How Can an Administrator Mount an Image to Install a Hot-fix Containing an Updated Security Patch?
Change Log
- 2022 Feb 16 – Hotfix 1 for multi-session VDA – ghost sessions
- 2021 Dec 22 – Workspace app – upgrade to Workspace app 1912 CU6 LTSR
- 2021 Nov 3 – Updated VDA Install for VDA 1912 LTSR Cumulative Update 4
- 2021 Aug 11 – Workspace app – upgrade to Workspace app 1912 CU5 LTSR
- 2021 July 28 – Profile Management 19.12.3000 Hotfix 3 – fix for the security fix
- 2021 July 16 – Profile Management 19.12.3000 Hotfix 2 – fix for the security fix
- 2021 July 13 – Profile Management 19.12.3000 Hotfix 1 – security fix
- 2021 July 6 – Windows Defender – Disable Network protection and configure Citrix's antivirus exclusions (source = Citrix CTX319676 Users sessions are getting disconnected – Connection Interrupted)
- 2021 July 6 – DelayedDesktopSwitchTimeout registry value (source = CTP James Rankin The ultimate guide to Windows logon time optimizations, part #6)
- 2021 May 29 – Apps – added list of special VDI installers
- 2021 May 13 – Updated VDA Install for VDA 1912 LTSR Cumulative Update 3
- 2021 May 10 – Workspace app – upgrade to Workspace app 1912 CU4 LTSR
- 2021 Feb 2 – Print Driver for Mac/Linux clients – added info from CTX283355 Client Printing from Linux/MAC is not working on Windows Server 2022 and 2019
- 2020 Nov 19 – Updated VDA Install for VDA 1912 LTSR Cumulative Update 2
- 2020 Nov 10 – 1912 CU1 Security Updates
- 2020 Oct 15 – Workspace app – upgrade to Workspace app 1912 CU2 LTSR
- 2020 July 15 – Workspace app – upgrade to Workspace app 1912 CU1 LTSR
- 2020 Jun 25 – Antivirus – added link to Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog
- 2020 May 7 – Updated VDA Install for VDA 1912 LTSR Cumulative Update 1
Hardware
Hypervisor Host Hardware
- GO-EUC Moore's law of Windows 10 1903 – Newer versions of Windows 10 have lower density than older versions
- Citrix Blog Post Citrix Scalability — The Rule of 5 and 10: Simply take the number of physical cores in a hypervisor host, multiply it by 5 or 10, and the result will be your Single Server Scalability. Use 5 if you're looking for the number of Virtual Desktop VMs you can host on a box, and use 10 if you're looking for the number of Virtual Apps user sessions you can host on a box.
Virtual Machine Hardware
- Operating system version back up: VDA 1912 LTSR Cumulative Update 4 supports Windows 10 64-bit (1607 and newer), Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.
- Windows 11 is not supported in CVAD 1912, but it is supported in CVAD 2109 and newer.
- For older operating systems (e.g. Windows 7 or Windows Server 2008 R2), install VDA 7.15 with the latest Cumulative Update. VDA 7.15 will work with newer Delivery Controllers (e.g. Delivery Controller 1909 and 1903).
- Microsoft TechNet Blog – Say No to Windows 10 Long Term Servicing Channel (LTSC)
- No Edge
- From Jan 2020, Microsoft Office 365 will not be supported on LTSC
- Non-security operating system fixes and enhancements may not get back-ported to LTSC
- CTX224843 Windows 10 compatibility with Citrix Virtual Desktops (XenDesktop)
- CTX238758 Windows 10 v1903 and v1909 – Citrix Known Issues
- CTX234973 Windows 10 October 2018 Update (v1809) – Citrix Known Issues
- CTX231942 Windows 10 April 2018 Update (v1803) – Citrix Known Issues.
- CTX229052 Windows 10 Fall Creators Update (v1709) – Citrix Known Issues.
- Hypervisor Support – CTX131239 Supported Hypervisors for Virtual Desktops (XenDesktop) and Provisioning Services
- Firewall – the UDP-based EDT protocol is enabled by default. Make sure the UDP ports are open for ICA/HDX:
- UDP 1494
- UDP 2598
- UDP 443 – from Internet to Citrix Gateway.
- UDP 443 can also be used by internal ICA connections if VDA SSL is configured.
- For EDT through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then enable DTLS on the Gateway Virtual Server.
- VDA virtual machine sizing:
- For Windows 10 virtual desktops, give the virtual machine: 2+ vCPU and 4+ GB of RAM
- For Windows 2022 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
- See Daniel Feller Sizing Windows 2016, Windows 2012 And Windows 10 Virtual Machines
- If using RAM caching (MCSIO or PvS), add more RAM for the cache
- Remove the floppy drive
- Remove any serial or LPT ports
- If vSphere:
- To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .vswp file.
- The NIC should be VMXNET3.
- For vGPU, if vSphere 6.7 Update 1 or newer, set vgpu.hotmigrate.enabled Advanced vCenter Server Setting to true. (source = William Lam How to enable vGPU vMotion in vSphere 6.7 Update 1)
- For User Personalization Layer (UPL), Secure Boot is not supported.
- When creating a new VM, on the Customize Hardware page, switch to the tab named VM Options.
- Expand Boot Options and deselect Secure Boot. You can also disable Secure Boot after the machine is created. Or you can switch the Firmware to BIOS instead of EFI, but you can only do that while creating the machine.
- For Citrix App Layering, switch to BIOS instead of UEFI:
- When creating a new VM, on the Customize Hardware page, switch to the tab named VM Options.
- Expand Boot Options and change Firmware to BIOS. Note: you can only do this when creating a VM. Changing an existing VM will prevent it from booting.
- If this VDA will boot from Citrix Provisioning:
- For vSphere, the NIC Adapter Type must be VMXNET3.
- For vSphere, configure the CD/DVD Drive to boot from IDE instead of SATA. SATA won't work with PVS.
- Make sure you remove the SATA Controller after you change the CD/DVD Drive to be IDE.
- Install the latest version of hypervisor drivers (e.g. VMware Tools).
- The vSphere Activity Monitoring Feature with NSX Guest Introspection feature uses a TDI driver (vnetflt.sys), which might cause a "Connection Interrupted" message when users log off of Citrix. See CTX221206 "Connection Interrupted" error message displayed while logging off ICA session.
If vSphere, disable NIC Hotplug
- Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
- To disable this functionality, power off the virtual machine.
- Once powered off, right-click the virtual machine, and click Edit Settings.
- Switch to the tab named VM Options.
- Expand Advanced and then click Edit Configuration.
- Click the button labelled Add Configuration Params.
- For the Name, enter devices.hotplug.
- For the Value, enter false. Then click OK.
- The VM can then be powered on.
Windows Preparation
- Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings in its registry. Run gpupdate on the master after moving the VM to the correct OU. When Clones are created from the Master, the computer-level GPO settings will already be applied, thus eliminating timing problems.
- If Server OS, disable IE Enhanced Security Configuration in Server Manager > Local Server.
- Optionally, go to Action Center (Windows 2012 R2) or Control Panel > Security and Maintenance (Windows 10/2016/2019) to disable User Account Control, and enable SmartScreen.
- In Windows 10 1703 and newer, search the Settings app for Change User Account Control settings.
- SmartScreen is configured in Windows Defender Security Center > App & browser control.
- Run Windows Update. Do not skip this step. Many VDA installation problems are stock-still past simply updating Windows.
- Defer Feature Updates – For Windows 10, since Citrix VDA does not immediately support new Windows 10 versions, configure Windows Update to defer feature updates.
- Add your Citrix Administrators group to the local Administrators group on the VDA (Computer Management).
- The Remote Desktop Services "Prompt for Password" policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security | Always prompt for password upon connection
Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Portica\AutoLogon (DWORD) = 0x1. This registry value only applies to Single-session OS (aka Desktop OS), not Multi-session OS (aka Server OS). (source = comments)
- For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration | Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.
Install Virtual Delivery Agent (VDA) 1912 Cumulative Update 4
Mixed versions – You can upgrade the VDAs before you upgrade the Delivery Controllers, resulting in VDAs being newer than the Delivery Controllers. You can upgrade the Delivery Controllers before you upgrade the VDAs. In other words, you can mix and match VDA and Delivery Controller versions. However, for LTSR compliance/support, upgrade all of them to the same version as soon as you can.
CLI Install:
Command Line Install Options are detailed at Install using the command line at Citrix Docs.
The Citrix Telemetry Service seems to cause problems. You can use the Command Line Installer to exclude Telemetry Service as detailed at VDA upgrade cmdlet at Citrix Discussions.
XenDesktopVDASetup.exe /quiet /noreboot /masterimage /Enable_HDX_PORTS /enable_framehawk_port /Enable_REAL_TIME_TRANSPORT /optimize /controllers "xdc01.corp.local xdc02.corp.local" /Exclude "Citrix Telemetry Service"
CTX234824 Citrix VDA Commandline Helper Tool: a GUI to configure the VDA installation options.
Scripted Upgrade:
To automate the upgrade of VDA software on persistent machines, see David Ott Quickly Updating Persistent MCS VDAs at CUGC for a sample script.
GUI Install:
- Virtual Channel Allow List is enabled by default in VDA 1912 CU4 and newer. This blocks Zoom, Skype, WebEx, etc. See Citrix Docs for more details.
- Mount the downloaded Citrix Virtual Apps and Desktops 7 1912 LTSR CU4 ISO and run AutoSelect.exe.
- Alternatively, you can download the standalone VDA package and run that instead. Go to the main Citrix Virtual Apps and Desktops 7 1912 Cumulative Update 4 download page. Expand the section labelled Components that are on the product ISO but also packaged separately. There is also a VDA installer called Single-session OS Core Services that is designed for Remote PC deployments.
- Click Start next to either Virtual Apps or Virtual Apps and Desktops. The only difference is the product name displayed in the installation wizard.
- On the top right, click Virtual Delivery Agent for Windows Multi-session OS (aka RDSH, aka Server OS), or Windows Single-session OS (aka virtual desktop, aka Desktop OS), depending on which type of VDA you are building.
- In the Environment page, select Create a master MCS Image or Create a master image using Citrix Provisioning, and click Next.
- In the Core Components page, if you don't need Citrix Workspace App (formerly known as Receiver) installed on your VDA, then uncheck the box. Workspace app is usually only needed for double-hop ICA connections (connect to first VDA, and then from there, connect to second VDA). Click Next.
- In the Additional Components page:
- Single-session OS (not Multi-session OS) has a new option for Citrix User Personalization Layer (UPL). This component comes from Citrix App Layering but does not need any of the App Layering infrastructure.
- Do not enable User Personalization Layer if you are also using Citrix App Layering.
- Warning: A Citrix Policy setting activates Citrix User Personalization Layer by setting the UNC path to where the User Personalization Layers should be stored. The Citrix Policy setting should only be deployed to non-persistent machines. If you deploy the Citrix Policy Setting to your Master Image, then your Master Image will be hosed and you must rebuild it from scratch.
- UPL requires Secure Boot to be disabled. You can do that by editing the VM, switching to the VM Options tab, and expanding Boot Options.
- There's an option for Citrix Files for Windows, which installs an agent that can display files from Citrix Content Collaboration (aka ShareFile). See CTX228273 Install and Use Citrix Files for Windows.
- Click Next.
- In the Delivery Controller page, select Do it manually. Enter the FQDN of each Delivery Controller. Click Test connection. And then make sure you click Add. Click Next when done.
- In the Features page, only the top box is checked by default. If you want to use the other features, check the boxes.
- There's an option for MCS IO, which is the driver for MCS Memory Read Caching (aka Storage Optimization). In VDA 1912, the MCS IO driver is now the exact same driver as the driver used in Citrix Provisioning. If you want the MCSIO feature, then VDA 1912 and newer are strongly recommended since they don't have the same performance problems as 1811 and older (including 7.15). If you have fast storage (e.g. All-Flash Array), then you usually don't need the MCS IO feature.
- Then click Next.
- In the Firewall page, click Next.
- In the Summary page, click Install.
- Click Close if you are prompted to restart.
- After the machine reboots twice, login and installation should continue.
- After the reboot, and after logging in again, you might see a Locate 'Citrix Virtual Apps and Desktops 7 LTSR CU4' installation media window. Don't click anything yet.
- Go to the Citrix_Virtual_Apps_and_Desktops_7_1912_4000.iso file and mount it.
- Go back to the Locate 'Citrix Virtual Apps and Desktops 7 LTSR CU4' installation media window.
- On the left, expand This PC, and click the DVD Drive.
- Click Select Folder.
- Installation will continue automatically.
- Repeat these instructions every time you're prompted to restart.
- Note: NT SERVICE\CitrixTelemetryService needs permission to login as a service.
- In the Diagnostics page, you can optionally check the box next to Collect diagnostic data, click Connect, enter your Citrix account credentials, and then click Next.
- In the Finish page, click Finish to restart the machine again.
- From CTX225819 When Launching an Application Published from Windows Server 2016, a Black Screen Appears for Several Seconds Before Application is Visible
- HKLM\SOFTWARE\Citrix\Citrix Virtual Desktop Agent\DisableLogonUISuppression (DWORD) should be set to 0.
Multi-session VDA 1912 CU4 Hotfix 1
This hotfix is only for Multi-session VDAs (aka RDSH).
- Go to C:\Program Files\Citrix\HDX\bin and rename the file StatUi.dll to a different file name.
- Extract the downloaded hotfix and copy the StatUI.dll file.
- Go back to C:\Program Files\Citrix\HDX\bin and paste the file.
- Restart the VDA.
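The same rename-and-replace steps as a script that checks the hotfix DLL before deploying it; this is an added example, not code from the article or from Citrix. It assumes the hotfix was extracted to the hypothetical path in `$HotfixDll` and that the DLL carries an Authenticode signature.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the StatUI.dll hotfix steps above.
param(
    [string]$HotfixDll = 'C:\Temp\VDA1912CU4-Hotfix1\StatUI.dll',  # assumed extraction path
    [string]$BinDir    = 'C:\Program Files\Citrix\HDX\bin'         # path given in the article
)
$ErrorActionPreference = 'Stop'
$target = Join-Path $BinDir 'StatUI.dll'

# 1. Only deploy a DLL whose Authenticode signature validates on this machine.
$sig = Get-AuthenticodeSignature -FilePath $HotfixDll
if ($sig.Status -ne 'Valid') {
    throw "Signature status '$($sig.Status)' on $HotfixDll; not deploying."
}
Write-Output "Signer : $($sig.SignerCertificate.Subject)"

# 2. Record what is being replaced so the change can be audited later.
$before = Get-Item -Path $target
$beforeHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Write-Output "Current: version $($before.VersionInfo.FileVersion), SHA256 $beforeHash"

# 3. Rename the existing file (this keeps a rollback copy), then copy the hotfix in.
$backupName = 'StatUI.dll.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date)
Rename-Item -Path $target -NewName $backupName
try {
    Copy-Item -Path $HotfixDll -Destination $target
    # 4. Confirm the deployed file is byte-identical to the verified hotfix file.
    $srcHash = (Get-FileHash -Path $HotfixDll -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw 'Hash mismatch after copy.' }
}
catch {
    # Roll back to the original DLL if the copy or the verification failed.
    if (Test-Path -Path $target) { Remove-Item -Path $target -Force }
    Rename-Item -Path (Join-Path $BinDir $backupName) -NewName 'StatUI.dll'
    throw
}

$after = Get-Item -Path $target
Write-Output "New    : version $($after.VersionInfo.FileVersion), SHA256 $dstHash"
Write-Output "Backup kept as $backupName. Restart the VDA to load the new DLL."
```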
Profile Management 1912 CU3 Hotfix 3 – Security Fix
This update fixes a local privilege escalation as detailed at CTX319750 Citrix Virtual Apps and Desktops Security Update.
This hotfix is probably included with VDA Cumulative Update 4 (CU4) and doesn't need to be updated separately. For VDA CU3, install this hotfix.
Hotfix 3 fixes Outlook problems and Director problems caused by Hotfix 1 and Hotfix 2.
- Download Hotfix ProfilemgtWX64_1912_3003 and extract it.
- From the ProfilemgtWX64_1912_3003 folder, run profilemgt_x64.msi.
- In the Welcome to the Citrix Profile management Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Destination Folder page, click Next.
- In the Ready to install Citrix Profile management page, click Install.
- Click OK if prompted to update existing files.
- In the Completed the Citrix Profile management Setup Wizard page, click Finish.
- Click Yes when asked to restart now.
Also update the UPM VDA Plugin.
- Download Hotfix UPMVDAPluginWX64_1912_3001 and extract it.
- From the UPMVDAPluginWX64_1912_3001 folder, run UpmVDAPlugin_x64.msi.
- In the Welcome to the UpmVDAPlugin Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Destination Folder page, click Next.
- In the Ready to install UpmVDAPlugin page, click Install.
- Click OK if you see Files in Use.
- Click OK to update existing files.
- In the Completed the UpmVDAPlugin Setup Wizard page, click Finish.
Microsoft FSLogix
If you need to roam the user's Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configure Microsoft FSLogix. FSLogix has more Office roaming features than Citrix Profile Management. A common architecture is to enable FSLogix Office Container for the Office cache files and use Citrix Profile Management for all other roaming profile files and registry keys.
Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.
Do the following to install Microsoft FSLogix on the VDA machine:
- Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
- Extract the downloaded .zip file.
- In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
- Check the box next to I agree to the license terms and conditions and click Install.
- In the Setup Successful page, click Restart.
- Make sure the Windows Search service is set to Automatic and Running.
- If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.
FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.
Citrix Desktop Service
To prevent Citrix Desktop Service (BrokerAgent) from starting and registering with the Delivery Controllers before the boot process is complete, see Jeremy Saunders Controlling the Starting of the Citrix Desktop Service (BrokerAgent).
Customer Experience Improvement Program (CEIP)
Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD), and set it to 0 (zero). Also see CEIP at Citrix Insight Services at Citrix Docs.
See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
Connection Quality Indicator
The Connection Quality Indicator tells the user the quality of the connection. Position of the indicator is configurable by the user. Thresholds are configurable through group policy.
Download it from CTX220774 Connection Quality Indicator and install it. The article is very detailed.
Group Policy templates are located at C:\Program Files (x86)\Citrix\Connection Quality Indicator\Configuration. Copy the files and folder to <Sysvol>\Policies\PolicyDefinitions, or C:\Windows\PolicyDefinitions.
Find the Group Policy settings under Computer Config | Policies | Administrative Templates | Citrix Components | Virtual Desktop Agent | CQI
Version 1.2 adds the GPO settings to the user half of a GPO, which lets you disable CQI for some users and enable it for others.
Notification display settings lets you customize the user notifications, or disable them.
Connection Threshold Settings lets you set the notification thresholds.
Adaptive Transport
Adaptive Transport is an HDX/ICA protocol feature that tries to use UDP ports (EDT protocol) if they are open, and falls back to TCP ICA if the UDP connection is not successful. On higher latency connections, EDT (UDP) tends to perform better than traditional TCP ICA.
The Citrix Policy setting HDX Adaptive Transport defaults to Preferred, which means Adaptive Transport is enabled by default.
The newer Citrix EDT protocol uses UDP Ports 1494/2598 for HDX connections to the VDA. The UDP ports should already be open in the VDA's Windows Firewall. In other words, HDX/ICA uses both TCP and UDP ports.
For EDT (and Adaptive Transport) through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then make sure DTLS is enabled on the Gateway Virtual Server. DTLS is the UDP version of SSL/TLS.
Slow Logons
Citrix Discussions Xenapp 7.9: Wait for local session manager: "I have a Xenapp 7.9 environment on Windows 2012 R2. When logging in through Citrix I got message "Wait for local session manager" for 20-30 seconds. When logging in to the server with RDS, I do not have to wait for this."
"Add the following two registry keys to your VDA server – then try connecting to it using ICA to see if the issue still occurs:
Add reg keys in "HKLM\SOFTWARE\Citrix\GroupPolicy"
Dword: "CacheGpoExpireInHours" – Value = 5-24 (# of Hours) ***start with value of 5***
Dword: "GpoCacheEnabled" – Value = 1
Restart the machine after adding these registry keys and attempt an ICA connection (at least twice) to see if that helps the Login delay."
Marvin Neys at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says that deleting HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC at logoff reduces logon times from 40 seconds to 6 seconds.
Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
For additional logon delay troubleshooting, see Alexander Ollischer XenApp/XenDesktop – "Please Wait For Local Session Manager" message when logging into RDS. He found some Windows Updates that caused a logon delay.
VDA recalculates WMI filters on every reconnect. CTX212610 Session Reconnect 30 sec Delay – DisableGPCalculation – WMI Filters indicates that recalculation can be disabled by setting HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Reconnect\DisableGPCalculation (DWORD) to 1. Note: this registry value might stop Citrix Policies from being re-evaluated when users reconnect (source = Citrix Discussions).
Controller Registration Port
Some environments will not accept the default port 80 for Virtual Delivery Agent registration even though registration is authenticated and encrypted on port 80. To change the port, do the following on the Virtual Delivery Agent:
- Open Programs and Features. If Windows 10 1703 or newer, or Windows Server 2019, then open Apps and Features.
- Find Citrix Virtual Apps and Desktops 7 1912 LTSR CU4 – Virtual Delivery Agent, and click Change or Modify (Windows 10 1703 and newer, or Windows Server 2019).
- Click Customize Virtual Delivery Agent Settings.
- Edit the Delivery Controllers, and click Next.
- On the Protocol and Port page, change the port number, and click Next.
- In the Summary page, click Reconfigure.
- If you see a Diagnostics page, you can optionally click Connect. Then click Next.
- In the Finish Reconfiguration page, click Finish.
- Restart the VDA machine.
- You must also change the VDA registration port on the Delivery Controllers by running "C:\Program Files\Citrix\Broker\Service\BrokerService.exe" -VDAPort
- For Local Host Cache, on the Delivery Controller, run "C:\Program Files\Citrix\Broker\Service\HighAvailabilityService.exe" -VdaPort <CORRECT PORT #>. (Source = CTX229493 VDAs Do Not Register in LHC Mode When Registration Port is Not Set To Default)
Verify that VDA registered with a Controller
- If you restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service…
- In Windows Logs > Application log, you should see an event 1012 from Citrix Desktop Service saying that it successfully registered with a controller.
- If you don't see successful registration, then you'll need to fix the ListOfDDCs registry key.
- See VDA registration with Controllers at Citrix Docs.
- See The Most Common VDA Registration Issues & Troubleshooting Steps at Citrix Blogs.
- You can also run Citrix's Health Assistant on the VDA.
- See CTX220772 Technical Primer: VDA Registration for a very detailed explanation of the VDA Registration process.
Citrix Workspace app 2109 or Workspace app 1912 LTSR CU6
If you want to run Workspace app on the VDA machine, then upgrade it to Workspace app 1912 LTSR Cumulative Update 5 or Workspace app 2109 (Current Release).
- Workspace app 1912 LTSR does not support Browser Content Redirection (BCR). Workspace app 2105 does support Browser Content Redirection (BCR).
Download and install Workspace app:
- Download Workspace app 2112.1 (Current Release) or Workspace app 1912 LTSR Cumulative Update 6.
- On the VDA, as administrator, run the downloaded CitrixWorkspaceApp.exe.
- In the Welcome to Citrix Workspace page, click Start.
- In the License Agreement page, check the box next to I accept the license agreement, and click Next.
- In the Enable Single Sign-on page, check the box next to Enable single sign-on, and click Install.
- In the Installation successful page, click Finish.
- Click Yes when asked to restart now.
Citrix File Access 2.0.4 for Workspace app for Chrome
- If you support Workspace app for Chrome (Chromebook) and want published applications to open files on Google Drive, install Citrix File Access on the VDAs. Get it from the Citrix File Access for Chrome.
- Go to the extracted Citrix_File_Access_2.0.4, and run FileAccess.msi.
- In the Please read the File Access License Agreement page, check the box next to I accept the terms, and click Install.
- In the Completed the File Access Setup Wizard page, click Finish.
- File Access is listed in Apps & Features or Programs and Features as version 2.0.4.34.
- File Access has a default list of supported file extensions. The list can be expanded by editing the registry on the VDA. See CTX219983 Receiver for Chrome Error: Invalid command line arguments: Unable to open the file as it has an unsupported extension.
- To open a file from Google Drive, right-click and open the file using Citrix Workspace app.
Remote Desktop Licensing Configuration
On 2012 R2 and newer RDSH, the only way to configure Remote Desktop Licensing is using group policy (local or domain). This process is not needed on virtual desktops.
- For local group policy, run gpedit.msc. Alternatively, you can configure this in a domain GPO.
- Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
- Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the RDS Licensing Servers (typically installed on Delivery Controllers). Click OK.
- Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
- Optionally, you can install the Remote Desktop Licensing Diagnoser Tool. In the Server Manager > Add Roles and Features Wizard, on the Features page, expand Remote Server Administration Tools, expand Role Administration Tools, expand Remote Desktop Services Tools, and select Remote Desktop Licensing Diagnoser Tool. Then Finish the wizard.
- If it won't install from Server Manager, you can install it from PowerShell by running Install-WindowsFeature rsat-rds-licensing-diagnosis-ui.
- In Server Manager, open the Tools menu, expand Remote Desktop Services (or Terminal Services), and click Remote Desktop Licensing Diagnoser.
- The Diagnoser should find the license server, and indicate the licensing mode. If you're configured for Per User licenses, then it's OK if there are no licenses installed on the Remote Desktop License Server.
Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod, only leaving the default. You must take ownership and give admin users full control to be able to delete this value.
C: Drive Permissions
This section is more important for shared VDAs like RDSH (Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019).
The default permissions allow users to store files on the C: drive in places other than their profile.
- Open the Properties dialog box for C:.
- On the Security tab, click Advanced.
- If UAC is enabled, clickChange permissions.
- Highlight the line containing Users and Create Folders, and clickRemove.
- Highlight the line containing Users and Create files (orSpecial), and click Remove. Click OK.
- Click Yes to confirm the permissions modify.
- If you see whatsoever of these Error Applying Security windows, click Continue. This window should appear multiple times.
- Click OK to shut the C: bulldoze backdrop.
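To confirm the result of the steps above, the following PowerShell check lists any Allow entries left on C:\ that still let the Users group create files or folders. It is an added example, not part of the original article; the function name is hypothetical, and it matches the Users group by its well-known SID (S-1-5-32-545) so that localized group names still match.

```powershell
# Added example, not from the original article.
# Lists Allow entries on a drive root that still let the local Users group
# create files or folders after the permission change described above.

function Get-UsersCreateAce {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\',
        # Well-known SID of BUILTIN\Users; avoids depending on a localized name.
        [string]$Sid  = 'S-1-5-32-545'
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    $createFiles   = [int]$fsr::CreateFiles        # "Create files / write data"
    $createFolders = [int]$fsr::CreateDirectories  # "Create folders / append data"

    # Inherit-only entries are often stored as generic rights, which Get-Acl
    # displays as a bare number. GENERIC_WRITE and GENERIC_ALL both imply
    # the two create rights.
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of translated account names.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne
            [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($ace.IdentityReference.Value -ne $Sid) { continue }

        $mask    = [int]$ace.FileSystemRights
        $generic = (($mask -band $genericWrite) -ne 0) -or
                   (($mask -band $genericAll) -ne 0)
        $files   = $generic -or (($mask -band $createFiles) -ne 0)
        $folders = $generic -or (($mask -band $createFolders) -ne 0)
        if (-not ($files -or $folders)) { continue }

        [pscustomobject]@{
            Path          = $Path
            Sid           = $ace.IdentityReference.Value
            Rights        = $ace.FileSystemRights
            CreateFiles   = $files
            CreateFolders = $folders
            Inheritance   = $ace.InheritanceFlags   # which children inherit it
            Propagation   = $ace.PropagationFlags   # InheritOnly = not this folder
            Inherited     = $ace.IsInherited
        }
    }
}

$remaining = @(Get-UsersCreateAce -Path 'C:\')
if ($remaining.Count -eq 0) {
    'OK: no Allow entry lets Users create files or folders at the root of C:'
} else {
    $remaining | Format-Table -AutoSize
}
```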
Pagefile
If this image will be converted to a Citrix Provisioning vDisk, then you must ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB, and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).
- Open System.
- In Windows Server 2012 R2 and Windows Server 2016, you can right-click the Start button, and click System.
- In Windows 10 1703 or newer (or Windows Server 2019), search the Start Menu for advanced system settings.
- Another option is to open File Explorer, right-click This PC, and click Properties. This works in Windows 10 1703 and newer.
- Click Advanced system settings.
- On the Advanced tab, click the top Settings button.
- On the Advanced tab, click Change.
- Uncheck the box next to Automatically manage paging file size for all drives. Then either turn off the pagefile, or set the pagefile to be smaller than the cache disk. Don't leave it set to System managed size. Click OK several times.
Direct Access Users
When Citrix Virtual Delivery Agent (VDA) is installed on a machine, non-administrators can no longer RDP to the machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your non-administrator RDP users to this local group so they can RDP directly to the machine.
From CTX228128 What is the HKLM\Software\Citrix\PortICA\DirectAccessUsers registry function: The HKLM\Software\Citrix\PortICA\DirectAccessUsers registry key determines which Local group the VDA references to determine if a user should be allowed Unbrokered RDP access. Members of the Local Administrators group will always be granted access. If the Registry Key does not exist, or gets deleted, VDA will always allow the Unbrokered RDP Connection. The Registry key and local group are created as part of the VDA installation process.
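Because a missing DirectAccessUsers entry means unbrokered RDP is no longer restricted, it is worth checking on every image. The following is an added example, not part of the original article: the function name is hypothetical, and since the page does not say whether DirectAccessUsers is stored as a subkey or as a value under PortICA, the check accepts either (an assumption).

```powershell
# Added example, not from the original article.
# Reports whether the DirectAccessUsers registry entry is present and who is
# in the local "Direct Access Users" group that gates unbrokered RDP.

function Test-DirectAccessGate {
    [CmdletBinding()]
    param(
        [string]$PortIcaKey = 'HKLM:\SOFTWARE\Citrix\PortICA',
        [string]$EntryName  = 'DirectAccessUsers',
        [string]$GroupName  = 'Direct Access Users'
    )

    # Assumption: accept the entry either as a subkey or as a named value.
    $asSubKey = Test-Path -LiteralPath (Join-Path $PortIcaKey $EntryName)
    $asValue  = $false
    if (Test-Path -LiteralPath $PortIcaKey) {
        $asValue = (Get-Item -LiteralPath $PortIcaKey).GetValueNames() -contains $EntryName
    }

    $group   = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    $members = @()
    if ($group) {
        try {
            $members = @(Get-LocalGroupMember -Name $GroupName -ErrorAction Stop |
                         Select-Object -ExpandProperty Name)
        } catch {
            # Get-LocalGroupMember can fail on orphaned SIDs; report it as-is.
            $members = @("<could not enumerate: $($_.Exception.Message)>")
        }
    }

    $entryPresent = $asSubKey -or $asValue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RegistryEntry     = Join-Path $PortIcaKey $EntryName
        EntryPresent      = $entryPresent
        GroupExists       = [bool]$group
        GroupMembers      = $members
        # Per the page: without the registry entry the VDA always allows
        # the unbrokered RDP connection.
        RdpRestrictedByVda = $entryPresent
    }
}

$result = Test-DirectAccessGate
$result | Format-List
if (-not $result.RdpRestrictedByVda) {
    Write-Warning 'DirectAccessUsers entry is missing: the VDA will not restrict unbrokered RDP.'
}
```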
Windows Profiles v3/v4/v5/v6
Roaming Profiles are compatible only between the following client and server operating system pairs. The profile version is also listed.
- v6 = Windows 10 (1607 through 1903), Windows Server 2016, and Windows Server 2019
- v5 = Windows 10 (1511 and older)
- v4 = Windows 8.1 and Windows Server 2012 R2
- v3 = Windows 8 and Windows Server 2012
- v2 = Windows 7 and Windows Server 2008 R2
- v2 = Windows Vista and Windows Server 2008
For Windows 2012 R2, install Microsoft hotfix 2890783, and set the UseProfilePathExtensionVersion registry value to 1.
CTX230343 Reset Profile Options Is Greyed Out In Citrix Director states that the UseProfilePathExtensionVersion registry value is required on Windows 2012 R2 to enable Director users to reset profiles.
Registry
EDT MTU Discovery
EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:
- Citrix Workspace app 1911 for Windows or newer
- Citrix ADC 13.0.52.24 or newer
- Citrix ADC 12.1.56.22 or newer
Set the following registry value on the VDA:
- Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd
  - Value (DWORD) = MtuDiscovery = 1
Faster Login
From CTP James Rankin The ultimate guide to Windows logon time optimizations, part #6: DelayedDesktopSwitchTimeout tells the logon process to wait for a shorter time before switching from session 0 to the actual session in use.
- Key = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value (DWORD) = DelayedDesktopSwitchTimeout = 1
Black Screen when launching Published Apps on Windows Server 2016
From CTX225819 When Launching an Application Published from Windows Server 2016, a Black Screen Appears for Several Seconds Before Application is Visible: Citrix and Microsoft have worked together to deliver code fixes for both Windows Server 2016 and Citrix Virtual Apps. Microsoft is targeting their KB4034661 patch for the third week of August 2017. This fix requires a registry edit to enable.
- Key = HKLM\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
  - Value (DWORD) = DisableLogonUISuppression = 0
Published Explorer
From Citrix CTX128009 Explorer.exe Fails to Launch: When publishing the seamless explorer.exe application, the session initially begins to connect as expected. After the loading, the dialog box disappears, and the Explorer application fails to appear. On the VDA, use the following registry change to set the length of time a client session waits before disconnecting the session:
- Key = HKLM\System\CurrentControlSet\Control\Citrix\wfshell\TWI
  - Value (DWORD) = LogoffCheckerStartupDelayInSeconds = 10 (Hexadecimal)
Screen Saver
From Citrix CTX205214 Screensaver Not Working in XenDesktop: By default, Screen Saver doesn't work on Desktop OS. To enable it, on the VDA, configure the following registry value:
- Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Graphics
  - Value (DWORD) = SetDisplayRequiredMode = 0
Smart Cards
From CTX231942 Windows 10 April 2018 Update (v1803) – Citrix Known Issues – Smart Card Service (SCardSvr) will run only if a Smart Card reader is connected. As ICA sessions redirect the Smart Card, it finds the service not to be running and fails.
- Key = HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Cryptography\Calais
  - Value (DWORD) = AllowServiceAccessWithNoReaders = 1
Logon Disclaimer Window Size
From XenApp 7.8 – Session Launch Security/Warning Login Banner at Citrix Discussions: If your logon disclaimer window has scroll bars, set the following registry values:
- Key = HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook
  - Value (DWORD) = LogonUIWidth = 300
  - Value (DWORD) = LogonUIHeight = 200
Login Timeout
From Citrix CTX203760 VDI Session Launches Then Disappears: VDA, by default, only allows 180 seconds to complete a logon operation. The timeout can be increased by setting the following:
- Key = HKLM\SOFTWARE\Citrix\PortICA
  - Value (DWORD) = AutoLogonTimeout = decimal 240 or higher (up to 3599).
Also see Citrix Discussions Machines in "Registered" State, but VM closes after "Welcome" screen.
From Citrix CTX138404 Application Connection Starts but Disappears after Timeout: after loading the application, the dialog box disappears and the application fails to appear.
- Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
  - Value (DWORD) = ApplicationLaunchWaitTimeoutMS = decimal 60000
Workspace app for HTML5/Chrome Enhanced Clipboard
From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, create a REG_SZ registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name="HTML Format". Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.
Workspace app for HTML5/Chrome Upload Folder
The Workspace app for HTML5 (or Chrome) lets users upload files.
By default, the user is prompted to select an upload location. If you use the Upload feature multiple times, the last selected folder is not remembered.
Citrix CTX217351 How to Customize File Upload and Download Using Receiver for HTML5 and Receiver for Chrome. You can specify a default uploads location by editing HKLM\Software\Citrix\FileTransfer\UploadFolderLocation on the VDA. Environment variables are supported. When this value is configured, users are no longer prompted to select an upload location. The change takes effect at next logon.
Note: HTML5/Chrome Workspace app also adds a Save to My Device location to facilitate downloads.
4K Monitors
From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to 7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:
- Calculate the video memory that is required for monitors using the following formula:
SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the monitor. Note: There is no hard and fast rule that will work for all cases.
Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then SumOfAllMons will be (1920*1200 + 1366*768)
- CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is determined.
- Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
- Increase the value of "MaxVideoMemoryBytes" REG_DWORD value to the above calculated memory.
- Reboot the VDA.
Citrix Policies also control graphics performance.
COM Port Threads
CTX212090 COM Port Intermittently Inaccessible During ICA Sessions: increase the default value of "MaxThreads" under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picaser\Parameters from 20 to a value greater than the number of COM port connections you want to support. For example, if a VDA server supports 100 sessions and each session opens two COM ports, the value of "MaxThreads" should be greater than 200.
NVIDIA vGPU Grid License
Allow NVIDIA vGPU Grid License to apply after the session is started. (Source = Jan Hendrik Meier NVIDIA GRID license not applied before the user connects – License Restriction will not be removed until the user reconnects)
- Key = HKLM\SOFTWARE\NVIDIA Corporation\Global\GridLicensing
  - Value (DWORD) = IgnoreSP = 1
Legacy Client Drive Mapping
Citrix CTX127968 How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive mapping.
The old drive letter method can be enabled by setting the registry value:
- Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
  - Value (DWORD) = UNCEnabled = 0
When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).
Print Driver for Mac/Linux Clients
From CTX140208 Client printing from Mac and Linux clients on Windows 10, Server 2012 R2, and Server 2016. By default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.
- Download the HP Color LaserJet 2800 Series PS driver directly from Microsoft Catalog as detailed at CTX283355 Client Printing from Linux/MAC is not working on Windows Server 2022 and 2019. The Catalog is at https://www.catalog.update.microsoft.com/. Then search for hp color laserjet 2800. Pick the 6.1.7600.16385 driver version 💡
- Extract the .cab file using 7-zip or similar.
- In Windows 10 1803+, open Printers & scanners. On the right (or scroll down) is a link to Print Server Properties.
- In older versions of Windows, you can get to Print server properties from Devices and Printers.
- In Windows prior to Windows 10 1703, click Start, and run Devices and Printers.
- In Windows 10 1703, open Printers & scanners, then scroll down, and click Devices and printers.
- In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar, click Print server properties.
- Switch to the Drivers tab and click Change Driver Settings.
- Then click Add.
- In the Welcome to the Add Printer Driver Wizard page, click Next.
- In the Processor Selection page, click Next.
- In the Printer Driver Selection page, click Have Disk and browse to the .inf that you extracted from the .cab file.
- Select HP Color LaserJet 2800 Series PS and click Next.
- In the Completing the Add Printer Driver Wizard page, click Finish.
SSL for VDA
If you intend to use HTML5 Workspace app internally, install certificates on the VDAs so the WebSockets (and ICA) connection will be encrypted. Internal HTML5 Workspace app will not accept clear text WebSockets. External users don't have this problem since they are SSL-proxied through Citrix Gateway.
Notes:
- Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you'll need some automatic means for creating machine certificates every time they reboot.
- As detailed in the following procedure, use PowerShell on the Delivery Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.
The following instructions for manually enabling SSL on VDA can be found at Configure TLS on a VDA using the PowerShell script at Citrix Docs.
- On the VDA machine, run certlm.msc.
- Right-click Personal, expand All Tasks, and click Request New Certificate to request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template.
- You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
- Browse to the Citrix Virtual Apps and Desktops ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script, and click Copy as path.
- Run PowerShell as administrator (elevated).
- Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.
- In the PowerShell prompt, type in an ampersand (&), and a space.
- Right-click the PowerShell prompt to paste in the path copied earlier.
- At the end of the path, type in -Enable
- If there's only one certificate on this machine, press Enter.
- If there are multiple certificates, then you'll need to specify the thumbprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab. In the PowerShell prompt, at the end of the command, enter -CertificateThumbPrint, add a space, and type quotes ("). Right-click the PowerShell prompt to paste the thumbprint. Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
- There are additional switches to specify minimum SSL Version and Cipher Suites. Also see Citrix CTX226049 Disabling Triple DES on the VDA breaks the VDA SSL connection.
- Press <Enter> to run the Enable-VdaSSL.ps1 script.
- Press <Y> twice to configure the ACLs and Firewall.
- You might have to reboot before the settings take effect.
- Login to a Controller, and run PowerShell as Administrator (elevated).
- Run the command asnp Citrix.*
- Enter the command:
Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
where <delivery-group-name> is the name of the Delivery Group containing the VDAs.
- You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
- Also run the following command to enable DNS resolution.
Set-BrokerSite -DnsResolutionEnabled $true
- Since the UDP-based EDT protocol is enabled by default, open port UDP 443 to the VDAs.
You should now be able to connect to the VDA using the HTML5 Workspace app from internal machines.
The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled.
- From Russ Hargrove at A note on VDA certificates in 7.14 at Citrix Discussions: Citrix installs a new "Citrix XenApp/XenDesktop HDX Service" certificate in the Personal store which breaks the automation of the Enable-VdaSSL.ps1 script. To fix the problem, modify the job scheduler powershell script to:
Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (Get-ChildItem -path cert:\LocalMachine\My | Where-Object -FilterScript {$_.Subject -eq ""} | Select-Object -ExpandProperty Thumbprint) -Confirm:$False
- For certificate auto-enrollment on non-persistent Remote Desktop Session Hosts (aka Multi-session OS, aka Server OS VDAs), see Non-Persistent Server SSL to VDA by Alfredo Magallon Arbizu at CUGC.
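Both the manual thumbprint step and the scheduled-task automation above depend on picking the right certificate out of the Personal store. The following is an added example, not from the original article or from Citrix: a hypothetical helper that selects the machine certificate by name, private key, validity and Server Authentication usage, so unrelated certificates in the store (such as the HDX Service certificate mentioned above) are skipped. The path to Enable-VdaSSL.ps1 is a placeholder.

```powershell
# Added example, not from the original article or from Citrix.
# Picks the machine certificate to pass to Enable-VdaSSL.ps1.

function Get-VdaTlsCertificate {
    [CmdletBinding()]
    param(
        # Name the certificate must carry; defaults to this machine's FQDN.
        [string]$HostName,
        # Skip certificates that expire within this many days.
        [int]$MinDaysValid = 7
    )

    if (-not $HostName) {
        $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
        $HostName = if ($ip.DomainName) { '{0}.{1}' -f $ip.HostName, $ip.DomainName }
                    else { $ip.HostName }
    }

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now    = Get-Date
    $cutoff = $now.AddDays($MinDaysValid)

    $candidates = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # The VDA needs the private key to terminate TLS.
        if (-not $cert.HasPrivateKey) { continue }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $cutoff) { continue }

        # DnsNameList covers the subject CN and the SAN DNS names, so
        # certificates with an empty Subject but a SAN entry still match.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names -notcontains $HostName) { continue }

        # If an EKU extension is present it must include Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $serverAuthOid) { continue }
        }
        $cert
    }

    # Prefer the certificate that stays valid longest.
    $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

$cert = Get-VdaTlsCertificate
if (-not $cert) {
    Write-Warning 'No usable machine certificate found in Cert:\LocalMachine\My.'
} else {
    # Thumbprints read from the store contain no spaces, unlike text copied
    # from the certificate Details tab.
    $scriptPath = '<ISO>\Support\Tools\SslSupport\Enable-VdaSSL.ps1'   # placeholder
    "& '$scriptPath' -Enable -CertificateThumbPrint '$($cert.Thumbprint)' -Confirm:`$False"
}
```

The block only prints the command line so the selection can be reviewed before anything is changed. If the machine-wide execution policy should stay as it is, Set-ExecutionPolicy accepts -Scope Process, which limits the change to the current PowerShell session.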
Anonymous Accounts
If you intend to publish apps anonymously then follow this section.
- Anonymous accounts are created locally on the VDAs. When VDA creates Anon accounts, it gives them an idle time as specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
- Pre-create the Anon accounts on the VDA by running "C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe". If you don't run this tool, then anonymous users can't login.
- You can see the local Anon accounts by opening Computer Management, expanding System Tools, expanding Local Users and Groups and clicking Users.
- If you want profiles for anonymous users to delete at logoff, then you'll need to add the local Anon users to the local Guests group.
- If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.
Group Policy for Anonymous Users
Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you'll need to edit the local group policy on each Virtual Delivery Agent.
- On the Virtual Delivery Agent, run mmc.exe.
- Open the File menu, and click Add/Remove Snap-in.
- Highlight Group Policy Object Editor, and click Add to move it to the right.
- In the Welcome to the Group Policy Wizard page, click Browse.
- On the Users tab, select Non-Administrators.
- Click Finish.
- Now you can configure group policy to lock down sessions for anonymous users. Since this is a local group policy, you'll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.
Antivirus
Install antivirus using your normal procedure. Instructions vary for each Antivirus product.
Microsoft's virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.
Citrix's Recommended Antivirus Exclusions
Citrix Tech Zone Endpoint Security and Antivirus Best Practices: provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments.
Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:
- Set real-time scanning to scan local drives only and not network drives
- Disable scan on boot
- Remove any unnecessary antivirus related entries from the Run key
- Exclude the pagefile(s) from being scanned
- Exclude Windows event logs from being scanned
- Exclude IIS log files from being scanned
See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Citrix Provisioning. The Blog Post also has links to additional KB articles on antivirus.
Symantec
Symantec links:
- Symantec TECH91070 Citrix and terminal server best practices for Endpoint Protection.
- Symantec TECH197344 Virtualization best practices for Endpoint Protection 12.1.x and SEP 14.x
- Symantec TECH180229 Endpoint Protection – Non-persistent Virtualization Best Practices
- Symantec TECH123419 How to prepare Symantec Endpoint Protection clients on virtual disks for use with Citrix Provisioning Server has a script that automates changing the MAC address registered with Symantec.
- Citrix Blog Post How to prepare a Citrix Provisioning Services Target Device for Symantec Endpoint Protection
- If profiles are deleted on logoff, set Symantec registry value CloseUserLogFile to 1. Symantec TECH210170 Citrix user sessions are held open by ccSvcHst.exe during log off
Trend Micro
Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE until the system has launched successfully. This avoids deadlock situations during login.
Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in problems with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.
Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters] "DisableCtProcCheck"=dword:00000001
Trend Micro Links:
- Trend Micro Docs – Trend Micro Virtual Desktop Support
- Trend Micro Docs – VDI Pre-Scan Template Generation Tool
- Trend Micro 1056314 – Configuring the OfficeScan (OSCE) Virtual Desktop Infrastructure (VDI) client/agent
- Trend Micro 1055260 – Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan
- Trend Micro 1056376 – Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan
- Trend Micro 1056376 – Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan
Sophos
CTX238012 Logon process to VDAs is extremely slow when Citrix UPM is enabled. Set the following registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application
- DisableAsyncScans (DWORD) = 1
Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we've amassed the following practical information about how you can optimize our software to work with this technology.
Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon
Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make certain that the produced target/cloned computers:
- Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
- Have the desired version of Sophos Anti-Virus already installed and configured on the created image.
Palo Alto Traps
- Install Traps Agent for Windows:
- Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
- Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.
Windows Defender Antivirus
Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog
Disable Network protection and configure Citrix's antivirus exclusions (source = Citrix CTX319676 Users sessions are getting disconnected – Connection Interrupted)
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs
Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP
Cylance
CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.
Optimize Performance
VDA Optimizer
Installation of the VDA might have already done this, but there's no harm in doing it again. This tool is only available if you installed VDA in Master Image mode.
- On the master VDA, go to C:\Program Files\Citrix\PvsVm\TargetOSOptimizer, and run TargetOSOptimizer.exe.
- Then click OK. Notice that it disables Windows Update.
- See CTX125874 How to Optimize XenDesktop Machines for the list of registry values changed by the TargetOSOptimizer tool. You can use Group Policy Preferences to set these values.
Windows 10 / Windows 2012 R2 / Windows 2022 / Windows 2022 and newer
Download Citrix Optimizer and run it.
Citrix Daniel Feller links:
James Rankin Improving Windows 10 logon time:
- Removing UWP apps on Windows 10 1803 – the easy way! – YouTube video
Get-AppxProvisionedPackage -online | Out-GridView -passthru | Remove-AppxProvisionedPackage -online
- Use Remove-AppXProvisionedPackage to remove Modern apps. See the article for a list of apps to remove. Also see James Rankin Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS
- Import a Standard Start Tiles layout (Export-StartLayout)
- Create a template user profile
David Wilkinson links:
Citrix Links:
- Citrix's Windows 10 Optimization Guide – remove built-in apps, delete Scheduled Tasks, disable services, etc.
- CTX232313 Citrix Provisioning Services: Slow Login Performance with Windows 10 VDA Machines says that if you removed all Store apps, then the Network Location Awareness Service can be disabled.
- Or enable the local group policy setting Computer Configuration | Administrative Templates | Network | Network Isolation | Subnet definitions are authoritative.
Microsoft links:
Optimization Notes:
- If this machine is provisioned using Citrix Provisioning, do non disable the Shadow Copy services.
- Citrix CTX213540 Unable To View Printers In Devices And Printers Win 2012 R2 – don't disable the Device Setup Manager Service
- Citrix CTX131995 User Cannot Launch Application in Seamless Mode in a Provisioning Services Server when XenApp Optimization Best Practices are Applied. Do not enable NtfsDisable8dot3NameCreation.
Applications
Choose installers that install to C:\Program Files instead of to %appdata%. Search for VDI or Enterprise versions of the following applications. These VDI versions do not auto-update so you'll have to update them manually.
- Google Chrome – Chrome Enterprise
- Microsoft Edge – Edge for Business
- Microsoft Teams – Teams for VDI
- Microsoft OneDrive – Install the sync app per machine
- Zoom – Zoom VDI
- WebEx – WebEx VDI
- Cisco Jabber – Jabber VDI
- Etc.
Seal and Shut Down
If this VDA will be a master image in a Machine Creation Services or Citrix Provisioning catalog, after the master is fully prepared (including applications), do the following:
- Go to the properties of the C: drive, and run Disk Cleanup.
- If Disk Cleanup is missing, you can run cleanmgr.exe instead.
- Windows 10 1703 and newer has a new method for cleaning up temporary files.
- Right-click the Start button, and click System.
- Click Storage on the left, and click This PC (C:) on the right.
- Click Temporary Files.
- Check boxes, and click Remove files.
- On the Tools tab of the local C: drive Properties, click Optimize to defrag the drive.
- Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is not necessary to manually rearm licensing since MCS will do it automatically.
- Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
- Machine Creation Services and Citrix Provisioning require DHCP.
- Session hosts (RDSH) ordinarily have DHCP reservations.
- Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
- Shut down the master image. You can now use Studio (Machine Creation Services) or Citrix Provisioning to create a catalog of linked clones.
Uninstall VDA
Uninstall the VDA from Apps & Features or Programs and Features.
Then see CTX209255 VDA Cleanup Utility.
To run the VDA Cleanup Tool silently:
- Execute VDACleanupUtility.exe /silent /noreboot to suppress reboot.
- Once the VDACleanupUtility has finished executing, setup Auto logon for the current user.
- Reboot.
- After reboot, the tool will launch automatically to continue Cleanup.
Another option is to delete the CitrixVdaCleanup value under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Then after reboot, run VDACleanupUtility.exe /silent /reboot to indicate that it's running after the reboot.
Related Pages
- Citrix Provisioning Master Device Preparation
- Catalogs / Delivery Groups
- Citrix Policy Settings
Source: https://www.carlstalhood.com/citrix-virtual-delivery-agent-vda-1912-ltsr/