Group Policy User Settings for VDAs

Last Modified: Jul 11, 2023 @ 3:50 am


ūüí° = Recently Updated

Change Log

User Lockdown

The following is a list of Group Policy Settings recommended by Microsoft to lockdown a Remote Desktop Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies.

This page assumes the GPOs have already been created and Loopback Processing has already been enabled.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel GPO Settings

  • User Configuration | Policies |¬†Administrative Templates | Control Panel
    • Always open All Control Panel Items when opening Control Panel = enabled
    • Show only specified Control Panel items = enabled, canonical names =
      • Microsoft.RegionAndLanguage
      • Microsoft.NotificationAreaIcons
      • MLCFG32.CPL
      • Microsoft.Personalization
      • Microsoft.Mouse
      • Microsoft.DevicesAndPrinters
      • Microsoft.System (lets users see the computer name)
  • User Configuration | Policies | Administrative Templates | Control Panel | Programs
    • Hide the Programs Control Panel = enabled

Settings Page Visibility

The September 2018 patches for Windows 2016 and Windows 10 add control of Settings Page Visibility in both the Computer half of the GPO (applies to all users), and now in the User half of the GPO (can apply to non-admin users).

  1. Make sure the Windows 10 and Windows 2016 VDAs are patched to at least the September 2018 Cumulative Update.
    • For Windows 2016,¬†winver should show¬†OS Build 14393.2515 or higher.
    • For Windows 10 1803,¬†winver should show OS Build 17134.320 or higher.
  2. Go to your \\\sysvol\\Policies\PolicyDefinitions and find the file¬†ControlPanel.admx. If it is not dated August 30 or later, then you’ll need to copy the updated version.

    1. On one of these newer VDAs, go to C:\Windows\PolicyDefinitions and copy the file ControlPanel.admx. The September 2018 patch updated this file.
    2. Go to your \\\sysvol\\Policies\PolicyDefinitions and paste the .admx file. Overwrite the existing file.
    3. On one of these newer VDAs, go to C:\Windows\PolicyDefinitions\en-US and copy the file ControlPanel.adml.
    4. Go to your \\\sysvol\\Policies\PolicyDefinitions\en-US and paste the .adml file. Overwrite the existing file.
  3. Edit the Non-Admin Users GPO.
  4. Go to User Configuration | Policies | Administrative Templates | Control Panel.
  5. On the right is Settings Page Visibility.
  6. Winaero How To Hide Settings Pages in Windows 10 describes this new setting. Also see TechNet Hiding pages in Settings with Windows 10 1703. A sample configuration is: showonly:printers;colors. According to Server 2016 & PC Settings/Immersive Control Panel at Citrix Discussions, the maximum length for this field is 255 characters.
  7. When the non-admin user logs into a Windows 10 or Windows Server 2016 VDA that has the September update installed, the Settings pages are restricted based on the GPO configuration. Since this GPO setting is in the user half of the Non-admin users GPO, admins can still see all Settings pages.

Desktop GPO Settings

  • User Configuration | Policies | Administrative Templates | Desktop
    • Hide Network Locations icon on desktop = enabled
    • Remove Properties from the Computer icon context menu = enabled
    • Remove Properties from the Recycle Bin icon context menu = enabled

If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.

On Windows Server 2016, screen saver idle time does not work. Arjan Mensch developed a tool to lock the screen after a period of idle time. Launch the tool from a Group Policy login script. Download the tool from Enforcing lock screen after idle time Windows Server 2016 RDS Session Host.

Start Menu and Taskbar GPO Settings

  • User Configuration | Policies | Administrative Templates | ¬†Start Menu and Taskbar
    • Clear the recent programs list for new users = enabled
    • Do not allow pinning Store app to the taskbar = enabled
    • Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
      • In Windows 10 1709, if you want to remove the Power Button, in the VDA, set¬†HKLM\Software\Microsoft\PolicyManager\current\device\Start\HidePowerButton (DWORD) = 1. Source =¬†Power Button Windows 10 VDI at Citrix Discussions.
    • Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user‚Äôs Start Menu/Desktop.¬†Also, enabling this setting¬†might prevent Outlook desktop alerts. Microsoft¬†3014833)
    • Remove Help menu from Start Menu = enabled (Windows 7 / 2008 R2 only)
    • Remove links and access to Windows Update = enabled
    • Remove Network icon from Start Menu = enabled¬†(Windows 7 / 2008 R2 only)
    • Remove Run menu from Start Menu = enabled (not recommended)
    • Remove the Action Center icon = enabled (not in Windows 10)
    • Remove the networking icon = enabled
    • Remove the People Bar from the taskbar = enabled (Windows 10 1703 and later)
    • Remove the Security and Maintenance icon = enabled (Windows 10)
    • Remove user folder link from Start Menu = enabled (Windows 7 / 2008 R2 only)

If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu prevents users from entering UNC paths or drive letters in Internet Explorer.

Start Menu pinned tiles

  • Configure Start Menu pinned tiles as desired
    • Remove Server Manager
    • Remove PowerShell
    • Etc.
  • Use Export-StartLayout to save to an .xml file.
  • Use Import-StartLayout to import to the Default User profile. All new users (new profiles) will get the customized Start Menu layout.

CTP James Rankin Dynamic Start Menu on Server 2016/2019 and Windows 10 using FSLogix App Masking

CTP James Kindon AppMasking The Windows Start Menu using FSLogix

Kasper Johansen The Windows Server 2019 Start Menu Is Playing Nice:

  • Clean up the default Start Menu
  • Use AppLocker to prevent access to Windows Security

CTP James Kindon Windows 10 Start Menu: declutter the default:

  • To eliminate the Start Menu tiles, remove Store apps, and Edge.

CTP James Rankin Management of Start Menu and Tiles on Windows 10 and Server 2016, part #1 contains the following:

  • LayoutModification.xml in Default User Profile
  • Start Screen Layout Group Policy setting
  • Partially-locked layout
  • FSLogix to apply a custom default layout for different user groups on the same device, and allowing users to customize all of it

CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains the following:

  • Lock down a section of the Start Menu
  • Configure Citrix Profile Management to roam the Start Menu
  • Remove Provisioned Apps
  • Tune Windows using OS Optimization Tool
  • Disable Telemetry services

Microsoft Technet Customize Windows 10 Start with Group Policy.

System GPO Settings

  • User Configuration | Policies | Administrative Templates | ¬†System
    • Prevent access to registry editing tools = enabled, Disable regedit from running silently = No
    • Prevent access to the command prompt = enabled, Disable command prompt script processing = No

Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.

Explorer GPO Settings

  • User Configuration | Policies | Administrative Templates | ¬†Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
    • Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
    • Hides the Manage item on the File Explorer context menu = enabled
    • Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can‚Äôt use Start Menu‚Äôs search to find programs.
    • Prevent users from adding files to the root of their Users Files folder = enabled
    • Remove ‚ÄúMap Network Drive‚ÄĚ and ‚ÄúDisconnect Network Drive‚ÄĚ = enabled
    • Remove Hardware tab = enabled
    • Remove Security Tab = enabled
    • Turn off caching of thumbnail pictures = enabled

Borders – Windows Server 2019 File Explorer does not show borders around File Explorer. To add borders, see Geir Dybbugt Microsoft Server 2019: No window border/allwhite issue

To hide specific drive letters:

  1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
  2. Choose Action Update => Drive Letter Existing C => Hide this drive
  3. Common Tab: Run in logged-on users’ Security

Windows Update GPO Settings

  • User Configuration | Policies | Administrative Templates | ¬†Windows Components | Windows Update
    • Remove access to use all Windows Update features = enabled, 0 ‚Äď Do not show any notifications

File Explorer

Hide Favorites, Libraries, Network and redirected local drives

Winhelponline Removing ‚ÄúQuick access‚ÄĚ from Windows 10 File Explorer details the following registry value to remove Quick Access from File Explorer in Windows 10, or Windows Server 2016 and newer. (h/t Sean Bolding)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • DWORD value HubMode = 1

Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in Windows Server 2016.

Explorer Notifications

From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10: Windows 10 1607 adds notifications inside File Explorer.

To stop these, use Group Policy Preferences to set the following registry value:

  • Key =¬†HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • Value =¬†ShowSyncProviderNotifications (DWORD) = 0

Windows Spotlight

Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu, lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating System and Chris Hoffman How to Disable All of Windows 10’s Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer. The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe as a #XenApp published Application!.

Flickering Icons

If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering at Citrix Discussions resolved it be creating the following Registry Key using Group Policy Preferences:

  • HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}


Use Chrome Group Policy to push the Chrome plug-in for Citrix’s Browser Content Redirection feature in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer.

Chrome 77+ Audio Issue

No Audio on Google Chrome version 77.x and newer inside ICA session.

Newer Google Chrome ADMX templates let you disable the audio sandbox. User Configuration | Policies | Administrative Templates | Google | Google Chrome | Allow the audio sandbox to run = Disabled.

Another workaround is to use Group Policy Preferences to deploy the following registry value: (source = CTX261992 Citrix Virtual Apps and Desktops: No Audio on Google Chrome version 77.x inside ICA session)

If the new Chrome-based Microsoft Edge consumes 100% CPU, then CTP James Kindon Deploying Brave and Microsoft Edge Dev Browsers in Citrix CVAD environments says a similar registry value is needed for the new Edge.

  • Key = HKLM\SYSTEM\CurrentControlSet\services\CtxUvi
    • Value (String) = UviProcessExcludes = chrome.exe;msedge.exe;

GPO ADMX Templates

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\\sysvol\\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Roam Chrome Settings

You can optionally enable Chrome’s roaming profile support. For details, see¬†Use Chrome Browser with Roaming User Profiles at Google Help.

  1. Edit the Citrix All Users GPO.
  2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome.
  3. On the right, double-click Enable the creation of roaming copies for Google Chrome profile data and Enable it.

Browser Content Redirection Extension

To force install the Chrome Extension needed for Browser Content Redirection in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer:

  1. Edit the Citrix All Users GPO.
  2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome | Extensions.
  3. On the right, double-click Configure the list of force-installed apps and extensions.
  4. Enable the setting and click Show.
  5. In the box, enter the following text and click OK.

  6. When a user opens Chrome from inside a VDA, the Citrix Browser Content Redirection Extension is automatically installed.
  7. Configure the Citrix Policy settings detailed at Browser Content Redirection.
  8. Redirection of websites from Chrome requires Workspace app 1809 or newer on the client device.
  9. When you visit a whitelisted (ACL) website, on the client side, you should see HdxBrowserCef.exe processes. These processes come from Workspace app, and does not use Chrome on the client side.

Edge / Internet Explorer Settings

This section assumes the GPOs have already been created.


When a new user launches Edge, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Edge First Run GPO Settings

  • User Config | Policies | Administrative Templates | Microsoft Edge
    • Hide the First-run experience and splash screen = enabled

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer
    • Prevent managing SmartScreen Filter = enabled, on
    • Prevent running First Run Wizard = enabled, Go directly to home page
    • Specify default behavior for a new tab page = enabled, Home page
    • Turn on Suggested Sites = disabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Compatibility View
    • Include updated Web site lists from Microsoft ¬†= enabled
  • User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page
    • Turn on Enhanced Protected Mode ¬†= disabled

Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should be disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone.

To prevent this message, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Preferences > Windows Settings > Registry.
  3. Create a new Registry Item.
  4. Set the Hive to: HKEY_CURRENT_USER
  5. Set the Key Path to: Software\Microsoft\Internet Explorer\Main
  6. Set the Value name to: NoProtectedModeBanner
  7. Set the Value type to: REG_DWORD
  8. Set the Value data to: 1
  9. Click OK.

IE 11 in Windows 10 1703 and newer has a new button to open Edge.

  • To hide this button, edit¬†a Group Policy that applies to users, go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Settings | Advanced Settings | Browsing, and enable the setting¬†Hide the button (next to the New Tab button) that opens Microsoft Edge. Source =¬†Ren√© Bigler on Twitter.

4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607: registry keys and PowerShell script to disable it.

Published Internet Explorer Settings – Runonce

If a user launches Internet Explorer as a published application, then Internet Explorer¬†might not be fully configured and thus some websites won’t work. By default, Windows runs per-user configuration (ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn’t happen when only launching published apps. To override this behavior so it works with published IE even¬†if the user never connects to a full desktop, do the following:

  1. Edit the Citrix VDA All Users GPO.
  2. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  3. Double-click Logon.
  4. Click Add.
  5. In the Script Name field, enter runonce.exe.
  6. In the Script Parameters field, enter /AlternateShellStartup. Click OK.
  7. Note: running runonce.exe /AlternateShellStartup might cause black borders around windows in published applications.
  8. Runonce.exe /AlternateShellStartup also causes the items in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to be executed when a published app is launched. Consider deleting the items (e.g. VMware Tools icon), or they might keep sessions open after users close their apps. Also see CTX891671 Graceful Logoff from a Published Application Renders the Session in Active State.
  9. An alternative to runonce.exe /AlternateShellStartup is to run the following commands provided by Steve Washburn at Active Receiver connection after app is closed at Citrix Discussions.
    @echo off
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser
    start "" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"


Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to enable the script (configure these in the Citrix VDA Computer Settings GPO):

Logon Script GPO Settings

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

Internet Explorer Group Policy Preferences

The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings > Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012.

If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or Internet Explorer 10.

If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.

If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10. When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your keyboard.

As you look through the tabs, you’ll see a bunch of green items. These green items will be applied and might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them back on, press F5.

On the Common tab you can check the box to Apply once and do not reapply.

Internet Explorer Security Zone Configuration

There is a group policy setting at User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page |  Site to Zone Assignment List that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their own sites (the user interface in Internet Explorer is grayed out).

This section details an alternative procedure for administrator-configured zones while allowing users to add their own Trusted Sites.

Note: Zones can’t be configured using a Group Policy Preferences Internet Settings object so instead you’ll need to configure registry keys as detailed below.

  1. Run Internet Explorer and configure security zones as desired.
  2. If you are using Workspace Control in Receiver for Web or need pass-through authentication, make sure you add StoreFront as a Local Intranet Site.
  3. Run Group Policy Management Console on the same machine where you have security zones configured.
  4. Edit the Citrix VDA All Users GPO.
  5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection Item. Name it IE Zones or similar.
  6. Right-click the collection and click New > Registry Item.
  7. Click the … button next to Key Path.
  8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Click the key corresponding to the FQDN you’re adding. Then select the registry value on the bottom that corresponds to the protocol (e.g. * or https). Click Select. Note: 1 indicates Local Intranet zone.
  9. Then click OK. Note: 1 indicates Local Intranet zone.
  10. Feel free to rename the Registry Item to reflect the actual zone.
  11. Repeat these steps for additional zones.

Internet Explorer Home Page

If you don’t have access to Windows 8/2012 group policy editor, configure the default home page using a registry key.

  1. Run Internet Explorer and configure home page as desired.
  2. Run Group Policy Management Console on the same machine where you have the home page configured.
  3. Edit the Citrix VDA All Users GPO.
  4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.
  5. Click the … button next to Key Path.
  6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. On the bottom, select Start Page. Then click Select.
  7. On the Common tab, you can select Apply once and do not reapply. Then click OK.

Proxy Settings

If you don’t have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Use Group Policy Preferences or similar to distribute the registry keys.

To prevent users from changing proxy settings, also configure the following group policy setting.

  • User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
    • Disable the Connections page = enabled

Internet Explorer Performance

Julian Mooren at XenApp & Internet Explorer ‚Äď Improving User Experience details how to enable Tracking Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set registry keys, and adds a folder to Citrix Profile Management synchronization.

Microsoft 365 Apps / Office 365 / Office 2021 / Office 2019 / Office 2016

Microsoft 365 Apps (aka Office 365) Planning

Microsoft 365 Apps ProPlus is supported on Windows Server 2019.

Microsoft FSLogix can roam Office cache files (e.g. Outlook .ost file) and Search Index. FSLogix is free for most customers.

CTP Marius Sandbu Guide to Deploying Office 365 in RDSH and VDI Enviroment contains:

  • Common best-practices and guidelines
  • Identity Federation and sync
  • Licensing and Roaming
  • Deployment and managing updates
  • Vendors and Office 365 Optimization
  • Skype for Business
  • Teams
  • Outlook
  • OneDrive
  • Group Policy
  • Troubleshooting and general tips for tuning
  • Remote display protocols and when to use when.
  • Server 2019 and Office 365
  • Office 2019 / Office 365 ProPlus

Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:

  • Considerations for Outlook Cached Mode
  • Group Policy settings for Outlook Cached Mode
  • For Lync Audio/Video ‚Äď various options for delivering the Lync client
  • Caveats for OneDrive for Business
  • Licensing ‚Äď shared computer activation

VMware Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 contains:

  • Requirements for Using Nonpersistent VDI and RDS with Office 365 ProPlus
  • Using the Office 2016 Deployment Tool to download and install Office
  • Enabling Shared Computer Activation on Nonpersistent VDI and RDS
  • Considerations for Deploying Office 365 ProPlus to a Horizon Environment – OneDrive, Outlook
  • Office Group Policy Settings

Office 2021 / 2019

Office 2021 and Office 2019 are Perpetual version of Office, which means no new features until the next Office LTSC is released.

  • By contrast, Microsoft 365 Apps ProPlus receives new features periodically (every few weeks).

Office 2021 and Office 2019 require volume licenses. See Microsoft Office 2019 Volume License Pack for KMS server or Active Directory activation.

There is no MSI installer for Office 2021 or Office 2019. Instead, you use Office Deployment Tool to download and install the Click-to-run version of Office 2021/2019 Volume License. See Deploy Office LTSC 2021 or Deploy Office 2019 (for IT Pros).

The Office 2021/2019 icons/shortcuts do not say 2021 or 2019 on the end. There’s no year designation.

File > Account shows the version info. As does Apps and Features.

Office Group Policy Templates

Download the Microsoft 365 Apps / Office LTSC 2021 / Office 2019 / Office 2016 group policy templates. The same templates are used for all Office versions 2016 and newer.

Microsoft renamed Office 365 to Microsoft 365 Apps.

Choose the bitness that you installed. The default for Microsoft 365 Apps is x64.

Microsoft 365 Apps, Office 365, Office 2021, Office 2019, Office 2016

  1. Go to the downloaded Microsoft 365 Apps / Office 365 / Office 2021 / Office 2019 / Office 2016 group policy templates and run admintemplates_x64_5077-1000_en-us.exe.
    Note: Office 2016, Office 2019, Office 2021, and Office 365 use the same group policy templates.

  2. Check the box next to Click here to accept and click Continue.
  3. Specify a folder to place the extracted templates in.
  4. Click OK to acknowledge that files extracted successfully.
  5. Go to the folder where you extracted the files, and open the ADMX folder.
  6. Copy all .admx files, and the en-us folder, to the clipboard.
  7. Go to \\\sysvol\\Policies\PolicyDefinitions and paste the files.

    • If you do not have PolicyDefinitions in your Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files.

Group Policy and Tweaks

This section assumes the Group Policy Objects have already been created.

For Teams, edit the Citrix VDA Computer Settings GPO and enable the Group Policy settings shown below.

Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

  • Updates – Computer Configuration | Policies | Administrative Templates | Microsoft Office 2016 (Machine) | Updates
    • Don’t install Microsoft Teams with new installations or updates of Office = enabled
    • Update Channel – for Microsoft 365 Apps (aka Office 365) only

Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.

Office 2013 group policy settings are different than the group policy settings for Office 2016, Office 2019, Office 365, and Microsoft 365 Apps. If you want to copy Office 2013 settings to Office 365 / 2019 / 2016 settings, see Microsoft’s Copy-OfficeGPOSettings¬†PowerShell¬†script.

Microsoft 365 Apps, Office 365, Office 2019, and Office 2016 are all version 16.0, thus the same GPO settings work for all of these versions. In Group Policy Editor, the GPO settings are under the Office 2016 folders.

  • Disable Office Telemetry
    • Key = HKCU\Software\Microsoft\Office\Common\ClientTelemetry
      • Value (DWORD) DisableTelemetry = 0xffffffff
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | First Run
    • Disable First Run Movie = enabled
    • Disable Office First Run on application boot = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Global Options |Customize
    • Allow roaming of all user customizations = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Miscellaneous
    • Block signing into office = enabled, Org ID only ¬†Source = Microsoft Answers
    • Disable Office Animations = enabled
    • Do not use hardware graphics acceleration = enabled (if no GPU)
    • Hide file locations when opening or saving files = enabled, Hide OneDrive Personal
    • Suppress recommended settings dialog = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Privacy | Trust Center
    • Automatically receive small updates to improve reliability = disabled
    • Disable Opt-in Wizard on first run = enabled
    • Enable Customer Experience Improvement Program = disabled
  • User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Tools | Options | General | Service Options‚Ķ | Online Content
    • Online Content Options = enabled,¬†Allow Office to connect to the Internet
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange
    • Automatically configure profile based on Active Directory Primary SMTP address = enabled
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange | Cached Exchange Mode
    • Use Cached Exchange Mode for new and existing Outlook profiles = disabled
    • If you prefer to use Cached Exchange Mode, set the above setting to enabled, and add below:¬†Source =¬†Citrix’s Office 365 Implementation Guide
      • Cached Exchange Mode Sync Settings = enabled, time-window of downloaded content
      • Install FSLogix to assist with roaming of the OST file.
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Miscellaneous | PST Settings
    • Default location for PST files = enabled, user‚Äôs home directory
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Outlook Options | Other | AutoArchive
    • AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
  • User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Outlook Options | Preferences | Search Options
    • Prevent installation prompts when Windows Desktop Search component is not present = enabled
  • Computer Config | Policies | Administrative Templates | Windows Components | Search |
    • Prevent indexing Microsoft Office Outlook = enabled (see below)

Office Click-to-Run Accept EULA Window

To get rid of the Accept Office License Agreement button/window…

Use Group Policy Preferences to set the following registry values:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Registration
    • AcceptAllEulas (DWORD) = 1
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Registration
    • AcceptAllEulas (DWORD) = 1

Office temp file errors

To prevent Office temp file errors:

  • User Configuration | Preferences | Window Settings | Folders |¬†New Folder
    • Action = Create
    • Path =¬†%Localappdata%\Microsoft\Windows\INetCache

Outlook and Windows Search

When launching Outlook, you might see the message “Please wait while Windows configures Microsoft Office 64-bit Components”.

To fix the Outlook search problem, you can either install Windows Search Service (Windows Feature).

Or enable the GPO setting: Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook.

Office VL Activation not working

If Office 2016+ Volume License is not activating correctly, set the following registry value as detailed at Microsoft Office can’t find your license for this application at Citrix Discussions:

  • Key =¬†HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CtxUvi
    • Value =¬†UviProcessExcludes (REG_SZ) = sppsvc.exe

Adobe Reader

Adobe Reader Group Policy

  1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
  2. Copy the .admx file and the en-us folder.
  3. Go to \\\SYSVOL\\Policies\PolicyDefinitions and paste the files. If this folder doesn’t exist, go to C:\Windows\PolicyDefinitions instead.
  4. Click Yes when asked to replace files.
  5. Now open a group policy that applies to all Citrix users.
  6. Go to User Configuration > Administrative Templates > Adobe Reader > Preferences > General.
  7. Open the setting Accept EULA and Enable it.
  8. Then open the Display splash screen at launch setting and Disable it.

Disable Repair

In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.

Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.

  1. In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer.
  2. Add the DWORD DisableMaintenance and set it to 1.
  3. Now the Repair option is grayed out on the Help menu.

Disable Updates

For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Reader\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
    • Mode = 0 (disables updates)


In Adobe Reader XI, there is a GUI method of disabling updates:

  1. Run Adobe Reader from the Start Menu.
  2. Open the Edit menu and click Preferences.
  3. On the Updater page, change the selection to Do not download or install updates automatically and click OK.

Other Optimizations

Rick van Soest Removing ‚ÄúThe Cloud‚ÄĚ from Adobe Acrobat Reader DC:

  • To remove tools, delete them from C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
  • To remove the welcome screen, add the following registry dword value: HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
    • bUsageMeasurement (REG_DWORD) = 0
  • To remove the ‚Äúadd account‚ÄĚ button, HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint
    • BDisableSharePointFeatures (REG_WORD) = 1
  • To remove the ‚ÄúCheck for update‚ÄĚ button, HKLM\Software\Adobe\Acrobat Reader\DC\Installer
    • DisableMaintenance (REG_DWORD) = 1 – Citrix Deployments: Before deployment, the product should be configured as needed. In particular, you will want to disable features and behaviors that should not be accessible to end users in an IT-managed environment. For example:

  • The Updater should be disabled as described in this guide and the¬†Preference Reference.
  • Accept the EULA on behalf of all users by setting the appropriate registry key.
  • For multilanguage installations (MUI), set the preferred language for all users via the SUPPRESSLANGSELECTION property or registry settings described in the¬†Preference Reference.
  • Deploy enterprise files to the product‚Äôs directories (rather than per-user directories) so they are available to all users.
  • There are over 500 documented settings. Refer to the¬†Preference Reference¬†for complete registry and plist details.


Scrolling performance

If scrolling performance is poor in graphic intensive documents, try the following:

  • Go toEdit > Preferences > Rendering.
  • UncheckSmooth line¬†art and¬†Smooth images. Alternatively, you can set these preferences during pre-deployment configuration:
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasGraphics: 0x00000000
    • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasImages: 0x00000000


Distiller performance

  • In some environments, Distiller performance may suffer if the messages.log file becomes too large after a number of Distiller operations. Delete this file periodically. It is located at \Application¬†Data\Adobe\Acrobat\Distiller<version>\messages.log.
  • Remove unused fonts from the Windows installation.

Citrix Files

Citrix Files allows you to access your files in ShareFile directly through a mapped drive providing a native Windows Explorer experience. Citrix FIles replaces ShareFile Drive Mapper.

Citrix Files instructions:

To install Citrix Files:

  1. If Citrix ShareFile Drive Mapper is installed, uninstall it. Also see CTX238202 Upgrading from ShareFile Drive Mapper to Citrix Files for Windows.
  2. In VDA 1808 and newer, Citrix Files is bundled with the VDA installer.
  3. Or, download Citrix Files. The downloaded version might be newer than the version included with the VDA installer.
  4. On a VDA, run CitrixFilesForWindows-v.exe.
  5. Check the box next to I agree to the license terms, and click Install.
  6. In the Setup Successful page, click Close.

Session Lingering:

  • Citrix recommends editing your Delivery Group and enabling Application Lingering for a couple minutes so Citrix Files has time to upload files.

To configure Citrix Files:

  1. Go to C:\Program Files\Citrix\Citrix Files\PolicyDefinitions, and copy the file and folder.
  2. Go to \\\SYSVOL\\Policies\PolicyDefinitions and paste the files and folder. If this path doesn’t exist, then paste the files in C:\Windows\PolicyDefinitions on your Group Policy editing machines instead.
  3. Edit a GPO that applies to all users.

    1. Go to User Configuration > Policies > Administrative Templates > Citrix Files.
    2. Citrix Files is enabled by default. If you only want some users to use Citrix Files, then you can configure a GPO to disable Citrix Files, and then configure a different GPO that re-enables it. The GPO that enables Citrix Files would be targeted to an AD group, and the GPO would be higher priority than the GPO that disables it. The setting to disable and enable Citrix Files is called Enable Application.
    3. Edit the Account setting.
    4. Enable the setting, and enter your ShareFile URL. Click OK.
    5. The Mount Point settings let you map different parts of Citrix Files to different drive letters.
  4. Edit a GPO that applies to the computers that have Citrix Files installed.

    1. Go to Computer Configuration > Policies > Administrative Templates > Citrix Files.
    2. The default Cache Location is AppData\Local\Citrix\Citrix Files\PartCache.
    3. Default Cache Size is 256 MB.
    4. Delete Cache on Exit is not needed on non-persistent machines, and not needed if the roaming profile cache is deleted on logoff. Make sure the Citrix Files cache is excluded from roaming profiles as detailed later.
    5. Auto Check-out of Office files can be enabled here.
    6. Auto-Update does not apply to Remote Desktop Session Host, so you’ll have to update those machines manually.
    7. Offline Access is enabled (allowed) by default.
    8. Personal Cloud Connectors (e.g. OneDrive) and On-Premises Connectors can be enabled from here.
  5. Edit your Citrix Profile Management GPO.
    1. Go to Computer Configuration > Policies > Administrative Templates > Citrix > Profile Management > File system.
    2. Edit the setting Exclusion list ‚Äď directories.
    3. Add AppData\Local\Citrix\Citrix Files\ to the list.
  6. If you have on-premises StorageZones Controllers, you can enable Single Sign-on by enabling Windows Authentication. On the StorageZones Controllers, run IIS Manager.

    1. Navigate to Default Web Site > cifs.
    2. In the middle, double-click Authentication.
    3. Right-click Windows Authentication and Enable it. If you don’t see Windows Authentication in your list, you might have to install it using the¬†Roles and Features wizard.
  7. After logging into Citrix and logging into Citrix Files, when you launch File Explorer, you’ll see¬†Citrix Files on the left.
  8. If the Login Window doesn’t appear, the look for the icon in the system tray.

File Type Association

For the official Microsoft method of handling file type associations in Windows 10 and Windows Server 2016, see¬†Windows 10 ‚Äď How to configure file associations for IT Pros? at TechNet Blogs. This article details DISM, XML, and Group Policy.

Christoph Kolbicz at SetUserFTA: UserChoice Hash defeated ‚Äď Set File Type Associations per User or Group on Windows 10 and 2016 developed a tool to set specific File Type Associations. No DISM or XML needed.

Also see the following:

Next Steps

85 thoughts on “Group Policy User Settings for VDAs”

  1. We have RDS environment with Microsoft Outlook Shared Activation where Outlook Advanced Search features disabled for all users. Does anyone knows what causes this and how can we enabled it?

  2. As always, a gret article Carl. I have a very specific problem regarding lock down of access to the C: drive and access to run apps like powershell :(.
    Although we dont allow direct access to explorer, users are able to get to it through Edge>Downloads.. that in itself isnt the end of the world, as other lockdowns prevent access to c:. however, what we have now seen is if they simply enter ‘shell:windows’ into the path in explorer it ignores the lockdown and takes them straight into the c:\windows folder, allowing them access to all the things we dont want! ūüôĀ
    I have been searching for a way to prevent users running shell commands in file explorer but so far found nothing helpful….

    1. Many security products have a whitelist feature that prevents users from running unauthorized processes. Ivanti used to be able to block functionality within applications.

      1. problem here, i think, is that they are just using win32 shell commands – which i dont think we can block the process. It’s such a simple bypass to access restrictions set on the C drive ūüôĀ But i cant see how to block it

        1. Just an update, I was able to solve this! ūüôā It seems that the standard GPO setting to ‘Hide’ the C drive does not prevent the use of shell:windows to easily circumvent. What i have found is you have to also apply the reg setting HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
          NoViewOnDrive DWord = 4
          Tested and now not able to run the shell command ūüôā

  3. trying to have MSEdge browser log into online sharepoint using SSO thru Citrix, but not as a published app, it opens thru a link in another app. If this possible? If so what GPOs or reg. entries would we apply/change.

    Citrix 7.2203 LTSR CU3
    Windows 2019

  4. Hello Carl,
    as always thank you for such great content.

    I have a specific horizon effort and have looked through a lot of the pages.
    Many that are close seem to be citrix specific.

    Platform: VMware Horizon Cloud Service on Azure
    Hypervisor: AVD
    DEM: 2212
    Horizon Client: 2212 (windows)
    EUC Device: Windows BYOD (not on my domain)

    Goal to accomplish———-
    I am assessing the feasibility of using Horizon Client on External BYOD Devices to access my Horizon Cloud on Azure environment
    with BYOD Devices I don’t have control over how the client is installed and configured
    Since EUC devices are external I cannot use the Horizon Client GPO policies to control behavior.
    I am mainly wanting to Secure the perimeter of the Horizon Software Client from the BYOD Windows host computer.
    I Must DENY copy/paste, host drive & Folder sharing, USB Mass Storage, Printer Redirection, Scanner Redirection.
    … however would like to allow USB periferals such as Headsets / Speaker Pucks.
    I am trying to completely eliminate sensitive data transfer between the EUC Host computer and the VDI Running inside the Horizon Client.

    Thoughts on the feasibility of such?
    Are my only options for compensating security controls going to be DEM policies, VDI Windows GPOs, and Horizon “Agent” GPOs?
    Are there other tools, policies for such since I don’t have thin clients for this effort?

    1. Yes. You can also not install the features when you install the Horizon Agent.

      Opswat is another tool, but I don’t think it’s supported in Horizon Cloud yet.

  5. Hi Carl,
    First thanks for the great documentation.
    When I use the windows the windows group policy managemant with the citrix adm/admx files loaded I can create policies but when I will create a filter then I can not choose the delivery groups. It seems like the contoller can not be accessed to load the delivery groups. Do you have any idea how to fix it?
    For the controller I used the fully quallifed domain name but no delevery groups are shown it’s empty.

  6. Hi

    i use this way into GPO registry preference for redirect Personal to a Drive letter

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    This Drive letter is a mapping to a network path, when people open the remote app and call explorer fonction, they see complete network patch into windows file explorer adsresse bar and not just the letter

    Can someone have a tips ?


  7. We have setup RDSH Server in our environment (backed by App volume) to provide published applications to user.

    We are facing here different issues with different apps which are mentioned below:

    1. Documents which we try to save, they are actually saved in RDSH server user profile which we want to save in roaming profile. we have setup roaming profile path for the user in AD on the following path:
    (user -> properties -> Remote Desktop Services Profile -> profile path and Home folder path), but still when we try to save a document it sees RDSH Server user profile in Save As rather than roaming profile.
    so please let me know We can see roaming profile path in document “Save As” rather than RDSH Server local profile path?

    2. we have redirected chrome (published by RDSH) to a specific url using GPO successfully which is working fine. Every user for this web page has his login user ID. what we want to achieve here, when a user login to thin client with smart card authentication and he will launch chrome, he should not get prompt for login again and should auto login to webpage with his thin client authentications (Single Sign-on).
    We have applied GPO policy for autologin with current username and password, but we launch chrome it asks for RDSH Server Credentials and after providing it, user get login on webpage. so why here RDSH credentials?

    3. MS Outlook, which is installed in instant clone golden image and we providing to user in instant clone session but on every next login, user has to register his outlook account again, how we can retain outlook user account settings in multiple sessions?

    user oxt file should be save in user roaming profile.

    1. 1. You want Folder Redirection. Profiles are always on C: drive. With Roaming Profiles, at logoff, the C: drive profile is backed up to a file share. At logon, the C: drive profile is restored. Folder Redirection permanently removes one of the profiles from C: drive and instead stores it on the file share. The redirected folder is not backed up or restored at logon.

      2. Check Maybe something missing in your configuration.

      3. You should use a different roaming profile tool. I recommend Microsoft FSLogix.

  8. Hi Carl,

    First of all, thank you for sharing your experience and your site which is a real mine of information.
    I want to combine the following parameters:
    – “Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only”
    – “Folder redirect” option in StoreFront setting

    But when I open a file explorer (for example by doing file / open in a published notepad) I have the error message “This operation has been canceled due to restrictions in effect on ths computer. Please contact your system administrator .”

    Do you have a trick to make these parameters cohabit?

    1. Instead of doing “Prevent access”, I usually just hide the drives. The idea is to discourage users from saving stuff on the C: drive. If you need security, then configure NTFS permissions, and/or use a whitelisting tool, like AppLocker.

  9. Hi Carl,

    The Policy Setting ” Prohibit user from manually redirecting Profile Folders” found in User Config\Admin Templates\Desktop should be set to Disabled or Not Configured.

    When enabled, this causes issues in combination with FSLogix, where FSLogix can’t redirect the INetCache Folder.
    This produces the error “SHSetKnownFolderPath failed with access denied”.

    I’ve seen various issues with this setting enabled, including Office errors and presumably the cause of some Profile Locks

    1. The cloud version of WEM when combined with Citrix Endpoint Management can push GPO settings to WEM Agents.

      1. So if I have only a on-premise infrastructure the only way to push those IE settings is with GPO. Thanks for the info!

  10. hi carl, i have this issue

    I have published internet explorer 11, access to a web page of the bank to see the transaction history, I copy that data, but when pasting in Microsoft Excel (Local, end user device) paste them as plain text and not as special paste.

    Citrix Virtual Apps 7.15.3000
    Windows server 2016
    Internet Explorer 11
    Microsoft Excel (Local, Client device)

    best regards

    1. I’d be curious if VDA 1903 experiences the same problem since VDA 1903 now supports copy/paste of files.

      1. yes carl, I tried it and it has the same symptom, it should be noted that I tried with mozilla firefox and google chrome and they work fine, but with internet explorer 11 no

  11. Carl,

    Do you know how to attack this issue we are having where Adobe Reader is prompting the user each time to enable protected mode? “Adobe Acrobat Reader cannot open in Protected Mode due to an incompatibility with your system configuration. Would you like to open Adobe Acrobat Reader DC with Protected Mode Disabled?”

    We are using Windows 10 LTSB in VMWare Horizon. Maybe that is the cause…?

  12. HI,
    Hoping someone out there has idea how fix this.

    We have XenDesktop 7.15 non persistan environment with O365 all setup with Share Activation setup with office, however we are randomly seeing users where Share Activation does not kick in and uses one of the users liceses. So over length of time aprox 2 to 3 weeks users would fill up 10 activation machine limit and we have walk the users to delete out previous 10 vdi machines in their account. Obviously once a user hit the 10 limit it locks them out, so we are getting a lot of calls from users are not licenced and have to walk them through this to delete out 10 machines. This is now become our number 1 help desk calls.

    So this doesn’t happen all the time, we login desktop and share activation working. But if we try over and over we get this happen where on 1 in 25 machines share activation isn’t working. And is not machine specific as we reboot this one machine get back on it and working.

    We are at lost why this is happening randomly, any ideas?

    1. Was Shared Computer Activation enabled when you installed Office? Or are you using a group policy to enable it?

      1. Hi Carl, yes we have the shared computer activation enabled via xml policy when we installed office onto the VDA image; we have uninstalled and registry wiped it and reloaded it a few times as per Microsoft as they keep pointing it as a Citrix issue. We also have the group policy on in GPO.

    2. I too am facing the same issue. What version of Office you are using? Office 2016 ProPlus/ and what license are assigned for each user?

  13. Hello Carl,

    We have an environment with Turn on Enhanced Protected Mode = enabled. We are unable to turn to this off. have you worked with an environment you needed to leave this enabled? Did you have to create an additional policies? once we turn on UPM IE starts to have issues like opening a new tab will cause the browser to crash.

  14. Hi Carl. Love your site. Do you know of a way to hide Network/Libraries/Favorites when using published apps? It appears the documentation you provided only works when delivering full desktops.

  15. Hello Carl, I noticed ShareFile Desktop isn’t available to download in the Citrix downloads page. Only ShareFile Drive Mapper and Sync are available for client downloads. Is ShareFile Desktop end of life? Know the best way to configure ShareFile for XenApp 7.x hosted shared desktops? Using UPM.

      1. Any eta on Citrix Files being ready? Should I even use ShareFile Desktop? Thank you for the information Carl. I appreciate it.

  16. Nice to look at this, great tips. I have also a problem when I try to login in my user account, after giving password it show “Fail ti accept by registry policy”. But my administrator is running.How can I check this?

  17. Hi Carl,
    Thanks for these guides they really are awesome…. BUT ūüôā
    I’m having issues with the start tiles. I have none click start get just the blue screen no tiles. I have created an XML of working start menu and put it in a GPO pointing it to the DC\Netlogon folder to try and force the tiles but nothing. If I pin or unpin something to the start menu I get them back for this session but logoff and back on again and they go until i pin / unpin an item. Do you have any ideas as to what I have done?

    just upgraded from 7.11 to 7.15LTSR using the same GPOs as the 7.11 build.

    Nick James

  18. Environment = Server 2012 R2 and XenApp 7.6.3000 LTSR
    I am having an issue where our EMR system is trying to launch an IE session in order to display a PDF but it throws a File Association dialog asking to Choose between Citrix Server FTA and Internet Explorer. I was given a link to

    but following these directions do not work. Or at least the way we think we followed them did not work. Are those double back slashes legit or are we supposed to know to change them to single or are these instructions totally out of date now? Is there any other way to set the file association for this?

    Thanks for all you do for the Citrix Community.

  19. HI Carl,

    Is there anyway that we can make sure that user gets a specific mouse cursor(black color large) while accessing citrix applications from XA 7.14?

  20. Hi Carl,

    Is there anyway to set Google Chrome as standard browser in Xendesktop 6.5 environment (with/without UPM)? We don’t use any UPM in our environment. and our Xendesktop servers are win2k8.

      1. Thanks Carl. I found it before. I tested Microsoft Solution. It doesn’t work because It is for computer setting and not the User. I need to apply this setting for specific users only.

  21. Hi Carl,

    great article! I have problems to lock down the settings app in Windows Server 2016 for the use with XenApp. Maybe you or someone in the community have a idea for a solution.

    It is still possible to restrict the access to specific control panel items via GPO, but there is no way for doing this with the settings app. The only setting which ca be configured per GPO is “Prohibit access to Control Panel and PC setting”. But this is no solution for my case. The users have to access to some settings.

    With the ADMX-Templates for Windows 10 Release 1703 there is a new option in the computer configuration node: “Settings Page Visibility” (you mentioned this in your post “GPO VDA Computer Setting”). This was the solution I was searching for. So I tried this for my Windows Server 2016 setup. You can see that the key “SettingsPageVisibility” is created under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer”. But this has no effect.

    I also read some posts in Microsoft forums, but there is no final solution. It seams that the MS support doesn’t care about this.


    1. Hi Carl,

      I am having a strange issue with creating MAPI profiles on the fly for XenApp users. I used the Office transform file to install Office 2012 SP1.

      When a new user launches Outlook published app, it fails to connect to Exchange and pops up a message

      Cannot start Microsoft Outlook. Cannot open the Outlook Windows. The set of folders cannot be opened. Your Profile is not configured.

      If I logon as a user on the XenApp server console I also get the same error message. I checked the Mail MAPI profile and it seems to have all the correct entries for connecting to the exchange server but when I check the name it fails.

      If I delete the mapi profile and launch Outlook on the console I can complete the profile creation wizard and successfully logon to Outlook. I have checked everything but just can’t seem to figure out why the profile is not being created automatically. Any ideas!


  22. Hi Carl,

    Another note:
    I don’t know how or when enabling the Windows Authentication helps but for me enabling this leads to the problem that our non-domainadmin testuser has to logon everytime the drive mapper starts. Even in the same session! We have activated SAML via NetScaler for our ShareFile account.


  23. Hi Carl,

    As always well done!
    Regarding Exclusion List for UPM: What is the difference between !ctx_localappdata! and AppData\Local? I’ven noticed Citrix uses both but I haven’t seen any explanation about the difference.


  24. Thanks again Carl for creating and collating this information so thoroughly.
    Why do you set “Allow Office to connect to the Internet”? For non-persistent clients, can the downloaded content be stored on a UNC path shared by all users, or on user redirected folders? Or is the content so tiny that we can happily dump it to the temporary cache?

    1. “Allow Office to connect to the Internet” is one of the settings that older Office used to ask you the first time you run Office. I’m not sure about your other questions.

  25. Great article.

    Question – me and my citrix partner are trying o fix outlook 2016 from popping up with ‘windows search engine is currently disabled etc” and the “Search performance will be impacted because windows search service is turned off”
    We have enabled this GPO:
    User Configuration | Policies | Administrative Templates | Microsoft Outlook 2013 (or 2016) | Outlook Options | Preferences | Search Options
    Prevent installation prompts when Windows Desktop Search component is not present = enabled

    Confirmed its on in the registry and local policy – but the prompts still appear. the above GPO does not work.
    We are XenDesktop 7.6.300 and outlook 2016.

  26. Carl I must say that this is by far the best summary I have seen for customising Citrix / RDS since I did my first deployment in 1999. There are good guides on other sites, but hands down, this page is the best and most complete.

    What an excellent community resource, thank you.

  27. Hello,
    I was wondering how much of this information could be applied to VMWare Horizon 6?
    I have read some of your View 6/7 posts and wondered if this info could apply or is it somewhere for View 6?

  28. Hi Carl, would you happen to know a way to not apply a GPO for the members of the local Admins group? In my case the local admins group on multiple servers are different and we do not want the admins on server A to not have the GPO applied on server B. So in this case I do not see how Deny GPO setting would work. Any ideas?

    1. I don’t think that’s possible. You can exclude AD groups, of course, but I don’t see any way to add local groups. If you add users to an AD group and then add that AD group to local Administrators group, then you can exclude that AD group. But you’d need a different OU, different GPO, and different AD group for each group of servers.

  29. Hi Carl,

    Your site has been an incredible resource to get my new XenApp 7.9 (2012R2 session hosts) with NetScaler 11 environment up and running.

    I did run into one setting that caused some strange behavior. The following GPO caused the active application to have a black border when in focus. For example, notepad turned black instead of gray when selected.

    User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Script Name field, enter runonce.exe. Script Parameters field, enter /AlternateShellStartup

    I did follow your suggestions and added the three recommended computer policies in my VDA computer settings GPO, but still had this problem.

    Just wanted to share in case case anyone else ran into this issue.


    1. I’ve seen problems caused by it. But I’ve also seen problems fixed by it. It depends on what’s in the ActiveSetup and Run registry keys.

  30. Hi Carl
    First thank you I use allot your site guides
    Our organization moving for windows 10
    we use folder redirection for appdata roaming for couple of reasons like IOPs and logon time.
    After windows 10 Migration we noticed that the pinned taskbar icons are not saved after logoff \ reboot.
    When we open the Appdata Roaming UNC path manually, we can see that the Pinned Icons are created successfully.

    We tested different permissions for the folder redirection UNC path ‚Äď With no luck.
    (on windows 7 machine with the exact same policy everything works)

    Have you experienced that issue? Did you manage to solve or find a workaround?

    Thanks you very much.

    1. I’ve also found problems on Windows 10 with taskbar icons disappearing, even without redirection.

      Can you reproduce it without redirection?

      1. Yes. if i manage upm policies from the studio only (not from GPMC). i can reproduce it to works without folder redirection. (UPM 5.4 on XENDESKTOP 7.6.1000)

  31. Hi Carl,

    First off, thank you for tis wonderful blog post. A very nice list to get started.
    I do have a couple of thoughts though:
    Prevent access to drives from My Computer = enabled –> careful with ShareFile, wasn’t able to set the sync folder to %userprofile%\ShareFile due to that setting.
    Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled –> This removes the disconnect button from 2012R2 (don’t know who came up with the idea to put it behind the power button….)
    runonce.exe /AlternateShellStartup –> the disadvantage is that this starts all apps that are in the Run key, meaning that a user will get double Receiver icons etc and possible other strange behavior (you have to put a lot in logoffchecksysmodules I think). An option is to only run it once (GPP in RunOnce or something), so far I’ve opted to set some of the things the alternateshellstartup does with a GPP, but that tends to be a PITA.
    I prefer using the NoDrives registry key as opposed to “Hide these specified drives”, gives you some more flexibility.

    Thanks again.

  32. Any working around the new email alert not appearing and whilst also have the Remove Common program groups from Start? Got a 2012r2 RDS with redirected start and desktop, new email alerts don’t appear because I have enabled this setting? Seems mad to have one or the other?

    1. Found a fix myself after some playing about.

      Redirected Start Menus and Desktop on 2012R2.
      Remove Common program groups from Start Enabled.
      Outlook notifications fail to appear.

      The shortcuts on my Start Menu and Desktop are taken direct from C:\Program Files(x86)\…. From what I’ve found Windows will only display notifcations from programs listed within C:\ProgramData\Microsoft\Windows\Start Menu\Programs. Because we are removing this area and replacing it with our own, Windows does not recognise that any notifications should appear at all. Its not a case of it suppressing the popup, it never see’s it!

      Solution: Replace all shortcuts on desktop and start menu with Outlook shortcut taken from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\….

  33. HI carl,
    We are using XenDesktop 7 and we have applications that need to be run from Windows 7 32bits, when we launch the applications using the Windows 7, we get a full screen showing the Windows 7 welcome Splash screen.
    You can hide the Windows Welcome screen when starting the application?

    Thank Carl.

    Alex form Chile.

  34. Hi Carl,
    About the Disable SharePointFeatures, it should be set to 1 instead of 0:
    BDisableSharePointFeatures (REG_WORD) = 1

    Congrats for your blog. Every single line here is pure gold!

  35. Hi Carl,

    First of all: kudos for your great site!
    Doing exactly what the tagline suggests (and more).
    Thanks a million!

    I’m a bit confused about the Group Policy sections though
    Here you suggest to create
    – Citrix VDA All Users (including admins) and
    – Citrix VDA Non-Admin Users (lockdown).
    Both with disabled Computer Configuration portion.

    However, section “Logon Script GPO Settings” refers to 3 settings under Computer configuration.

    Wouldn’t those be filters (given that the computer configuration portion is disabled).
    Can this section be ommitted?

    Citrix VDA All Users (including admins)
    This GPO is created, but not used/mentioned afterwards.
    Is this deliberate?
    (Adapt to your own situation, e.g. only a subset of the settings applies to All Users?).

    Can I use the receiver.admx template mentioned here:
    instead of icaclient.adm mentioned under:

    1. LOL. I guess I have a few things to fix. Thanks for pointing these out.

      1. For people that read the IE section without reading the other sections, my intent was remind them of the other GPO settings that might prevent the script from working. I just updated the text to clarify which GPO those settings belong in.

      2. There are several references to Citrix All Users. I fixed their names in the text so it matches the GPO name. I keep changing my mind on what to name that GPO.

      3. I must have missed that one. I’ll fix it.

      Let me know if you find any other issues with the content. Thanks.

    2. Regarding the All Users GPO, I use it for application configurations (e.g. Office setting, Internet Explorer settings). Every environment has different applications so usage of that GPO will vary.

  36. Hi Carl,
    first of all, thanks for the great work you are doing with your blog.
    There is something not clear to me about the GPO settings. If you disable the ‘Computer configuration settings’ for the Users GPO, does the ‘Configure User Group Policy loopback processing mode’ setting (stored in the computer settings) still apply in that GPO?


    1. Not if that setting is in the same GPO. I usually put it in a separate Computer Settings GPO. The loopback setting only needs to be enabled once since it is an HKLM registry key.

Leave a Reply

Your email address will not be published. Required fields are marked *