Group Policy Computer Settings for VDAs

Last Modified: Mar 15, 2021 @ 7:03 am

69 Comments

Navigation

💡 = Recently Updated

Change Log

Create Group Policy Objects

  1. Within Active Directory Users and Computers (dsa.msc), create a parent Organizational Unit (OU) to hold all VDA computer objects.
  2. Then create sub-OUs, one for each Delivery Group. The VDA computer objects for each Delivery Group should be placed in these sub-OUs. Notes:
    • The only objects that belong in these VDA OUs are the VDA computer accounts.
      • There’s no need to put any user accounts in these VDA OUs since Group Policy Loopback Processing mode will handle user settings.
      • The computer objects for the Citrix brokering infrastructure machines (Controllers, StoreFront, Director, etc.) should go in normal server OUs, and not in the VDA OUs.
    • Separate VDA sub-OUs for each Delivery Group lets you apply different GPO settings to each Delivery Group.
    • Grant Citrix Admins the permission to add computer objects to the VDA OUs.
    • Grant Citrix Admins the permission to link GPOs to the VDA OUs.
    • Master images should be placed in the VDA OUs so the VDA GPO Computer Settings can be burned into the master image. This avoids timing issues when non-persistent machines reboot and GPO settings haven’t applied yet.
  3. Move the VDAs from the Computers container to one of the Delivery Group OUs.
  4. Within Group Policy Management Console (gpmc.msc), create a Group Policy Object (GPO) called Citrix VDA Computer Settings, and link it to one of the Citrix OUs. This particular GPO usually applies to all Delivery Groups, and thus should be linked to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.

  5. On the left, click the new VDA Computer Settings GPO to highlight it.
  6. On the right, switch to the Details tab.
  7. Change the GPO Status drop-down to User configuration settings disabled. This GPO will only contain computer settings.

  8. Create and link two new Citrix-specific GPOs (in addition to the Citrix VDA Computer Settings GPO).
  9. One of the GPOs is called Citrix VDA All Users (including admins), and the other is called Citrix VDA Non-Admin Users (lockdown).


  10. Modify the Details page of both of these GPOs, and set GPO Status to Computer configuration settings disabled. These GPOs will only contain user settings.

  11. On the left, click the Citrix VDA Non-Admin Users GPO to highlight it.
  12. To delegate administration of this GPO to Citrix Admins:
    1. On the right, switch to the Delegation tab, and click Add.
    2. Find your Citrix Admins group, and click OK.
    3. In the Add Group or User window, change the Permissions to Edit settings, and click OK.
  13. To prevent the user lockdown GPO from applying to administrators:
    1. On the Delegation tab, click Advanced.
    2. On the top half, click the Citrix Admins group to highlight it.
    3. Scroll down to reveal the Apply Group Policy row, and then place a check mark in the Deny column.
    4. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins.
    5. Click OK to close the Security Settings window.
    6. Click Yes when asked to continue.
  14. To delegate the other two GPOs, add the Citrix Admins group with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

Windows Group Policy Templates

The latest Windows 10 GPO templates includes the GPO settings for Windows Server.

  1. Download the Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2).
  2. Run the downloaded Administrative Templates (.admx) for Windows 10 October 2020 Update.msi file.
  3. In the Welcome to the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, record the Location field since you’ll need to go there later.
  6. Click Next.
  7. In the Ready to install Administrative Templates (.admx) for Windows 10 November page, click Next.
  8. In the Completed the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Close.
  9. In File Explorer, go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2).
  10. Open the PolicyDefinitions folder.
  11. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and folders to the clipboard.
  12. Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder, then you can create it. Or copy the files to C:\Windows\PolicyDefinitions as detailed next.

    • If prompted, replace the existing files.
  13. If your Sysvol does not have a PolicyDefinitions folder, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.

See Group Policy Settings Reference Spreadsheet for Windows 10 October 2020 Update (20H2) for a spreadsheet containing all GPO settings in Windows.

The spreadsheet can be filtered to only show the newest settings.

Microsoft Edge (Chromium)

Download and install Microsoft Edge for Business on your VDA machines or Horizon Agent machines.

Installation and Configuration instructions can be found at Kasper Johansen Microsoft Edge in Citrix – Revamped. The article details group policies for Edge.

Avanite Roaming Edge Chromium details the folders that should be roamed by Citrix Profile Management (UPM) or VMware Dynamic Environment Manager (DEM).

Microsoft Teams

Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

This setting requires the latest Office GPO templates to be installed.

  • Edit a GPO that contains Computer Settings.
  • UpdatesComputer Configuration | Policies | Administrative Templates | Microsoft Office 2016 (Machine) | Updates
    • Don’t install Microsoft Teams with new installations or updates of Office = enabled

Prevent Microsoft Teams from starting automatically after installation. Set this GPO setting before you install Teams. This setting requires the latest Office GPO templates to be installed.

  • Edit a GPO that contains User Settings. These User Settings probably won’t apply unless you enable Group Policy Loopback Processing in a computer settings GPO.
  • TeamsUser Configuration | Policies | Administrative Templates | Microsoft Teams
    • Prevent Microsoft Teams from starting automatically after installation = enabled

Install Teams using the machine-based installer. See Manuel Winkel Install Teams & OneDrive in Citrix (Machine-Based)

  • The Machine-wide installer does not update itself. You must periodically download the latest version, uninstall the Machine-wide installer, and install the latest version.

Microsoft recommends excluding the Media-Stack folder from roaming. Add the exclusion for AppData\Roaming\Microsoft\Teams\media-stack\ to Citrix Profile Management’s Exclusion List – Directories setting.

If your VDAs don’t have GPUs, then disable GPU in Teams to reduce CPU. Citrix has a PowerShell script that can disable this setting for each user.

Microsoft FSLogix

Microsoft FSLogix

If you need to roam the user’s Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configure Microsoft FSLogix. FSLogix has more Office roaming features than Citrix Profile Management. A common architecture is to enable FSLogix Office Container for the Office cache files and use Citrix Profile Management for all other roaming profile files and registry keys.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

G0-EUC tested FSLogix Profile Container (not Office Container) and found that it reduces capacity by 27%. (source = The impact of managing user profiles with FSLogix)

Do the following to install Microsoft FSLogix on the VDA machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine. Here is some info on group policy configuration:

  1. The FSLogix .zip file contains fslogix.admx and fslogix.adml files for configuration of FSLogix through Group Policy. Copy these files to your PolicyDefinitions folder. The .adml file goes in the en-US folder.

  2. Find the settings in Group Policy Editor at Computer Configuration | Policies | Administrative Templates | FSLogix | Office 365 Containers. The Office 365 Containers node controls Office 365 Containers only. The Profile Containers node lets you configure the entire profile and not just Office 365. You can also configure both as detailed at FAQ: How to use Office 365 Containers and Profile Containers together.
  3. You’ll need a file share with appropriate permissions to store the Office containers.
  4. Set Virtual disk type to VHDX.
  5. The .vhdx files are thin provisioned and can grow up to the maximum Size in MBs, which defaults to 30 GB. It’s difficult to change this value later, so make sure it’s large enough for your Office users.
  6. Under Container and Directory Naming enable the setting Swap directory name components.
  7. Back in the Office 365 Containers node, review each of the Include settings and enable whichever data you want to include in the Office Container. More details at Configure Office Container at Microsoft Docs.
  8. Enable Store search database in Office 365 container.
    1. For Windows Server 2019 RDSH, don’t enable FSLogix Search Roaming since Windows 2019 has per-user Search that puts the Search Index in the user’s profile. However, many people have reported problems with Windows 2019 Search. It might be possible to disable the new per-user search and instead enable FSLogix search roaming. See CTX270433 Outlook Search Indexing Fails on Windows Server 2019 VDA.
    2. If Windows Server 2016 RDSH VDAs, then select Multi-user search.
    3. If Virtual Desktop VDAs, then select Single-user search. This means you’ll probably need different FSLogix GPOs for Multi-user VDAs vs Single-user VDAs.
    4. In Group Policy Editor, move up to the FSLogix node. On the right, enable the setting Enable search roaming and set it to Multi-user or Single-user. You have to enable two different Search Roaming settings. See CTP James Kindon FSLogix Containers – Search Index Considerations and Troubleshooting.

    5. Make sure the Windows Search service is set to Automatic and Running.
    6. You can use Group Policy Preferences to force WSearch to start.
    7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.
  9. In a Group Policy that applies to Citrix users, you might want to configure Cached Exchange Mode Sync Settings to reduce the size of the .ost files. You’ll need to install the Office GPO templates if you haven’t already. Then find the setting at User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (also applies to 365 and 2019) | Account Settings | Exchange | Cached Exchange Mode.

Other FSLogix Configurations and Links

Full Profile Container (not just Office):

OneDrive ADMX Template

See CTP James Rankin Managing OneDrive on Citrix Virtual Apps and Desktops 💡

Microsoft has a per-machine installation of the OneDrive sync client. To reduce the size of your roaming profiles, the per-machine install is strongly recommended over the normal per-user install of OneDrive.

To enable Files-on-demand, you’ll need the OneDrive ADMX Template.

  1. Go to a Windows 10 1709 or Windows Server 2019 or newer machine that has OneDrive installed.
  2. If machine-wide installation, go to C:\Program Files (x86)\Microsoft OneDrive.
    • If per-user installation, go to %localappdata%\Microsoft\OneDrive.
  3. Double-click the latest version.
  4. Then open the adm folder.
  5. Right-click the OneDrive.admx file and copy it.
  6. If your domain has PolicyDefinitions in SYSVOL (\\corp.local\sysvol\corp.local\Policies\PolicyDefinitions), paste the .admx file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the .admx file.
  7. Go back to the OneDrive files and copy OneDrive.adml.
  8. If your domain has a PolicyDefinitions central store in SYSVOL, paste the .adml file to the en-us folder in PolicyDefinitions in SYSVOL. en-US is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the .adml file. en-US is a subfolder of the PolicyDefinitions folder.

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Process tracking for Director

  • Audit Policy – Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

Idle Time to Lock Session

  • Security Options – Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
    • Interactive logon: Machine inactivity limit – Windows 8/2012 and newer – published desktops only – seconds of idle time before session locks

Control Panel

Teams

Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

This setting requires the Office GPO templates to be installed.

  • Updates – Computer Configuration | Policies | Administrative Templates | Microsoft Office 2016 (Machine) | Updates
    • Don’t install Microsoft Teams with new installations or updates of Office = enabled

Network

OneDrive Files-on-demand

For Windows 10 1709 and newer or Windows Server 2019 and newer. Make sure the OneDrive .admx file is installed first.

  • OneDrive – Computer Configuration | Policies | Administrative Templates | OneDrive
    • Use OneDrive Files On-Demand = enabled

Verbose Messages

  • System – Computer Configuration | Policies | Administrative Templates | System
    • Display highly detailed status messages = enabled. Windows 10. Shows what’s happening during logon.

Group Policy Settings

  • Group Policy – Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

Logon Settings

To get rid of the Windows 10 “we’re happy you’re here” message:

  • Logon – Computer Configuration | Policies | Administrative Templates | System | Logon
    • Show first sign-in animation = disabled
    • Show clear logon background = enabled – for Win10 1903 and newer – source = Citrix Discussions

DelayedDesktopSwitchTimeout. Create a Group Policy Preferences Registry Item (Computer Configuration | Preferences | Windows Settings | Registry) to set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout (REG_DWORD) = 2. On Windows 10, this might cause the desktop to appear sooner. (Source = VMware Communities)

Sven Huisman Windows 10 in non-persistent VDI – Login speed – part 1 has some additional group policy settings to speed up Windows 10 logon. Scroll down to the Group Policy section.

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Hard Disk Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Sleep Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Video and Display Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Remote Assistance – Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance

User Profiles Settings

  • User Profiles – Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled
    • Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds

Cloud Content

  • Cloud Content – Computer Configuration | Policies | Administrative Templates | Windows Components | Cloud Content   (Windows 10 1511 and newer)

File Explorer Settings

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 – Windows 8 and newer

  • File Explorer – Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Application – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • System – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Folder – Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs

Microsoft Account – Windows 10 (1703 and newer)

  • Microsoft account – Computer Configuration | Policies | Administrative Templates | Windows Components | Microsoft account
    • Block all consumer Microsoft account user authentication = Enabled

OneDrive Settings – Windows 10

  • OneDrive – Computer Configuration | Policies | Administrative Templates | Windows Components | OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Remote Desktop Services Settings

  • Connections – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Device and Resource Redirection – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Licensing – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
  • Remote Session Environment – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Remote Session Environment
  • Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Session Time Limits – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar

Search Settings – Windows 8.1 / 2012 R2, Windows 10

  • Search – Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Don’t search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings – Windows 8.1 / 2012 R2, Windows 10

Windows Update Settings

  • Windows Update – Computer Configuration | Policies | Administrative Templates |  Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled
  • Windows Update for Business – Computer Configuration | Policies | Administrative Templates |  Windows Components | Windows Update | Windows Update for Business
    • Select when Preview Builds and Feature Updates are received = Enabled, Semi-Annual Channel, 365 day deferral

Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.

James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana, disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines.

Or run the command gpupdate /force. Or wait 90 minutes.

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.

  1. See the instructions at https://www.carlstalhood.com/receiver-for-windows/#admx to copy the receiver.admx file to PolicyDefinitions.
  2. Edit the Citrix Computer Settings GPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
  4. Enable the setting.
  5. Check the top two boxes and click OK.

Next Steps

Group Policy Objects – VDA User Settings

69 thoughts on “Group Policy Computer Settings for VDAs”

  1. Carl, I apologize and I am sure you have answered this but I need some guidance. Currently when users switch between VDA servers Acrobat will constantly ask them to sign in. Only 2 servers they can log on to but everyday they are asked to sign in. Log them off Citrix, back on to the same server and again, asking to log in. Can you help guide me on what I am missing to make this work?

    Reply

    1. What roaming profile tool are you using? Are you excluding locations that Adobe uses, like AppData\Roaming\Adobe\SLData?

      Reply

      1. I believe Windows GPO under Citrix Profile Management. However we are using a NUL license so does that cause an issue? Is there a potential way around this?

        Reply

        1. Hey Mercer, not sure if you figured it out yet or not but I went through the same problem. The solution is rather simple, add these keys in the registry. Once done the user will be prompted to log in again and it will store the info in the user profile so it roams around.

          [HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Licensing\UserSpecificLicensing]”Enabled”=”1″ (REG_SZ)
          [HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Identity\UserSpecificIdentity]”Enabled”=”1″ (REG_SZ)

          Sournce – https://www.adobe.com/devnet-docs/acrobatetk/tools/VirtualizationGuide/citrix.html

          Reply

          1. I have not deep dived into this page before or those registry keys. I did make the changes to the keys but then users were not able to even log into Adobe. I will review more about this page those.

  2. Hi Carl, or anybody 🙂

    I’m looking for recommendations on migration of FSLogix profiles from W2K16 to W2K19 servers.
    We currently have a W2K16 farm, about 200 users with FSLogix profiles + ODFC, I’ve now setup new W2K19 servers, with all the same software (latest versions if available).
    Can I simply point the W2K19 servers to the same FSLogix folder, so that profiles are re-used (and worst-case scenario, also the other way round, should we want to fall back to W2K16)?

    Or should I simply create a new file share and migrate only the needed configuration? I.e. let user logon to W2K19 server with a fresh profile, via script mount their W2K16 VHDX, copy the needed files(/registry settings) and dismount the VHDX again?

    Already did some first tests with test-accounts, simply pointing to the W2K16 profile and didn’t get any errors, but would like confirmation if anybody did that before.
    Thanks!
    Peter

    Reply

    1. They both use .v6 profiles so they’ll probably work, just like profiles work after a Windows 10 version upgrade.

      The World of EUC Slack team has an active FSLogix channel.

      Reply

  3. Hello, I have a frozen “welcome screen” when users reconnect to their published desktop. (OS Servers 2016).
    We have Ivanti, app layering.
    DelayedDesktopSwitchTimeout key?
    ApplicationLaunchWaitTimeoutMS key?

    Reply

  4. Hello Carl,

    we are preparing a new master with W10 1909 and now have the problem that our Startup Script (*.cmd) which is working with our 1803 master are not executed on 1909 – the error in GPO Result is “The system can not find the stated file” (german translation)

    we call the startup command file from Networkshare: \\Fileserver\Skripts$\W10XDSTARTUP.cmd

    there are the same Policy but I cannot find the problem – any ideas?

    are ther more restriced settings/policy in 1909 which I have to take care?

    robert

    Reply

    1. Computer script? Or user script?

      Try doing a procmon during logon and search for that script to see the issue.

      Reply

  6. Hi

    We are trying to implement FSLogix in our VMWare Horizon environment. Setup is simple, FSLogix agent, Instant Clone pool and a share for the VHDX files. When implementing the redirections.xml configuration with a GPO, the user profile is unable to get reattached (Status 0x00000017 Reason: 0x00000000 Error Code: 0x0000000D). If we do not implement the redirection.xml, we do not have that issue. I’ve tried with an empty XML only containing the following:

    But we are still getting the error. So here are the scenarios:

    1. New VHDX, no redirections.xml, it works. Sign-out and sign-in, still works.

    2. New VHDX, redirections.xml, first sign in works, sign-out and sign-in, User profile failed to attach. After that, even when I remove the redirections.xml GPO, the VHDX is unusable.

    Thank you

    Dash

    Reply

    1. FSLogix policy settings are burned into the registry and removing the GPO does not remove the setting. You have to look in HKLM\Software\FSLogix\Profile to find the registry key.

      Anything interesting in C:\Programdata\FSLogix\Logs\Profile?

      Reply

  7. Hi Carl,

    Thanks for all your helpful information. Just a note to say that in the latest OneDrive ADMX file as of 17/09/20 the option for OneDrive Files on Demand is now called “Use OneDrive Files On-Demand” rather than “Enable OneDrive Files on Demand”.

    Reply

  8. HI Carl,

    we are using OneDrive with FSLogix for Citrix server Desktops and we configured folder redirection policy through GPO to redirect document and downloads to OneDrive but it is not working. could you please suggest correct settings.

    Reply

  9. the link for the FXLogix exclusions seems to lead no where that they provide adn clear definded list

    Reply

    1. Are you referring to the Antivirus exclusions. That seems to be an old link that is no longer valid. I just removed it. Thanks for pointing it out.

      Reply

  10. Hi Carl, made the switch to FSLogix. Love the product, but see one major flaw. It does not retain user printers after they set them. Can you guide me on a workable solution for this?

    Reply

      1. Yes, but I have that policy configured. We provide a VDI to our users. There local printers are mapped, but they are also able to map certain printers on their VDI. The printers they map on the VDI are the ones not being retained by the FSlogix profile

        Reply

  11. Hi Carl – so we are running into an issue with session lock ups. This seems to happen when only accessing Citrix from external network sources. I am running XenApp 7.15 LTSR on Windows 2016 VDA’s We are utilizing F5 LB but right now they are not hitting the F5 externally.
    User seem to be working fine for 5 to 10 minutes then sessions lock and they are no longer able to access the published application. Only resetting session clears.
    Wondering if there is something you know of that could be causing session locks or somewhere to check to see what could be the issue.

    Reply

    1. Can you run other applications (e.g Notepad) in the same session? Need to determine if the whole session is locked, or just the app.

      Reply

      1. According to the users experiencing these issues is the whole session. So if user has two applications running both applications are in a locked state

        Reply

      2. I was able to reproduce this issue. Seems sessions lock up after 2 to 3 minute period of idle time. It locks up all applications I have open. Is there a policy I do not have set correctly? I followed your policy setting almost to the letter with regard to time out session. I followed the settings for Application presentation that applied to my environment.

        Reply

        1. Is there any NAT or other security device between the user and the Horizon Agent? Maybe one of those devices has a short timeout for TCP/UDP connections.

          For external users, how are you proxying the ICA connection?

          Reply

          1. Hi Carl,

            When the user session is idle for 15 mins application went locked state,Citrix session is locked not the local machine,can you helpe to fix it?
            Iam using 7.15 CU2 environment

          1. Hi Mohanraj -I believe the issue to be a Network driver on our particular laptops. We have Dell Lattitude E4740’s. We don’t have issues with other types of hardware like Microsoft Surface laptops. If you do use Dell laptops update the Wireless drivers to latest Intel driver. (Also use the INTEL driver). Also make sure the following

            Wireless Properites
            Advanced Tab
            802.11a/b/g Wireless Mode – 5. Dual Band 802.11a/g/\
            Preferred Band – 3 Prefer 5GHZ

            Also
            Power Management Tab
            Uncheck “Allow the computer to turn off this device to save power”

  12. Great article(s) – you are a true lifesaver! Maybe you can help me one more time 😉 Sometimes my users get an error saying they need the right to sign in through remote desktop services when starting an app on VDA 7.15. My delivery controllers are both configured and activated Windows Server 2016 licensing servers, even the GPO is configured to contact them for per User CALs. Basic troubleshooting and license diagnosing says all fine and it doesn’t happen all the time, just sometimes and on different servers. We don’t use MCS or PVS, all servers are running Windows Server 2016 and VDA 7.15LTSR is in use. Do you have any idea how to get this right?

    Reply

    1. If it’s an RDS Licensing problem, then there are normally events in Event Viewer when licensing is not working.

      The same symptom might happen if you run out of Citrix licenses.

      Reply

  13. Hello Carl, we are still in the build phase of our new environment and made the decision to move the Citrix Computer and User policies in Active Directory instead of storing them in the SQL Database. The problem I can’t seem to figure out is that I do not see those policies in the registry or on the linked clones. Where would those be written to in the VDA and Master templates’ registry?

    Reply

    1. I think they only apply when you perform a Citrix connection. Then you should see them under HKLM\Software\Policies\Citrix. Some will be under HDX nodes. Others will be under the nodes that are numbered based on session ID.

      Reply

      1. I do know about the registry key that would show under .\Policies\Citrix then folders named after the session ID but nothing of the sort matches up. I did find a folder named “2” that had my session info but on the server I am session 12. Either way, I do not see any of our policies applying in the folder.

        Reply

      2. Does the Group Policy Management console need to be installed on a delivery controller for managing the Citrix policies in Active Directory? In Active directory using GPMC, I picked the user portion of Citrix Policies and wanted to apply a Citrix policy to a delivery group using the Delivery Group filtering. When I attempted to do that, I typed in the name of the DDC and it prompted me for Citrix Cloud credentials. After getting passed that, I got a drop-down box to see the names of the Delivery Groups. Nothing is listed and I cannot manually type it in. Is what I am attempting to perform a supported operation?

        Reply

      3. We have opened a case with Citrix on this issue. Policies are not applying to the VDAs using GPO. If we set the policies in the Studio console to store in the SQL Database, that works. According to Citrix , we have everything setup correctly and meeting the criteria. We have a single GPO that only contains Citrix policies only. We have full control to that policy as well as Group Policy Modeling permissions and they do not seem to apply. We have confirmed the permissions are set correctly on the policy itself for delegation and scope. Now it is just trying to figure out how to capture the logging in process to see where it skips the policy or refuses to apply it. BTW – this is not even working for the Unfiltered policy set in the GPO.

        Reply

      4. I was able to figure it out as to why the policies set in GPO were not applying. At our top level Citrix OU, we have inheritance turned off. The users reside in a different OU not in the Citrix OU’s. We forgot to enable Group Loopback Processing in the GPO and that corrected our issue.

        Reply

  14. Hi Carl,

    Can the Remote Desktop Services settings apply to Windows 10 too?

    I am also doing dedicated full desktop for Windows 10, any specific settings from there that could help for that setup?

    Would this work – Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts) as I plan to use Appsense and Local Profiles and Personalization on Persistent Desktop.

    Many thanks in advanced.

    Reply

  15. Hi Carl. I have XenApp 7.15 with Windows 2016 VDA Shared Desktops. I configured the GPO Interactive logon: Machine inactivity limit, but only works if the conection is via RDP. No works over ICA.

    Any suggest?

    Reply

  16. Hi Carl,

    I have a scenario in my VDI environment. I uninstalled OneDrive 17.x and installed 18.x version in my master image and when publishing a non-persistent desktop pool using it, on every user launch, version 17.x gets installed again in it as a fresh setup.

    It starts automatically and I noticed in the Windows startup “Microsoft OneDrive Setup” on user session launch under Task Manager -> Startup.

    I need version 18.x for on-demand feature and be available to take the user login configuration automatically on launch.

    Your inputs will surely help.

    Regards,
    Pravin

    Reply

  17. hi carl,

    I have Xenapp 7.13 with one controller and three separate VDAs. there is a problem with the VDA server. every user accesses the published application, the user automatically becomes the local administrator group on the VDA server so that the user can remote desktop the VDA server. please help me..

    Reply

    1. If you run Group Policy Results, it should show you which GPO is adding users to the local administrators group. Citrix does not do that, so it has to be something else.

      Reply

  18. Carl and others,
    Does the event log policy create the folder or does that need to be pre-created. Also how does this work for custom logs from an application under application logs. For example if I have an app that writes its log under applications and services (win2k16) How do I redirect that? Does the policy allow me to create a custom entry. Forgive me if these are newbie questions.

    Reply

  19. Hi Carl,

    is it possible to save or store the event logs to some kind of persistent storage (like a persistent disk for PvS, for example) when I want to provide non persistent VDAs (Server VDAs in my case) with MCS?
    In case it is possible, how should I do that?

    Thanks

    Ewald

    Reply

  20. Hey Carl, pasting the Win10 1803 objects to C:\Windows\Policy Definitions won’t allow overwrite even logged in as the default admin and running Explorer as an admin. The individual policy objects in the folder do not inherit parent permissions. I am assuming that I would need to do this on any domain controller or build a central store. What do you recommend? Thanks.

    Reply

  21. Hello carl, digging through my huge mess of GPO’s and seems like my event log redirection GPO is not working correctly, seems like every night the logs get refreshed, I have a GPO that creates the folder on E:\ and then redirects the event logs, Every night when the machine reboots that’s when the logs get created for the first time so I only have one days worth of logs. Do have an idea of what to check? thanks in advance

    Reply

  22. Carl,

    Don’t see any mention this this issue for Windows 10/2016 server OS VDA’s in regards to XenApp 7.XX;

    https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows

    Seems with latest updates to 2016, Microsoft has created per user Services, which flood the event log and show pop-up errors to users on XenApp on occasion.

    “Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account – this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks”

    There a best practice for this yet?

    Reply

  23. Excellent post.
    So I found this post as I was facing issues with XA7.13 running on Windows 2016.
    Cortana and SearchUI are filling the event logs full of errors when a user log into the Desktop.
    Event ID’s 1000, 5973, 10, are showing numerous times.

    Also, left clicking on the start menu brings up nothing which of course is a problem but right clicking does bring up the context menu.
    I have disabled redirecting the start menu but that didn’t seem to help.

    So far I haven’t found much. Any ideas?
    Thanks!

    Reply

  24. Thank you very much for this Carl and all the excellent articles on your site, you should include a Donate button somewhere on your front page as you are making a lot of peoples lives a lot easier….

    Reply

  25. Hi Carl,

    Now that I solved my issue with a parent domain policy not applying in a XA76/2012R2 context, I find that your advice “make sure the VDA computer has read permission on the policy” is clear and sufficient but at first glance I must admit I did not see it as clearly as now 😉

    The issue I had led me to this article https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which describes in details why in a certain scenario, some policies may no longer apply after having installed a security patch.

    Have a great day !

    Yvan

    Reply

  26. Hello Carl,
    Hope you are doing well and thanks for the instructions.
    I just want to know if three policies above will be the same to all the OU’s? I.E. RDSH as well as VDI’s?
    Thanks,
    Pavan

    Reply

    1. For the most part, yes. There are some minor differences (e.g. delete cached profiles on logoff). If a setting doesn’t apply to a particular VDA, there’s usually no harm in applying it. I usually have a parent OU for common settings (everything in this article) and sub-OUs for Delivery Group-specific settings.

      Reply

      1. Thanks Carl. The GPO applied to the parent OU applies to all the sub OU’S as it has been applied at the top level? If you say delivery group specific settings will that be application related?

        Reply

  27. Great Article . I dont know how I would survive without these easy to use guides. One question though.. do we have a tuning/optimization GPO for Xenapp 7.6 like we have had in the past ie. 6.5? setting like TCPMasDataRetransmissions etc for windows server 2012/R2

    Reply

Leave a Reply to gdlg3 Cancel reply