Navigation
- Change Log
- Create Group Policy Objects (GPOs)
- Windows 1909 Group Policy ADMX Templates 💡
- OneDrive ADMX Template
- Group Policy Computer Settings for VDAs
- VDA Receiver Configuration
- Group Policy User Settings for VDAs (separate article)
💡 = Recently Updated
Change Log
- 2019 Nov 27 – updated Windows GPO ADMX Templates for Windows 10 1909
- 2019 Aug 11 – updated Windows GPO ADMX Templates for Windows 10 1903
- 2019 Mar 24 – OneDrive – added link to per-machine install instead of per-user install
- 2018 Dec 1 – updated Windows GPO ADMX Templates for Windows 10 1809
- 2018 July 1 – Computer GPO Settings – added display highly detailed status messages
- Added DelayedDesktopSwitchTimeout = 2, to cause the desktop to appear sooner. (Source = VMware Communities
- 2018 June 11 – Computer GPO Settings – added OneDrive Files On-Demand, and OneDrive .admx file
- 2018 May 25 – Computer GPO Settings – added Interactive logon: Machine inactivity limit
- 2018 May 14 – Windows GPO ADMX Templates, added searchocr.adml fix from SearchOCR.ADMX error after installing Win10-1803 ADMX templates at TechNet Forums
- 2018 May 5 – updated Windows GPO ADMX Templates for Windows 10 1803
- 2018 Apr 1 – in Computer Settings section, added Select when Preview Builds and Feature Updates are received
- 2018 Feb 9 – in Computer Settings section, added Network setting from CTX232340 Windows 10 PVS target devices experience poor performance
- 2018 Jan 28 – in Computer Settings section, added Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds (Source = MasterXen at “Please wait for User Profile Services” – Logon delay)
- 2018 Jan 20 – in Create GPOs section, added note that master images should be moved to VDA OUs
Create Group Policy Objects
- Within Active Directory Users and Computers (dsa.msc), create a parent Organizational Unit (OU) to hold all VDA computer objects.
- Then create sub-OUs, one for each Delivery Group. The VDA computer objects for each Delivery Group should be placed in these sub-OUs. Notes:
- The only objects that belong in these VDA OUs are the VDA computer accounts.
- There’s no need to put any user accounts in these VDA OUs since Group Policy Loopback Processing mode will handle user settings.
- The computer objects for the Citrix brokering infrastructure machines (Controllers, StoreFront, Director, etc.) should go in normal server OUs, and not in the VDA OUs.
- Separate VDA sub-OUs for each Delivery Group lets you apply different GPO settings to each Delivery Group.
- Grant Citrix Admins the permission to add computer objects to the VDA OUs.
- Grant Citrix Admins the permission to link GPOs to the VDA OUs.
- Master images should be placed in the VDA OUs so the VDA GPO Computer Settings can be burned into the master image. This avoids timing issues when non-persistent machines reboot and GPO settings haven’t applied yet.
- The only objects that belong in these VDA OUs are the VDA computer accounts.
- Move the VDAs from the Computers container to one of the Delivery Group OUs.
- Within Group Policy Management Console (gpmc.msc), create a Group Policy Object (GPO) called Citrix VDA Computer Settings, and link it to one of the Citrix OUs. This particular GPO usually applies to all Delivery Groups, and thus should be linked to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.
- On the left, click the new VDA Computer Settings GPO to highlight it.
- On the right, switch to the Details tab.
- Change the GPO Status drop-down to User configuration settings disabled. This GPO will only contain computer settings.
- Create and link two new Citrix-specific GPOs (in addition to the Citrix VDA Computer Settings GPO).
- One of the GPOs is called Citrix VDA All Users (including admins), and the other is called Citrix VDA Non-Admin Users (lockdown).
- Modify the Details page of both of these GPOs, and set GPO Status to Computer configuration settings disabled. These GPOs will only contain user settings.
- On the left, click the Citrix VDA Non-Admin Users GPO to highlight it.
- To delegate administration of this GPO to Citrix Admins:
- On the right, switch to the Delegation tab, and click Add.
- Find your Citrix Admins group, and click OK.
- In the Add Group or User window, change the Permissions to Edit settings, and click OK.
- On the right, switch to the Delegation tab, and click Add.
- To prevent the user lockdown GPO from applying to administrators:
- On the Delegation tab, click Advanced.
- On the top half, click the Citrix Admins group to highlight it.
- Scroll down to reveal the Apply Group Policy row, and then place a check mark in the Deny column.
- If desired, you can also deny the GPO to Domain Admins and Enterprise Admins.
- Click OK to close the Security Settings window.
- Click Yes when asked to continue.
- On the Delegation tab, click Advanced.
- To delegate the other two GPOs, add the Citrix Admins group with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
Windows 1909 Group Policy Templates
- Download the Administrative Templates (.admx) for Windows 10 November 2019 Update (1909). 💡
- Run the downloaded Administrative Templates (.admx) for Windows 10 November 2019 Update.msi file.
- In the Welcome to the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Custom Setup page, record the Location field since you’ll need to go there later.
- Click Next.
- In the Ready to install Administrative Templates (.admx) for Windows 10 November page, click Next.
- In the Completed the Administrative Templates (.admx) for Windows 10 November 2019 Update Setup Wizard page, click Close.
- In File Explorer, go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909).
- Open the PolicyDefinitions folder.
- Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files and folders to the clipboard.
- Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder, then you can create it. Or copy the files to C:\Windows\PolicyDefinitions as detailed next.
- If prompted, replace the existing files.
- If prompted, replace the existing files.
- If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.
See Group Policy Settings Reference Spreadsheet Windows 1809 for a spreadsheet containing all GPO settings in Windows.
The spreadsheet can be filtered to only show the newest settings.
OneDrive ADMX Template
Microsoft is previewing a per-machine installation of the OneDrive sync client. The per-machine install is strongly recommended over the normal per-user install of OneDrive.
To enable Files-on-demand, you’ll need the OneDrive ADMX Template.
- Go to a Windows 10 1709 or newer machine that has OneDrive installed.
- Go to %localappdata%\Microsoft\OneDrive. Double-click the latest version. Then open the adm folder.
- Right-click the OneDrive.admx file and copy it.
- If your domain has PolicyDefinitions in SYSVOL (\\corp.local\sysvol\corp.local\Policies\PolicyDefinitions), paste the .admx file there.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the .admx file.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the .admx file.
- Go back to the OneDrive files and copy OneDrive.adml.
- If your domain has a PolicyDefinitions central store in SYSVOL, paste the .adml file to the en-us folder in PolicyDefinitions in SYSVOL. en-US is a subfolder of the PolicyDefinitions folder.
- If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the .adml file. en-US is a subfolder of the PolicyDefinitions folder.
- If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the .adml file. en-US is a subfolder of the PolicyDefinitions folder.
Group Policy Computer Settings
Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.
Some of the settings in this section might require the newer Windows Group Policy Templates.
Idle Time to Lock Session
- Security Options – Computer Configuration | Policies | Windows Settings| Security Settings | Local Policies | Security Options
- Interactive logon: Machine inactivity limit – Windows 8/2012 and newer – published desktops only – seconds of idle time before session locks
Control Panel
- Settings Page Visibility – Computer Configuration | Policies | Administrative Templates | Control Panel
- Settings Page Visibility
- Windows Server 2016 and Windows 10 1607 support was added with the September 2018 Windows patches. Otherwise, it’s only available in Windows 10 1703 and newer.
- Also with the September 2018 patches, the Settings Page Visibility setting is added to the User half of the GPO. See https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#settingspage for details. Before September 2018, this setting is Computer half only, which means it applies to all users, including administrators.
- Winaero How To Hide Settings Pages in Windows 10 describes this new setting. Also see TechNet Hiding pages in Settings with Windows 10 1703.
- Settings Page Visibility
Network
- Network – Computer Configuration | Policies | Administrative Templates | Network | Network Isolation
- Subnet definitions are authoritative = enabled – Windows 10 setting – Source = CTX232340 Windows 10 PVS target devices experience poor performance
OneDrive Files-on-demand
For Windows 10 1709 and newer. Make sure the OneDrive .admx file is installed first.
- OneDrive – Computer Configuration | Policies | Administrative Templates | OneDrive
- Enable OneDrive Files On-Demand = enabled
Verbose Messages
- System – Computer Configuration | Policies | Administrative Templates | System
- Display highly detailed status messages = enabled. Windows 10. Shows what’s happening during logon.
Group Policy Settings
- Group Policy – Computer Configuration | Policies | Administrative Templates | System | Group Policy
- Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
- Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
- Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result
User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.
Logon Settings
To get rid of the Windows 10 “we’re happy you’re here” message:
- Logon – Computer Configuration | Policies | Administrative Templates | System | Logon
- Show first sign-in animation = disabled
DelayedDesktopSwitchTimeout. Create a Group Policy Preferences Registry Item (Computer Configuration | Preferences | Windows Settings | Registry) to set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout (REG_DWORD) = 2. On Windows 10, this might cause the desktop to appear sooner. (Source = VMware Communities)
Sven Huisman Windows 10 in non-persistent VDI – Login speed – part 1 has some additional group policy settings to speed up Windows 10 logon. Scroll down to the Group Policy section.
Power Settings
The following are more applicable to virtual desktops than session hosts:
- Hard Disk Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
- Turn Off the hard disk (plugged in) = enabled, 0 seconds
- Sleep Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
- Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
- Specify the system sleep timeout (plugged in) = enabled, 0 seconds
- Turn off hybrid sleep (plugged in) = enabled, 0 seconds
- Video and Display Settings – Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
- Turn off the display (plugged in) = enabled, 0 seconds
Remote Assistance Settings
Configure the following so you can shadow users using Director:
- Remote Assistance – Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
- Configure Solicited Remote Assistance = disabled
- Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance
User Profiles Settings
- User Profiles – Computer Configuration | Policies | Administrative Templates | System | User Profiles
- Add the Administrators security group to roaming user profiles = enabled
- Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
- Do not check for user ownership of Roaming Profile Folders = enabled
- Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds
- Source = MasterXen at “Please wait for User Profile Services” – Logon delay
Cloud Content
- Cloud Content – Computer Configuration | Policies | Administrative Templates | Windows Components | Cloud Content (Windows 10 1511 and newer)
- Turn off Microsoft consumer experiences = enabled
File Explorer Settings
Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 – Windows 8 and newer
- File Explorer – Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer
- Allow the use of remote paths in file shortcut icons = enabled
Event Viewer Settings
If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.
- Application – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
- Control the location of the log file = enabled, D:\EventLogs\Application.evtx
- Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
- Control the location of the log file = enabled, D:\EventLogs\Security.evtx
- System – Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
- Control the location of the log file = enabled, D:\EventLogs\System.evtx
- Folder – Computer Configuration | Preferences | Folder
- Action = update
- Path = D:\EventLogs
Microsoft Account – Windows 10 (1703 and newer)
- Microsoft account – Computer Configuration | Policies | Administrative Templates | Windows Components | Microsoft account
- Block all consumer Microsoft account user authentication = Enabled
OneDrive Settings – Windows 10
- OneDrive – Computer Configuration | Policies | Administrative Templates | Windows Components | OneDrive
- Prevent the usage of OneDrive for file storage = enabled
Remote Desktop Services Settings
- Connections – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
- Restrict Remote Desktop Services users to a single Remote Desktop Services session = disabled
- More details at http://support.citrix.com/article/CTX131245
- Device and Resource Redirection – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
- Allow time zone redirection = enabled
- Do not allow smart card device redirection = enabled
- Licensing – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
- Set the Remote Desktop license mode = enabled, Per User
- Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
- Remote Session Environment – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Remote Session Environment
- Use the hardware default graphics adapter for all Remote Desktop Services sessions = Enabled
- Source = Marco Hofmann Basic XenApp HDX 3D Pro Proof of Concept – What I missed
- Security – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
- Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
- Session Time Limits – Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
- Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
- Set time limit for disconnected sessions = enabled, 3 hours or similar
Search Settings – Windows 8.1 / 2012 R2, Windows 10
- Search – Computer Configuration | Policies | Administrative Templates | Windows Components | Search
- Allow Cortana = disabled (Windows 10)
- Don’t search the web or display web results in search = enabled
- Additional search settings can be found here
Store Settings – Windows 8.1 / 2012 R2, Windows 10
- Store – Computer Configuration | Policies | Administrative Templates | Windows Components | Store
- Turn off the Store application = enabled
Windows Update Settings
- Windows Update – Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
- Allow non-administrators to receive update notifications = disabled
- Windows Update for Business – Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update | Windows Update for Business
- Select when Preview Builds and Feature Updates are received = Enabled, Semi-Annual Channel, 365 day deferral
Additional Settings
Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.
James Rankin Five tips for dealing with Windows 10 telemetry: disable Modern apps, disable Cortana, disable services, block DNS domains.
After modifying the GPO, use Group Policy Management Console to update the VDA machines.
Or run the command gpupdate /force. Or wait 90 minutes.
Citrix Receiver
If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.
- See the instructions at https://www.carlstalhood.com/receiver-for-windows/#admx to copy the receiver.admx file to PolicyDefinitions.
- Edit the Citrix Computer Settings GPO.
- Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
- Enable the setting.
- Check the top two boxes and click OK.
Hi Carl – so we are running into an issue with session lock ups. This seems to happen when only accessing Citrix from external network sources. I am running XenApp 7.15 LTSR on Windows 2016 VDA’s We are utilizing F5 LB but right now they are not hitting the F5 externally.
User seem to be working fine for 5 to 10 minutes then sessions lock and they are no longer able to access the published application. Only resetting session clears.
Wondering if there is something you know of that could be causing session locks or somewhere to check to see what could be the issue.
Can you run other applications (e.g Notepad) in the same session? Need to determine if the whole session is locked, or just the app.
According to the users experiencing these issues is the whole session. So if user has two applications running both applications are in a locked state
I was able to reproduce this issue. Seems sessions lock up after 2 to 3 minute period of idle time. It locks up all applications I have open. Is there a policy I do not have set correctly? I followed your policy setting almost to the letter with regard to time out session. I followed the settings for Application presentation that applied to my environment.
Is there any NAT or other security device between the user and the Horizon Agent? Maybe one of those devices has a short timeout for TCP/UDP connections.
For external users, how are you proxying the ICA connection?
Hi Carl,
When the user session is idle for 15 mins application went locked state,Citrix session is locked not the local machine,can you helpe to fix it?
Iam using 7.15 CU2 environment
Hi Mat,
Iam facing the same issue ,do u have the solution
Hi Mohanraj -I believe the issue to be a Network driver on our particular laptops. We have Dell Lattitude E4740’s. We don’t have issues with other types of hardware like Microsoft Surface laptops. If you do use Dell laptops update the Wireless drivers to latest Intel driver. (Also use the INTEL driver). Also make sure the following
Wireless Properites
Advanced Tab
802.11a/b/g Wireless Mode – 5. Dual Band 802.11a/g/\
Preferred Band – 3 Prefer 5GHZ
Also
Power Management Tab
Uncheck “Allow the computer to turn off this device to save power”
Great article(s) – you are a true lifesaver! Maybe you can help me one more time 😉 Sometimes my users get an error saying they need the right to sign in through remote desktop services when starting an app on VDA 7.15. My delivery controllers are both configured and activated Windows Server 2016 licensing servers, even the GPO is configured to contact them for per User CALs. Basic troubleshooting and license diagnosing says all fine and it doesn’t happen all the time, just sometimes and on different servers. We don’t use MCS or PVS, all servers are running Windows Server 2016 and VDA 7.15LTSR is in use. Do you have any idea how to get this right?
If it’s an RDS Licensing problem, then there are normally events in Event Viewer when licensing is not working.
The same symptom might happen if you run out of Citrix licenses.
Hello Carl, we are still in the build phase of our new environment and made the decision to move the Citrix Computer and User policies in Active Directory instead of storing them in the SQL Database. The problem I can’t seem to figure out is that I do not see those policies in the registry or on the linked clones. Where would those be written to in the VDA and Master templates’ registry?
I think they only apply when you perform a Citrix connection. Then you should see them under HKLM\Software\Policies\Citrix. Some will be under HDX nodes. Others will be under the nodes that are numbered based on session ID.
I do know about the registry key that would show under .\Policies\Citrix then folders named after the session ID but nothing of the sort matches up. I did find a folder named “2” that had my session info but on the server I am session 12. Either way, I do not see any of our policies applying in the folder.
Does the Group Policy Management console need to be installed on a delivery controller for managing the Citrix policies in Active Directory? In Active directory using GPMC, I picked the user portion of Citrix Policies and wanted to apply a Citrix policy to a delivery group using the Delivery Group filtering. When I attempted to do that, I typed in the name of the DDC and it prompted me for Citrix Cloud credentials. After getting passed that, I got a drop-down box to see the names of the Delivery Groups. Nothing is listed and I cannot manually type it in. Is what I am attempting to perform a supported operation?
We have opened a case with Citrix on this issue. Policies are not applying to the VDAs using GPO. If we set the policies in the Studio console to store in the SQL Database, that works. According to Citrix , we have everything setup correctly and meeting the criteria. We have a single GPO that only contains Citrix policies only. We have full control to that policy as well as Group Policy Modeling permissions and they do not seem to apply. We have confirmed the permissions are set correctly on the policy itself for delegation and scope. Now it is just trying to figure out how to capture the logging in process to see where it skips the policy or refuses to apply it. BTW – this is not even working for the Unfiltered policy set in the GPO.
I was able to figure it out as to why the policies set in GPO were not applying. At our top level Citrix OU, we have inheritance turned off. The users reside in a different OU not in the Citrix OU’s. We forgot to enable Group Loopback Processing in the GPO and that corrected our issue.
Hi Carl,
Can the Remote Desktop Services settings apply to Windows 10 too?
I am also doing dedicated full desktop for Windows 10, any specific settings from there that could help for that setup?
Would this work – Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts) as I plan to use Appsense and Local Profiles and Personalization on Persistent Desktop.
Many thanks in advanced.
Hi Carl. I have XenApp 7.15 with Windows 2016 VDA Shared Desktops. I configured the GPO Interactive logon: Machine inactivity limit, but only works if the conection is via RDP. No works over ICA.
Any suggest?
Interesting. Here’s another option – https://msfreaks.wordpress.com/2018/01/13/enforcing-lock-screen-after-idle-time-windows-server-2016-rds-session-host/
Hi Carl,
I have a scenario in my VDI environment. I uninstalled OneDrive 17.x and installed 18.x version in my master image and when publishing a non-persistent desktop pool using it, on every user launch, version 17.x gets installed again in it as a fresh setup.
It starts automatically and I noticed in the Windows startup “Microsoft OneDrive Setup” on user session launch under Task Manager -> Startup.
I need version 18.x for on-demand feature and be available to take the user login configuration automatically on launch.
Your inputs will surely help.
Regards,
Pravin
What version of Windows?
hi carl,
I have Xenapp 7.13 with one controller and three separate VDAs. there is a problem with the VDA server. every user accesses the published application, the user automatically becomes the local administrator group on the VDA server so that the user can remote desktop the VDA server. please help me..
If you run Group Policy Results, it should show you which GPO is adding users to the local administrators group. Citrix does not do that, so it has to be something else.
Carl and others,
Does the event log policy create the folder or does that need to be pre-created. Also how does this work for custom logs from an application under application logs. For example if I have an app that writes its log under applications and services (win2k16) How do I redirect that? Does the policy allow me to create a custom entry. Forgive me if these are newbie questions.
Hi Carl,
is it possible to save or store the event logs to some kind of persistent storage (like a persistent disk for PvS, for example) when I want to provide non persistent VDAs (Server VDAs in my case) with MCS?
In case it is possible, how should I do that?
Thanks
Ewald
Unfortunately no. I think you’ll need some kind of monitoring agent to collect event logs.
https://support.citrix.com/article/CTX231757
Hey Carl, pasting the Win10 1803 objects to C:\Windows\Policy Definitions won’t allow overwrite even logged in as the default admin and running Explorer as an admin. The individual policy objects in the folder do not inherit parent permissions. I am assuming that I would need to do this on any domain controller or build a central store. What do you recommend? Thanks.
Hello carl, digging through my huge mess of GPO’s and seems like my event log redirection GPO is not working correctly, seems like every night the logs get refreshed, I have a GPO that creates the folder on E:\ and then redirects the event logs, Every night when the machine reboots that’s when the logs get created for the first time so I only have one days worth of logs. Do have an idea of what to check? thanks in advance
Carl,
Don’t see any mention this this issue for Windows 10/2016 server OS VDA’s in regards to XenApp 7.XX;
https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
Seems with latest updates to 2016, Microsoft has created per user Services, which flood the event log and show pop-up errors to users on XenApp on occasion.
“Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account – this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks”
There a best practice for this yet?
Excellent post.
So I found this post as I was facing issues with XA7.13 running on Windows 2016.
Cortana and SearchUI are filling the event logs full of errors when a user log into the Desktop.
Event ID’s 1000, 5973, 10, are showing numerous times.
Also, left clicking on the start menu brings up nothing which of course is a problem but right clicking does bring up the context menu.
I have disabled redirecting the start menu but that didn’t seem to help.
So far I haven’t found much. Any ideas?
Thanks!
Start Menu is quite the challenge. My Profile Management article has info on how to roam it. https://www.carlstalhood.com/citrix-profile-management/
Thank you very much for this Carl and all the excellent articles on your site, you should include a Donate button somewhere on your front page as you are making a lot of peoples lives a lot easier….
Hi Carl,
Now that I solved my issue with a parent domain policy not applying in a XA76/2012R2 context, I find that your advice “make sure the VDA computer has read permission on the policy” is clear and sufficient but at first glance I must admit I did not see it as clearly as now 😉
The issue I had led me to this article https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which describes in details why in a certain scenario, some policies may no longer apply after having installed a security patch.
Have a great day !
Yvan
Hello Carl,
Hope you are doing well and thanks for the instructions.
I just want to know if three policies above will be the same to all the OU’s? I.E. RDSH as well as VDI’s?
Thanks,
Pavan
For the most part, yes. There are some minor differences (e.g. delete cached profiles on logoff). If a setting doesn’t apply to a particular VDA, there’s usually no harm in applying it. I usually have a parent OU for common settings (everything in this article) and sub-OUs for Delivery Group-specific settings.
Thanks Carl. The GPO applied to the parent OU applies to all the sub OU’S as it has been applied at the top level? If you say delivery group specific settings will that be application related?
Yes.
Great Article . I dont know how I would survive without these easy to use guides. One question though.. do we have a tuning/optimization GPO for Xenapp 7.6 like we have had in the past ie. 6.5? setting like TCPMasDataRetransmissions etc for windows server 2012/R2
I usually just do the optimizations built into the VDA. I have a colleague that tested many optimizations and noticed no difference in performance. Also see https://labs.vmware.com/flings/vmware-os-optimization-tool
Known issue after updating the Windows 10 ADMX templates https://support.microsoft.com/en-us/kb/3077013
Added. Thanks.