings we have set, they tell me the policy is empty, but when I look at it, it has the Citrix Policies in there. I think that is because I have the Citrix Group Policy plug-in and they do not. But that shouldn’t matter, correct? If I am a Citrix admin using Group Policy Editor on my local endpoint running GPEditor with the Citrix Policy plug-in, it should apply the policies correctly, right? Even the Unfiltered policy settings are not getting applied in the ICA session. Should I be running any GPO modifications from the Delivery Controllers only?
    This is for version 7.15.3000.

    1. Did you modify the filtering of the GPO to only include users? If so, did you also add Authenticated Users (or Domain Computers) to the Delegation tab and give it Read permission? This is required for loopback.

      Yes, only machines with the Citrix Group Policy Management plug-in can view the Citrix Policies, but that shouldn’t affect whether the policies apply or not.

      On the VDA machine, there’s a Group Policy Client Side Extension that processes the Citrix Policy GPOs.

      1. Yes. Under the Scope tab, it just has Authenticated Users. Under the Delegation tab, it has Authenticated Users with READ permission only.
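
The delegation check Carl describes above (the VDA's computer account must be able to read a user-filtered GPO for loopback to pick up its user settings) is easy to verify and repair in bulk with the GroupPolicy RSAT module. The script below is an added example, not code from the page, from Citrix or from either commenter: for each named GPO it looks for a non-denied Read-or-better entry for Authenticated Users (SID S-1-5-11) or Domain Computers (RID 515) and, where none exists, adds Read for Authenticated Users. Assumptions: the GroupPolicy module is installed, the account can read and edit the GPOs, and the GPO names are hypothetical.

```powershell
# Added example (not from the page or from Citrix): make sure computer accounts can read
# Citrix policy GPOs that are security-filtered to users, so loopback can apply them.
Import-Module GroupPolicy -ErrorAction Stop

$CitrixGpos = @('Citrix VDA Computer Settings', 'Citrix VDA All Users (including admins)')  # hypothetical names

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory)][string]$Name)
    $entries = Get-GPPermission -Name $Name -All
    $readers = $entries | Where-Object {
        -not $_.Denied -and
        # SID-based match so the check is independent of display language
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like '*-515') -and
        $_.Permission -in @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
    }
    return [bool]$readers
}

function Repair-GpoComputerRead {
    param([Parameter(Mandatory)][string]$Name)
    # Read only, not Apply: security filtering (who the GPO applies to) is left unchanged
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
    return (Test-GpoReadableByComputers -Name $Name)
}

foreach ($gpo in $CitrixGpos) {
    if (Test-GpoReadableByComputers -Name $gpo) {
        Write-Output "[OK]  $gpo : computer accounts can read it"
    } elseif (Repair-GpoComputerRead -Name $gpo) {
        Write-Output "[FIX] $gpo : added Read for Authenticated Users"
    } else {
        Write-Output "[ERR] $gpo : still not readable by computer accounts; check the Delegation tab"
    }
}
```

Run it from the machine you edit Citrix GPOs on, then `gpupdate /force` on a VDA and confirm with `gpresult /h gpo.html` that the Citrix GPO now shows under the applied user policies rather than as denied.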

  33. Hi Carl, do you know why StoreFront must be 3.9 or newer for EDT? Can EDT be enabled on a Win7 OS with a 7.15 LTSR VDA and 7.8 Controller? NetScaler is on 12.0-56.20.

    1. I think StoreFront 3.9 and newer adds the lines to the .ica file that enables EDT on the client side.

  34. Hi Carl, we have recently upgraded the VDA server OS from Windows 2008 R2 to Windows 2012 R2. Post upgrade we have observed that during logon a black screen appears for 60-120 seconds before the actual desktop screen with all icons appears; secondly, users have reported slow performance and screen freezes while working. The VDAs are on VMware ESXi infra with 32 GB RAM and 8 vCPU, and we have close to 700+ server OS VDAs which got upgraded to the Windows 2012 OS. Do we need to apply specific policies or settings for Windows 2012 OS VDAs?

    Currently we tried following

    1. Changed display drivers from VMware SVGA to Microsoft Basic Display drivers

    2. Enabled Legacy Graphics mode via Citrix policies

    3. Removed the Desktop Experience feature from Windows 2012 OS

    But no luck..

    Earlier, on Windows 2008 R2, each VDA used to handle 25-30 users with a 7000 load index, but in the case of Windows 2012, with only 12-15 users the load index runs between 8500-9500.

    Not sure if it’s due to switching the OS to Windows 2012.

    We are running on 7.15 LTSR edition.

    Need to know your views on the above mentioned scenario..

    Thanks !

    1. Newer OS, especially published desktop, uses more resources than older OS.

      What roaming profile method are you using? Is first logon faster than second logon?

        1. We are using Microsoft folder redirection and roaming profiles. We have set AppData on SAN storage and redirected My Desktop, Documents, Favorites to NAS storage. The logon time is almost the same for first logon and second logon.

          We tried isolating by setting the roaming profile via WEM 4.7 using CPM, as I read some articles stating WEM can filter out a few of the logon steps, but no luck.

          The VDAs are streamed via PVS to VMware ESXi hosted VMs.

          One observation is we don’t get the long black screen on desktops streamed directly to bare-metal HP servers.

          Is there any optimization setting for VMs hosted on ESXi?

        Thanks !

  35. Hi,

    Regarding setting “Automatic installation of in-box printer drivers” to disabled: is this still required, since VDA support for the policy setting “Automatic installation of in-box printer drivers” has been deprecated in version 7.16, as per the article below?

    https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new/removed-features.html

    The Alternative column reads:
    None. Policy setting supported with VDAs on earlier OSs only (Windows 7, Windows Server 2012 R2 and earlier).

    Does that mean that on, e.g., a Windows 2016 based VDA, the drivers are not automatically installed?

    Thanks

    1. There’s probably no harm in setting it. The vast majority of my customers are 7.15 so I’m guessing it still applies to them.

  36. I’m currently dealing with one of the most confounding Citrix issues I’ve seen in years. This is for XA65 (I know, I know, I’m getting my corp off of it).

    I manage all of my Citrix policies in GPO. When users log on, I can see the user Citrix policies being written to the subkeys and values below HKLM\Software\Policies\Citrix\[SESSION_ID]\User. At some point during the session, however, the User key and all its subkeys disappear, leaving only the Events and Evidence keys.

    Any ideas? Have you seen this or something similar to it before? This is wreaking havoc in my environment and I haven’t managed to get to root cause despite several weeks of testing & troubleshooting.

    1. Hi Carl, we are now setting up a new Citrix XenApp 7.15 in our company; the application servers are running Windows 2016. We want to set up a company logo when the user logs into the published desktop, but can’t find a location to set this up. Do you have any suggestion for this?
