Group Policy Objects – VDA Computer Settings

Last Modified: Aug 11, 2019 @ 7:50 am


ūüí° = Recently Updated

Change Log

Create Group Policy Objects

  1. Within Active Directory Users and Computers (dsa.msc), create a parent Organizational Unit (OU) to hold all VDA computer objects.
  2. Then create sub-OUs, one for each Delivery Group. The VDA computer objects for each Delivery Group should be placed in these sub-OUs. Notes:
    • The only objects that belong in these VDA OUs are the VDA computer accounts.
      • There’s no need to put any user accounts in these VDA OUs since Group Policy Loopback Processing mode will handle user settings.
      • The computer objects for the Citrix brokering infrastructure machines (Controllers, StoreFront, Director, etc.) should go in normal server OUs, and not in the VDA OUs.
    • Separate VDA sub-OUs for each Delivery Group lets you apply different GPO settings to each Delivery Group.
    • Grant Citrix Admins the permission to add computer objects to the VDA OUs.
    • Grant Citrix Admins the permission to link GPOs to the VDA OUs.
    • Master images should be placed in the VDA OUs so the VDA GPO Computer Settings can be burned into the master image. This avoids timing issues when non-persistent machines reboot and GPO settings haven’t applied yet.
  3. Move the VDAs from the Computers container to one of the Delivery Group OUs.
  4. Within Group Policy Management Console (gpmc.msc), create a Group Policy Object (GPO) called Citrix VDA Computer Settings, and link it to one of the Citrix OUs. This particular GPO usually applies to all Delivery Groups, and thus should be linked to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.

  5. On the left, click the new VDA Computer Settings GPO to highlight it.
  6. On the right, switch to the Details tab.
  7. Change the GPO Status drop-down to User configuration settings disabled. This GPO will only contain computer settings.

  8. Create and link two new Citrix-specific GPOs (in addition to the Citrix VDA Computer Settings GPO).
  9. One of the GPOs is called Citrix VDA All Users (including admins), and the other is called Citrix VDA Non-Admin Users (lockdown).

  10. Modify the Details page of both of these GPOs, and set GPO Status to Computer configuration settings disabled. These GPOs will only contain user settings.

  11. On the left, click the Citrix VDA Non-Admin Users GPO to highlight it.
  12. To delegate administration of this GPO to Citrix Admins:
    1. On the right, switch to the Delegation tab, and click Add.
    2. Find your Citrix Admins group, and click OK.
    3. In the Add Group or User window, change the Permissions to Edit settings, and click OK.
  13. To prevent the user lockdown GPO from applying to administrators:
    1. On the Delegation tab, click Advanced.
    2. On the top half, click the Citrix Admins group to highlight it.
    3. Scroll down to reveal the Apply Group Policy row, and then place a check mark in the Deny column.
    4. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins.
    5. Click OK to close the Security Settings window.
    6. Click Yes when asked to continue.
  14. To delegate the other two GPOs, add the Citrix Admins group with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

Windows 1903 Group Policy Templates

  1. Download the Administrative Templates (.admx) for Windows 10 May 2019 Update (1903). ūüí°
  2. Run the downloaded Administrative Templates (.admx) for Windows 10 May 2019 Update.msi file.
  3. In the Welcome to the Administrative Templates (ADMX) for Windows 10 October 2018 Update Setup Wizard page, click Next.
  4. In the Select Installation Folder page:
    1. Copy the installation Folder to your clipboard. You need to go to this location later.
    2. Select Everyone.
  5. Click Next.
  6. In the Confirm Installation page, click Next.
  7. In the Installation Complete page, click Close.
  8. Go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903).
  9. Open the PolicyDefinitions folder.
  10. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and folders to the clipboard.
  11. Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder, then you can create it. Or copy the files to C:\Windows\PolicyDefinitions as detailed next.

    • If prompted, replace the existing files.
  12. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.

See Group Policy Settings Reference Spreadsheet Windows 1809 for a spreadsheet containing all GPO settings in Windows.

The spreadsheet can be filtered to only show the newest settings.

OneDrive ADMX Template

Microsoft is previewing a per-machine installation of the OneDrive sync client. The per-machine install is strongly recommended over the normal per-user install of OneDrive.

To enable Files-on-demand, you’ll need the OneDrive ADMX Template.

  1. Go to a Windows 10 1709 or newer machine that has OneDrive installed.
  2. Go to %localappdata%\Microsoft\OneDrive. Double-click the latest version. Then open the adm folder.
  3. Right-click the OneDrive.admx file and copy it.
  4. If your domain has PolicyDefinitions in SYSVOL (\\corp.local\sysvol\corp.local\Policies\PolicyDefinitions), paste the .admx file there.

    • If you don‚Äôt have SysVol PolicyDefinitions, then go to¬†C:\Windows\PolicyDefinitions¬†and paste the .admx file.
  5. Go back to the OneDrive files and copy OneDrive.adml.
  6. If your domain has a PolicyDefinitions central store in SYSVOL, paste the .adml file to the en-us folder in PolicyDefinitions in SYSVOL. en-US is a subfolder of the PolicyDefinitions folder.

    • If you don‚Äôt have SysVol PolicyDefinitions,, then go to¬†C:\Windows\PolicyDefinitions\en-US¬†and paste the .adml file. en-US is a subfolder of the¬†PolicyDefinitions¬†folder.

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Idle Time to Lock Session

  • Security Options – Computer Configuration | Policies |¬†Windows Settings| Security Settings | Local Policies | Security Options
    • Interactive logon: Machine inactivity limit – Windows 8/2012 and newer – published desktops only – seconds of idle time before session locks

Control Panel


OneDrive Files-on-demand

For Windows 10 1709 and newer. Make sure the OneDrive .admx file is installed first.

  • OneDrive – Computer Configuration | Policies | Administrative Templates | OneDrive
    • Enable OneDrive Files On-Demand¬†= enabled

Verbose Messages

  • System – Computer Configuration | Policies | Administrative Templates | System
    • Display highly detailed status messages = enabled. Windows 10. Shows what’s happening during logon.

Group Policy Settings

  • Group Policy – Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

Logon Settings

To get rid of the Windows 10 “we’re happy you’re here” message:

  • Logon – Computer Configuration | Policies | Administrative Templates | System |¬†Logon
    • Show first sign-in animation =¬†disabled

DelayedDesktopSwitchTimeout. Create a Group Policy Preferences Registry Item (Computer Configuration | Preferences | Windows Settings | Registry) to set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout (REG_DWORD) = 2. On Windows 10, this might cause the desktop to appear sooner. (Source = VMware Communities)

Sven Huisman Windows 10 in non-persistent VDI ‚Äď Login speed ‚Äď part 1 has some additional group policy settings to speed up Windows 10 logon. Scroll down to the Group Policy section.

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Hard Disk Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Sleep Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Video and Display Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Remote Assistance – Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance

User Profiles Settings

  • User Profiles – Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled
    • Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds

Cloud Content

  • Cloud Content – Computer Configuration | Policies | Administrative Templates | Windows Components |¬†Cloud Content ¬† (Windows 10 1511 and newer)

File Explorer Settings

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 РWindows 8 and newer

  • File Explorer – Computer Configuration | Policies | Administrative Templates | Windows Components |¬†File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Application – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • System – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Folder – Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs

Microsoft Account – Windows 10 (1703 and newer)

  • Microsoft account –¬†Computer Configuration | Policies | Administrative Templates | Windows Components | Microsoft account
    • Block all consumer Microsoft account user authentication = Enabled

OneDrive¬†Settings ‚Äď Windows¬†10

  • OneDrive – Computer Configuration | Policies | Administrative Templates | Windows Components |¬†OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Remote Desktop Services Settings

  • Connections – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Device and Resource Redirection – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Licensing – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
  • Remote Session Environment –¬†Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host |¬†Remote Session Environment
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Session Time Limits – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar

Search Settings ‚Äď Windows 8.1 / 2012 R2, Windows 10

  • Search – Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Don‚Äôt search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings ‚Äď Windows 8.1 / 2012 R2, Windows 10

Windows Update Settings

  • Windows Update – Computer Configuration | Policies | Administrative Templates | ¬†Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled
  • Windows Update for Business – Computer Configuration | Policies | Administrative Templates | ¬†Windows Components | Windows Update | Windows Update for Business
    • Select when Preview Builds and Feature Updates are received¬†= Enabled, Semi-Annual Channel, 365 day deferral

Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.

James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana, disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines.

Or run the command gpupdate /force. Or wait 90 minutes.

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.

  1. See the instructions at to copy the receiver.admx file to PolicyDefinitions.
  2. Edit the Citrix Computer Settings GPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
  4. Enable the setting.
  5. Check the top two boxes and click OK.

Next Steps

Group Policy Objects – VDA User Settings

39 thoughts on “Group Policy Objects – VDA Computer Settings”

  1. Hi Carl – so we are running into an issue with session lock ups. This seems to happen when only accessing Citrix from external network sources. I am running XenApp 7.15 LTSR on Windows 2016 VDA’s We are utilizing F5 LB but right now they are not hitting the F5 externally.
    User seem to be working fine for 5 to 10 minutes then sessions lock and they are no longer able to access the published application. Only resetting session clears.
    Wondering if there is something you know of that could be causing session locks or somewhere to check to see what could be the issue.

    1. Can you run other applications (e.g Notepad) in the same session? Need to determine if the whole session is locked, or just the app.

      1. According to the users experiencing these issues is the whole session. So if user has two applications running both applications are in a locked state

      2. I was able to reproduce this issue. Seems sessions lock up after 2 to 3 minute period of idle time. It locks up all applications I have open. Is there a policy I do not have set correctly? I followed your policy setting almost to the letter with regard to time out session. I followed the settings for Application presentation that applied to my environment.

        1. Is there any NAT or other security device between the user and the Horizon Agent? Maybe one of those devices has a short timeout for TCP/UDP connections.

          For external users, how are you proxying the ICA connection?

  2. Great article(s) – you are a true lifesaver! Maybe you can help me one more time ūüėČ Sometimes my users get an error saying they need the right to sign in through remote desktop services when starting an app on VDA 7.15. My delivery controllers are both configured and activated Windows Server 2016 licensing servers, even the GPO is configured to contact them for per User CALs. Basic troubleshooting and license diagnosing says all fine and it doesn’t happen all the time, just sometimes and on different servers. We don’t use MCS or PVS, all servers are running Windows Server 2016 and VDA 7.15LTSR is in use. Do you have any idea how to get this right?

    1. If it’s an RDS Licensing problem, then there are normally events in Event Viewer when licensing is not working.

      The same symptom might happen if you run out of Citrix licenses.

  3. Hello Carl, we are still in the build phase of our new environment and made the decision to move the Citrix Computer and User policies in Active Directory instead of storing them in the SQL Database. The problem I can’t seem to figure out is that I do not see those policies in the registry or on the linked clones. Where would those be written to in the VDA and Master templates’ registry?

    1. I think they only apply when you perform a Citrix connection. Then you should see them under HKLM\Software\Policies\Citrix. Some will be under HDX nodes. Others will be under the nodes that are numbered based on session ID.

      1. I do know about the registry key that would show under .\Policies\Citrix then folders named after the session ID but nothing of the sort matches up. I did find a folder named “2” that had my session info but on the server I am session 12. Either way, I do not see any of our policies applying in the folder.

      2. Does the Group Policy Management console need to be installed on a delivery controller for managing the Citrix policies in Active Directory? In Active directory using GPMC, I picked the user portion of Citrix Policies and wanted to apply a Citrix policy to a delivery group using the Delivery Group filtering. When I attempted to do that, I typed in the name of the DDC and it prompted me for Citrix Cloud credentials. After getting passed that, I got a drop-down box to see the names of the Delivery Groups. Nothing is listed and I cannot manually type it in. Is what I am attempting to perform a supported operation?

      3. We have opened a case with Citrix on this issue. Policies are not applying to the VDAs using GPO. If we set the policies in the Studio console to store in the SQL Database, that works. According to Citrix , we have everything setup correctly and meeting the criteria. We have a single GPO that only contains Citrix policies only. We have full control to that policy as well as Group Policy Modeling permissions and they do not seem to apply. We have confirmed the permissions are set correctly on the policy itself for delegation and scope. Now it is just trying to figure out how to capture the logging in process to see where it skips the policy or refuses to apply it. BTW – this is not even working for the Unfiltered policy set in the GPO.

      4. I was able to figure it out as to why the policies set in GPO were not applying. At our top level Citrix OU, we have inheritance turned off. The users reside in a different OU not in the Citrix OU’s. We forgot to enable Group Loopback Processing in the GPO and that corrected our issue.

  4. Hi Carl,

    Can the Remote Desktop Services settings apply to Windows 10 too?

    I am also doing dedicated full desktop for Windows 10, any specific settings from there that could help for that setup?

    Would this work – Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts) as I plan to use Appsense and Local Profiles and Personalization on Persistent Desktop.

    Many thanks in advanced.

  5. Hi Carl. I have XenApp 7.15 with Windows 2016 VDA Shared Desktops. I configured the GPO Interactive logon: Machine inactivity limit, but only works if the conection is via RDP. No works over ICA.

    Any suggest?

  6. Hi Carl,

    I have a scenario in my VDI environment. I uninstalled OneDrive 17.x and installed 18.x version in my master image and when publishing a non-persistent desktop pool using it, on every user launch, version 17.x gets installed again in it as a fresh setup.

    It starts automatically and I noticed in the Windows startup “Microsoft OneDrive Setup” on user session launch under Task Manager -> Startup.

    I need version 18.x for on-demand feature and be available to take the user login configuration automatically on launch.

    Your inputs will surely help.


  7. hi carl,

    I have Xenapp 7.13 with one controller and three separate VDAs. there is a problem with the VDA server. every user accesses the published application, the user automatically becomes the local administrator group on the VDA server so that the user can remote desktop the VDA server. please help me..

    1. If you run Group Policy Results, it should show you which GPO is adding users to the local administrators group. Citrix does not do that, so it has to be something else.

  8. Carl and others,
    Does the event log policy create the folder or does that need to be pre-created. Also how does this work for custom logs from an application under application logs. For example if I have an app that writes its log under applications and services (win2k16) How do I redirect that? Does the policy allow me to create a custom entry. Forgive me if these are newbie questions.

  9. Hi Carl,

    is it possible to save or store the event logs to some kind of persistent storage (like a persistent disk for PvS, for example) when I want to provide non persistent VDAs (Server VDAs in my case) with MCS?
    In case it is possible, how should I do that?



  10. Hey Carl, pasting the Win10 1803 objects to C:\Windows\Policy Definitions won’t allow overwrite even logged in as the default admin and running Explorer as an admin. The individual policy objects in the folder do not inherit parent permissions. I am assuming that I would need to do this on any domain controller or build a central store. What do you recommend? Thanks.

  11. Hello carl, digging through my huge mess of GPO’s and seems like my event log redirection GPO is not working correctly, seems like every night the logs get refreshed, I have a GPO that creates the folder on E:\ and then redirects the event logs, Every night when the machine reboots that’s when the logs get created for the first time so I only have one days worth of logs. Do have an idea of what to check? thanks in advance

  12. Carl,

    Don’t see any mention this this issue for Windows 10/2016 server OS VDA’s in regards to XenApp 7.XX;

    Seems with latest updates to 2016, Microsoft has created per user Services, which flood the event log and show pop-up errors to users on XenApp on occasion.

    “Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account – this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks”

    There a best practice for this yet?

  13. Excellent post.
    So I found this post as I was facing issues with XA7.13 running on Windows 2016.
    Cortana and SearchUI are filling the event logs full of errors when a user log into the Desktop.
    Event ID’s 1000, 5973, 10, are showing numerous times.

    Also, left clicking on the start menu brings up nothing which of course is a problem but right clicking does bring up the context menu.
    I have disabled redirecting the start menu but that didn’t seem to help.

    So far I haven’t found much. Any ideas?

  14. Thank you very much for this Carl and all the excellent articles on your site, you should include a Donate button somewhere on your front page as you are making a lot of peoples lives a lot easier….

  15. Hi Carl,

    Now that I solved my issue with a parent domain policy not applying in a XA76/2012R2 context, I find that your advice “make sure the VDA computer has read permission on the policy” is clear and sufficient but at first glance I must admit I did not see it as clearly as now ūüėČ

    The issue I had led me to this article which describes in details why in a certain scenario, some policies may no longer apply after having installed a security patch.

    Have a great day !


  16. Hello Carl,
    Hope you are doing well and thanks for the instructions.
    I just want to know if three policies above will be the same to all the OU’s? I.E. RDSH as well as VDI’s?

    1. For the most part, yes. There are some minor differences (e.g. delete cached profiles on logoff). If a setting doesn’t apply to a particular VDA, there’s usually no harm in applying it. I usually have a parent OU for common settings (everything in this article) and sub-OUs for Delivery Group-specific settings.

      1. Thanks Carl. The GPO applied to the parent OU applies to all the sub OU’S as it has been applied at the top level? If you say delivery group specific settings will that be application related?

  17. Great Article . I dont know how I would survive without these easy to use guides. One question though.. do we have a tuning/optimization GPO for Xenapp 7.6 like we have had in the past ie. 6.5? setting like TCPMasDataRetransmissions etc for windows server 2012/R2

Leave a Reply