Citrix Receiver for Windows 4.9 LTSR
Nov 17, 20 17
Citrix Receiver for Windows is an easy-to-install software that provides access to your applications and desktops using
XenApp and XenDesktop from a remote client device. Citrix Receiver for Windows provides access from your desktop, Start
menu, Receiver user interface, or web browsers.
You can use Citrix Receiver for Windows on domain and non-domain joined PCs, tablets, and thin clients. Using Citrix
StoreFront in conjunction with Citrix Receiver for Windows allows your organization to provide you with self-service access
to your applications and desktops - all with a common user interface, regardless of the endpoint device hardware,
operating system (32-bit and 64-bit editions), or form factor.
T his is the documentation set for Citrix Receiver for Windows 4.9 - the most recent Long Term Service Release (LT SR) of
Citrix Receiver for Windows.
For information about the Current Release of Citrix Receiver for Windows, see Citrix Receiver for Windows 4.8.
For information about the differences between LT SR and Current Releases, see Lifecycle Milestones for Citrix Receiver.
For information about earlier Citrix Receiver for Windows releases, see the following sections:
Citrix Receiver for Windows 4.7
Citrix Receiver for Windows 4.6
Citrix Receiver for Windows 4.5
Citrix Receiver for Windows 4. 4 (LT SR)
ICA Settings Reference
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.1
What's new
Nov 17, 20 17
What's new in 4.9
Cumulative Update 1 (CU1) for Citrix Receiver 4.9 LT SR was released on November 17, 2017. With more than 15 fixes to
customer-reported issues, CU1 continues to add further stability and ease of use to this LT SR version. CU1 is available for
download from the Citrix download page.
With this release, the size of the Citrix Receiver for Windows installer is reduced to 39.9MB. T his constitutes a 15%
reduction in size from earlier releases.
On a StoreFront account, ping.citrix.com is used as a replacement for the www.citrix.com external beacon.
Starting with Citrix Receiver for Windows Version 4.9, no user-configurable changes are required.
If you are using an earlier version of Citrix Receiver for Windows, Citrix recommends that you replace the www.citrix.com
external beacon with ping.citrix.com.
For more information about the external beacon, see Knowledge Center article CT X218708.
For information about configuring the external beacon on StoreFront, see Configure beacon points.
Note
Ignore if the StoreFront account is not configured with www.citrix.com as the external beacon.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.2
Fixed issues
Nov 17, 20 17
Citrix Receiver for Windows 4.9 LTSR CU1
Compared to: Citrix Receiver for Windows 4.9 LT SR
Client Device Issues
Devices such as a keyboard, mouse, or a monitor connected to a docking station or a USB hub cannot be used. T he issue
occurs when the user session is in full-screen mode or if the session window is in focus and if you connect the docking
station or the hub to a client machine after starting the user session. [#LC8295]
Cont ent Redirect ion
File type association might not work when you log on to Citrix Receiver for Windows using a roaming profile. [#LC8042]
HDX RealT ime
When multiple webcams of the same model are installed on the VDA, only the latest webcam might be recognized by
the session and mapped. With the fix, multiple webcams that are the same model can be used in any video conference
application inside a session.
Not e :
With Fix #LC5008 installed, you might not be able to switch webcams from the "Preferences" tab.
T o enable this fix, you must install both a server and a client hotfix that contains Fix #LC5008. [#LC5008]
Session/Connect ion
When attempting to launch Microsoft Internet Explorer as a different user than the currently logged in user using the
"Run As" command and with the Redirector.exe process running on the system, the browser might launch but content
does not load for about 20-30 seconds. [#LC5227]
Attempts to launch a desktop using Mozilla Firefox might fail. T he issue occurs when the desktop viewer fails to delete a
previously created ICA file from the temporary directory of Internet Explorer. T his results in an "Access denied" error that
prevents the copying of the ICA file when you launch a new session. [#LC7883]
When you launch an application from the Start menu or the desktop shortcut, the application might launch but the
following error message appears:
"Cannot find this file, Please verify that the correct path and file name are given." [#LC8253]
With Citrix Receiver for Windows 4.8 installed, certain features of an employee web portal might not function properly.
However, when the Citrix ICA Client ActiveX control is disabled within Microsoft Internet Explorer, the website functions
properly. [#LC8428]
Syst em Except ions
Citrix Receiver for Windows might exit unexpectedly with the following error message:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.3
"Citrix HDX Engine has stopped working" [#LC8040]
Citrix Receiver for Windows 4.8 might experience a fatal exception, displaying a blue screen. T he issue occurs when you
restart the system using certain multifunction keyboard models and plug and unplug the keyboard multiple times from
the system. [#LC8182]
After removing the headphones from a user device while an audio file is playing, the session might become unresponsive
until you disconnect and reconnect the session. [#LC8243]
When you use the keyboard shortcut "Alt+Enter" in a published seamless application, the wfica32.exe process might exit
unexpectedly. [#LC8317]
In a double-hop scenario, the wfica32.exe process might exit unexpectedly when you switch a session between clients.
[#LC8354]
User Experience
When you record sound with audio quality set to high, the quality of the sound recording might be poor. [#LC8241]
When you restore a seamless window from full-screen to its original size in a multi-monitor environment and then drag it
back across monitors in order to view the entire application, the window might be clipped incorrectly. As a result, only a
partial window is visible. T he issue occurs with seamless windows that are wider than the monitor and thus partially offscreen. [#LC8325]
When you configure shortcut options in the Store web.config file, published application shortcuts might disappear from
the Start menu and desktop.
Not e : T his fix provides a complete fix for Fix #LC7577. [#LC8391]
When launching a session in seamless mode while using Epic Hyperspace, the application might not allow other
applications that are running locally on an endpoint to appear in the foreground. T he Epic Hyperspace application might
retain the foreground focus until you minimize it. [#LC8462]
When you connect to a published desktop, blank areas might appear on the desktop that change when resizing the
window. T his error occurs when using legacy graphics mode. [#LC8518]
Citrix Receiver for Windows 4.9 LTSR
Compared to: Citrix Receiver for Windows 4.8
HDX 3D P ro
With HDX 3D Pro enabled on a VDA, using certain third-party applications can cause the VDA to disconnect.
To enable the fix, set the following registry keys:
On 32-bit Windows
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\T hinwire3.0
Name: T w2IgnoreValidationErrors
T ype: REG_SZ
Value: T RUE
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.4
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\T hinwire3.0
Name: T w2IgnoreExecutionErrors
T ype: REG_SZ
Value: T RUE
On 64-bit Windows
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA
Client\Engine\Configuration\Advanced\Modules\T hinwire3.0
Name: T w2IgnoreValidationErrors
T ype: REG_SZ
Value: T RUE
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA
Client\Engine\Configuration\Advanced\Modules\T hinwire3.0
Name: T w2IgnoreExecutionErrors
T ype: REG_SZ
Value: T RUE
[#LC7655]
Server/Sit e Administ rat ion
When a user password expires, the "Change Password" input form might become non-interactive. T he issue occurs when
the new password does not meet the requirement. [#LC7943]
Session/Connect ion
When you assign a desktop group to an external client IP address according to the procedure described in Knowledge
Center article CT X128232, the published desktop might fail to start when you access through NetScaler Gateway. T he
following error message might appear:
"Cannot start app" [#LC5932]
Citrix Receiver for Windows might fail to connect to StoreFront when connected through the Juniper SSL VPN. T he issue
occurs when the DNS resolution for the StoreFront URL fails. [#LC6711]
Citrix Receiver for Windows might exit unexpectedly when disconnecting from a VDA that is using an integrated
webcam. T he issue occurs when you disconnect from the VDA while the webcam is running. [#LC6815]
With Desktop Lock enabled, the user session might automatically disconnect when the StoreFront session expires.
[#LC6984]
When using the Epic Hyperspace software for medical dictation, the dictation recorder might become unresponsive on
the user device while recording. [#LC7435]
When you use the Citrix ICA Client Object API to launch a client session through NetScaler and configure the Client
Selective Trust in Group Policy Object, the session might fail to launch. [#LC7575]
File type association might fail to open the associated document when you set the registry value "DisableStubCreation"
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.5
to "true" under the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Dazzle on 32-bit Windows and
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\Dazzle on 64-bit Windows. T he issue occurs when the
"%1" parameter is missing for the relevant file name extension under the registry key
HKEY_CURRENT _USER\SOFT WARE\Classes\Dazzle.<appname>.<extension>.1\shell\open\command. [#LC7619]
With local app access enabled, the size and position of VDA for Desktop OS sessions launched in full-screen mode might
be incorrect. [#LC7646]
When you add a store through the group policy settings or the command line and configure reconnect at Windows
logon, Citrix Receiver for Windows might not automatically reconnect at Windows logon. [#LC7679]
After resuming from Sleep mode, the auto client reconnect feature might fail to work, preventing sessions from
reconnecting. [#LC7705]
With local app access enabled, the wfcrun32.exe process might exit unexpectedly. [#LC7946]
Smart Cards
With the local security setting "Lock Workstation," located under the policy "Interactive logon: Smart card removal
behavior" set in a user session, the session might not be locked when you remove the smart card reader from that
session. [#LC7571]
When the SCardListReaderGroup API is called in a user session from the server, Citrix Receiver for Windows might not
execute the API that is called on the client side. [#LC7699]
User Experience
Double-tapping on a device's touchscreen might not work for some applications within a user session. [#LC6698]
When you click the taskbar icons to switch the focus between the windows of a third-party application in a seamless
session, the corresponding window of the third-party application might fail to appear in the foreground. [#LC6709]
When you change the resolution of the user device while one of the mouse buttons is in the down state, seamless apps
might not be able to receive the mouse up state for that mouse event. As a result, the mouse capture is lost. [#LC7419]
When you configure shortcut options in the Store web.config file, published application shortcuts might disappear from
the Start menu and desktop. [#LC7577]
When launching a session in seamless mode while using Epic Hyperspace, the application might not allow other
applications that are running locally on an endpoint to appear in the foreground. T he Epic Hyperspace application might
retain the foreground focus until the application is minimized. [#LC7906]
Not e : T his version of Citrix Receiver for Windows also includes all fixes included in Versions 4.8, 4.7, 4.6, 4.5, 4.4, 4.3, 4.2, 4.1,
and 4.0.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.6
Known Issues
Nov 17, 20 17
Citrix Receiver for Windows 4.9 contains all known issues that were present in Versions 4.5, 4.6,4.7, 4.8, plus the following,
additional known issue:
With Framehawk enabled, the wfica32.exe process might exit unexpectedly when you attempt to log on and off
continually. [#LCMRFWIN-704]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.7
Third party notices
Nov 17, 20 17
Citrix Receiver for Windows might include third party software licensed under the terms defined in the following document:
Citrix Receiver for Windows Third Party Notices
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.8
System requirements and compatibility
Aug 14 , 20 17
Requirements
T his version of Citrix Receiver for Windows requires a minimum of 500MB free disk space and 1GB RAM.
.NET Framework minimum requirements
NET 3.5 Service Pack 1 is required by the Self-Service plug-in, which allows users to subscribe to and launch desktops
and applications from the Receiver user interface or from a command line. For more information, see Configure and
install Receiver for Windows using command-line parameters.
T he .NET 2.0 Service Pack 1 and Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package are required.
Compatibility matrix
Citrix Receiver for Windows Version 4.8 is compatible with the following Windows operating systems and web browsers. It
is also compatible with all currently supported versions of XenApp, XenDesktop, and NetScaler Gateway as listed in
the Citrix Product Lifecycle Matrix.
Note
T he NetScaler Gateway End Point Analysis Plug-in (EPA) does not support native Citrix Receiver for Windows.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.9
Ope ra ting s y s te m
Bro ws e r
Windows 10 [1]
Internet Explorer
Windows 8.1, 32-bit and 64-bit editions (including Embedded edition)
Latest Google Chrome (requires StoreFront)
Windows 7, 32-bit and 64-bit editions (including Embedded edition)
Latest Mozilla Firefox
Windows Vista, 32-bit and 64-bit editions
Microsoft Edge
Windows Server 2016
Windows Server 2012 R2, Standard and Datacenter editions
Windows Server 2012, Standard and Datacenter editions
Windows Server 2008 R2, 64-bit edition
Windows T hin PC
[1] Supports Windows 10 Anniversary Update and Creator Update.
Supportability matrix
Ope ra ting s y s te m s s uppo rte d o n to uch-e na ble d de v ice s
Ope ra ting s y s te m s s uppo rte d o n VDAs
Windows 10
Windows 10
Windows 8
Windows 8
Windows 7
Windows 7
Windows 2012 R2
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.10
Connections, Certificates and Authentication
Aug 14 , 20 17
Connections
1. HT T P store
2. HT T PS store
3. NetScaler Gateway 10.5 and later
4. Web Interface 5.4
Citrix Receiver for Windows can be connected to the VDA or an ICA session can be established on windows domain-joined
machines, managed devices (local and remote with or without VPN) and non-domain joined machines.
Certificates
1. Private (self-signed)
2. Root
3. Wildcard
4. Intermediate
If a private certificate is installed on the remote gateway, the root certificate of the organization's certificate authority
must be installed on the user device to successfully access Citrix resources using Citrix Receiver for Windows.
Note
If the remote gateway's certificate cannot be verified upon connection (because the root certificate is not included in the local
Keystore.), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of apps is displayed but
the apps cannot be launched.
For domain-joined computers, you can use Group Policy Object administrative template to distribute and trust CA
certificates.
For non-domain joined computers, the organization can create a custom install package to distribute and install the CA
certificate. Contact your system administrator for assistance.
Wildcard certificates are used on a server within the same domain.
Citrix Receiver for Windows supports wildcard certificates; however, they must be used in accordance with your
organization's security policy. In practice, an alternative to wildcard certificates is a certificate containing the list of server
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.11
names with the Subject Alternative Name (SAN) extension is considered. T hese certificates are issued by both private and
public certificate authorities.
If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the
NetScaler Gateway server certificate. For information, see Configuring Intermediate Certificates.
Authentication
Receiver f or
St oreF ront
St oreF ront
Net Scaler t o
Net Scaler t o
Web using
Services sit e
XenApp Services
Receiver f or
St oreF ront
browsers
(nat ive)
sit e (nat ive)
Web (browser)
Services sit e
(nat ive)
Anonymous
Yes
Yes
Domain
Yes
Yes
Yes
Domain pass-
Yes
Yes
Yes
Yes*
Yes*
Security token
Yes*
Yes*
Two-factor
Yes*
Yes*
Yes*
Yes*
Yes
Yes
Yes (NetScaler
Yes (NetScaler plug-
plug-in)
in)
through
(domain with
security token)
SMS
Smart card
Yes
Yes
User certificate
* With or without the NetScaler plug-in installed on the device.
Note
Citrix Receiver for Windows 4.8 supports 2FA (domain plus security token) through NetScaler Gateway to the StoreFront native
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.12
service.
Citrix Receiver for Windows supports the following authentication methods (Web Interface uses the term Explicit for
domain and security token authentication):
Web
Web Int erf ace
Int erf ace
XenApp Services
(browsers)
sit e
Anonymous
Yes
Domain
Yes
Yes
Domain pass-
Yes
Yes
Net Scaler t o Web
Int erf ace (browser)
Net Scaler t o Web
Int erf ace XenApp
Services sit e
Yes*
through
Security token
Yes*
Two-factor (domain
Yes*
with security token)
SMS
Smart card
User certificate
Yes*
Yes
Yes
Yes (NetScaler plug-in)
* Available only in deployments that include NetScaler Gateway, with or without the associated plug-in installed on the
device.
For information about authentication, see Configuring Authentication and Authorization in the NetScaler Gateway
documentation and Manage topics in the StoreFront documentation.
For information about authentication methods supported by Web Interface, see Web Interface documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.13
Install
Aug 14 , 20 17
T he CitrixReceiver.exe installation package can be installed in the following methods:
By a user from Citrix.com or your own download site
A first-time user who obtains Citrix Receiver for Windows from Citrix.com or your own download site can set up an
account by entering an email address instead of a server URL. Citrix Receiver for Windows determines the NetScaler
Gateway or StoreFront Server associated with the email address and prompts the user to log on and continue the
installation. T his feature is referred to as "email-based account discovery."
Note: A first-time user is one who does not have Citrix Receiver for Windows installed on the device.
Email-based account discovery for a first-time user does not apply if Citrix Receiver for Windows is downloaded from
a location other than Citrix.com (such as a Receiver for Web site).
If your site requires configuration of Citrix Receiver for Windows, use an alternate deployment method.
Automatically from Receiver for Web or from a Web Interface logon screen.
A first-time user can set up an account by entering a server URL or downloading a provisioning (CR) file.
Using an Electronic Software Distribution (ESD) tool
A first-time user must enter a server URL or open a provisioning file to set up an account.
Citrix Receiver for Windows does not require administrator rights to install unless you are using pass-through
authentication.
A single installer now combines the latest Citrix Receiver for Windows with the HDX RT ME installer. When installing Citrix
Receiver by using the executable file (.exe), the HDX RT ME is installed as well.
If you have installed the HDX RealT ime Media Engine, when you uninstall and then reinstall Citrix Receiver for Windows,
ensure that you use the same mode that you used to install the HDX RT ME.
Note
Installing the latest version of Citrix Receiver with integrated RT ME support requires administrative privileges on the host machine.
Consider the following HDX RT ME issues when installing or upgrading Citrix Receiver for Windows:
T he latest version of Citrix ReceiverPlusRT ME contains HDX RT ME; no further installation is required to install RT ME.
Upgrading from a previous Citrix Receiver for Windows version to the latest bundled version (Citrix Receiver with RT ME) is
supported. Previously installed versions of RT ME are overwritten with the latest version; upgrading from the same Citrix
Receiver for Windows version to the latest bundled version (for example, Receiver 4.7 to the bundled Receiver 4.7 plus
RT ME) is not supported.
If you have an earlier version of RT ME, installing the latest Citrix Receiver for Windows version automatically updates the
RT ME on the client device.
If a more recent version of RT ME is present, the installer retains the latest version.
Important
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.14
T he HDX RealT ime Connector on your XenApp/XenDesktop servers must be at least version 2.0.0.417 for compatibility with the
new RT ME package; that is, you cannot use RT ME 2.0 with the 1.8 RT ME Connector.
For deployments with StoreFront:
Best practice for BYOD (Bring Your Own Device) users is to configure the latest versions of NetScaler Gateway and
StoreFront as described in the documentation for those products on the Product Documentation site. Attach the
provisioning file created by StoreFront to an email and inform users how to upgrade and to open the provisioning file
after installing Citrix Receiver for Windows.
As an alternative to providing a provisioning file, inform users to enter the NetScaler Gateway URL. Or, if you configured
email-based account discovery as described in the StoreFront documentation, inform users to enter their email address.
Another method is to configure a Citrix Receiver for Web site as described in the StoreFront documentation and
complete the configuration described in Deploy Citrix Receiver for Windows from Citrix Receiver for Web. Inform users
how to upgrade Citrix Receiver for Windows, access the Citrix Receiver for Web site, and download the provisioning file
from Citrix Receiver for Web (click the user name and click Activate).
For deployments with Web Interface
Upgrade your Web Interface site with Citrix Receiver for Windows and complete the configuration described in Deploy
Citrix Receiver for Windows from a Web Interface logon screen. Let your users know how to upgrade Citrix Receiver for
Windows. You can, for example, create a download site where users can obtain the renamed Citrix Receiver installer.
Citrix Receiver for Windows 4.x can be used to upgrade Citrix Receiver for Windows 3.x as well as Citrix online plug-in 12.x.
If Citrix Receiver for Windows 3.x was installed per machine, a per-user upgrade (by a user without administrative privileges)
is not supported.
If Citrix Receiver for Windows 3.x was installed per user, a per-machine upgrade is not supported.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.15
Install and uninstall Citrix Receiver for Windows
manually
Aug 14 , 20 17
You can install Citrix Receiver for Windows from the installation media, a network share, Windows Explorer, or a command
line by manually running the CitrixReceiver.exe installer package. For command line installation parameters and space
requirements, see Configure and install Receiver for Windows using command-line parameters.
Validating free disk space
Citrix Receiver for Windows performs a check to verify whether there is enough available disk space to complete the
installation. T he verification is performed both during a fresh installation and an upgrade.
During a fresh installation, the installation ends when there is insufficient disk space and the following dialog appears.
When you are upgrading Citrix Receiver for Windows, the installation ends when there is insufficient disk space and the
following dialog appears.
T he following table provides details on the minimum required disk space to install Citrix Receiver for Windows.
Inst allat ion t ype
Required disk space
Fresh installation
320 MB
Upgrade of Citrix Receiver
206 MB
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.16
Note
T he installer performs the check on the disk space only after extracting the installation package.
When the system is low on disk space during silent installation, the dialog does not appear but the error message is recorded in
the CT XIns ta ll_T ro lle y Expre s s -*.lo g .
Uninstalling Citrix Receiver for Windows
You can uninstall Citrix Receiver for Windows with the Windows Programs and Features utility (Add/Remove Programs).
To uninst all Cit rix Receiver f or Windows
You can also uninstall Citrix Receiver for Windows from a command line by typing the following command:
CitrixReceiver.exe /uninstall
After uninstalling Citrix Receiver for Windows, the custom Citrix Receiver for Windows registry keys created by
receiver.adm/receiver.adml or receiver.admx remain in the Software\Policies\Citrix\ICA Client directory under
HKEY_LOCAL_MACHINE and HKEY_LOCAL_USER.
If you reinstall Citrix Receiver for Windows, these policies might be enforced, possibly causing unexpected behavior. To
remove the customizations, delete them manually.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.17
Configure and install using command-line parameters
Aug 14 , 20 17
Customize Citrix Receiver for Windows installer by specifying command line options. T he installer package self-extracts to
the user's temp directory before launching the setup program. T he space requirement includes program files, user data, and
temp directories after launching several applications.
For more information space requirements, see System requirements.
To install Citrix Receiver for Windows from a command prompt, use the syntax:
Cit rixReceiver.exe [Opt ions]
Opt ion
/AutoUpdateCheck = auto/manual/disabled
Indicates that Citrix Receiver for Windows detects when an update is available.
Auto – You are notified when an update is available (default).
Descript ion
Manual – You are not notified when updates are available. Check for updates manually.
Disabled – Disable auto-update
CitrixReceiver.exe / AutoUpdateCheck = auto
Sample usage
CitrixReceiver.exe / AutoUpdateCheck = manual
CitrixReceiver.exe / AutoUpdateCheck = disabled
Opt ion
/ AutoUpdateStream= LT SR/Current
Descript ion
Indicates the release of Citrix Receiver for Windows.
LT SR – indicates that the release is a Long T erm Service Release
Current – indicates that the release is the latest version of Citrix Receiver for Windows
Sample usage
CitrixReceiver.exe /AutoUpdateStream= LT SR
CitrixReceiver.exe / AutoUpdateStream= Current
Opt ion
/DeferUpdateCount
Descript ion
Indicates the number of times the Remind me lat er option is displayed. Indicates that you can
defer the update to set count.
-1 – indicates that you can defer the notifications any number of times (default value=-1).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.18
0 – indicates that the Remind me lat er option is not displayed.
Any other number – indicates that the Remind me lat er option is displayed in that count.
For example, if you set the value to 10, the Remind me lat er option is displayed 10 times.
Sample usage
CitrixReceiver.exe /DeferUpdateCount=-1
CitrixReceiver.exe /DeferUpdateCount=-0
CitrixReceiver.exe /DeferUpdateCount= <any other number>
Opt ion
/AURolloutPriority
Descript ion
Indicates the period when you can stage the rollout.
Fast – Update rollout happens at the beginning of the delivery period.
Medium – Update rollout happens at the mid-delivery period.
Slow – Update rollout happens at the end of the delivery period.
Sample usage
CitrixReceiver.exe /AURolloutPriority=Fast
CitrixReceiver.exe /AURolloutPriority=Medium
CitrixReceiver.exe /AURolloutPriority=Slow
Note
By default, Citrix Receiver for Windows does not install the bidirectional content redirection components if they are already installed
on the server. If you are using XenDesktop as a client machine, you must install Citrix Receiver for Windows by using the
/FORCE_LAA switch to install the bidirectional content redirection components. T he feature, however, must be configured both on
the server and the client.
Opt ion
Descript ion
Sample
usage
Opt ion
ALLOW_BIDIRCONT ENT REDIRECT ION=1
Indicates that the bidirectional content redirection between client to host and host to the client is
Enabled .
CitrixReceiver.exe /ALLOW_BIDIRCONT ENT REDIRECT ION=1
FORCE_LAA=1
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.19
By default, Citrix Receiver for Windows does not install the client side Local App Access components if
the components are already installed on the server. T o force the client side Local App Access
Descript ion
components on the Citrix Receiver, use FORCE_LAA command line switch.
Administrator-level privileges are required to perform these steps.
For more information on Local App Access, see Local App Access in XenApp and XenDesktop
documentation.
Sample
usage
CitrixReceiver.exe /FORCE_LAA =1
Opt ion
/? or /help
Descript ion
Indicates usage information
CitrixReceiver.exe /?
Sample usage
Opt ion
CitrixReceiver.exe /help
/noreboot
Suppresses reboot during UI installations. T his option is not necessary for silent installs. If you suppress
Descript ion
Sample
usage
reboot prompts, the USB devices that are in suspended state when Citrix Receiver for Windows installs is
not recognized by Citrix Receiver for Windows until after the user device is restarted.
CitrixReceiver.exe /noreboot
Opt ion
/silent
Descript ion
Disables the error and progress dialogs to run a completely silent installation.
Sample usage
CitrixReceiver.exe /silent
Opt ion
/includeSSON
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.20
Indicates that the Citrix Receiver for Windows will be installed with the single sign-on component.
T he related option, ENABLE_SSON, is enabled when /includeSSON is on the command line. If you use
ADDLOCAL= to specify features and you want to install the single sign on, you must also specify the
value SSON.
Descript ion
To enable pass-through authentication for a user device, you must install Citrix Receiver for Windows
with local administrator rights from a command line that has the option /includeSSON. For more
information, see How to Manually Install and Configure Citrix Receiver for Pass-T hrough Authentication.
Note: Smart card, Kerberos and Local user name and password policies are inter-dependent. T he order
of configuration is important. We recommend to first disable unwanted policies, and then enable the
policies you require. Carefully validate the result.
Sample
usage
CitrixReceiver.exe /includeSSON
Opt ion
ENABLE_SSON={Yes | No}
Enable Single sign-on when /includeSSON is specified. T he default value is Yes. Enables Single sign-on
when /includeSSON is also specified. T his property is required for smart card Single sign-on.
Descript ion
Note that users must log off and log in to their devices after an installation with Single sign-on
authentication enabled. Requires administrator rights.
Sample
usage
CitrixReceiver.exe ENABLE_SSON=Yes
Opt ion
/EnableT racing={true | false}
Descript ion
By default, this feature is set to true.
Use this property to explicitly enable or disable the always-on tracing feature. Always-on tracing helps
collect critical logs around connection time. T hese logs can prove useful when troubleshooting
intermittent connectivity issues. T he Always-on tracing policy overrides this setting.
Sample
usage
CitrixReceiver.exe /EnableT racing=true
Opt ion
EnableCEIP={true | false}
When you enable participation in the Citrix Customer Experience Improvement Program (CEIP),
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.21
Descript ion
anonymous statistics and usage information are sent to Citrix to help Citrix improve the quality and
performance of its products.
Sample
usage
CitrixReceiver.exe EnableCEIP=true
Opt ion
INST ALLDIR=<Installation Directory>
Specifies the installation path, where Installation Directory is the location where most of the Citrix
Receiver software will be installed. T he default value is C:\Program Files\Citrix\Receiver. T he following
Receiver components are installed in the C:\Program Files\Citrix path:
Authentication Manager
Descript ion
Citrix Receiver
Self-Service plug-in.
If you use this option and specify an Installation directory, you must install RIInstaller.msi in the
installation directory\Receiver directory and the other .msi files in the installation directory.
Sample
usage
CitrixReceiver.exe INST ALLDIR=c:\Citrix\T est
Opt ion
CLIENT _NAME=<ClientName>
Descript ion
Specifies the client name, where ClientName is the name used to identify the user device to the server .
T he default value is %COMPUT ERNAME%
Sample
usage
CitrixReceiver.exe CLIENT _NAME=%COMPUT ERNAME%.
Opt ion
ENABLE_CLIENT _NAME=Yes | No
T he dynamic client name feature allows the client name to be the same as the computer name. When
Descript ion
Sample
usage
users change their computer name, the client name changes to match. Defaults to Yes. T o disable
dynamic client name support, set this property to No and specify a value for the CLIENT _NAME
property.
CitrixReceiver.exe ENABLE_DYNAMIC_CLIENT _NAME =Yes
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.22
Option
ADDLOCAL=<feature... ,>
Installs one or more of the specified components. When specifying multiple parameters, separate each
parameter with a comma and without spaces. T he names are case sensitive. If you do not specify this
parameter, all components are installed by default.
Citrix recommends that you use the ADDLOCAL Sample Usage given below. If the Sample Usage is not
used as described, it might possibly cause unexpected behavior.
Components include:
ReceiverInside – Installs the Citrix Receiver experience (required component for Receiver operation).
ICA_Client – Installs the standard Citrix Receiver (required component for Receiver operation).
WebHelper – Installs the WebHelper component. T his component retrieves the ICA file from
Storefront and passes it to the HDX Engine. In addition, if verifies environment parameters and shares
them with Storefront (similar to ICO client detection).
Description
[Optional] SSON – Installs single sign on. Requires administrator rights.
AM – Installs the Authentication Manager.
SELFSERVICE – Installs the Self-Service Plug-in. T he AM value must be specified on the command line
and .NET 3.5 Service Pack 1 must be installed on the user device. T he Self-Service Plug-in is not available
for Windows T hin PC devices, which do not support .NET 3.5.
For information on scripting the Self-Service Plug-in (SSP), and a list of parameters available in Receiver
for Windows 4.2 and later, see Knowledge Center article CT X200337
T he Self-Service Plug-in allows users to access virtual desktops and applications from the Receiver
window or from a command line, as described later in this section in T o launch a virtual desktop or
application from a command line.
USB – Installs USB support. Requires administrator rights.
DesktopViewer – Installs the Desktop Viewer.
Flash – Installs HDX media stream for Flash.
Vd3d – Enables the Windows Aero experience (for operating systems that support it).
Sample
CitrixReceiver.exe
usage
ADDLOCAL=ReceiverInside,ICA_Client,AM,SELFSERVICE,DesktopViewer,Flash,Vd3d,usb,WebHelper
Opt ion
ALLOWADDST ORE={N | S | A}
Specifies whether users can add and remove stores not configured through Merchandising Server
deliveries; users can enable or disable stores configured through Merchandising Server deliveries, but they
cannot remove these stores or change the names or the URLs.) Defaults to S. Options include:
N – Never allow users to add or remove their own store.
S – Allow users to add or remove secure stores only (configured with HT T PS).
A – Allow users to add or remove both secure stores (HT T PS) and non-secure stores (HT T P). Not
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.23
applicable if Citrix Receiver is installed per user.
You can also control this feature by updating the registry key HKLM\Software\
[Wow6432Node\]Citrix\Dazzle\AllowAddStore.
Descript ion
Note: Only secure (HT T PS) stores are allowed by default and are recommended for production
environments. For test environments, you can use HT T P store connections through the following
configuration:
1. Set HKLM\Software\[Wow6432Node\]Citrix\Dazzle\AllowAddStore to A to allow users to add nonsecure stores.
2. Set HKLM\Software\[Wow6432Node\]Citrix\Dazzle\AllowSavePwd to A to allow users to save their
passwords for non-secure stores.
3. T o enable the addition of a store that is configured in StoreFront with a T ransportT ype of HT T P,
add to HKLM\Software\[Wow6432Node\]Citrix\AuthManager the
value ConnectionSecurityMode (REG_SZ type) and set it to Any.
4. Exit and restart Citrix Receiver.
Sample
usage
Opt ion
CitrixReceiver.exe ALLOWADDST ORE=N
ALLOWSAVEPWD={N | S | A}
Specifies whether users can add and remove stores not configured through Merchandising Server
deliveries; users can enable or disable stores configured through Merchandising Server deliveries, but they
cannot remove these stores or change the names or the URLs.) Defaults to S. Options include:
N – Never allow users to save their passwords.
S – Allow users to save passwords for secure stores only (configured with HT T PS).
A – Allow users to save passwords for both secure stores (HT T PS) and non-secure stores (HT T PS)
and non-secure stores (HT T P).
You can also control this feature by updating the registry key HKLM\Software\
Descript ion
[Wow6432Node]\Citrix\Dazzle\AllowSavePwd.
Note: T he following registry key must be added manually if AllowSavePwd does not work:
Key for 32bit OS client: HKLM\Software\Citrix\AuthManager
Key for 64bit OS client: HKLM\Software\wow6432node\Citrix\AuthManager
T ype: REG_SZ
Value: never - never allow users to save their passwords. secureonly - allow users to save passwords
for secure stores only (configured with HT T PS). always - allow users to save passwords for both
secure stores (HT T PS) and non-secure stores (HT T P).
Sample
CitrixReceiver.exe ALLOWSAVEPWD=N
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.24
usage
Opt ion
AM_CERT IFICAT ESELECT IONMODE={Prompt | SmartCardDefault | LatestExpiry}
Use this option to select a certificate.T he default value is Prompt, which prompts the user to choose a
certificate from a list. Change this property to choose the default certificate (per the smart card
provider) or the certificate with the latest expiry date. If there are no valid logon certificates, the user is
notified, and given the option to use an alternate logon method if available.
Descript ion
You can also control this feature by updating the registry key HKCU or HKLM\Software\
[Wow6432Node\]Citrix\AuthManager:CertificateSelectionMode={ Prompt | SmartCardDefault |
LatestExpiry }. Values defined in HKCU take precedence over values in HKLM to best assist the user in
selecting a certificate.
Sample
usage
Opt ion
CitrixReceiver.exe AM_CERT IFICAT ESELECT IONMODE=Prompt
AM_SMART CARDPINENT RY=CSP
Use CSP components to manage Smart Card PIN entry. By default, the PIN prompts presented to users
are provided by Citrix Receiver rather than the smart card Cryptographic Service Provider (CSP). Receiver
Descript ion
prompts users to enter a PIN when required and then passes the PIN to the smart card CSP. Specify this
property to use the CSP components to manage the PIN entry, including the prompt for a PIN.
Sample
usage
Opt ion
CitrixReceiver.exe AM_SMART CARDPINENT RY=CSP
ENABLE_KERBEROS={Yes | No}
T he default value is No. Specifies whether the HDX engine should use Kerberos authentication and
Descript ion
Sample
usage
applies only when single sign-on (pass-through) authentication is enabled. For more information,
see Configure domain pass-through authentication with Kerberos.
CitrixReceiver.exe ENABLE_KERBEROS=No
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.25
Opt ion
LEGACYFT AICONS={False | T rue}
Use this option to display Legacy FTA icons. T he default value is False. Specifies whether or not
application icons are displayed for documents that have file type associations with subscribed
applications. When the argument is set to false, Windows generates icons for documents that do not
Descript ion
have a specific icon assigned to them. T he icons generated by Windows consist of a generic document
icon overlaid with a smaller version of the application icon. Citrix recommends enabling this option if you
plan to deliver Microsoft Office applications to users running Windows 7.
Sample
usage
Opt ion
CitrixReceiver.exe LEGACYFT AICONS=False
ENABLEPRELAUNCH={False | T rue}
T he default value is False. For information about session pre-launch, see Reduce application launch
Descript ion
Sample
usage
Opt ion
time.
CitrixReceiver.exe ENABLEPRELAUNCH=False
ST ART MENUDIR={Directory Name}
By default, applications appear under Start > All Programs. You can specify the relative path under the
programs folder to contain the shortcuts to subscribed applications. For example, to place shortcuts
under Start > All Programs > Receiver, specify START MENUDIR=\Receiver\. Users can change the folder
name or move the folder at any time.
You can also control this feature through a registry key: Create the entry REG_SZ for StartMenuDir and
give it the value "\RelativePath". Location:
HKLM\Software\[Wow6432Node\]Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
For applications published through XenApp with a Client applications folder (also referred to as a
Program Neighborhood folder) specified, you can specify that the client applications folder is to be
appended to the shortcuts path as follows: Create the
Descript ion
entry REG_SZ for UseCategoryAsStartMenuPath and give it the value "true". Use the same registry
locations as noted above.
Note: Windows 8/8.1 does not allow the creation of nested folders within the Start Menu. Applications
will be displayed individually or under the root folder but not within Category sub folders defined with
XenApp.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.26
Examples
If client application folder is \office, UseCategoryAsStartMenuPath is true, and no StartMenuDiris
specified, shortcuts are placed under Start > All Programs > Office.
If Client applications folder is \Office, UseCategoryAsStartMenuPath is true,
and StartMenuDir is \Receiver, shortcuts are placed under Start > All Programs > Receiver > Office.
Changes made to these settings have no impact on shortcuts that are already created. To move
shortcuts, you must uninstall and re-install the applications.
Sample
usage
Opt ion
CitrixReceiver.exe ST ART MENUDIR=\Office
ST OREx="storename;http[s]://servername.domain/IISLocation/discovery;[On | Off] ; [storedescription]"
[ ST OREy="..."]
Use this option to specify the Store name. Specifies up to 10 stores to use with Citrix Receiver. Values:
x and y – Integers 0 through 9.
storename – Defaults to store. T his must match the name configured on the StoreFront Server.
servername.domain – T he fully qualified domain name of the server hosting the store.
IISLocation – the path to the store within IIS. T he store URL must match the URL in StoreFront
provisioning files. T he store URLs are of the form “/Citrix/store/discovery”. T o obtain the URL, export
Descript ion
a provisioning file from StoreFront, open it in notepad and copy the URL from the <Address> element.
On | Off – T he optional Off configuration setting enables you to deliver disabled stores, giving users
the choice of whether or not they access them. When the store status is not specified, the default
setting is On.
storedescription – An optional description of the store, such as HR App Store.
Note: In this release, it is important to include "/discovery" in the store URL for successful pass-through
authentication.
Sample
usage
Opt ion
CitrixReceiver.exe ST ORE0="Store;https://test.xx.com/Citrix/Store/Discovery"
ALLOW_CLIENT HOST EDAPPSURL=1
Enables the URL redirection feature on user devices. Requires administrator rights. Requires that Citrix
Descript ion
Receiver is installed for All Users. For information about URL redirection, see Local App Access and its
sub-topics in the XenDesktop 7 documentation.
Sample
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.27
usage
CitrixReceiver.exe ALLOW_CLIENT HOST EDAPPSURL=1
Opt ion
SELFSERVICEMODE={False | T rue}
T he default value is True. When the administrator sets the SelfServiceMode flag to false, the user no
Descript ion
Sample
usage
longer has access to the self-service Citrix Receiver user interface. Instead, they can access subscribed
apps from the Start menu and via desktop shortcuts - known as "shortcut-only mode".
CitrixReceiver.exe SELFSERVICEMODE=False
Opt ion
DESKT OPDIR=<Directory Name>
Brings all shortcuts into a single folder. CategoryPath is supported for desktop shortcuts.
Descript ion
Note: When using the DESKTOPDIR option, set the PutShortcutsOnDesktop key to True.
Sample usage
CitrixReceiver.exe DESKT OPDIR=\Office
Opt ion
/rcu
Descript ion
Sample usage
Allows you to upgrade from an unsupported version to the latest version of Citrix Receiver.
CitrixReceiver.exe /rcu
Troubleshooting the installation
If there is a problem with the installation, search in the user's %T EMP%/CT XReceiverInstallLogs directory for the logs with
the prefix CtxInstall- or TrolleyExpress- . For example:
CtxInstall-ICAWebWrapper-20141114-134516.log
TrolleyExpress-20090807-123456.log
Examples of a command line inst allat ion
To install all components silently and specify two application stores:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.28
CitrixReceiver.exe /silent STORE0="AppStore;https://testserver.net/Citrix/MyStore/discovery;on;HR App Store"
STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/discovery;on;Backup HR App Store"
To specify single sign-on (pass-through authentication) and add a store that points to a XenApp Services URL:
CitrixReceiver.exe /INCLUDESSON /STORE0="PNAgent;https://testserver.net/Citrix/PNAgent/config.xml;on;My PNAgent
Site"
Citrix Receiver for Windows creates a stub application for each subscribed desktop or application. You can use a stub
application to launch a virtual desktop or application from the command line. Stub applications are located in
%appdata%\Citrix\SelfService. T he file name for a stub application is the Display Name of the application, with the spaces
removed. For example, the stub application file name for Internet Explorer is InternetExplorer.exe.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.29
Deploy using Active Directory and sample startup
scripts
Aug 14 , 20 17
You can use Active Directory Group Policy scripts to pre-deploy Citrix Receiver for Windows on systems based on your
Active Directory organizational structure. Citrix recommends using the scripts rather than extracting the .msi files because
the scripts allow for a single point for installation, upgrade, and uninstall; they consolidate the Citrix entries in Programs and
Features, and make it easier to detect the version of Citrix Receiver that is deployed. Use the Scripts setting in the Group
Policy Management Console (GPMC) under Computer Configuration or User Configuration. For general information about
startup scripts, see Microsoft documentation.
Citrix includes sample per-computer startup scripts to install and uninstall CitrixReceiver.exe. T he scripts are located on the
Citrix Receiver for Windows Download page.
CheckAndDeployReceiverPerMachineStartupScript.bat
CheckAndRemoveReceiverPerMachineStartupScript.bat
When the scripts are executed during Startup or Shutdown of an Active Directory Group Policy, custom configuration files
might be created in the Default User profile of a system. If not removed, these configuration files can prevent some users
from accessing the Receiver logs directory. T he Citrix sample scripts include functionality to properly remove these
configuration files.
To use t he st art up script s t o deploy Receiver wit h Act ive Direct ory
1. Create the Organizational Unit (OU) for each script.
2. Create a Group Policy Object (GPO) for the newly created OU.
Modify the scripts by editing these parameters in the header section of each file:
Current Version of package . T he specified version number is validated and if it is not present the deployment
proceeds. For example, set DesiredVersion= 3.3.0.XXXX to exactly match the version specified. If you specify a partial
version, for example, 3.3.0, it matches any version with that prefix (3.3.0.1111, 3.3.0.7777, and so forth).
P ackage Locat ion/Deployment direct ory . T his specifies the network share containing the packages and is not
authenticated by the script. T he shared folder must have Read permission for EVERYONE.
Script Logging Direct ory . T his specifies the network share where the install logs are copied and is not authenticated
by the script. T he shared folder must have Read and Write permissions for EVERYONE.
P ackage Inst aller Command Line Opt ions . T hese command line options are passed to the installer. For the
command line syntax, see Configure and install Receiver for Windows using command-line parameters.
1. Open the Group Policy Management Console.
2. Select Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
3. In the right-hand pane of the Group Policy Management Console, select Startup.
4. In the Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.
5. In the Properties menu, click Add and use Browse to find and add the newly created script.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.30
1. Move the user devices designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed
package.
1. Move the user devices designated for the removal to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed
package.
Citrix recommends using per-computer startup scripts. However, for situations where you require Citrix Receiver for
Windows per-user deployments, two Citrix Receiver for Windows per-user scripts are included on the XenDesktop and
XenApp media in the Citrix Receiver for Windows and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.
CheckAndDeployReceiverPerUserLogonScript.bat
CheckAndRemoveReceiverPerUserLogonScript.bat
To set up the per-user startup scripts
1. Open the Group Policy Management Console.
2. Select User Configuration > Policies > Windows Settings > Scripts.
3. In the right-hand pane of the Group Policy Management Console, select Logon
4. In the Logon Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the
window.
5. In the Logon Properties menu, click Add and use Browse to find and add the newly created script.
To deploy Citrix Receiver for Windows per-user
1. Move the users designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed
package.
To remove Citrix Receiver for Windows per-user
1. Move the users designated for the removal to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed
package.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.31
Deploy Citrix Receiver for Windows from Receiver for
Web
Aug 14 , 20 17
You can deploy Citrix Receiver for Windows from Citrix Receiver for Web to ensure that you have installed the Receiver
before connecting to an application from a browser. Citrix Receiver for Web site enable you to access StoreFront stores
through a web page. If the Citrix Receiver for Web site detects that a user does not have a compatible version of Citrix
Receiver for Windows, you are prompted to download and install Citrix Receiver for Windows.
For more information, see Citrix Receiver for Web sites in the StoreFront documentation.
Email-based account discovery is not supported when Citrix Receiver for Windows is deployed from Citrix Receiver for Web.
If email-based account discovery is configured and a first-time user installs Citrix Receiver for Windows from Citrix.com,
Citrix Receiver for Windows prompts the user for an email or server address. Entering an email address results in the error
message "Your email cannot be used to add an account."
Use the following configuration to prompt for the server address only.
1. Download CitrixReceiver.exe to your local computer.
2. Rename CitrixReceiver.exe to CitrixReceiverWeb.exe.
3. Deploy the renamed executable using your regular deployment method. If you use StoreFront, refer to Configure
Receiver for Web sites using the configuration files in the StoreFront documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.32
Deploy Citrix Receiver for Windows from a Web
Interface logon screen
Aug 14 , 20 17
T his feature is available only for XenDesktop and XenApp releases that support Web Interface.
You can deploy Citrix Receiver for Windows from a web page to ensure that users have it installed before they try to use
the Web Interface. T he Web Interface provides a client detection and deployment process that detects which Citrix clients
can be deployed within the user's environment and then guides them through the deployment procedure.
You can configure the client detection and deployment process to run automatically when users access a XenApp website.
If the Web Interface detects that a user does not have compatible version of Citrix Receiver for Windows, the user is
prompted to download and install Citrix Receiver for Windows.
Email-based account discovery does not apply when Citrix Receiver for Windows is deployed from Web Interface. If emailbased account discovery is configured and a first-time user installs Citrix Receiver for Windows from Citrix.com, Citrix
Receiver for Windows prompts the user for an email or server address. Entering an email address results in the error message
"Your email cannot be used to add an account." Use the following configuration to prompt for the server address only.
1. Download CitrixReceiver.exe to your local computer.
2. Rename CitrixReceiver.exe to CitrixReceiverWeb.exe.
3. Specify the changed filename in the ClientIcaWin32 parameter in the configuration files for your XenApp websites.
T o use the client detection and deployment process, the Citrix Receiver for Windows installation files must be available
on the Web Interface server. By default, the Web Interface assumes that the file names of the Citrix Receiver for
Windows installation files are the same as the files supplied on the XenApp or XenDesktop installation media.
4. Add the sites from which the CitrixReceiverWeb.exe file is downloaded to the T rusted Sites zone.
5. Deploy the renamed executable using your regular deployment method.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.33
Deploy using System Center Configuration Manager
2012 R2
Aug 14 , 20 17
You can use Microsoft System Center Configuration Manager (SCCM) to deploy Citrix Receiver for Windows.
Note: Only Citrix Receiver for Windows Version 4.5 and later supports SCCM deployment.
T here are four parts to completing the deployment of Citrix Receiver for Windows using SCCM:
1. Adding Citrix Receiver for Windows to the SCCM deployment
2. Adding distribution points
3. Deploying the Receiver software to the software center
4. Creating Device Collections
Adding Citrix Receiver for Windows to the SCCM
deployment
1. Copy the downloaded Citrix Receiver to a folder on the Configuration Manager server and launch the Configuration
Manager console.
2. Select Sof t ware Library > Applicat ion Management . Right-click Applicat ion and click Creat e Applicat ion .
T he Create Application wizard appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.34
3. In the General pane, select Manually specif y t he applicat ion inf ormat ion and click Next .
4. In the General Inf ormat ion pane, specify information about the application such as Name, Manufacturer, Software
version, and so on.
5. In the Application Catalog wizard, specify additional information such as Language, Application name, User category and
so on and click Next .
Note: Users can see the information you specify here.
6. In the Deployment T ype pane, click Add to configure the deployment type for Citrix Receiver setup.
T he Create Deployment Type wizard appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.35
In the General pane: Set the deployment type to Windows Installer (*.msi file), select Manually specif y t he
deployment t ype inf ormat ion and click Next .
In the General Inf ormat ion pane: Specify deployment type details (For example: Receiver Deployment) and click Next .
In the Cont ent pane:
1. Provide the path where the Citrix Receiver setup file is present. For example: T ools on SCCM server.
2. Specify Inst allat ion program as one of the following:
- CitrixReceiver.exe /silent for default silent installation.
- CitrixReceiver.exe /silent /includeSSON to enable domain pass-through.
- CitrixReceiver.exe /silent SELFSERVICEMODE=false to install receiver in Non-Self Service Mode.
3. Specify Uninst all program as CitrixReceiver.exe /uninstall (to enable uninstallation through SCCM).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.36
- In the Det ect ion Met hod pane: Select Configure rules t o det ect t he presence of t his deployment t ype and
click Add Clause .
T he Detection Rule dialog appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.37
Set Set t ing T ype to File System.
Under Specif y t he f ile or f older t o det ect t he applicat ion , set the following:
- T ype – From the drop-down menu, select File.
- P at h – %ProgramFiles (x86)%\Citrix\ICA Client\Receiver
- F ile or f older name – Receiver.exe
P ropert y – From the drop-down menu, select Version
Operat or – From the drop-down menu, select Great er t han or equal t o
Value – T ype 4 .3.0.65534
Note: T his rule combination applies to Citrix Receiver for Windows upgrades as well.
- In the User Experience pane, set:
Inst allat ion behavior - Install for system
Logon requirement - Whether or not a user is logged on
Inst allat ion program visibilit y - Normal.
Click Next.
Note: Do not specify any requirements and dependencies for this deployment type.
7. In the Summary pane , verify the settings for this deployment type. Click Next .
A success message appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.38
8. In the Complet ion pane , a new deployment type (Receiver Deployment) is listed under the Deployment types.
Click Next and click Close .
Add distribution points
1. Right-click Receiver for Windows in the Configuration Manager console and select Dist ribut e Cont ent .
T he Distribute Content wizard appears.
2. In the Content Distribution pane, click Add > Dist ribut ion P oint s .
T he Add Distribution Points dialog appears.
3. Browse to the SCCM server where the content is available and click OK .
In the Completion pane, a success message appears
4. Click Close
Deploy the Receiver software to the software center
1. Right-click Receiver for Windows in the Configuration Manager console select Deploy .
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.39
T he Deploy Software wizard appears.
2. Select Browse against Collection (can be Device Collection or User Collection) where the application is to be deployed
and click Next .
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.40
3. In the Deployment Set t ings pane, set Act ion to Install and P urpose to Required (enables unattended installation).
Click Next .
4. In the Scheduling pane, specify the schedule to deploy the software on target devices.
5. In the User Experience pane, set the User not ificat ions behavior; select Commit changes at deadline or during a
maint enance window (requires rest art ) and click Next to complete the Deploy Software wizard.
In the Completion pane, a success message appears.
Reboot the target endpoint devices (required only to start installation immediately).
On endpoint devices, Citrix Receiver for Windows is visible in the Software Center under Available Sof t ware . Installation is
triggered automatically based on the schedule you configure. Alternatively, you can also schedule or install on demand. T he
installation status is displayed in the Software Center after the installation starts.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.41
Creating device collections
1. Launch the Configuration Manager console, click Asset s and Compliance > Overview > Devices .
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.42
2. Right-click Device Collect ions and select Creat e Device Collect ion .
T he Create Device Collection wizard appears.
3. In the General pane, type the Name for the device and click Browse for Limiting collection.
T his determines the scope of devices, which can be one the default Device Collections created by SCCM.
Click Next .
4. In the Membership Rules pane, click Add Rule for filtering the devices.
T he Create Direct Membership Rule wizard appears.
In the Search for Resources pane, select the At t ribut e name based on the devices you want to filter and provide
the Value for Attribute name to select the devices.
5. Click Next . In the Select Resources pane, select the devices that are required to be part of device collection.
In the Completion pane a success message appears.
6. Click Close .
7. In the Membership rules pane, a new rule is listed under Click Next.
8. In the Completion pane, a success message appears. Click Close to complete the Create Device Collection wizard.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.43
T he new device collection is listed in Device Collect ions . T he new device collection is a part of Device Collections while
browsing in Deploy Software wizard.
Note
When you set the MS IRES T ART MANAGERCONT ROL attribute to Fa ls e , deploying Citrix Receiver for Windows using SCCM might
not be successful.
As per our analysis, Citrix Receiver for Windows is NOT the cause of this failure. Also, retrying might yield successful deployment.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.44
Configure
Aug 14 , 20 17
When using Citrix Receiver for Windows software, the following configuration steps allow users to access their hosted
applications and desktops:
Configure your application delivery and Configure your XenDesktop environment. Ensure your XenApp environment is
configured correctly. Understand your options and provide meaningful application descriptions for your users.
Configure self-service mode by adding a StoreFront account to Citrix Receiver for Windows. T his mode allows your users
to subscribe to applications from the Citrix Receiver for Windows user interface.
Configure with the Group Policy Object administrative template
Provide users with account information. Provide users with the information they need to set up access to accounts
hosting their virtual desktops and applications. In some environments, users must manually set up access to those
accounts.
If you have users who connect from outside the internal network (for example, users who connect from the Internet or
from remote locations), configure authentication through NetScaler Gateway. For more information, see Authentication
and Authorization in NetScaler Gateway documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.45
Configuring application delivery
Aug 14 , 20 17
When delivering applications with XenDesktop or XenApp, consider the following options to enhance the user experience:
Web Access Mode - Without any configuration, Citrix Receiver for Windows provides browser-based access to
applications and desktops. You can open a browser to a Receiver for Web or Web Interface site to select and use the
applications you want. In this mode, no shortcuts are placed on the user's desktop.
Self Service Mode - By adding a StoreFront account to Citrix Receiver for Windows or configuring Citrix Receiver for
Windows to point to a StoreFront site, you can configure self-service mode, which allows you to subscribe to
applications from the Citrix Receiver for Windows user interface. T his enhanced user experience is similar to that of a
mobile app store. In a self-service mode, you can configure mandatory, auto-provisioned and featured app keyword
settings as required.
Note: By default, Citrix Receiver for Windows allows you to select the applications to display in the Start menu.
App shortcut-only mode - As a Citrix Receiver for Windows administrator, you can configure Citrix Receiver for Windows
to automatically place application and desktop shortcuts directly in the Start menu or on the desktop in a similar way
that Citrix Receiver for Windows Enterprise places them. T he new shortcut only mode allows you to find all the published
apps within the familiar Windows navigation schema where you would expect to find them.
For information on delivering applications using XenApp and XenDesktop 7, see Create a Delivery Group application.
Not e : Include meaningful descriptions for applications in a Delivery Group. Descriptions are visible to Citrix Receiver for
Windows users when using Web access or self-service mode.
Configuring NetScaler Gateway Store
Citrix recommends using the Group Policy Object administrative template to configure rules for network routing, proxy
servers, trusted server configuration, user routing, remote user devices, and user experience.
You can use the receiver.admx / receiver.adml template files with domain policies and local computer policies. For domain
policies, import the template file using the Group Policy Management console. T his is especially useful for applying Citrix
Receiver for Windows settings to a number of different user devices throughout the enterprise. To affect a single user
device, import the template file using the local Group Policy Editor on the device.
To add or specif y a Net Scaler Gat eway using Group P olicy Object administ rat ive t emplat e:
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
If applying the policy on a single computer, launch it from the Start menu.
If applying on domain policies, launch it by using the Group Policy Management console
2. Under the Computer Configuration node, go to Administrative Templates > Classic Administrative
Templates (ADM) > Citrix Components > Citrix Receiver > StoreFront, and select NetScaler Gateway
URL/StoreFront Accounts List.
3. Edit the settings.
Store name – Indicates the displayed store name
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.46
Store URL – Indicates the URL of the store
#Store name – Indicates the name of the store behind NetScaler Gateway
Store enabled state – Indicates the state of the store, On/Off
Store Description – Provides description of the store
4. Add or specify the NetScaler URL. Enter the name of the URL, delimited by a semi-colon:
Example : HRStore;https://dtls.blrwinrx.com#Store name;On; Store for HR staff
Where #Store name is the name of store behind NetScaler Gateway; dtls.blrwinrx.com is the NetScaler URL
When Citrix Receiver for Windows is launched after adding the Netscaler Gateway using GPO, the following message
appears in the notification area.
Limit at ions
1. NetScaler URL should be listed as first followed by StoreFront URL(s).
2. Multiple NetScaler URLs are not supported.
3. Any change in NetScaler URL requires the Citrix Receiver for Windows to be reset for the changes to take effect.
4. NetScaler Gateway URL configured using this method does not support PNA Services site behind NetScaler Gateway.
Configure self-service mode
By simply adding a StoreFront account to Citrix Receiver or configuring Citrix Receiver to point to a StoreFront site, you can
configure self-service mode, which allows users to subscribe to applications from the Receiver user interface. T his enhanced
user experience is similar to that of a mobile app store.
Note: By default, Citrix Receiver for Windows allows users to select the applications they want to display in their Start
menu.
In self-service mode, you can configure mandatory, auto-provisioned and featured app keyword settings as needed.
Append keywords to the descriptions you provide for delivery group applications:
T o make an individual app mandatory, so that it cannot be removed from Citrix Receiver for Windows, append the string
KEYWORDS:Mandatory to the application description. T here is no Remove option for users to unsubscribe to mandatory
apps.
T o automatically subscribe all users of a store to an application, append the string KEYWORDS:Auto to the description.
When users log on to the store, the application is automatically provisioned without users needing to manually subscribe
to the application.
T o advertise applications to users or to make commonly used applications easier to find by listing them in the Citrix
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.47
Receiver Featured list, append the string KEYWORDS:Featured to the application description.
Note
You should make changes to group policy before configuring a store. If at any time you want to customize the group policies, reset
Citrix Receiver, configure the group policy, and then reconfigure the store.
As an administrator, you can configure shortcuts using group policy.
1. Open the Local Group Policy Editor by running the command gpedit.msc locally from the Start menu when applying
policies to a single computer or by using the Group Policy Management Console when applying domain policies.
2. In the left pane of the Group Policy Editor, select the Administrative T emplates folder.
3. From the Action menu, choose Add/Remove T emplates.
4. Choose Add, browse to the Receiver Configuration folder and then select receiver.admx (or receiver.adml)
5. Select Open to add the template and then Close to the return to the Group Policy Editor.
6. In the Group Policy Editor, got to Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix
Components > Citrix Receiver > Self Service.
7. Select Manage SelfServiceMode to enable or disable the self-service Receiver user interface.
8. Choose Manage App Shortcut to enable or disable:
Shortcuts on Desktop
Shortcuts in Start menu
Desktop Directory
Start menu Directory
Category path for Shortcuts
Remove apps on logoff
Remove apps on exit
9. Choose Allow users to Add/Remove account to give users privileges to add or remove more than one
account.
You can set up shortcuts in the Start menu and on the desktop from the StoreFront site. T he following settings can be
added in the web.config file in C:\inet pub\wwwroot \Cit rix\Roaming in the <annot at edServices> section:
T o put shortcuts on the desktop, use PutShortcutsOnDesktop. Settings: "true" or "false" (default is false).
T o put shortcuts in the Start menu, use PutShortcutsInStartMenu. Settings: "true" or "false" (default is true).
T o use the category path in the Start menu, use UseCategoryAsStartMenuPath. Settings: "true" or "false" (default is
true).
NOT E : Windows 8/8.1 does not allow the creation of nested folders within the Start Menu. Applications will be displayed
individually or under the root folder but not within Category sub folders defined with XenApp.
T o set a single directory for all shortcuts in the Start menu, use StartMenuDir. Setting: String value, being the name of
the folder into which shortcuts are written.
T o reinstall modified apps, use AutoReinstallModifiedApps. Settings: "true" or "false" (default is true).
T o show a single directory for all shortcuts on the desktop, use DesktopDir. Setting: String value, being the name of the
folder into which shortcuts are written.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.48
T o not create an entry on the clients 'add/remove programs', useDontCreateAddRemoveEntry. Settings: "true" or "false"
(default is false).
T o remove shortcuts and Receiver icon for an application that was previously available from the Store but now is not
available, use SilentlyUninstallRemovedResources. Settings: "true" or "false" (default is false).
In the web.config file, the changes should be added in the XML section for the account. Find this section by locating the
opening tab:
<account id=... name="Store"
T he section ends with the </account> tag.
Before the end of the account section, in the first properties section:
<properties> <clear /> </properties>
Properties can be added into this section after the <clear /> tag, one per line, giving the name and value. For example:
<property name="PutShortcutsOnDesktop" value="True" />
Not e : Property elements added before the <clear /> tag may invalidate them. Removing the <clear /> tag when adding a
property name and value is optional.
An extended example for this section is:
<properties> <property name="PutShortcutsOnDesktop" value="True" /> <property name="DesktopDir" value="Citrix
Applications" />
Important
In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that
the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate
your configuration changes to the server group, so that the other servers in the deployment are updated.
Citrix Receiver can be configured to automatically place application and desktop shortcuts directly in the Start Menu or on
the desktop. T his functionality was similar to previously released versions of Citrix Receiver, however, release 4.2.100
introduced the ability to control app shortcut placement using XenApp per app settings. T his functionality is useful in
environments with a handful of applications that need to be displayed in consistent locations.
If you want to set the location of shortcuts so every user finds them in the same place use XenApp per App Settings:
If you want per-app settings to determine where applications are
placed independently of whether in self-service mode or Start Menu
mode..
configure Receiver with
P ut Short cut sInSt art Menu= f alse and
enable per app settings.
Note: T his setting applies to the Web
interface site only.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.49
Note: T he P ut Short cut sInSt art Menu= f alse setting applies to both XenApp 6.5 and XenDesktop 7.x.
Configure per app set t ings in XenApp 6.5
To configure a per app publishing shortcut in XenApp 6.5:
1. In the XenApp Application Properties screen, expand Basic properties.
2. Select the Shortcut presentation option.
3. In the Application shortcut placement portion of the Shortcut presentation screen, select the Add to the client's Start
menu check box. After selecting the check box, enter the name of the folder where you want to place the shortcut. If
you do not specify a folder name, XenApp places the shortcut in the Start Menu without placing it in a folder.
4. Select the Add shortcut to the client's desktop to include the shortcut on a client machine's desktop.
5. Click Apply.
6. Click OK.
To configure a per app publishing shortcut in XenApp 7.6:
1. In Citrix Studio, locate the Application Settings screen.
2. In the Application Settings screen, select Delivery. Using this screen, you can specify how applications are delivered to
users.
3. Select the appropriate icon for the application. Click Change to browse to the location of the desired icon.
4. In the Application category field, optionally specify the category in Receiver where the application appears. For example,
if you are adding shortcuts to Microsoft Office applications, enter Microsoft Office.
5. Select the Add shortcut to user's desktop checkbox.
6. Click OK.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.50
If users experience delays in app enumeration at each logon, or if there is a need to digitally sign application stubs, Receiver
provides functionality to copy the .EXE stubs from a network share.
T his functionality involves a number of steps:
1. Create the application stubs on the client machine.
2. Copy the application stubs to a common location accessible from a network share.
3. If necessary, prepare a white list (or, sign the stubs with an Enterprise certificate.
4. Add a registry key to enable Receiver to create the stubs by copying them from the network share.
If RemoveappsOnLogoff and RemoveAppsonExit are enabled, and users are experiencing delays in app enumeration at
every logon, use the following workaround to reduce the delays:
1. Use regedit to add HKCU\Software\Citrix\Dazzle /v ReuseStubs /t REG_SZ /d "true".
2. Use regedit to add HKLM\Software\Citrix\Dazzle /v ReuseStubs /t REG_SZ /d "true". HKCU has preference over HKLM.
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
Enable a machine to use pre-created stub executables that are stored on a network share:
1. On a client machine, create stub executables for all of the apps. T o accomplish this, add all the applications to the
machine using Receiver; Receiver generates the executables.
2. Harvest the stub executables from %APPDAT A%\Citrix\SelfService. You only need the .exe files.
3. Copy the executables to a network share.
4. For each client machine that will be locked down, set the following registry keys:
1. Reg add HKLM\Software\Citrix\Dazzle /v CommonStubDirectory /t REG_SZ /d "\\ShareOne\ReceiverStubs"
2. Reg add HKLM\Software\Citrix\Dazzle /v
3. CopyStubsFromCommonStubDirectory /t REG_SZ /d "true". It's also possible to configure these settings on HKCU if
you prefer. HKCU has preference over HKLM.
4. Exit and restart Receiver to test the settings.
T his topic provides use cases for app shortcuts.
Allowing users t o choose what t hey want in t he St art Menu (Self-Service)
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.51
If you have dozens (or even hundreds) of apps, it's best to allow users to select which applications they want to favorite
and add to the Start Menu:
If you want the user to choose the applications
configure Citrix Receiver in self-service mode. In this mode you also
they want in their Start Menu..
configure auto-provisioned and mandatory app keyword settings
as needed.
If you want the user to choose the applications
they want in their Start Menu but also want
configure Citrix Receiver without any options and then use per app
settings for the few apps that you want on the desktop. Use auto
specific app shortcuts on the desktop..
provisioned and mandatory apps as needed.
No app short cut s in t he St art Menu
If a user has a family computer, you might not need or want app shortcuts at all. In such scenarios, the simplest approach is
browser access; install Citrix Receiver without any configuration and browse to Citrix Receiver for Web and Web interface.
You can also configure Citrix Receiver for self-service access without putting shortcuts anywhere.
If you want to prevent Citrix Receiver
from putting application shortcuts in the
configure Citrix Receiver with PutShortcutsInStartMenu=False. Citrix
Receiver will not put apps in the Start Menu even in self-service mode
Start Menu automatically..
unless you put them there using per app settings.
All app short cut s in t he St art Menu or on t he Deskt op
If the user has only a few apps, you can put them all in the Start Menu or all on the desktop, or in a folder on the desktop.
If you want Citrix Receiver to put all application
configure Citrix Receiver with SelfServiceMode =False. All
shortcuts in the start menu automatically..
available apps will appear in the Start Menu.
If you want all application shortcuts to put on
configure Citrix Receiver with PutShortcutsOnDesktop = true.
desktop..
All available apps will appear in the desktop.
If you want all shortcuts to be put on the desktop in
configure Citrix Receiver with DesktopDir=Name of the
a folder...
desktop folder where you want applications.
P er app set t ings in XenApp 6.5 or 7 .x
If you want to set the location of shortcuts so every user finds them in the same place use XenApp per App Settings:
If you want per-app settings to determine where applications are
configure Citrix Receiver with
placed independently of whether in self-service mode or Start Menu
P ut Short cut sInSt art Menu= f alse and
mode..
enable per app settings.
Note: T his setting applies to the Web
Interface site only.
Apps in cat egory f olders or in specific f olders
If you want applications displayed in specific folders use the following options:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.52
If you want the application shortcuts
Citrix Receiver places in the start menu to
configure Citrix Receiver with UseCategoryAsStartMenuPath=T rue.
be shown in their associated category
(folder)..
within the Start Menu. Applications will be displayed individually or under
the root folder but not within Category sub folders defined with XenApp.
If you want the applications that Citrix
Receiver puts in the Start menu to be in a
configure Citrix Receiver with StartMenuDir=the name of the Start Menu
folder name.
Note: Windows 8/8.1 does not allow the creation of nested folders
specific folder..
Remove apps on logof f or exit
If you don't want users to see apps if another user is going to share the end point, you can ensure that apps are removed
when the user logs off and exits
If you want Citrix Receiver to remove all apps on logoff..
configure Citrix Receiver with RemoveAppsOnLogoff=T rue.
If you want Citrix Receiver to remove apps on exit..
configure Citrix Receiver with RemoveAppsOnExit=T rue.
When configuring local app access applications:
T o specify that a locally installed application should be used instead of an application available in Citrix Receiver, append
the string KEYWORDS:prefer="pattern". T his feature is referred to as Local App Access.
Before installing an application on a user's computer, Citrix Receiver searches for the specified patterns to determine if
the application is installed locally. If it is, Citrix Receiver subscribes the application and does not create a shortcut. When
the user starts the application from the Citrix Receiver window, Citrix Receiver starts the locally installed (preferred)
application.
If a user uninstalls a preferred application outside of Citrix Receiver, the application is unsubscribed during the next Citrix
Receiver refresh. If a user uninstalls a preferred application from the Citrix Receiver window, Citrix Receiver unsubscribes
the application but does not uninstall it.
Note: T he keyword prefer is applied when Citrix Receiver subscribes an application. Adding the keyword after the
application is subscribed has no effect.
You can specify the prefer keyword multiple times for an application. Only one match is needed to apply the keyword to
an application. T he following patterns can be used in any combination:
T o specify that a locally installed application should be used instead of an application available in Citrix Receiver,
append the string KEYWORDS:prefer="pattern". T his feature is referred to as Local App Access.
Before installing an application on a user's computer, Citrix Receiver searches for the specified patterns to
determine if the application is installed locally. If it is, Citrix Receiver subscribes the application and does not create
a shortcut. When the user starts the application from the Citrix Receiver window, Citrix Receiver starts the locally
installed (preferred) application.
If a user uninstalls a preferred application outside of Citrix Receiver, the application is unsubscribed during the next
Citrix Receiver refresh. If a user uninstalls a preferred application from the Citrix Receiver window, Citrix Receiver
unsubscribes the application but does not uninstall it.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.53
Note: T he keyword prefer is applied when Citrix Receiver subscribes an application. Adding the keyword after the
application is subscribed has no effect.
You can specify the prefer keyword multiple times for an application. Only one match is needed to apply the
keyword to an application. T he following patterns can be used in any combination:
prefer="ApplicationName"
T he application name pattern matches any application with the specified application name in the shortcut file
name. T he application name can be a word or a phrase. Quotation marks are required for phrases. Matching is
not allowed on partial words or file paths and is case-insensitive. T he application name matching pattern is
useful for overrides performed manually by an administrator.
KEYWORDS:pref er=
Short cut under P rograms
Mat ches?
Word
\Microsoft Office\Microsoft Word 2010
Yes
"Microsoft Word"
\Microsoft Office\Microsof t Word 2010
Yes
Console
\McAfee\VirusScan Console
Yes
Virus
\McAfee\VirusScan Console
No
McAfee
\McAfee\VirusScan Console
No
prefer="\\Folder1\Folder2\...\ApplicationName"
T he absolute path pattern matches the entire shortcut file path plus the entire application name under the
Start menu. T he Programs folder is a sub folder of the Start menu directory, so you must include it in the
absolute path to target an application in that folder. Quotation marks are required if the path contains spaces.
T he matching is case-sensitive. T he absolute path matching pattern is useful for overrides implemented
programmatically in XenDesktop.
KEYWORDS:pref er=
Short cut under P rograms
Mat ches?
"\\Programs\Microsoft Office\Microsoft
\P rograms\Microsof t Of f ice\Microsof t
Yes
Word 2010"
Word 2010
"\\Microsoft Office\"
\Programs\Microsoft Office\Microsoft Word
No
2010
"\\Microsoft Word 2010"
\Programs\Microsoft Office\Microsoft Word
No
2010
"\\Programs\Microsoft Word 2010"
\P rograms\Microsof t Word 2010
Yes
prefer=”\Folder1\Folder2\...\ApplicationName”
T he relative path pattern matches the relative shortcut file path under the Start menu. T he relative path
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.54
provided must contain the application name and can optionally include the folders where the shortcut resides.
Matching is successful if the shortcut file path ends with the relative path provided. Quotation marks are
required if the path contains spaces. T he matching is case-sensitive. T he relative path matching pattern is useful
for overrides implemented programmatically.
KEYWORDS:pref er=
Short cut under P rograms
Mat ches?
"\Microsoft Office\Microsoft Word 2010"
\Microsof t Of f ice\Microsof t Word 2010
Yes
"\Microsoft Office\"
\Microsoft Office\Microsoft Word 2010
No
"\Microsoft Word 2010"
\Microsoft Office\Microsof t Word 2010
Yes
"\Microsoft Word"
\Microsoft Word 2010
No
For information about other keywords, see "Additional recommendations" in Optimize the user experience in the
StoreFront documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.55
Configuring your XenDesktop environment
Aug 14 , 20 17
After the Citrix Receiver for Windows is installed, the following configuration steps allow users to access their hosted
applications and desktops:
Adaptive transport - Adaptive transport optimizes data transport by applying a new Citrix protocol called Enlightened
Data T ransport (EDT ) in preference to T CP whenever possible. For more information about configuring adaptive
transport, see Configuring adaptive transport.
Auto-update - Auto-update provides automatic updates for Citrix Receiver for Windows and for the HDX RealT ime
Optimization Pack without the need to download updates manually. For more information about configuring autoupdate, see Configuring auto-update.
Bidirectional content redirection - T he bidirectional content redirection allows you to enable or disable client to host and
host to client URL redirection. For more information on configuring bidirectional content redirection, see Configuring
bidirectional content redirection.
Bloomberg keyboards - Specialist USB devices (for example, Bloomberg keyboards and 3-D mice) can be configured to
use USB support. For information on configuring Bloomberg keyboards, see Configure Bloomberg keyboards.
Composite USB Device - A composite USB device has the ability to perform more than one function. T his is accomplished
by exposing each of those functions using different interfaces. For more information on configuring composite USB
device, see Configuring composite USB device.
USB support - USB support enables users to interact with a wide range of USB devices when connected to a virtual
desktop. For more information on configuring USB support, see Configuring USB support.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.56
Configuring adaptive transport
Aug 14 , 20 17
Requirement s
XenApp and XenDesktop 7.12 and later (required to enable the feature using Citrix Studio).
StoreFront 3.8.
IPv4 VDAs only. IPv6 and mixed IPv6 and IPv4 configurations are not supported.
Add firewall rules to allow inbound traffic on UDP ports 1494 and 2598 of the VDA.
Note
TCP ports 1494 and 2598 are also required and opened automatically when you install the VDA. However, UDP ports 1494 and 2598
are not automatically opened. You must enable them.
Adaptive transport must be configured on the VDA by applying the policy before it is available for communication between
the VDA and Citrix Receiver.
By default, the adaptive transport is allowed in Citrix Receiver for Windows. However, also by default, the client attempts
to use adaptive transport only if the VDA is configured to P ref erred in the Citrix Studio policy and if the setting has been
applied on the VDA.
You can enable adaptive transport using the HDX Adapt ive T ransport policy setting. Set the new policy to P ref erred
to use adaptive transport when possible, with fallback to TCP.
To disable adaptive transport on a specific client, set the EDT options appropriately using the Citrix Receiver Group Policy
Object administrative template.
To configure adapt ive t ransport using t he Cit rix Receiver Group P olicy Object administ rat ive t emplat e
(opt ional)
T he following are optional configuration steps to customize your environment. For example, you may choose to disable the
feature for a particular client for security reasons.
Note
By default, adaptive transport is disabled (Off) and TCP is always used.
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
If you are applying the policy on a single computer, launch it from the Start menu.
If you are applying the policy on a domain, launch it by using the Group Policy Management console.
For information on how to import the Citrix Receiver for Windows administrative template files into the Group Policy
Editor, see Configuring Citrix Receiver for Windows with the Group Policy Object template.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.57
2. Under the Computer Configuration node, go to Administ rat ive Templat es > Cit rix Receiver > Net work rout ing .
3.Set the T ransport prot ocol f or Receiver policy to Enabled .
4. Select Communicat ion P rot ocol f or Cit rix Receiver as required.
Of f : Indicates that T CP is used for data transfer.
P ref erred : Indicates that the Citrix Receiver tries to connect to the server using UDP at first and then switches to T CP
as a fallback.
On : Indicates that the Citrix Receiver connects to the server using UDP only. T here is no fallback to T CP with this option.
5. Click Apply and OK .
6. From a command line, run the gpupdate /force command.
Additionally, for the adaptive transport configuration to take effect, the user is required to add the Citrix Receiver Windows
template files to the Policy Definitions folder. For more information on adding admx/adml template files to the local GPO,
see Configuring Citrix Receiver for Windows with the Group Policy Object template.
To confirm that the policy setting has taken effect:
Navigate to HKEY_LOCAL_MACHINE\SOFT WARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All
Regions\Lockdown\Network\UDT and verify that the key HDXOverUDP is included.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.58
Configuring auto-update
Aug 14 , 20 17
When you configure auto-update from Citrix Receiver for Windows, follow the methods below in the order of priority:
1. Group Policy Object administrative template
2. Command line interface
3. Advanced Preferences (per-user)
Configuring using the Group Policy Object
administrative template
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
If you are applying the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative
template from the Start menu.
If you are applying the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template by
using the Group Policy Management console.
2. Under the Computer Configuration node, go to Administ rat ive Templat es > Cit rix Component s > Cit rix Receiver >
Aut oUpdat e.
3. Select the Set t he Delay in Checking f or Updat e policy. T his policy allows you to stage the rollout for a period.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.59
4. Select Enabled , and from the Delay Group drop-down, select one of the following options:
F ast – Update rollout happens at the beginning of the delivery period.
Medium – Update rollout happens at the mid-delivery period.
Slow – Update rollout happens at the end of the delivery period.
5. Click Apply and OK to save the Policy.
6. In the AutoUpdate Templates section, select the Enable or Disable Aut oUpdat e policy.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.60
7. Select Enabled and set the values as required:
From the Enable Aut oUpdat e P olicy drop-down, select one of the following options:
Aut o – You are notified when an update is available (default).
Manual – You are not notified when updates are available. Check for updates manually.
Select LT SR ONLY to get updates for LT SR only.
From the aut o-updat e-Def erUpdat e-Count drop-down, select a value between -1 and 30 , where
-1 – indicates that you can defer the notifications any number of times (default value=-1).
0 – indicates that the Remind me lat er option is not displayed.
Any other number – indicates that the Remind me lat er option is displayed in that count. For example, if you set
the value to 10, the Remind me lat er option is displayed 10 times.
8. Click Apply and OK to save the policy.
Configuring using the command line interface
To configure auto-update settings as an administrator using command-line settings during Citrix Receiver installation:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.61
/Aut oUpdat eCheck = auto/manual/disabled
/Aut oUpdat eSt ream= LT SR/Current. Where, LT SR refers to Long T erm Service Release and Current refers to the
current release.
/Def erUpdat eCount = any value between -1 and 30
/AURollout P riorit y= auto/fast/medium/slow
For example: CitrixReceiver.exe / AutoUpdateCheck=auto /AutoUpdateStream= Current /DeferUpdateCount=-1 /
AURolloutPriority= fast
T o configure auto-update settings as a user using command-line settings during Citrix Receiver installation
/Aut oUpdat eCheck= auto/manual
For example: CitrixReceiver.exe / AutoUpdateCheck=auto
Editing auto-update settings using the Group Policy Object administrative template overrides the settings applied during
Citrix Receiver for Windows installation for all users.
Auto-update can be configured after installing Citrix Receiver for Windows.
To use the command line:
Open Windows Command Prompt and change the directory to where Cit rixReceiverUpdat er.exe is located. Typically,
CitrixReceiverUpdater.exe is located at CitrixReceiverInstallLocation\Citrix\Ica Client\Receiver.
You can also set the auto-update command-line policy using this binary.
For example: Administrators can use all the four options:
CitrixReceiverUpdater.exe / AutoUpdateCheck=auto /AutoUpdateStream= STSR /DeferUpdateCount=-1 /
AURolloutPriority= fast
Configuring using the graphical user interface
An individual user can override the auto-update setting using the Advanced P ref erences dialog. T his is a per-user
configuration and the settings apply only to the current user.
1. Right-click Citrix Receiver for Windows from the notification area.
2. Select Advanced P ref erences and click Aut o Updat e .
T he auto-update dialog appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.62
3. Select one of the following options:
Yes, notify me
No, don’t notify me
Use administrator specified settings
4. Click Save .
Configuring Auto-update using StoreFront
1. Use a text editor to open the web.config file, which is typically located in the C:\inetpub\wwwroot\Citrix\Roaming
directory.
2. Locate the user account element in the file (Store is the account name of your deployment)
For example: <account id=... name="Store">
Before the </account> tag, navigate to the properties of that user account:
<properties>
<clear />
</properties>
3. Add the auto-update tag after <clear /> tag.
<accounts>
<clear />
<account id="d1197d2c-ac82-4f13-9346-2ee14d4b0202" name="F84Store"
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.63
<account id="d1197d2c-ac82-4f13-9346-2ee14d4b0202" name="F84Store"
description="" published="true" updaterType="Citrix" remoteAccessType="None">
<annotatedServices>
<clear />
<annotatedServiceRecord serviceRef="1__Citrix_F84Store">
<metadata>
<plugins>
<clear />
</plugins>
<trustSettings>
<clear />
</trustSettings>
<properties>
<property name="Auto-Update-Check" value="auto" />
<property name="Auto-Update-DeferUpdate-Count" value="1" />
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.64
<property name="Auto-Update-LTSR-Only" value="FALSE" />
<property name="Auto-Update-Rollout-Priority" value="fast" />
</properties>
</metadata>
</annotatedServiceRecord>
</annotatedServices>
<metadata>
<plugins>
<clear />
</plugins>
<trustSettings>
<clear />
</trustSettings>
<properties>
<clear />
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.65
</properties>
</metadata>
</account>
auto-update-Check
T his indicates that Citrix Receiver for Windows detects when an update is available.
Valid values:
Auto – You are notified when an update is available (default).
Manual – You are not notified when updates are available. Check for updates manually.
Disabled – Disable auto-update.
auto-update-LTSR-Only
T his indicates that Citrix Receiver for Windows must accept updates only for LT SR.
Valid values:
T rue – auto-updates checks only for LT SR updates of Citrix Receiver for Windows
False – auto-update checks for non-LT SR updates of Citrix Receiver for Windows as well.
auto-update-DeferUpdate-Count
T his indicates the number of counts you can defer the notifications. T he Remind me later option is displayed in the count
of the set value.
Valid values:
-1 – indicates that you can defer the notifications any number of times (default value=-1).
0 – indicates that the Remind me later option is not displayed.
Any other number – indicates that the Remind me later option is displayed in that count. For example, if you set the
value to 10, the Remind me later option is displayed 10 times.
aut o-updat e-Rollout -P riorit y
T his indicates the period that you can set for the rollout.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.66
Valid values:
Fast – Update rollout happens at the beginning of the delivery period.
Medium – Update rollout happens at the mid-delivery period.
Slow – Update rollout happens at the end of the delivery period.
Limit at ions:
1. Your system must have access to the internet.
2. Receiver for Web users cannot download the StoreFront policy automatically.
3. If you have configured an SSL intercepting outbound proxy, you must add an exception to the Receiver auto-update
Signature service (https://citrixupdates.cloud.com) and the download location (https://downloadplugins.citrix.com).
4. By default, auto-update is disabled on the VDA. T his includes RDS multi-user server machines, VDI and RemotePC
machines.
5. auto-update is disabled on machines where Desktop Lock is installed.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.67
Configuring bidirectional content redirection
Aug 14 , 20 17
You can enable bidirectional content redirection by using one of the following:
1. Group Policy Object administrative template
2. Registry
Note
Bidirectional content redirection does not work on session where Lo ca l App Acce s s is enabled.
Bidirectional content redirection must be enabled both on the server and the client. When it is disabled either on the server or the
client, the functionality is disabled.
To enable bidirect ional cont ent redirect ion using t he Group P olicy Object administ rat ive t emplat e
Use Group Policy Object administrative template configuration for a first-time installation of Citrix Receiver for Windows.
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
If you are applying the policy on a single computer, launch it from the Start menu.
If you are applying the policy on a domain, launch it by using the Group Policy Management console.
2. Under the User Configuration node, go to Administ rat ive T emplat es > Classic Administ rat ive T emplat es (ADM)
> Cit rix Component s > Cit rix Receiver > User experience .
3. Select the Bidirect ional Cont ent Redirect ion policy.
4. Edit the settings.
Note
When you include URLs, you can specify a single URL or a semi-colon delimited list of URLs. You can use an asterisk (*) as a wildcard.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.68
5. Click Apply and OK .
6. From a command line, run the gpupdate /force command.
To enable bidirect ional cont ent redirect ion using t he regist ry
To enable bidirectional content redirection, run the redirect or.exe /RegIE command from the Citrix Receiver for Windows
installation folder (C:\Program Files (x86)\Citrix\ICA Client).
Limit at ions
No fallback mechanism is present if redirection fails due to session launch issues.
Important
Ensure that redirection rules do not result in a looping configuration. A looping configuration, for example results if VDA rules are
set so that a URL, https://www.my_company.com, is configured to be redirected to the client, and the same URL is configured to
be redirected to the VDA.
URL redirection supports only explicit URLs (those appearing in the address bar of the browser or found using the in-browser
navigation, depending on the browser).
If two applications with same display name are configured to use multiple StoreFront accounts, the display name in the primary
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.69
StoreFront account is used for launching the application or a desktop session.
New browser window opens only when URL is redirected to the client. When URL is redirected to VDA, if the browser is already
open, then the redirected URL opens in the new tab.
Embedded links in files like documents, emails, pdfs is supported.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.70
Configuring Bloomberg keyboards
Aug 14 , 20 17
Citrix Receiver for Windows supports the use of Bloomberg Keyboard in a XenApp and XenDesktop session. T he required
components are installed with the plug-in. You can enable the Bloomberg keyboard feature during Citrix Receiver for
Windows installation or by using the registry
Multiple sessions to Bloomberg keyboards are not recommended. T he keyboard only operates correctly in single-session
environments.
To enable or disable Bloomberg keyboard support
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
1. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA Client\GenericUSB
2. Do one of the following:
T o turn on this feature, for the entry with T ype DWORD and Name EnableBloombergHID, set Value to 1.
T o turn off this feature, set the Value to 0.
For more information on configuring Bloomberg Keyboard, see Knowledge Center article CT X122615.
To prevent the Desktop Viewer window f rom dimming
If users have multiple Desktop Viewer windows, by default the desktops that are not active are dimmed. If users need to
view multiple desktops simultaneously, this can make the information on them unreadable. You can disable the default
behavior and prevent the Desktop Viewer window from dimming by editing the Registry.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
1. On the user device, create a REG_DWORD entry called DisableDimming in one of the following keys, depending on
whether you want to prevent dimming for the current user of the device or the device itself. An entry already exists if
the Desktop Viewer has been used on the device:
HKEY_CURRENT _USER\Software\Citrix\XenDesktop\DesktopViewer
HKEY_LOCAL_MACHINE\Software\Citrix\XenDesktop\DesktopViewer
Optionally, instead of controlling dimming with the above user or device settings, you can define a local policy by creating
the same REG_WORD entry in one of the following keys:
HKEY_CURRENT _USER\Software\Policies\Citrix\XenDesktop\DesktopViewer
HKEY_LOCAL_MACHINE\Software\Policies\Citrix\XenDesktop\DesktopViewer
T he use of these keys is optional because XenDesktop administrators, rather than plug-in administrators or users,
typically control policy settings using Group Policy. So, before using these keys, check whether your XenDesktop
administrator has set a policy for this feature.
2. Set the entry to any non-zero value such as 1 or true.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.71
If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. If multiple entries are specified,
the following precedence is used. T he first entry that is located in this list, and its value, determine whether the window
is dimmed:
1. HKEY_CURRENT _USER\Software\Policies\Citrix\...
2. HKEY_LOCAL_MACHINE\Software\Policies\Citrix\...
3. HKEY_CURRENT _USER\Software\Citrix\...
4. HKEY_LOCAL_MACHINE\Software\Citrix\...
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.72
Configuring composite USB device redirection
Aug 14 , 20 17
Configuring composite USB redirection using the Group Policy Object administrative template
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
1. If you are applying the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative
template from the Start menu.
2. If you are applying the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template by
using the Group Policy Management console.
2. Under the User Configuration node, go to Administrative Templates > Citrix Components > Citrix Receiver >
Remoting client devices > Generic USB Remoting.
3. Select the SplitDevices policy.
4. Select Enabled.
5. Click Apply.
6. Click OK to save the policy.
To allow or deny an interf ace using the Group Policy Object administrative template
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
1. If you are applying the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative
template from the Start menu.
2. If you are applying the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template by
using the Group Policy management console.
2. Under the User Configuration node, go to Administrative Templates > Citrix Components > Citrix Receiver >
Remoting client devices > Generic USB Remoting.
3. Select USB Device Rules policy.
4. Select Enabled.
5. In the USB Device Rules text box, add the USB device that you want to allow or deny.
For example, ALLOW: vid=047F pid= C039 split=01 intf=00,03 //Allowed 00 and 03 interface, restrict others.
6. Click Apply and OK.
In a desktop session, split USB devices are displayed in the Desktop Viewer under Devices. Additionally, you can view split
USB devices from Pref erences > Devices.
In an application session, split USB devices are displayed in the Connection Center.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.73
T he table below provides details on the behavior scenarios when a USB interface is allowed or denied.
To allow an interf ace:
Split
Interf ace
Action
T RUE
Valid number 0 -n
Allow specified interface
T RUE
Invalid number
Allow all interfaces
FALSE
Any value
Allow Generic USB of parent device
Not specified
Any value
Allow Generic USB of parent device
For example, SplitDevices- true indicates that all devices split.
To deny an interf ace:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.74
Split
Interf ace
Action
T RUE
Valid number 0 - n
Deny specified interface
T RUE
Invalid number
Deny all interfaces
FALSE
Any value
Deny Generic USB of parent device
Not specified
Any value
Deny Generic USB of parent device
For example, SplitDevices- false indicates that devices are not split with specified interface number.
Example: My_< plantronics> headset
Interf ace number
Audio Interface Class -0
HID Interface Class-3
Sample rules used for My_< plantronics> headset:
ALLOW: vid=047F pid= C039 split=01 intf=00,03 //Allowed 00 and 03 interface, restrict others
DENY: vid=047F pid= C039 split=01 intf=00,03 // deny 00 and 03
Limitations:
1. Citrix recommends that you do not split interfaces for a webcam. As a workaround, redirect the device as a single device
using Generic USB redirection. For a better performance, use the optimized virtual channel.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.75
Configuring USB support
Aug 14 , 20 17
USB support enables you to interact with a wide range of USB devices when connected to a virtual desktop. You can plug
USB devices into their computers and the devices are remote to their virtual desktop. USB devices available for remoting
include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Desktop Viewer users
can control whether USB devices are available on the virtual desktop using a preference in the toolbar.
Isochronous features in USB devices, such as webcams, microphones, speakers, and headsets are supported in typical low
latency/high-speed LAN environments. T his allows these devices to interact with packages, such as Microsoft Office
Communicator and Skype.
T he following types of device are supported directly in a XenApp and XenDesktop session, and so does not use USB
support:
Keyboards
Mice
Smart cards
Note: Specialist USB devices (for example, Bloomberg keyboards and 3-D mice) can be configured to use USB support. For
information on configuring Bloomberg keyboards, see Configure Bloomberg keyboards. For information on configuring
policy rules for other specialist USB devices, see Knowledge Center article CT X122615
By default, certain types of USB devices are not supported for remoting through XenDesktop and XenApp. For example, a
user may have a network interface card attached to the system board by internal USB. Remoting this device would not be
appropriate. T he following types of USB device are not supported by default for use in a XenDesktop session:
Bluetooth dongles
Integrated network interface cards
USB hubs
USB graphics adapters
USB devices connected to a hub can be remote, but the hub itself cannot be remote.
T he following types of USB device are not supported by default for use in a XenApp session:
Bluetooth dongles
Integrated network interface cards
USB hubs
USB graphics adapters
Audio devices
Mass storage devices
For instructions on modifying the range of USB devices that are available to users, see Update the list of USB devices
available for remoting.
For instructions on automatically redirecting specific USB devices, see Knowledge Center article CT X123015.
How USB support works
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.76
When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, remoted to the virtual desktop. If
the device is denied by the default policy, it is available only to the local desktop.
When a user plugs in a USB device, a notification appears to inform the user about a new device. T he user can decide which
USB devices are remoted to the virtual desktop by selecting devices from the list each time they connect. Alternatively, the
user can configure USB support so that all USB devices plugged in both before and/or during a session are automatically
remoted to the virtual desktop that is in focus.
Mass storage devices
For mass storage devices only, in addition to USB support, remote access is available through client drive mapping, which you
configure through the Citrix Receiver policy Remoting client devices > Client drive mapping. When this policy is applied, the
drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. T he drives are
displayed as shared folders with mapped drive letters.
T he main differences between the two types of remoting policy are:
Feature
Client drive
mapping
USB support
Enabled by default
Yes
No
Read-only access configurable
Yes
No
Safe to remove device during a
No
Yes, if the user clicks Safely Remove Hardware in the
session
notification area
If both Generic USB and the Client drive mapping policies are enabled and a mass storage device is inserted before a session
starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it
is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping.
USB device classes allowed by def ault
Different classes of USB device are allowed by the default USB policy rules.
Although they are on this list, some classes are only available for remoting in XenDesktop and XenApp sessions after
additional configuration. T hese are noted below.
Audio (Class 01). Includes audio input devices (microphones), audio output devices, and MIDI controllers. Modern audio
devices generally use isochronous transfers, which is supported by XenDesktop 4 or later. Audio (Class01) is not applicable
to XenApp because these devices are not available for remoting in XenApp using USB support.
Note: Some specialty devices (for example, VOIP phones) require additional configuration. For more information, see
Knowledge Center article CT X123015.
Physical Interf ace Devices (Class 05). T hese devices are similar to Human Interface Devices (HIDs), but generally
provide "real-time" input or feedback and include force feedback joysticks, motion platforms, and force feedback
exoskeletons.
Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras often support the still imaging class
which uses the Picture T ransfer Protocol (PT P) or Media T ransfer Protocol (MT P) to transfer images to a computer or
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.77
other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use
either class, through setup menus provided by the camera itself.
Note: If a camera appears as a mass storage device, client drive mapping is used and USB support is not required.
Printers (Class 07). In general most printers are included in this class, although some use vendor-specific protocols (class
ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element
generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.
Printers normally work appropriately without USB support.
Note: T his class of device (in particular printers with scanning functions) requires additional configuration. For instructions
on this, see Knowledge Center article CT X123015.
Mass Storage (Class 08). T he most common mass storage devices are USB flash drives; others include USB-attached
hard drives, CD/DVD drives, and SD/MMC card readers. T here are a wide variety of devices with internal storage that also
present a mass storage interface; these include media players, digital cameras, and mobile phones. Mass Storage (Class
08) is not applicable to XenApp because these devices are not available for remoting in XenApp using USB support.
Known subclasses include:
01 Limited flash devices
02 T ypically CD/DVD devices (AT API/MMC-2)
03 T ypically tape devices (QIC-157)
04 T ypically floppy disk drives (UFI)
05 T ypically floppy disk drives (SFF-8070i)
06 Most mass storage devices use this variant of SCSI
Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.
Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or
not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB
support.
Content Security (Class 0d). Content security devices enforce content protection, typically for licensing or digital rights
management. T his class includes dongles.
Video (Class 0e). T he video class covers devices that are used to manipulate video or video-related material, such as
webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support
video streaming.
Note: Most video streaming devices use isochronous transfers, which is supported by XenDesktop 4 or later. Some video
devices (for example webcams with motion detection) require additional configuration. For instructions on this, see
Knowledge Center article CT X123015.
Personal Healthcare (Class 0f ). T hese devices include personal healthcare devices such as blood pressure sensors, heart
rate monitors, pedometers, pill monitors, and spirometers.
Application and Vendor Specif ic (Classes f e and f f ). Many devices use vendor specific protocols or protocols not
standardized by the USB consortium, and these usually appear as vendor-specific (class ff).
USB devices classes denied by def ault
T he following different classes of USB device are denied by the default USB policy rules.
Communications and CDC Control (Classes 02 and 0a). T he default USB policy does not allow these devices, because one
of the devices may be providing the connection to the virtual desktop itself.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.78
Human Interface Devices (Class 03). Includes a wide variety of both input and output devices. T ypical Human Interface
Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control
functions.
Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.
T he default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01,
protocol 2). T his is because most keyboards and mice are handled appropriately without USB support and it is normally
necessary to use these devices locally as well remotely when connecting to a virtual desktop.
USB Hubs (Class 09). USB hubs allow extra devices to be connected to the local computer. It is not necessary to access
these devices remotely.
Smart Card (Class 0b). Smart card readers include contactless and contact smart card readers, and also USB tokens with
an embedded smart card-equivalent chip.
Smart card readers are accessed using smart card remoting and do not require USB support.
Wireless Controller (Class e0). Some of these devices may be providing critical network access, or connecting critical
peripherals, such as Bluetooth keyboards or mice.
T he default USB policy does not allow these devices. However, there may be particular devices to which it is appropriate
to provide access using USB support.
Miscellaneous network devices (Class ef , subclass 04 ). Some of these devices may be providing critical network
access. T he default USB policy does not allow these devices. However, there may be particular devices to which it is
appropriate to provide access using USB support.
Update the list of USB devices available f or remoting
You can update the range of USB devices available for remoting to desktops by editing the Citrix Receiver for Windows
template file. T his allows you to make changes to the Citrix Receiver for Windows using Group Policy. T he file is located in
the following installed folder:
<root drive>:\Program Files\Citrix\ICA Client\Configuration\en
Alternatively, you can edit the registry on each user device, adding the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules" Value=
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
T he product default rules are stored in:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name=“DeviceRules” Value=
Do not edit the product default rules.
For details of the rules and their syntax, see the Knowledge Center article CT X119722.
Configuring USB audio per user
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.79
Citrix recommends using the Group Policy Object receiver.admx/receiver.adml template file to configure rules for network
routing, proxy servers, trusted server configuration, user routing, remote user devices, and the user experience.
You can use the receiver.admx template file with domain policies and local computer policies. For domain policies, import the
template file using the Group Policy Management Console. T his is especially useful for applying Citrix Receiver for Windows
settings to a number of different user devices throughout the enterprise. To affect a single user device, import the
template file using the local Group Policy Editor on the device.
Note: T his feature is available only on XenApp server.
To configure USB audio devices per user
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
Note: If you already imported the receiver template into the Group Policy Editor, you can leave out steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative T emplates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (for 32-bit machines, usually C:\Program Files\Citrix\ICA
Client\Configuration, for 64-bit machines usually C:\Program Files (x86)\Citrix\ICA Client\Configuration) and select
receiver.admx.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Under the Computer Configuration node, go to Administrative Templates > Classic Administrative Templates
(ADM) > Citrix Components > Citrix Receiver > User experience, and select Audio through Generic USB
Redirection.
7. Edit the settings.
8. Click Apply and OK.
9. Open cmd prompt in administrator mode.
10. Run the below command
gpupdate /force
Note: Any change in the policy requires the XenApp server to be restarted for the changes to take effect.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.80
Configuring StoreFront
Aug 14 , 20 17
Citrix StoreFront authenticates users to XenDesktop, XenApp, and VDI-in-a-Box, enumerating and aggregating available desktops and
applications into stores that users access through Citrix Receiver for Windows.
In addition to the configuration summarized in this section, you must also configure NetScaler Gateway to enable users to connect from
outside the internal network (for example, users who connect from the Internet or from remote locations).
Tip
Citrix Receiver for Windows occasionally shows the older StoreFront UI instead of the updated StoreFront UI after you select the option to show all
stores.
To configure StoreFront
1. Install and configure StoreFront as described in the StoreFront documentation. Citrix Receiver for Windows requires an HT T PS
connection. If the StoreFront server is configured for HT T P, a registry key must be set on the user device as described in Configure and
install Receiver for Windows using command-line parameters under the ALLOWADDST ORE property description.
Note: For administrators who need more control, Citrix provides a template you can use to create a download site for Citrix Receiver
for Windows.
Manage workspace control reconnect
Workspace control lets applications follow users as they move between devices. T his enables, for example, clinicians in hospitals to move
from workstation to workstation without having to restart their applications on each device. For Citrix Receiver for Windows, you manage
workspace control on client devices by modifying the registry. T his can also be done for domain-joined client devices using Group Policy.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot
guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure
to back up the registry before you edit it.
Create WSCReconnectModeUser and modify the existing registry key WSCReconnectMode in the Master Desktop Image or in XenApp
server hosting. T he published desktop can change the behavior of the Citrix Receiver for Windows.
WSCReconnectMode key settings for Citrix Receiver for Windows:
0 = do not reconnect to any existing sessions
1 = reconnect on application launch
2 = reconnect on application refresh
3 = reconnect on application launch or refresh
4 = reconnect when Receiver interface opens
8 = reconnect on Windows log on
11 = combination of both 3 and 8
Disable workspace control f or Citrix Receiver f or Windows
To disable workspace control for Citrix Receiver for Windows, create the following key:
HKEY_CURRENT _USER\SOFT WARE\Wow6432Node\Citrix\Dazzle (64-bit)
HKEY_CURRENT _USER\SOFT WARE\Citrix\Dazzle for (32-bit)
Name: WSCReconnectModeUser
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.81
Type: REG_SZ
Value data: 0
Modify the following key from the default value of 3 to zero
HKEY_CURRENT _USER\SOFT WARE\Wow6432Node\Citrix\Dazzle (64-bit)
HKEY_CURRENT _USER\SOFT WARE\Citrix\Dazzle (32-bit)
Name: WSCReconnectMode
Type: REG_SZ
Value data: 0
Note: Alternatively, you can set the REG_SZ value WSCReconnectAll to false if you do not want to create a new key.
Changing the status indicator timeout
You can change the amount of time the status indicator displays when a user is launching a session. To alter the time out period, create a
REG_DWORD value SI INACT IVE MS in HKLM\SOFT WARE\Citrix\ICA CLIENT \Engine\. T he REG_DWORD value can be set to 4 if you
want the status indicator to disappear sooner.
Warning
Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before
you edit it.
Customizing location f or application shortcut via CLI
Start menu integration and desktop shortcut only mode lets you bring published application shortcuts into the Windows Start menu and
onto the desktop. Users do not have to subscribe to applications from the Citrix Receiver user interface. Start menu integration and
desktop shortcut management provides a seamless desktop experience for groups of users, who need access to a core set of
applications in a consistent way.
As a Citrix Receiver administrator, you use a command-line install flags, GPOs, account services, or registry settings to disable the usual
"self-service" Citrix Receiver interface and replace it with a pre-configured Start menu. T he flag is called SelfServiceMode and is set to true
by default. When the administrator sets the SelfServiceMode flag to false, the user no longer has access to the self-service Citrix Receiver
user interface. Instead, they can access subscribed apps from the Start menu and via desktop shortcuts - referred to here as a shortcutonly mode.
Users and administrators can use a number of registry settings to customize the way shortcuts are set up.
Working with shortcuts
Users cannot remove apps. All apps are mandatory when working with the SelfServiceMode flag set to false (shortcut-only mode). If
the user removes a shortcut icon from the desktop, the icon comes back when the user selects Refresh from the Citrix Receiver for
Windows system tray icon.
Users can configure only one store. T he Account and Preferences options are not available. T his is to prevent the user from configuring
additional stores. T he administrator can give a user special privileges to add more than one account using the Group Policy Object
template, or by manually adding a registry key ( HideEditStoresDialog) on the client machine. When the administrator gives a user this
privilege, the user has a Preferences option in the system tray icon, where they can add and remove accounts.
Users cannot remove apps via the Windows Control Panel.
You can add desktop shortcuts via a customizable registry setting. Desktop shortcuts are not added by default. After you make any
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.82
changes to the registry settings, Citrix Receiver for Windows must be restarted.
Shortcuts are created in the Start menu with a category path as the default,
UseCategoryAsStartMenuPath.
Note: Windows 8/8.1 does not allow the creation of nested folders within the Start Menu. Applications will be displayed individually or
under the root folder but not within Category sub folders defined with XenApp.
You can add a flag [/DESKT OPDIR="Dir_name"] during installation to bring all shortcuts into a single folder. CategoryPath is supported
for desktop shortcuts.
Auto Re-install Modified Apps is a feature which can be enabled via the registry key AutoReInstallModifiedApps. When
AutoReInstallModifiedApps is enabled, any changes to attributes of published apps and desktops on the server are reflected on the
client machine. When AutoReInstallModifiedApps is disabled, apps and desktop attributes are not updated and shortcuts are not restored on refresh if deleted on the client. By default, this AutoReInstallModifiedApps is enabled. See Using registry keys to customize
app shortcut locations.
Customizing location f or application shortcut via Registry
Note
By default, registry keys use String format.
You can use registry key settings to customize shortcuts. You can set the registry keys at the following locations. Where they apply, they
are acted on in the order of preference listed.
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting f rom the incorrect use of Registry Editor can be solved. Use Registry Editor at
your own risk. Be sure to back up the registry bef ore you edit it .
Note: You should make changes to registry keys before configuring a store. If at any time you or a user wants to customize the registry
keys, you or the user must reset Receiver, configure the registry keys, and then reconfigure the store.
Registry keys for 32-bit machines
Registry name
RemoveAppsOnLogoff
Def ault value
False
Locations in order of pref erence
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
RemoveAppsOnExit
False
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.83
PutShortcutsOnDesktop
False
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Citrix\Dazzle
PutShortcutsInStartMenu
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
SelfServiceMode
T rue
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
UseCategoryAsStartMenuPath
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Citrix\Dazzle
StartMenuDir
"" (empty)
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Citrix\Dazzle
DesktopDir
"" (empty)
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.84
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
AutoReinstallModifiedApps
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
HideEditStoresDialog
T rue inSelfServiceMode,
and False inNonSelfServiceMode
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
WSCSupported
T rue
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID
+\Properties
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
WSCReconnectAll
T rue
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
WSCReconnectMode
3
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID
+\Properties
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Citrix\Dazzle
WSCReconnectModeUser
https://docs.citrix.com
Registry is not created during
HKCU\Software\Citrix\Dazzle
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.85
installation.
HKCU\Software\Citrix\Receiver\SR\Store\" +
primaryStoreID+\Properties
HKLM\SOFT WARE\Policies\Citrix\Dazzle
HKLM\SOFT WARE \Citrix\Dazzle
Registry keys for 64-bit machines
Registry name
RemoveAppsOnLogoff
Def ault value
False
Locations in order of pref erence
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
RemoveAppsOnExit
False
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
PutShortcutsOnDesktop
False
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Wow6432Node\Citrix\Dazzle
PutShortcutsInStartMenu
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
SelfServiceMode
T rue
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.86
UseCategoryAsStartMenuPath
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Wow6432Node\Citrix\Dazzle
StartMenuDir
"" (empty)
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM \SOFT WARE\Wow6432Node\Citrix\Dazzle
DesktopDir
"" (empty)
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
AutoReinstallModifiedApps
T rue
HKCU\Software\Citrix\Receiver\SR\Store\+StoreID
+\Properties
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKCU\Software\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
HideEditStoresDialog
T rue inSelfServiceMode,
and False inNonSelfServiceMode
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.87
\Properties
WSCSupported
T rue
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID
+\Properties
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
WSCReconnectAll
T rue
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID +
\Properties
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
WSCReconnectMode
3
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" + primaryStoreID
+\Properties
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
WSCReconnectModeUser
Registry is not created during
installation.
HKCU\Software\Citrix\Dazzle
HKCU\Software\Citrix\Receiver\SR\Store\" +
primaryStoreID+\Properties
HKLM\SOFT WARE\Wow6432Node\Policies\Citrix\Dazzle
HKLM\SOFT WARE\Wow6432Node\Citrix\Dazzle
Configuring application display using graphical user interf ace
Note
Shortcuts can be set only for the subscribed applications and desktops.
1. Logon to Citrix Receiver for Windows
2. Right click on the Citrix Receiver for Windows icon in the notification area and click Advanced Pref erences.
T he Advanced Preferences window appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.88
3. Click Settings Option
Note: By default, Show Applications in Start Menu option is selected.
4.
Specify the folder name. T his moves all the subscribed apps to the specified folder in the Start menu. Applications can be added both
to a new or existing folder in the Start menu.
On enabling this feature, both existing and newly added applications get added to the specified folder.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.89
5. Select the checkbox Show Applications on Desktop under Desktop Options pane.
6. Specify the folder name. T his moves all the subscribed apps to the specified folder on your local desktop.
7. Select the checkbox Enable dif f erent path f or Start Menu and Desktop under Category Options.
T his creates the shortcuts and category folder for applications as defined in the application properties server. For ex, IT Apps, Finance
Apps
Note: By default, Category as Start Menu Path option is selected.
a. Select Category as Start Menu Path to display the subscribed apps and their category folder as defined in the application properties
server in the Windows Start menu.
b.Select Category as Desktop Path to display the subscribed apps and their category folder as defined in the application properties
server on your local desktop.
5.Click OK.
Configuring reconnect options using graphical user interf ace
After logging on to the server, users can reconnect to all of their desktops or applications at any time. By default, Reconnect Options
opens desktops or applications that are disconnected, plus any that are currently running on another client device. You can configure
Reconnect Options to reconnect only those desktops or applications that the user disconnected from previously.
1. Logon to Citrix Receiver for Windows
2. Right click on the Citrix Receiver for Windows icon in the system tray and click Advanced Pref erences.
T he Avanced Preferences window appears.
3. Click Settings Option
4. Click Reconnect Options
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.90
5. Select Enable for Workspace Control Support to allow the users to reconnect to all of their desktops or applications at any time.
a. Select Reconnect to all active and disconnected sessions to allow users to reconnect to both the active and disconnected sessions.
b.Select Reconnect to disconnected sessions only to allow users to reconnect only to the disconnected sessions.
Note: Supported Reconnect Mode takes the value as set in the GPO. Users can modify this option by navigating to Administrative Templates > Citrix Components > Citrix Receiver
> SelfService>Control when Receiver attempts to reconnect to existing sessions.
To modify this option via registry, see Knowledge Center article CTX136339.
6.Click OK.
Hiding Settings Option using command line interf ace
Option
/DisableSetting
Description
Suppresses Settings Option to be displayed in the Advanced Preferences dialog.
Sample usage
CitrixReceiver.exe /DisableSetting=3
If you want both Application Display and Reconnect
Enter CitrixReceiver.exe /DisableSetting=0
Options to be displayed in the Settings Option..
If you want Settings Option to be hidden in the
Enter CitrixReceiver.exe /DisableSetting=3
Advanced Preferences dialog
If you want Settings Option to display only Application
Enter CitrixReceiver.exe /DisableSetting=2
Display
If you want Settings Option to display only Reconnect
Enter CitrixReceiver.exe /DisableSetting=1
Options
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.91
Configuring the Group Policy Object administrative
template
Aug 14 , 20 17
Citrix recommends using the Windows Group Policy Object Editor to configure Citrix Receiver for Windows. Citrix Receiver
for Windows includes administrative template files (receiver.adm or receiver.admx\receiver.adml -depending on the Operating
System) in the installation directory.
Note
Starting with Citrix Receiver for Windows Version 4.6, the installation directory includes CitrixBase.admx and CitrixBase.adml files.
Citrix recommends that you use the CitrixBase.admx and CitrixBase.adml files to ensure that the options are correctly organized
and displayed within the Group Policy Object Editor.
T he .adm file is for use with Windows XP Embedded platforms only. T he .admx/.adml files are for use with Windows
Vista/Windows Server 2008 and all later versions of Windows.
If Citrix Receiver for Windows is installed with VDA, admx/adml files are found in the Citrix Receiver for Windows installation
directory. For example: <installation directory>\Online Plugin\Configuration.
If Citrix Receiver for Windows is installed without VDA, the admx/adml files are typically found in the C:\Program Files\Citrix\ICA
Client\Configuration directory.
See the table below for information on Citrix Receiver for Windows templates files and their respective location.
Note: Citrix recommends that you use the GPO template files provided with latest Citrix Receiver for Windows.
File Type
File Location
receiver.adm
<Installation Directory>\ICA Client\Configuration
receiver.admx
<Installation Directory>\ICA Client\Configuration
receiver.adml
<Installation Directory>\ICA Client\Configuration\[MUIculture]
CitrixBase.admx
<Installation Directory>\ICA Client\Configuration
CitrixBase.adml
<Installation Directory>\ICA Client\Configuration\[MUIculture]
Note
If the CitrixBase.admx\adml is not added to the local GPO, the Enable ICA File Signing policy might be lost.
When upgrading Citrix Receiver for Windows, you must add the latest template files to local GPO as explained in the procedure
below. While importing the latest files, previous settings are retained.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.92
To add the receiver.adm template file to the local GPO (Windows XP Embedded Operating system only)
Note: You can use .adm template files to configure Local GPO and/or Domain-Based GPO.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
Note: If you already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can leave out
steps 2 to 5.
2.In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3.From the Action menu, choose Add/Remove Templates.
4.Select Add and browse to the template file location <Installation Directory>\ICA Client\Configuration\receiver.adm
5.Select Open to add the template and then Close to return to the Group Policy Editor.
Citrix Receiver for window template file will be available on local GPO in path Administrative Templates > Classic
Administrative Templates (ADM) > Citrix Components > Citrix Receiver.
After the .adm template files are added to the local GPO, the following message is displayed:
“T he following entry in the [strings] section is too long and has been truncated:
Click OK to ignore the message.
To add the receiver.admx/adml template files to the local GPO (later versions of Windows Operating System)
NOTE: You can use admx/adml template files to configure Local GPO and/or Domain-Based GPO. Refer Microsoft MSDN
article on managing ADMX files here.
1. After installing Citrix Receiver for Windows, copy the template files.
admx:
From : <Installation Directory>\ICA Client\Configuration\receiver.admx
To : %systemroot%\policyDefinitions
From : <Installation Directory>\ICA Client\Configuration\CitrixBase.admx
To : %systemroot%\policyDefinitions
adml:
From: <Installation Directory>\ICA Client\Configuration\[MUIculture]receiver.adml
To: %systemroot%\policyDefinitions\[MUIculture]
From : <Installation Directory>\ICA Client\Configuration\[MUIculture]\CitrixBase.adml
To : %systemroot%\policyDefinitions\[MUIculture]
Note
Citrix Receiver for Window template files are available on local GPO in Administrative Templates > Citrix Components > Citrix
Receiver folder only when the user adds the CitrixBase.admx/CitrixBase.adml to the \ policyDefinitions folder.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.93
Providing users with account information
Aug 14 , 20 17
Provide users with the account information they need to access virtual desktops and applications. You can provide this
information by:
Configuring email-based account discovery
Providing users with a provisioning file
Providing users with account information to enter manually
Important
Citrix recommends you to restart Citrix Receiver for Windows after the installation. T his is to ensure that users can add accounts and
that Citrix Receiver for Windows can discover USB devices that were in a suspended state during installation.
A dialog appears indicating a successful installation, followed by the Add Account dialog. For a first time user, the Add
Account dialog requires you to enter an email or server address to setup an account.
Suppressing Add Account dialog
Add Account dialog is displayed when the store is not configured. Users can use this window to set up a Citrix Receiver
account by entering email address or a server URL.
Citrix Receiver for Windows determines the NetScaler Gateway, StoreFront server, or AppController virtual appliance
associated with the email address and then prompts the user to log on for enumeration.
Add account dialog can be suppressed in the following ways:
1. At system logon
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.94
Select Do not show this window automatically at logon to prevent the Add Account window to pop-up on
subsequent logon.
T his setting is specific to per user and resets during Citrix Receiver for Windows Reset action.
2. Command line Installation
Install Citrix Receiver for Windows as an administrator using Command Line Interface with the following switch.
CitrixReceiver.exe /ALLOWADDSTORE=N
T his is a per machine setting; hence the behavior shall be applicable for all users.
T he following message is displayed when Store is not configured.
Additionally, Add Account dialog can be suppressed in the following ways.
NOTE: Citrix recommends users to suppress the Add Account dialog either using System logon or Command Line Interface
methods.
Renaming Citrix execution f ile:
Rename the CitrixReceiver.exe to CitrixReceiverWeb.exe to alter the behavior of Add Account dialog. By renaming the
file, Add Account dialog is not displayed from the Start menu.
See Deploy Receiver for Windows from Receiver for Web for more information related to Citrix Receiver for Web
Group Policy Object:
T o hide Add Account button from the Citrix Receiver for Windows installation wizard, disable EnableFTUpolicy under
Self-Service node in Local Group Policy editor as shown below.
T his is per machine setting, hence the behavior shall be applicable for all users.
T o load template file, see Configure Receiver with the Group Policy Object template.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.95
Configure email-based account discovery
When you configure Citrix Receiver for Windows for email-based account discovery, users enter their email address rather
than a server URL during initial Citrix Receiver for Windows installation and configuration. Citrix Receiver for Windows
determines the NetScaler Gateway or StoreFront Server associated with the email address based on Domain Name System
(DNS) Service (SRV) records and then prompts the user to log on to access virtual desktops and applications.
Note
Email-based account discovery is not supported for deployments with Web Interface.
To configure your DNS server to support email-based discovery, see Configure email-based account discovery in the
StoreFront documentation.
To configure NetScaler Gateway, see Connecting to StoreFront by using email-based discovery in the NetScaler Gateway
documentation.
Provide users with provisioning files
StoreFront provides provisioning files that users can open to connect to stores.
You can use StoreFront to create provisioning files containing connection details for accounts. Make these files available to
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.96
your users to enable them to configure Citrix Receiver for Windows automatically. After installing Citrix Receiver for
Windows, users simply open the file to configure Citrix Receiver for Windows. If you configure Citrix Receiver for Web sites,
users can also obtain Citrix Receiver for Windows provisioning files from those sites.
For more information, see To export store provisioning files for users in the StoreFront documentation.
Provide users with account inf ormation to enter manually
To enable users to set up accounts manually, be sure to distribute the information they need to connect to their virtual
desktops and applications.
For connections to a StoreFront store, provide the URL for that server. For example: https://servername.company.com
For web interface deployments, provide the URL for the XenApp Services site.
For connections through NetScaler Gateway, first determine whether user should see all configured stores or just the
store that has remote access enabled for a particular NetScaler Gateway.
T o present all configured stores: Provide users with the NetScaler Gateway fully-qualified domain name.
T o limit access to a particular store: Provide users with the NetScaler Gateway fully-qualified domain name and the
store name in the form:
NetScalerGatewayFQDN?MyStoreName
For example, if a store named "SalesApps" has remote access enabled for server1.com and a store named "HRApps"
has remote access enabled for server2.com, a user must enter server1.com?SalesApps to access SalesApps or
enter server2.com?HRApps to access HRApps. T his feature requires that a first-time user create an account by
entering a URL and is not available for email-based discovery.
When a user enters the details for a new account, Citrix Receiver for Windows attempts to verify the connection. If
successful, Citrix Receiver for Windows prompts the user to log on to the account.
To manage accounts, a Citrix Receiver user opens the Citrix Receiver for Windows home page, clicks
, and then
clicks Accounts.
Sharing multiple store accounts automatically
Warning
Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot
guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make
sure you back up the registry before you edit it.
If you have more than one store account, you can configure Citrix Receiver for Windows to automatically connect to all
accounts when establishing a session. To automatically view all accounts when opening Citrix Receiver for Windows:
For 32-bit systems, create the key "CurrentAccount":
Location: HKLM\Software\Citrix\Dazzle
KeyName: CurrentAccount
Value: AllAccount
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.97
Type: REG_SZ
For 64 -bit systems, create the key "CurrentAccount":
Location: HKLM\Software\Wow6432Node\Citrix\Dazzle
KeyName: CurrentAccount
Value: AllAccount
Type: REG_SZ
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.98
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.99
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.100
Optimize the environment
Aug 14 , 20 17
You can optimize the environment.
Reduce application launch time
Facilitate the connection of devices to published resources
Support DNS name resolution
Use proxy servers with XenDesktop connections
Enable access to anonymous applications
Check Single Sign-on configuration
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.101
Reducing application launch time
Aug 14 , 20 17
Use the session pre-launch feature to reduce application launch time during normal or high traffic periods, thus providing
users with a better experience. T he pre-launch feature allows a pre-launch session to be created when a user logs on to
Citrix Receiver for Windows, or at a scheduled time if the user is already logged on.
T his pre-launch session reduces the launch time of the first application. When a user adds a new account connection to
Citrix Receiver for Windows, session pre-launch does not take effect until the next session. T he default application
ctxprelaunch.exe is running in the session, but it is not visible to the user.
Session pre-launch is supported for StoreFront deployments as of the StoreFront 2.0 release. For Web Interface
deployments, be sure to use the Web Interface Save Password option to avoid logon prompts. Session pre-launch is not
supported for XenDesktop 7 deployments.
Session pre-launch is disabled by default. To enable session pre-launch, specify the ENABLEPRELAUNCH=true parameter on
the Receiver command line or set the EnablePreLaunch registry key to true. T he default setting, null, means that pre-launch
is disabled.
Note: If the client machine has been configured to support Domain Passthrough (SSON) authentication, then prelaunch is
automatically enabled. If you want to use Domain Passthrough (SSON) without prelaunch, then set the EnablePreLaunch
registry key value to false.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
T he registry locations are:
HKEY_LOCAL_MACHINE\Software\[Wow6432Node\]Citrix\Dazzle
HKEY_CURRENT _USER\Software\Citrix\Dazzle
T here are two types of pre-launch:
Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials are authenticated whether or not it
is a high-traffic period. T ypically used for normal traffic periods. A user can trigger just-in-time pre-launch by restarting
Citrix Receiver for Windows.
Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launch starts only when the user device is
already running and authenticated. If those two conditions are not met when the scheduled pre-launch time arrives, a
session does not launch. T o spread network and server load, the session launches within a window of when it is
scheduled. For example, if the scheduled pre-launch is scheduled for 1:45 p.m., the session actually launches between 1:15
p.m. and 1:45 p.m. T ypically used for high-traffic periods.
Configuring pre-launch on a XenApp server consists of creating, modifying, or deleting pre-launch applications, as well as
updating user policy settings that control the pre-launch application. See "To pre-launch applications to user devices" in the
XenApp documentation for information about configuring session pre-launch on the XenApp server.
Customizing the pre-launch feature using the receiver.admx file is not supported. However, you can change the pre-launch
configuration by modifying registry values during or after Citrix Receiver for Windows installation. T here are three HKLM
values and two HKCU values:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.102
T he HKLM values are written during client installation.
T he HKCU values enable you to provide different users on the same machine with different settings. Users can change
the HKCU values without administrative permission. You can provide your users with scripts to accomplish this.
HKEY_LOCAL_MACHINE registry values
For Windows 7 and 8, 64-bit: HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA Client\Prelaunch
For all other supported 32-bit Windows operating systems: HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA
Client\Prelaunch
Name: UserOverride
Values:
0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT _USER values are also present.
1 - Use HKEY_CURRENT _USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINE values.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time configured for Schedule.)
Name: Schedule
Value:
T he time (24 hour format) and days of week for scheduled pre-launch entered in the following format:
HH:MM|M:T :W:T H:F:S:SU where HH and MM are hours and minutes. M:T :W:T H:F:S:SU are the days of the week. For
example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as
Schedule=13:45|1:0:1:0:1:0:0 . T he session actually launches between 1:15 p.m. and 1:45 p.m.
HKEY_CURRENT_USER registry values
HKEY_CURRENT _USER\SOFT WARE\Citrix\ICA Client\Prelaunch
T he State and Schedule keys have the same values as for HKEY_LOCAL_MACHINE.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.103
Mapping client devices
Aug 14 , 20 17
Citrix Receiver for Windows supports device mapping on user devices so they are available from within a session. Users can:
T ransparently access local drives, printers, and COM ports
Cut and paste between the session and the local Windows clipboard
Hear audio (system sounds and .wav files) played from the session
During logon, Citrix Receiver for Windows informs the server of the available client drives, COM ports, and LPT ports. By
default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear
to be directly connected to the session. T hese mappings are available only for the current user during the current session.
T hey are deleted when the user logs off and recreated the next time the user logs on.
You can use the redirection policy settings to map user devices not automatically mapped at logon. For more information,
see the XenDesktop or XenApp documentation.
Turn of f user device mappings
You can configure user device mapping including options for drives, printers, and ports, using the Windows Server Manager
tool. For more information about the available options, see your Remote Desktop Services documentation.
Redirect client f olders
Client folder redirection changes the way client-side files are accessible on the host-side session. When you enable only
client drive mapping on the server, client-side full volumes are automatically mapped to the sessions as Universal Naming
Convention (UNC) links. When you enable client folder redirection on the server and the user configures it on the user device,
the portion of the local volume specified by the user is redirected.
Only the user-specified folders appear as UNC links inside sessions instead of the complete file system on the user device. If
you disable UNC links through the registry, client folders appear as mapped drives inside the session. For more information,
including how to configure client folder redirection for user devices, see the XenDesktop 7 documentation.
Map client drives to host-side drive letters
Client drive mapping allows drive letters on the host-side to be redirected to drives that exist on the user device. For
example, drive H in a Citrix user session can be mapped to drive C of the user device running Citrix Receiver for Windows.
Client drive mapping is built into the standard Citrix device redirection facilities transparently. To File Manager, Windows
Explorer, and your applications, these mappings appear like any other network mappings.
T he server hosting virtual desktops and applications can be configured during installation to map client drives automatically
to a given set of drive letters. T he default installation maps drive letters assigned to client drives starting with V and works
backward, assigning a drive letter to each fixed drive and CD-ROM drive. (Floppy drives are assigned their existing drive
letters.) T his method yields the following drive mappings in a session:
Client drive letter
Is accessed by the server as:
A
A
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.104
B
Client drive letter
B
Is accessed by the server as:
C
V
D
U
T he server can be configured so that the server drive letters do not conflict with the client drive letters; in this case the
server drive letters are changed to higher drive letters. For example, changing server drives C to M and D to N allows client
devices to access their C and D drives directly. T his method yields the following drive mappings in a session:
Client drive letter
Is accessed by the server as:
A
A
B
B
C
C
D
D
T he drive letter used to replace the server drive C is defined during Setup. All other fixed drive and CD-ROM drive letters are
replaced with sequential drive letters (for example; C > M, D > N, E > O). T hese drive letters must not conflict with any
existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network
drive mapping is not valid.
When a user device connects to a server, client mappings are reestablished unless automatic client device mapping is
disabled. Client drive mapping is enabled by default. To change the settings, use the Remote Desktop Services (Terminal
Services) Configuration tool. You can also use policies to give you more control over how client device mapping is applied.
For more information about policies, see the XenDesktop or XenApp documentation in Citrix Product Documentation.
HDX Plug and Play USB device redirection
Updated: 2015-01-27
HDX Plug and Play USB device redirection enables dynamic redirection of media devices, including cameras, scanners, media
players, and point of sale (POS) devices to the server. You or the user can restrict redirection of all or some of the devices.
Edit policies on the server or apply group policies on the user device to configure the redirection settings. For more
information, see USB and client drive considerations in the XenApp and XenDesktop documentation.
Important: If you prohibit Plug and Play USB device redirection in a server policy, the user cannot override that policy setting.
A user can set permissions in Citrix Receiver for Windows to always allow or reject device redirection or to be prompted
each time a device is connected. T he setting affects only devices plugged in after the user changes the setting.
To map a client COM port to a server COM port
Client COM port mapping allows devices attached to the COM ports of the user device to be used during sessions. T hese
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.105
mappings can be used like any other network mappings.
You can map client COM ports at the command prompt. You can also control client COM port mapping from the Remote
Desktop (Terminal Services) Configuration tool or using policies. For information about policies, see the XenDesktop or
XenApp documentation.
Important: COM port mapping is not T API-compatible.
1. For XenDesktop 7 deployments, enable the Client COM port redirection policy setting.
2. Log on to Citrix Receiver for Windows.
3. At a command prompt, type:
net use comx: \\client\comz:
where x is the number of the COM port on the server (ports 1 through 9 are available for mapping) and z is the number of
the client COM port you want to map.
4. To confirm the operation, type:
net use
at a command prompt. T he list that appears contains mapped drives, LPT ports, and mapped COM ports.
To use this COM port in a virtual desktop or application, install your user device to the mapped name. For example, if you
map COM1 on the client to COM5 on the server, install your COM port device on COM5 during the session. Use this
mapped COM port as you would a COM port on the user device.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.106
Supporting DNS name resolution
Aug 14 , 20 17
You can configure Citrix Receiver for Windows that use the Citrix XML Service to request a Domain Name Service (DNS)
name for a server instead of an IP address.
Important: Unless your DNS environment is configured specifically to use this feature, Citrix recommends that you do not
enable DNS name resolution in the server farm.
Citrix Receiver for Windows connecting to published applications through the Web Interface also use the Citrix XML
Service. For Citrix Receiver for Windows connecting through the Web Interface, the Web server resolves the DNS name on
behalf of the Citrix Receiver for Windows.
DNS name resolution is disabled by default in the server farm and enabled by default on the Citrix Receiver for Windows .
When DNS name resolution is disabled in the farm, any Citrix Receiver for Windows request for a DNS name returns an IP
address. T here is no need to disable DNS name resolution on Citrix Receiver for Windows.
To disable DNS name resolution f or specific user devices
If your server deployment uses DNS name resolution and you experience issues with specific user devices, you can disable
DNS name resolution for those devices.
Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system.
Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at
your own risk. Make sure you back up the registry before you edit it.
1. Add a string registry key xmlAddressResolutionT ype to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA
Client\Engine\Lockdown Profiles\All Regions\Lockdown\Application Browsing.
2. Set the value to IPv4-Port.
3. Repeat for each user of the user devices.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.107
Using proxy servers with XenDesktop
Aug 14 , 20 17
If you do not use proxy servers in your environment, correct the Internet Explorer proxy settings on any user devices running
Internet Explorer 7.0 on Windows XP. By default, this configuration automatically detects proxy settings. If proxy servers
are not used, users will experience unnecessary delays during the detection process. For instructions on changing the proxy
settings, consult your Internet Explorer documentation. Alternatively, you can change proxy settings using the Web
Interface. For more information, consult the Web Interface documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.108
Using Configuration Checker to validate Single Signon configuration
Aug 14 , 20 17
Starting with Release 4.5 of Citrix Receiver for Windows, Configuration Checker helps users to run a test to ensure Single
Sign-on is configured properly. T he test runs on different checkpoints of the Single Sign-on configuration and displays the
configuration results.
1. Logon to Citrix Receiver for Windows.
2. Right-click Citrix Receiver for Windows in the notification area and select Advanced Pref erences.
T he Advanced Preferences window appears.
3. Select Configuration Checker.
T he Citrix Configuration Checker window appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.109
4. Select SSONChecker from the Select pane.
5. Click Run.
A progress bar appears, displaying the status of the test.
T he Configuration Checker window has the following columns:
1. Status: Displays the result of a test on a specific check point.
• A green check mark indicates that the specific checkpoint is configured properly.
• A blue I indicates information about the checkpoint.
• A Red X indicates that the specific checkpoint is not configured properly.
2. Provider: Displays the name of the module on which the test is run. In this case, Single Sign-on.
3. Suite: Indicates the category of the test. For example, Installation.
4. Test: Indicates the name of the specific test that is run.
5. Details: Provides additional information about the test, irrespective of pass or fail.
T he user gets more information about each checkpoint and the corresponding results.
T he following tests are performed:
1. Installed with Single Sign-on
2. Logon credential capture
3. Network Provider registration
T he test result against Network Provider registration displays a green check mark only when “Citrix Single Sign-on” is set
to be first in the list of Network Providers. If Citrix Single Sign-on appears anywhere else in the list, the test result against
Network Provider registration appears with a blue I and additional information.
4. Single Sign-on process is running
5. Group Policy
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.110
By default, this policy is configured on the client.
6. Internet Settings for Security Zones
Ensure that you add the Store/XenApp Service URL to the list of Security Zones in the Internet Options.
If the Security Zones is configured via Group policy, any change in the policy requires the Advanced Preference window to
be reopened for the changes to take effect and to display the correct status of the test.
7. Authentication method for Web Interface/StoreFront.
Note: If the user is accessing Receiver for Web, the test results are not applicable.
If Citrix Receiver for Windows is configured with multiple stores, the authentication method test runs on all configured
stores.
Note: T he test results can be saved as reports and the default format for the report is .txt.
Hiding the Configuration Checker option f rom the Advanced Pref erences dialog
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
2. In the Group Policy Editor, go to Citrix Components > Citrix Receiver > Self Service > DisableConfigChecker.
3. Select Enabled.
T his hides the Configuration Checker option from the Advanced Preferences window.
4. Click Apply and OK.
5. Open a command prompt.
6. Run gpupdate /force command.
For the changes to take effect, close and reopen the Advance Preferences dialog.
Limitations
Configuration Checker does not include the checkpoint for the configuration of Trust requests sent to the XML service on
XenApp/XenDesktop servers.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.111
Improve the user experience
Aug 14 , 20 17
You can improve your user experience with the following features:
Configuring generic client Input Method Editors (IME)
Configuring generic client IME using the command line interf ace
To enable generic client IME, run the wfica32.exe /localime:on command from the Citrix Receiver for Windows installation
folder (C:\Program Files (x86)\Citrix\ICA Client).
Note
You can use the command line switch wfica32.exe /localime:on to enable both generic client IME and keyboard layout
synchronization.
To disable generic client IME, run the wfica32.exe /localgenericime:of f command from the Citrix Receiver for Windows
installation folder (C:\Program Files (x86)\Citrix\ICA Client). T his command does not affect keyboard layout synchronization
settings.
If you have disabled generic client IME using the command line interface, you can enable the feature again by running the
wfica32.exe /localgenericime:on command.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.112
Toggle
Citrix Receiver for Windows supports toggle functionality for this feature. You can run the wfica32.exe
/localgenericime:on command to enable or disable the feature. However, the keyboard layout synchronization settings
take precedence over the toggle switch. If keyboard layout synchronization is set to Of f , toggling does not enable generic
client IME.
Configuring generic client IME using the graphical user interf ace
Generic client IME requires VDA Version 7.13 or later.
Generic client IME feature can be enabled by enabling keyboard layout synchronization. For more information, see
Keyboard layout synchronization.
Citrix Receiver for Windows allows you to configure different options to use generic client IME. You can select from one
these options based on your requirements and usage.
1. In an active application session, right-click the Citrix Receiver icon in the notification area and select Connection Center.
2. Select Pref erences and click Local IME.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.113
T he options below are available to support different IME modes:
1. Enable Server IME – select this option to disable local IME. T his option means that only the languages set on the server
can be used.
2. Set Local IME to High Perf ormance mode – select this option to use local IME with limited bandwidth. T his option
restricts the candidate window functionality.
3. Set Local IME to Best Experience mode – select this option to use local IME with best user experience. T his option
consumes high bandwidth. By default, this option is selected when generic client IME is enabled.
T he change in settings is applied only in the current session.
Enabling hotkey configuration using a registry editor
When generic client IME is enabled, you can use the Shif t+F4 hotkeys to select different IME modes. T he different
options for IME modes appear in the top-right corner of the session.
By default, the hotkey for generic client IME is disabled.
In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA
Client\Engine\Lockdown Profiles\All Regions\Lockdown\Client Engine\Hot Keys.
Select AllowHotKey and change the default value to 1.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.114
Note
Hotkey functionality is supported in both desktop and application sessions.
Limitations
1. Generic client IME does not support UWP (Universal Windows Platform) apps such as Search UI, and the Edge browser of
the Windows 10 operating system. As a workaround, use the server IME instead.
2. Generic client IME is not supported on Internet Explorer Version 11 in Protected Mode. As a workaround, you can disable
Protected Mode by using Internet Options. T o do this, click Security and clear Enable Protected Mode.
Keyboard layout
Keyboard layout synchronization enables users to switch among preferred keyboard layouts on the client device. T his
feature is disabled by default.
To enable keyboard layout synchronization:
1. From the Citrix Receiver for Windows notification area icon, select Advanced Pref erences > Local keyboard layout
setting > Yes.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.115
2. Click Save.
You can disable the feature by selecting No.
You can also enable and disable keyboard layout synchronization through the command line by running wfica32:exe
/localime:on or wfica32:exe /localime:of f from the Citrix Receiver for Windows installation folder (C:\program files
(x86)\Citrix\ICA Client).
Note: Using the local keyboard layout option activates the Client IME (Input Method Editor). If users working in Japanese,
Chinese or Korean prefer to use the Server IME, they must disable the local keyboard layout option by selecting No, or
running wfica32:exe /localime:of f . T he session will revert to the keyboard layout provided by the remote server when they
connect to the next session.
Sometimes, switching the client keyboard layout does not take effect in an active session. To resolve this issue, log off
from Citrix Receiver for Windows and login again.
Limitations:
Remote applications which run with elevated privilege (for example, right click an application icon > Run as administrator)
can’t be synchronized with the client keyboard layout. T o work around this issue, manually change the keyboard layout
on the server side (VDA) or disable UAC.
If the user changes the keyboard layout on the client to a layout which is not supported on the server, then the
keyboard layout synchronization feature will be disabled for security reasons - an unrecognized keyboard layout is
treated as a potential security threat. T o restore the keyboard layout synchronization feature, the user should log off
and back on to the session.
When RDP is deployed as an application and the user is working within an RDP session, it is not possible to change the
keyboard layout using Alt + Shift shortcuts. T o work around this, the user can use the language bar in the RDP session
to switch the keyboard layout.
T his feature is disabled in Windows Server 2016 due to a third-party issue which may introduce performance risk. T he
feature can be enabled with a registry setting on the VDA: in HKLM\Software\Citrix\ICA\IcaIme, add a new key called
DisableKeyboardSync and set the value to 0.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.116
Warning
Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot
guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be
sure to back up the registry before you edit it.
Relative Mouse
Relative Mouse support provides an option to interpret the mouse position in a relative rather than an absolute manner.
T his capability is required for applications that demand relative mouse input rather than absolute.
Note: T his feature can be applied in a published desktop session only.
To enable Relative Mouse support
1. Logon to Citrix Receiver for Windows
2. Launch a published desktop session
3. From the Desktop Viewer toolbar, select Pref erences.
T he Citrix Receiver - Preferences window appears.
4. Select Connections.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.117
5. Under Relative Mouse settings, enable Use relative mouse.
6. Click Apply and OK.
NOTE: T his is a per session feature. It does not persist after reconnecting to a disconnected session. Users must re-enable
the feature every time they connect or reconnect to the published desktop.
Hardware decoding
When using Citrix Receiver for Windows (with HDX engine 14.4), the GPU can be used for H.264 decoding wherever it is
available at the client. T he API layer used for GPU decoding is DXVA (DirectX Video Acceleration).
For more information, see Improved User Experience: Hardware Decoding for Citrix Windows Receiver.
Note
T his feature is not enabled by default for embedded GPUs.
To enable hardware decoding:
1. Copy “receiver.adml” from “root\Citrix\ICA Client\Configuration\en” to “C:\Windows\PolicyDefinitions\en-US”.
2. Copy “receiver.admx” from “root\Citrix\ICA Client\Configuration” to “C:\Windows\PolicyDefinitions\”.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.118
3. Navigate to Local Group policy editor.
4. Under Computer Configuration-> Administrative T emplates -> Citrix Receiver -> User Experience, open Hardware
Acceleration f or graphics.
5. Select Enabled and click OK.
To validate if the policy was applied and hardware acceleration is being used for an active ICA session, look for the
following registry entries:
Registry Path: HKCU\Software\Citrix\ICA Client\CEIP\Data\GfxRender\<session ID>
Tip
T he value for Graphics_Gf xRender_Decoder and Graphics_Gf xRender_Renderer should be 2. If the value is 1, that means CPU
based decoding is being used.
When using the hardware decoding feature, consider the following limitations:
If the client has two GPU’s and if one of the monitors is active on the 2nd GPU, CPU decoding will be used.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.119
When connecting to a XenApp 7.x server running on Windows Server 2008 R2, Citrix recommends that you do not to use
hardware decoding on the user’s Windows device. If enabled, issues like slow performance while highlighting text and
flickering issues will be seen.
Client-side microphone input
Citrix Receiver for Windows supports multiple client-side microphone input. Locally installed microphones can be used for:
Real-time activities, such as softphone calls and Web conferences.
Hosted recording applications, such as dictation programs.
Video and audio recordings.
Citrix Receiver for Windows users can select whether to use microphones attached to their device by changing a
Connection Center setting. XenDesktop users can also use the XenDesktop Viewer Preferences to disable their
microphones and webcams.
Multi-monitor support
You can use up to eight monitors with Citrix Receiver for Windows.
Each monitor in a multiple monitor configuration has its own resolution designed by its manufacturer. Monitors can have
different resolutions and orientations during sessions.
Sessions can span multiple monitors in two ways:
Full screen mode, with multiple monitors shown inside the session; applications snap to monitors as they would locally.
XenDesktop: To display the Desktop Viewer window across any rectangular subset of monitors, resize the window
across any part of those monitors and click Maximize.
Windowed mode, with one single monitor image for the session; applications do not snap to individual monitors.
XenDesktop: When any desktop in the same assignment (formerly "desktop group") is launched subsequently, the window
setting is preserved and the desktop is displayed across the same monitors. Multiple virtual desktops can be displayed on
one device provided the monitor arrangement is rectangular. If the primary monitor on the device is used by the
XenDesktop session, it becomes the primary monitor in the session. Otherwise, the numerically lowest monitor in the
session becomes the primary monitor.
To enable multi-monitor support, ensure the following:
T he user device is configured to support multiple monitors.
T he user device operating system must be able to detect each of the monitors. On Windows platforms, to verify that
this detection occurs, on the user device, view the Settings tab in the Display Settings dialog box and confirm that each
monitor appears separately.
After your monitors are detected:
XenDesktop: Configure the graphics memory limit using the Citrix Machine Policy setting Display memory limit.
XenApp: Depending on the version of the XenApp server you have installed:
Configure the graphics memory limit using the Citrix Computer Policy setting Display memory limit.
From the Citrix management console for the XenApp server, select the farm and in the task pane, select Modify
Server Properties > Modify all properties > Server Default > HDX Broadcast > Display (or Modify Server Properties >
Modify all properties > Server Default > ICA > Display) and set the Maximum memory to use for each session’s
graphics.
Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. If this setting is not high enough, the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.120
published resource is restricted to the subset of the monitors that fits within the size specified.
For information about calculating the session's graphic memory requirements for XenApp and XenDesktop, see Knowledge
Center article CT X115637.
Printer setting overrides on devices
If the Universal printing optimization defaults policy setting Allow non-administrators to modify these settings is enabled,
users can override the Image Compression and Image and Font Caching options specified in that policy setting.
To override the printer settings on the user device
1. From the Print menu available from an application on the user device, choose Properties.
2. On the Client Settings tab, click Advanced Optimizations and make changes to the Image Compression and Image and
Font Caching options.
On-screen keyboard control
To enable touch-enabled access to virtual applications and desktops from Windows tablets, Citrix Receiver for Windows
automatically displays the on-screen keyboard when you activate a text entry field, and when the device is in tent or tablet
mode.
On some devices and in some circumstances, Citrix Receiver for Windows cannot accurately detect the mode of the device,
and the on-screen keyboard may appear when you do not want it to.
To suppress the on-screen keyboard from appearing when using a convertible device ,create
a REG_DWORD value DisableKeyboardPopup in HKEY_CURRENT _USER\SOFT WARE\Citrix\ICA
Client\Engine\Configuration\Advanced\Modules\MobileReceiver and set the value to 1.
Note: On a x64 machine, create the value in HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA
Client\Engine\Configuration\Advanced\Modules\MobileReceiver.
T he keys can be set to 3 different modes as given below:
Automatic: AlwaysKeyboardPopup = 0; DisableKeyboardPopup = 0
Always popup (on-screen keyboard): AlwaysKeyboardPopup = 1; DisableKeyboardPopup = 0
Never popup (on-screen keyboard): AlwaysKeyboardPopup = 0; DisableKeyboardPopup = 1
Keyboard shortcuts
You can configure combinations of keys that Receiver interprets as having special functionality. When the keyboard
shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for
sessions.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer or by using the Group Policy Management Console when applying domain policies.
Note: If you already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can omit Steps
2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative T emplates folder.
3. From the Action menu, choose Add/Remove T emplates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration)
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.121
and select the Citrix Receiver for Windows template file.
Note: Depending on the version of the Windows Operating System, select the Citrix Receiver for Windows template file
(receiver.adm or receiver.admx/receiver.adml).
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. In the Group Policy Editor, go to Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components
> Citrix Receiver > User Experience > Keyboard shortcuts.
7. From the Action menu, choose Properties, select Enabled, and choose the desired options.
Citrix Receiver f or Windows support f or 32-bit color icons
Citrix Receiver for Windows supports 32-bit high color icons and automatically selects the color depth for applications
visible in the Citrix Connection Center dialog box, the Start menu, and task bar to provide for seamless applications.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
To set a preferred depth, you can add a string registry key named T WIDesiredIconColor to
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Preferences
and set it to the desired value. T he possible color depths for icons are 4, 8, 16, 24, and 32 bits-per-pixel. T he user can select
a lower color depth for icons if the network connection is slow.
Enabling Desktop Viewer
Different enterprises have different corporate needs. Your requirements for the way users access virtual desktops may vary
from user to user and may vary as your corporate needs evolve. T he user experience of connecting to virtual desktops and
the extent of user involvement in configuring the connections depend on how you set up Citrix Receiver for Windows.
Use the Desktop Viewer when users need to interact with their virtual desktop. T he user's virtual desktop can be a
published virtual desktop, or a shared or dedicated desktop. In this access scenario, the Desktop Viewer toolbar
functionality allows the user to open a virtual desktop in a window and pan and scale that desktop inside their local
desktop. Users can set preferences and work with more than one desktop using multiple XenDesktop connections on the
same user device.
Note: Your users must use Citrix Receiver for Windows to change the screen resolution on their virtual desktops. T hey
cannot change Screen Resolution using Windows Control Panel.
Keyboard input in Desktop Viewer sessions
In Desktop Viewer sessions, Windows logo key+L is directed to the local computer.
Ctrl+Alt+Delete is directed to the local computer.
Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to
the local computer.
As an accessibility feature of the Desktop Viewer, pressing Ctrl+Alt+Break displays the Desktop Viewer toolbar buttons in a
pop-up window.
Ctrl+Esc is sent to the remote, virtual desktop.
Note: By default, if the Desktop Viewer is maximized, Alt+T ab switches focus between windows inside the session. If the
Desktop Viewer is displayed in a window, Alt+T ab switches focus between windows outside the session.
Hotkey sequences are key combinations designed by Citrix. For example, the Ctrl+F1 sequence reproduces Ctrl+Alt+Delete,
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.122
and Shift+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with
virtual desktops displayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use them with published
applications (that is, with XenApp sessions).
Connect to virtual desktops
From within a desktop session, users cannot connect to the same virtual desktop. Attempting to do so will disconnect the
existing desktop session. T herefore, Citrix recommends:
Administrators should not configure the clients on a desktop to point to a site that publishes the same desktop
Users should not browse to a site that hosts the same desktop if the site is configured to automatically reconnect users
to existing sessions
Users should not browse to a site that hosts the same desktop and try to launch it
Be aware that a user who logs on locally to a computer that is acting as a virtual desktop blocks connections to that
desktop.
If your users connect to virtual applications (published with XenApp) from within a virtual desktop and your organization has
a separate XenApp administrator, Citrix recommends working with them to define device mapping such that desktop
devices are mapped consistently within desktop and application sessions. Because local drives are displayed as network
drives in desktop sessions, the XenApp administrator needs to change the drive mapping policy to include network drives.
Changing the status indicator time-out
You can change the amount of time the status indicator displays when a user is launching a session. To alter the time out
period, create a REG_DWORD value SI INACT IVE MS in HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA CLIENT \Engine\.
T he REG_DWORD value can be set to 4 if you want the status indicator to disappear sooner.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your
operating system. Citrix cannot guarantee that problems resulting f rom the incorrect use of Registry Editor can
be solved. Use Registry Editor at your own risk. Be sure to back up the registry bef ore you edit it .
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.123
Secure connections
Aug 14 , 20 17
To maximize the security of your environment, the connections between Citrix Receiver for Windows and the resources you
publish must be secured. You can configure various types of authentication for your Citrix Receiver for Windows software,
including smart card authentication, certificate revocation list checking, and Kerberos pass-through authentication.
Windows NT Challenge/Response (NT LM) authentication is supported by default on Windows computers.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.124
Configure domain pass-through authentication
Aug 14 , 20 17
For information on configuring domain pass-through authentication, see Knowledge Center article CT X133982.
Citrix Receiver f or Windows installation with Single Sign-on
T here are two ways to enable domain pass-through (SSON) when installing Citrix Receiver for Windows:
using the command line installation
using the graphical user interface
Enable domain pass-through using the command line interface
To enable domain pass-through (SSON) using the command line interface:
1. Install Citrix Receiver 4.x with the /includeSSON switch.
Install one or more StoreFront stores (you can complete this step at a later stage); installing StoreFront stores is not
a prerequisite for setting up domain pass-through authentication.
Verify that pass-through authentication is enabled by starting Citrix Receiver, then confirm that the ssonsvr.exe
process is running in T ask Manager after rebooting the end point where Citrix Receiver is installed.
Note
For information on the syntax for adding one or more StoreFront stores, see Configure and install Receiver for Windows using
command-line parameters.
Enable domain pass-through using the graphical user interface
To enable domain pass-through using the graphical user interface:
1. Locate the Citrix Receiver for Windows installation file (CitrixReceiver.exe).
2. Double click CitrixReceiver.exe to launch the installer.
3. In the Enable Single Sign-on installation wizard, select the Enable single sign-on checkbox to install Citrix Receiver for
Windows with the SSON feature enabled; this is equivalent to installing Citrix Receiver for Windows using the command
line switch /includeSSON.
T he image below illustrates how to enable Single Sign-on:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.125
Note
T he Enable Single Sign-on installation wizard is available only for fresh installation on a domain joined machine.
Verify that pass-through authentication is enabled by restarting Citrix Receiver for Windows, and then confirm that
the ssonsvr.exe process is running in Task Manager after rebooting the endpoint on which Citrix Receiver for Windows is
installed.
Group policy settings f or SSON
Use the information in this section to configure group policy settings for SSON authentication.
Note
T he default value of the GPO policy setting related to SSON is Enable pass-through authentication.
Configuring SSON using Group Policy Object administrative template
1. Open gpedit.msc, right-click Computer Conf iguration > Administrative Templates - > Citrix Component-> Citrix
Receiver->User Authentication.
2. Enable the following local computer GPO settings (on the user's local machine and/or on the VDA desktop golden
image):
Choose the local user name and password.
Select Enabled.
Select Enable pass-through authentication.
3. Reboot the endpoint (on which Citrix Receiver for Windows is installed) or the VDA desktop golden image.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.126
Using an ADM file for SSON group policy
Use the following procedure to configure group policy settings using an ADM file:
1. Open the local group policy editor by selecting Computer Conf iguration > Right-click Administrative Templates >
Choose Add/Remove Templates.
2. Click Add to add a ADM template.
3. After successfully adding the receiver.adm template, expand Computer Conf iguration > Administrative Templates
> Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.127
4. Open Internet Explorer on the local machine and/or on the VDA desktop golden image.
5. In Internet Settings > Security > Trusted Sites, add the StoreFront server(s) fully qualified domain name (FQDN),
without the store path, to the list. For example, https://storefront.example.com.
Note
You can also add the StoreFront server to the Trusted Sites using a Microsoft GPO. T he GPO is called Site to Z one Assignment
List; you can find this list in Computer Configuration > Administrative Templates > Windows Components > Internet
Explorer > Internet Control Panel > Security Page.
6. Log off, and log back on to the Citrix Receiver endpoint.
When Citrix Receiver opens, if the current user is logged on to the domain, the user's credentials are passed through to
StoreFront, along with enumerated apps and desktops within Citrix Receiver, including the user's Start menu settings. When
the user clicks an icon, Citrix Receiver passes through the user's domain credentials to the Delivery Controller and the app
(or desktop) opens.
Enable Delivery Controller to trust XML
Use the following procedure to configure SSON on StoreFront and Web Interface:
1. Log onto the Delivery Controller(s) as an administrator.
2. Open Windows PowerShell (with administrative privileges). Using PowerShell, you can issue commands to enable the
Delivery Controller to trust XML requests sent from StoreFront.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.128
3. If not already loaded, load the Citrix cmdlets by typing Add-PSSnapin Citrix*, and press Enter.
4. Press Enter.
5. T ype Add-PSSnapin citrix.broker.admin.v2, and press Enter.
6. T ype Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True, and press Enter.
7. Close PowerShell.
Configuring SSON on StoreFront and Web Interf ace
StoreFront configuration
To configure SSON on StoreFront and Web Interface, open Citrix Studio on the StoreFront Server and
select Authentication->Add /Remove Methods. Select Domain pass-through.
Web Interface configuration
To configure SSON on the Web Interface, select Citrix Web Interf ace Management > XenApp Sevices Sites >
Authentication Methods and enable Pass-through.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.129
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.130
Configure domain pass-through authentication with
Kerberos
Aug 14 , 20 17
T his topic applies only to connections between Citrix Receiver for Windows and StoreFront, XenDesktop, or XenApp.
Citrix Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart
cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).
When Kerberos authentication is enabled, Kerberos authenticates without passwords for Citrix Receiver for Windows, thus
preventing Trojan horse-style attacks on the user device to gain access to passwords. Users can log on to the user device
with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access
published resources without further authentication.
Citrix Receiver for Windows handles pass-through authentication with Kerberos as follows when Citrix Receiver for
Windows, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a
smart card:
1. T he Citrix Receiver for Windows Single Sign-on service captures the smart card PIN.
2. Citrix Receiver for Windows uses IWA (Kerberos) to authenticate the user to StoreFront. StoreFront then provides Citrix
Receiver for Windows with information about available virtual desktops and apps.
Note: You do not have to use Kerberos authentication for this step. Enabling Kerberos on Citrix Receiver for Windows is
only needed to avoid an extra PIN prompt. If you do not use Kerberos authentication, Citrix Receiver for Windows
authenticates to StoreFront using the smart card credentials.
3. T he HDX engine (previously referred to as the ICA client) passes the smart card PIN to XenDesktop or XenApp to log the
user on to the Windows session. XenDesktop or XenApp then deliver the requested resources.
To use Kerberos authentication with Citrix Receiver for Windows, make sure your Kerberos configuration conforms to the
following.
Kerberos works only between Citrix Receiver for Windows and servers that belong to the same or to trusted Windows
Server domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users
and Computers management tool.
Kerberos must be enabled on the domain and in XenDesktop and XenApp. For enhanced security and to ensure that
Kerberos is used, disable on the domain any non-Kerberos IWA options.
Kerberos logon is not available for Remote Desktop Services connections configured to use Basic authentication, to
always use specified logon information, or to always prompt for a password.
T he remainder of this topic describes how to configure domain pass-through authentication for the most common
scenarios. If you are migrating to StoreFront from Web Interface and previously used a customized authentication solution,
contact your Citrix Support representative for more information.
Warning
Some of the configurations described in this topic include registry edits. Using Registry Editor incorrectly can cause serious
problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use
of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.131
To configure domain pass-through authentication with Kerberos f or use with smart cards
If you are not familiar with smart card deployments in a XenDesktop environment, we recommend that you review the
smart card information in the Secure your deployment section in the XenDesktop documentation before continuing.
When you install Citrix Receiver for Windows, include the following command-line option:
/includeSSON
T his option installs the single sign-on component on the domain-joined computer, enabling Citrix Receiver for Windows
to authenticate to StoreFront using IWA (Kerberos). T he single sign-on component stores the smart card PIN, which is
then used by the HDX engine when it remotes the smart card hardware and credentials to XenDesktop. XenDesktop
automatically selects a certificate from the smart card and obtains the PIN from the HDX engine.
A related option, ENABLE_SSON, is enabled by default and should remain enabled.
If a security policy prevents enabling single sign-on on a device, configure Citrix Receiver for Windows through the
following policy:
Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User
authentication > Local user name and password
Note: In this scenario you want to allow the HDX engine to use smart card authentication and not Kerberos, so do not
use the option ENABLE_KERBEROS=Yes, which would force the HDX engine to use Kerberos.
To apply the settings, restart Citrix Receiver for Windows on the user device.
To configure StoreFront:
In the default.ica file located on the StoreFront server, set DisableCtrlAltDel to false.
Note: T his step is not required if all client machines are running Citrix Receiver for Windows 4.2 or above.
When you configure the authentication service on the StoreFront server, select the Domain pass-through check box.
T hat setting enables Integrated Windows Authentication. You do not need to select the Smart card check box unless
you also have non domain joined clients connecting to Storefront with smart cards.
For more information about using smart cards with StoreFront, refer to Configure the authentication service in the
StoreFront documentation.
About FastConnect API and HTTP basic authentication
T he FastConnect API uses the HT T P Basic Authentication method, which is frequently confused with authentication
methods associated with domain pass-through, Kerberos, and IWA. Citrix recommends that you disable IWA on StoreFront
and in ICA group policy.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.132
Configure smart card authentication
Aug 14 , 20 17
Citrix Receiver for Windows supports the following smart card authentication features. For information about XenDesktop
and StoreFront configuration, refer to the documentation for those components. T his topic describes Citrix Receiver for
Windows configuration for smart cards.
Pass-through authentication (single sign-on) – Pass-through authentication captures smart card credentials when
users log on to Citrix Receiver for Windows. Citrix Receiver for Windows uses the captured credentials as follows:
Users of domain-joined devices who log on to Citrix Receiver for Windows with smart card credentials can start virtual
desktops and applications without needing to re-authenticate.
Users of non-domain-joined devices who log on to Citrix Receiver for Windows with smart card credentials must enter
their credentials again to start a virtual desktop or application.
Pass-through authentication requires StoreFront and Citrix Receiver for Windows configuration.
Bimodal authentication – Bimodal authentication offers users a choice between using a smart card and entering their
user name and password. T his feature is useful if the smart card cannot be used (for example, the user has left it at
home or the logon certificate has expired). Dedicated stores must be set up per site to allow this, using the
DisableCtrlAltDel method set to False to allow smart cards. Bimodal authentication requires StoreFront configuration. If
NetScaler Gateway is present in the solution, is also requires configuration.
Bimodal authentication also now gives the StoreFront administrator the opportunity to offer the end user both user
name and password and smart card authentication to the same store by selecting them in the StoreFront Console. See
StoreFront documentation.
Multiple certif icates – Multiple certificates can be available for a single smart card and if multiple smart cards are in use.
When a user inserts a smart card into a card reader, the certificates are available to all applications running on the user
device, including Citrix Receiver for Windows. T o change how certificates are selected, configure Citrix Receiver for
Windows.
Client certif icate authentication – Client certificate authentication requires NetScaler Gateway and StoreFront
configuration.
For access to StoreFront resources through NetScaler Gateway, users might have to re-authenticate after removing
a smart card.
When the NetScaler Gateway SSL configuration is set to mandatory client certificate authentication, operation is
more secure. However mandatory client certificate authentication is not compatible with bimodal authentication.
Double hop sessions – If a double-hop is required, a further connection is established between Receiver and the user's
virtual desktop. Deployments supporting double hops are described in the XenDesktop documentation.
Smart card-enabled applications – Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office,
allow users to digitally sign or encrypt documents available in virtual desktop or application sessions.
Prerequisites
T his topic assumes familiarity with the smart card topics in the XenDesktop and StoreFront documentation.
Limitations
Certificates must be stored on a smart card, not the user device.
Citrix Receiver for Windows does not save the user certificate choice, but can store the PIN when configured. T he PIN is
only cached in non-paged memory for the duration of the user session and is not stored to disk at any point.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.133
Citrix Receiver for Windows does not reconnect sessions when a smart card is inserted.
When configured for smart card authentication, Citrix Receiver for Windows does not support virtual private network
(VPN) single-sign on or session pre-launch. T o use VPN tunnels with smart card authentication, users must install the
NetScaler Gateway Plug-in and log on through a web page, using their smart cards and PINs to authenticate at each
step. Pass-through authentication to StoreFront with the NetScaler Gateway Plug-in is not available for smart card
users.
Citrix Receiver for Windows Updater communications with citrix.com and the Merchandising Server is not compatible
with smart card authentication on NetScaler Gateway.
Warning
Some of the configuration described in this topic include registry edits. Using Registry Editor incorrectly can cause serious problems
that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To enable single sign-on f or smart card authentication
To configure Citrix Receiver for Windows, include the following command-line option when you install it:
ENABLE_SSON=Yes
Single sign-on is another term for pass-through authentication. Enabling this setting prevents Citrix Receiver for
Windows from displaying a second prompt for a PIN.
Alternatively, you can perform the configuration through these policy and registry changes:
Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components > Citrix Receiver > User
authentication > Local user name and password
Set SSONCheckEnabled to false in either of the following registry keys if the single sign-on component is not installed.
T he key prevents the Citrix Receiver for Windows authentication manager from checking for the single sign-on
component, thus allowing Citrix Receiver for Windows to authenticate to StoreFront.
HKEY_CURRENT _USER\Software\Citrix\AuthManager\protocols\integratedwindows\
HKEY_LOCAL_MACHINE\Software\Citrix\AuthManager\protocols\integratedwindows\
Alternatively, it is possible to enable smart card authentication to Storefront instead of Kerberos. To enable smart card
authentication to StoreFront instead of Kerberos, install Citrix Receiver for Windows with the command line options below.
T his requires administrator privileges. T he machine does not need to be joined to a domain.
/includeSSON installs single sign-on (pass-through) authentication. Enables credential caching and the use of passthrough domain-based authentication.
If the user is logging on to the endpoint with a different method to smart card for Receiver authentication (for example,
user name and password), the command line is:
/includeSSON LOGON_CREDENTIAL_CAPTURE_ENABLE=No
T his prevents the credentials being captured at log on time and allows Citrix Receiver for Windows to store the PIN
when logging on to Citrix Receiver for Windows.
Go to Policy > Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components > Citrix Receiver >
User Authentication > Local user name and password.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.134
Enable pass-through authentication. Depending on the configuration and security settings, you may need to select the
Allow pass-through authentication for all ICA option for pass-through authentication to work.
To configure StoreFront:
When you configure the authentication service, select the Smart card check box.
For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront
documentation.
To enable user devices f or smart card use
1. Import the certificate authority root certificate into the device's keystore.
2. Install your vendor's cryptographic middleware.
3. Install and configure Citrix Receiver for Windows.
To change how certificates are selected
By default, if multiple certificates are valid, Citrix Receiver for Windows prompts the user to choose a certificate from the
list. Alternatively, you can configure Citrix Receiver for Windows to use the default certificate (per the smart card provider)
or the certificate with the latest expiry date. If there are no valid logon certificates, the user is notified, and given the
option to use an alternate logon method if available.
A valid certificate must have all of these characteristics:
T he current time of the clock on the local computer is within the certificate validity period.
T he Subject public key must use the RSA algorithm and have a key length of 1024, 2048, or 4096 bits.
Key Usage must contain Digital Signature.
Subject Alternative Name must contain the User Principal Name (UPN).
Enhanced Key Usage must contain Smart Card Logon and Client Authentication, or All Key Usages.
One of the Certificate Authorities on the certificate’s issuer chain must match one of the permitted Distinguished
Names (DN) sent by the server in the T LS handshake.
Change how certificates are selected by using either of the following methods:
On the Citrix Receiver for Windows command line, specify the option AM_CERT IFICAT ESELECT IONMODE={ Prompt |
SmartCardDefault | LatestExpiry }.
Prompt is the default. For SmartCardDefault or LatestExpiry, if multiple certificates meet the criteria, Citrix Receiver for
Windows prompts the user to choose a certificate.
Add the following key value to the registry key HKCU or HKLM\Software\[Wow6432Node\]Citrix\AuthManager:
CertificateSelectionMode={ Prompt | SmartCardDefault | LatestExpiry }.
Values defined in HKCU take precedence over values in HKLM to best assist the user in selecting a certificate.
To use CSP PIN prompts
By default, the PIN prompts presented to users are provided by Citrix Receiver for Windows rather than the smart card
Cryptographic Service Provider (CSP). Citrix Receiver for Windows prompts users to enter a PIN when required and then
passes the PIN to the smart card CSP. If your site or smart card has more stringent security requirements, such as to
disallow caching the PIN per-process or per-session, you can configure Citrix Receiver for Windows to instead use the CSP
components to manage the PIN entry, including the prompt for a PIN.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.135
Change how PIN entry is handled by using either of the following methods:
On the Citrix Receiver for Windows command line, specify the option AM_SMART CARDPINENT RY=CSP.
Add the following key value to the registry key HKLM\Software\[Wow6432Node\]Citrix\AuthManager:
SmartCardPINEntry=CSP.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.136
Enable certificate revocation list checking for
improved security
Aug 14 , 20 17
When certificate revocation list (CRL) checking is enabled, Citrix Receiver checks whether or not the server’s certificate is
revoked. By forcing Citrix Receiver to check this, you can improve the cryptographic authentication of the server and the
overall security of the T LS connection between a user device and a server.
You can enable several levels of CRL checking. For example, you can configure Citrix Receiver to check only its local
certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow
users to log on only if all CRLs are verified.
If you are making this change on a local computer, exit Citrix Receiver if it is running. Make sure all Citrix Receiver
components, including the Connection Center, are closed.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer or by using the Group Policy Management Console when applying domain policies.
Note: If you already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can omit Steps
2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative T emplates folder.
3. From the Action menu, choose Add/Remove T emplates.
4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\Program Files\Citrix\ICA
Client\Configuration) and select the Citrix Receiver for Windows template file.
Note: Depending on the version of the Windows operating system, select the Citrix Receiver for Windows template file
(receiver.adm or receiver.admx/receiver.adml).
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. In the Group Policy Editor, go to Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components
> Citrix Receiver > Network routing > T LS/SSL data encryption and server identification.
7. From the Action menu, choose Properties and select Enabled.
8. From the CRL verification drop-down menu, select one of the options.
Disabled. No certificate revocation list checking is performed.
Only check locally stored CRLs. CRLs that were installed or downloaded previously are used in certificate validation.
Connection fails if the certificate is revoked.
Require CRLs for connection. CRLs locally and from relevant certificate issuers on the network are checked.
Connection fails if the certificate is revoked or not found.
Retrieve CRLs from network. CRLs from the relevant certificate issuers are checked. Connection fails if the certificate
is revoked.
If you do not set CRL verification, it defaults to Only check locally stored CRLs.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.137
Secure communications
Aug 14 , 20 17
To secure the communication between XenDesktop Sites or XenApp server farms and Citrix Receiver for Windows, you can
integrate your Citrix Receiver for Windows connections using security technologies such as the following:
Citrix NetScaler Gateway. For information, refer to topics in this section as well as the NetScaler Gateway, and
StoreFront documentation.
Note: Citrix recommends using NetScaler Gateway to secure communications between StoreFront servers and user
devices.
A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Citrix
Receiver for Windows through a network firewall that maps the server's internal network IP address to an external
Internet address (that is, network address translation, or NAT ), configure the external address.
T rusted server configuration.
For XenApp or Web Interface deployments only; not applicable to XenDesktop 7: A SOCKS proxy server or secure proxy
server (also known as security proxy server, HT T PS proxy server). You can use proxy servers to limit access to and from
your network and to handle connections between Receiver and servers. Receiver supports SOCKS and secure proxy
protocols.
For XenApp or Web Interface deployments only; not applicable to XenDesktop 7, XenDesktop 7.1, XenDesktop 7.5, or
XenApp 7.5: SSL Relay solutions with T ransport Layer Security (T LS) protocols.
For XenApp 7.6 and XenDesktop 7.6, you can enable an SSL connection directly between users and VDAs.
Citrix Receiver for Windows is compatible with and functions in environments where the Microsoft Specialized Security Limited Functionality (SSLF) desktop security templates are used. T hese templates are supported on various Windows
platforms. Refer to the Windows security guides available at http://technet.microsoft.com for more information about the
templates and related settings.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.138
Configure and enable TLS
Aug 14 , 20 17
T his topic applies to XenApp and XenDesktop Version 7.6 and later.
To use T LS encryption for all Citrix Receiver for Windows communications, configure the user device, Citrix Receiver for Windows ,
and, if using Web Interface, the server running the Web Interface. For information about securing StoreFront communications, see
Secure section in the StoreFront documentation. For information about securing Web Interface, see Secure section in the Web
Interface documentation.
Pre-requisites:
User devices must meet the requirements specified in the System requirements.
Use this policy to configure the T LS options that ensure the Citrix Receiver for Windows securely identifies the server that it is
connecting to, and encrypts all communication with the server.
You can use the options below to:
Enforce use of T LS. Citrix recommends that all connections over untrusted networks, including the Internet, use T LS.
Enforce use of FIPS (Federal Information Processing Standards) Approved cryptography and help comply with the
recommendations in NIST SP 800-52. T hese options are disabled by default.
Enforce use of a specific version of T LS, and specific T LS cipher suites, Citrix supports T LS 1.0, T LS 1.1 and T LS 1.2 protocols
between Citrix Receiver for Windows, and XenApp or XenDesktop.
Connect only to specific servers.
Check for revocation of the server certificate.
Check for a specific server certificate issuance policy.
Select a particular client certificate, if the server if is configured to request one.
To configure TLS support using Group Policy Object
administrative template
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
T o apply the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative template from the Start
menu.
T o apply the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template using the Group Policy
Management Console.
2. Under the Computer Configuration node, go to Administrative Templates > Citrix Receiver > Network routing, and select the
TLS and Compliance Mode Configuration policy.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.139
3. Select Enabled to enable secure connections and to encrypt communication on the server. Set the following options:
Note: Citrix recommends T LS for secure connections.
1. Select Require TLS f or all connections to force Citrix Receiver for Windows to use T LS for all connections to published
applications and desktops.
2. From the Security Compliance Mode drop-down, select the appropriate option:
1. None - No compliance mode is enforced.
2. SP800-52 – Select SP800-52 for compliance with NIST SP 800-52. Select this option only if the servers or gateway
complies with NIST SP 800-52 recommendations.
Note: If you select SP800-52, FIPS Approved cryptography is automatically used, even if Enable FIPS is not selected. You must
also enable the Windows security option, System Cryptography: Use FIPS-compliant algorithms f or encryption, hashing,
and signing. Otherwise, Citrix Receiver for Windows might fail to connect to published applications and desktops.
If you select SP800-52, you must select either the Certificate Revocation Check Policy setting with Full Access Check,
or Full access check and CRL required.
If you select SP800-52, Citrix Receiver for Windows verifies that the server certificate complies with the recommendations
in NIST SP 800-52. If the server certificate does not comply, Citrix Receiver for Windows might fail to connect.
3. Enable FIPS – Select this option to enforce the use of FIPS approved cryptography. You must also enable the
Windows security option from the operating system group policy, System Cryptography: Use FIPS-compliant
algorithms f or encryption, hashing, and signing. Otherwise, Citrix Receiver for Windows might fail to connect to
published applications and desktops.
4. From the Allow TLS Servers drop-down, select the port number. You can ensure that Citrix Receiver connects only
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.140
to a specified server by a comma-separated list. You can specify wildcards and port numbers. For example,
*.citrix.com:4433 allows connections to any server whose common name ends with .citrix.com on port 4433. T he
issuer of the certificate asserts the accuracy of the information in a security certificate. If Citrix Receiver does not
recognize and trust the issuer, the connection is rejected.
5. From the TLS version drop-down, select any of the following options:
> TLS 1.0, TLS 1.1, or TLS 1.2 - T his is the default setting. T his option is recommended only if there is a business
requirement for T LS 1.0 for compatibility.
> TLS 1.1 or TLS 1.2 – Use this option to ensure that the ICA connections use either T LS 1.1 or T LS 1.2
> TLS 1.2 - T his option is recommended if T LS 1.2 is a business requirement.
6. TLS cipher suite - To enforce the use of specific T LS cipher suites, select either Government (GOV), Commercial
(COM), or All (ALL). In certain cases of NetScaler Gateway configurations, you might need to select COM.
Citrix Receiver for Windows supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys
of 4096-bit length are also supported.
Note: Citrix does not recommend using RSA keys of 1024-bit length
See the table below that lists all the supported cipher suites.
> Any: When "Any" is set, the policy is not configured and any of the following cipher suites are allowed:
-T LS_RSA_WIT H_RC4_128_MD5
-T LS_RSA_WIT H_RC4_128_SHA
-T LS_RSA_WIT H_3DES_EDE_CBC_SHA
-T LS_RSA_WIT H_AES_128_CBC_SHA
-T LS_RSA_WIT H_AES_256_CBC_SHA
- T LS_RSA_WIT H_AES_128_GCM_SHA256
-T LS_RSA_WIT H_AES_256_GCM_SHA384
> Commercial: When "Commercial" is set, only the following cipher suites are allowed:
-T LS_RSA_WIT H_RC4_128_MD5
-T LS_RSA_WIT H_RC4_128_SHA
-T LS_RSA_WIT H_AES_128_CBC_SHA
-T LS_RSA_WIT H_AES_128_GCM_SHA256
>Government: When "Government" is set, only the following cipher suites are allowed:
-T LS_RSA_WIT H_AES_256_CBC_SHA
-T LS_RSA_WIT H_3DES_EDE_CBC_SHA
-T LS_RSA_WIT H_AES_128_GCM_SHA256
-T LS_RSA_WIT H_AES_256_GCM_SHA384
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.141
7. From the Certificate Revocation Check Policy drop-down, select any of the following:
> Check with No Network Access - Certificate Revocation list check is performed. Only local certificate
revocation list stores are used. All distribution points are ignored. Finding the Certificate Revocation List is not
mandatory to verify the server certificate that is presented by the target SSL Relay/Secure Gateway server.
> Full Access Check - Certificate Revocation List check is performed. Local Certificate Revocation List stores
and all distribution points are used. If revocation information for a certificate is found, the connection is
rejected. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by
the target server.
> Full Access Check and CRL Required - Certificate Revocation List check is performed, excluding the root CA.
Local Certificate Revocation List stores and all distribution points are used. If revocation information for a
certificate is found, the connection is rejected. Finding all required Certificate Revocation Lists is critical for
verification.
> Full Access Check and CRL Required All - Certificate Revocation List check is performed, including the root
CA. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a
certificate is found, the connection is rejected. Finding all required Certificate Revocation Lists is critical for
verification.
>No Check - No Certificate Revocation List check is performed.
8. Using the Policy Extension OID, you can limit Citrix Receiver for Windows to connect only to servers with a specific
certificate issuance policy. When you select Policy Extension OID, Citrix Receiver for Windows accepts only server
certificates containing that Policy Extension OID.
9.From the Client Authentication drop-down, select any of the following:
> Disabled - Client Authentication is disabled.
>Display certificate selector - Always prompt the user to select a certificate.
>Select automatically if possible - Prompt the user only if there a choice of the certificate to identify.
> Not configured – Indicates that client authentication is not configured.
>Use specified certificate - Use the client certificate as set in the Client Certificate option.
10.Use the Client Certificate setting to specify the identifying certificate's thumbprint to avoid prompting the user
unnecessarily.
4. Click Apply and OK to save the policy.
T he following table lists the cipher suites in each set:
TLS cipher suite
GOV
COM
ALL
GOV
COM
ALL
GOV
COM
ALL
Enable FIPS
Off
Off
Off
On
On
On
On
On
On
Security Compliance Mode SP800-52
Off
Off
Off
Off
Off
Off
On
On
On
T LS_ECDHE_RSA_WIT H_AES_256_GCM_SHA384
X
X
X
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
X
p.142
T LS_ECDHE_RSA_WIT H_AES_256_CBC_SHA384
X
X
X
X
T LS_RSA_WIT H_AES_256_GCM_SHA384
X
X
X
X
X
T LS_RSA_WIT H_AES_128_GCM_SHA256
X
X
X
X
X
T LS_RSA_WIT H_AES_256_CBC_SHA256
X
X
X
X
T LS_RSA_WIT H_AES_256_CBC_SHA
X
X
X
X
X
T LS_RSA_WIT H_AES_128_CBC_SHA
X
X
T LS_RSA_WIT H_RC4_128_SHA
X
X
T LS_RSA_WIT H_RC4_128_MD5
X
X
T LS_RSA_WIT H_3DES_EDE_CBC_SHA
https://docs.citrix.com
X
X
X
X
X
© 1999-2017 Citrix Systems, Inc. All rights reserved.
X
X
X
X
X
X
X
X
X
X
X
p.143
Configure smart card authentication for Web Interface
5.4
Aug 14 , 20 17
If Citrix Receiver for Windows is installed with a SSON component, pass-through authentication is enabled by default even
if the PIN pass-through for smart card is not enabled on the XenApp PNAgent site; the pass-through setting for
authentication methods will no longer be effective. T he screen below illustrates how to enable smart card as the
authentication method when Citrix Receiver for Windows is properly configured with SSON.
See How to Manually install and configure Citrix Receiver for Pass-through Authentication for more information.
Use the smart card removal policy to control the behavior for smart card removal when a user authenticates to the Citrix
Web Interface 5.4 PNAgent site.
When this policy is enabled, the user is logged off from the XenApp session if the smart card is removed from the client
device. However, the user is still logged into Citrix Receiver for Windows.
For this policy to take effect, the smart card removal policy must set in Web Interface XenApp Services site. T he settings
can be found on Web Interface 5.4, XenApp Services Site > Pass-through with smart card > Enable Roaming >
Logof f the sessions when smart card removed.
When the smart card removal policy is disabled, the user’s XenApp session is disconnected if the smart card is removed from
the client device; smart card removal on the Web Interface XenApp Services site does not have any effect.
Note: T here are separate policies for 32bit and 64bit clients. For 32bit devices, the policy name is Smartcard Removal
Policy (32Bit machine) and for 64bit devices, the policy name is Smartcard Removal Policy (64 Bit machine).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.144
Smart card support and removal changes
Consider the following when connecting to a XenApp 6.5 PNAgent site:
Beginning with Citrix Receiver for Windows 4.5, smart card login is supported for PNAgent site logins.
T he smart card removal policy has changed on the PNAgent Site:
A XenApp session is logged off when the smart card is removed – if the PNAgent site is configured with smart card as
the authentication method, the corresponding policy has to be configured on Receiver for Windows to enforce the
XenApp session for logoff. Enable roaming for smart card authentication on the XenApp PNAgent site and enable the
smart card removal policy, which logs off XenApp from the Receiver session; the user is still logged into the Receiver
session.
Known issue
When a user logs in to the PNAgent site using smart card authentication, the username is displayed as Logged On.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.145
Connect with Secure Gateway
Aug 14 , 20 17
T his topic applies only to deployments using the Web Interface.
You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication
between Citrix Receiver for Windows and the server. No Citrix Receiver for Windows configuration is required if you are
using the Secure Gateway in Normal mode and users are connecting through the Web Interface.
Citrix Receiver for Windows uses settings that are configured remotely on the server running the Web Interface to connect
to servers running the Secure Gateway. See the topics for the Web Interface for information about configuring proxy
server settings for Citrix Receiver for Windows.
For more information about configuring proxy server settings, see Web Interface documentation.
If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay
mode.
If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Citrix Receiver for
Windows to use:
T he fully qualified domain name (FQDN) of the Secure Gateway server.
T he port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.
T he FQDN must list, in sequence, the following three components:
Host name
Intermediate domain
T op-level domain
For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, a host name (my_computer), an
intermediate domain (my_company), and a top-level domain (com). T he combination of intermediate and top-level domain
(my_company.com) is generally referred to as the domain name.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.146
Connect through a firewall
Aug 14 , 20 17
Network firewalls can allow or block packets based on the destination address and port. If you are using a firewall in your
deployment, Citrix Receiver for Windows must be able to communicate through the firewall with both the Web server and
Citrix server.
Common Citrix Communication Ports
Source
Type
Port
Details
Citrix Receiver
TCP
80/443
Communication with StoreFront
ICA/HDX
TCP
1494
Access to applications and virtual desktops
TCP
2598
Access to applications and virtual desktops
TCP
443
Access to applications and virtual desktops
TCP
8008
Access to applications and virtual desktops
ICA/HDX Audio over UDP
TCP
16500-16509
Port range for ICA/HDX audio
IMA
TCP
2512
Independent Management Architecture (IMA)
Management Console
TCP
2513
ICA/HDX with Session
Reliability
ICA/HDX over SSL
ICA/HDX from HT ML5
Receiver
Citrix Management Consoles and
*WCF services Note: For FMA based platforms 7.5 and later, port 2513 is NOT
used.
Application/Desktop
Request
STA
TCP
80/8080/443
XML Service
TCP
80/8080/443
Secure T icketing Authority (embedded into XML Service)
Note
* In XenApp 6.5 port 2513 is used by XenApp Command Remoting Services through WCF.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.147
If the firewall is configured for Network Address Translation (NAT ), you can use the Web Interface to define mappings from
internal addresses to external addresses and ports. For example, if your XenApp or XenDesktop server is not configured
with an alternate address, you can configure the Web Interface to provide an alternate address to Receiver. Citrix Receiver
for Windows then connects to the server using the external address and port number. For more information, see the Web
Interface documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.148
Connect through a proxy server
Aug 14 , 20 17
Proxy servers are used to limit access to and from your network, and to handle connections between Citrix Receiver for
Windows and servers. Citrix Receiver for Windows supports SOCKS and secure proxy protocols.
When communicating with the server farm, Receiver uses proxy server settings that are configured remotely on the server
running Receiver for Web or the Web Interface. For information about proxy server configuration, refer to StoreFront or
Web Interface documentation.
In communicating with the Web server, Receiver uses the proxy server settings that are configured through the Internet
settings of the default Web browser on the user device. You must configure the Internet settings of the default Web
browser on the user device accordingly.
Configure the proxy settings using the registry editor to enforce Citrix Receiver for Windows to honor or discard the proxy
server during connections.
Warning
Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot
guarantee that problems resulting from the incorrect use of Registry
1. Navigate to HKLM\Software\Citrix\AuthManager\
2. Set the ProxyEnabled(REG_SZ) .
1. T rue – indicates that Citrix Receiver for Windows honors the proxy server during connections.
2. False- indicates that Citrix Receiver for Windows discards the proxy server during connections.
3. Close the registry editor.
4. Restart the Citrix Receiver for Windows session for the changes to take effect.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.149
Enforce trust relationship
Aug 14 , 20 17
Trusted server configuration identifies and enforces trust relations in Citrix Receiver for Windows connections.
When you enable Trusted server feature, Citrix Receiver for Windows specifies the requirements and decides if the
connection to the server can be trusted or not. For example, a Citrix Receiver for Windows connecting to a certain address
(such as https://*.citrix.com) with a specific connection type (such as T LS) is directed to a trusted zone on the server
When you enable this feature, connected server resides in the Windows Trusted Sites zone. For instructions about adding
servers to the Windows Trusted Sites zone, see the Internet Explorer online help.
To enable trusted server configuration using Group Policy Object administrative template
Pre-requisite:
Exit from the Citrix Receiver for Windows components including the Connection Center.
1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
1. T o apply the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative template from
the Start menu.
2. T o apply the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template using the
Group Policy Management Console.
2. Under the Computer Configuration node, go to Administrative T emplates > Classic Administrative T emplates (ADM) >
Citrix Components > Citrix Receiver > Network Routing > Configure trusted server configuration.
3. Select Enabled to force Citrix Receiver for Windows to perform region identification.
4. Select Enf orce trusted server conf iguration. T his forces the client to perform the identification using a trusted server.
5. From the Windows internet zone drop-down, select the client server address. T his setting is applicable only to
Windows T rusted Site zone.
6. In the Address field, set the client server address for trusted site zone other than Windows. You can use a commaseparated list.
7. Click OK and Apply.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.150
Elevation level and wfcrun32.exe
Aug 14 , 20 17
When User Access Control (UAC) is enabled on devices running Windows 10, Windows 8, Windows 7, only processes at the
same elevation/integrity level as wfcrun32.exe can launch virtual applications.
Example 1:
When wfcrun32.exe is running as a normal user (un-elevated), other processes such as Receiver must be running as a normal
user to launch applications through wfcrun32.exe.
Example 2:
When wfcrun32.exe is running in elevated mode, other processes such as Receiver, Connection Center, and third party
applications using the ICA Client Object that are running in non-elevated mode cannot communicate with wfcrun32.exe.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.151
ICA file signing to protect against application or
desktop launches from untrusted servers
Aug 14 , 20 17
T his topic applies only to deployments with Web Interface using Administrative Templates.
T he ICA File Signing feature helps protect users from unauthorized application or desktop launches. Citrix Receiver for
Windows verifies that a trusted source generated the application or desktop launch based on administrative policy and
protects against launches from untrusted servers. You can configure this Citrix Receiver for Windows security policy for
application or desktop launch signature verification using Group Policy Objects, StoreFront, or Citrix Merchandising Server.
ICA file signing is not enabled by default. For information about enabling ICA file signing for StoreFront, refer to the
StoreFront documentation.
For Web Interface deployments, the Web Interface enables and configures application or desktop launches to include a
signature during the launch process using the Citrix ICA File Signing Service. T he service can sign ICA files using a certificate
from the computer's personal certificate store.
T he Citrix Merchandising Server with Citrix Receiver for Windows enables and configures launch signature verification using
the Citrix Merchandising Server Administrator Console > Deliveries wizard to add trusted certificate thumbprints.
To use Group Policy Objects to enable and configure application or desktop launch signature verification, follow this
procedure:
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying
policies to a single computer or by using the Group Policy Management Console when applying domain policies.
Note: If you already imported the ica-file-signing.adm template into the Group Policy Editor, you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative T emplates folder.
3. From the Action menu, choose Add/Remove T emplates.
4. Choose Add and browse to the Citrix Receiver for Windows configuration folder (usually C:\Program Files\Citrix\ICA
Client\Configuration) and select ica-file-signing.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. In the Group Policy Editor, go to Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components
> Citrix Receiver and navigate to Enable ICA File Signing.
7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or
remove signing certificate thumbprints from the white list by clicking Show and using the Show Contents screen. You can
copy and paste the signing certificate thumbprints from the signing certificate properties. Use the Policy drop-down
menu to select Only allow signed launches (more secure) or Prompt user on unsigned launches (less secure).
Option
Description
Only allow
Allows only properly signed application or desktop launches from a trusted server. T he user sees a
signed
Security Warning message in Citrix Receiver for Windows if an application or desktop launch has
launches (more
an invalid signature. T he user cannot continue and the unauthorized launch is blocked.
secure)
Prompt user
Prompts the user every time an unsigned or invalidly signed application or desktop attempts to
on unsigned
launch. T he user can either continue the application launch or abort the launch (default).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.152
launches (less
Option
secure)
Description
To select and distribute a digital signature certificate
When selecting a digital signature certificate, Citrix recommends you choose from this prioritized list:
1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).
2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.
3. Use an existing SSL certificate, such as the Web Interface server certificate.
4. Create a new root CA certificate and distribute it to user devices using GPO or manual installation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.153
Citrix Receiver for Windows Desktop Lock
Aug 14 , 20 17
You can use the Citrix Receiver for Windows Desktop Lock when you do not need to interact with the local desktop. You
can still use the Desktop Viewer (if enabled), however it has only the required set of options on the toolbar: Ctrl+Alt+Del,
Preferences, Devices, and Disconnect.
Citrix Receiver for Windows Desktop Lock works on domain-joined machines, which are SSON-enabled (Single Sign-On) and
store configured; it can also be used on non-domain joined machines without SSON enabled. It does not support PNA sites.
Previous versions of Desktop Lock are not supported when you upgrade to Citrix Receiver for Windows 4.2 or later.
You must install Citrix Receiver for Windows with the /includeSSON flag. You must configure the store and Single Sign-on,
either using the adm/admx file or cmdline option. For more information, see Install and configure Citrix Receiver using the
command line.
T hen, install the Citrix Receiver for Windows Desktop Lock as an administrator using the CitrixReceiverDesktopLock.MSI
available in the Citrix Downloads page.
System requirements f or Citrix Receiver Desktop Lock
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. For more information, see the Microsoft
Download page.
Supported on Windows 7 (including Embedded Edition), Windows 7 T hin PC, Windows 8, and Windows 8.1 and Windows
10 (Anniversary update included).
Connects to StoreFront through native protocols only.
Domain-joined and non-domain joined end points.
User devices must be connected to a local area network (LAN) or wide area network (WAN).
Local App Access
Important
Enabling Local App Access may permit local desktop access unless a full lock down has been applied with the Group Policy Object
template or a similar policy. See Configure Local App Access and URL redirection in XenApp and XenDesktop for more information.
Working with Citrix Receiver f or Windows Desktop Lock
You can use Citrix Receiver for Windows Desktop Lock with the following Citrix Receiver for Windows features:
3Dpro, Flash, USB, HDX Insight, Microsoft Lync 2013 plug-in, and local app access
Domain, two-factor, or smart card authentication only
Disconnecting the Citrix Receiver for Windows Desktop Lock session logs out the end device.
Flash redirection is disabled on Windows 8 and later versions. Flash redirection is enabled on Windows 7.
T he Desktop Viewer is optimized for Citrix Receiver for Windows Desktop Lock with no Home, Restore, Maximize, and
Display properties.
Ctrl+Alt+Del is available on the Viewer toolbar.
Most windows shortcut keys are passed to the remote session, with the exception of Windows+L. For details, see
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.154
Passing Windows shortcut keys to the remote session.
Ctrl+F1 triggers Ctrl+Alt+Del when you disable the connection or Desktop Viewer for desktop connections.
To install Citrix Receiver f or Windows Desktop Lock
T his procedure installs Citrix Receiver for Windows so that virtual desktops appear using Citrix Receiver for Windows
Desktop Lock. For deployments that use smart cards, see T o configure smart cards for use with devices running Receiver
Desktop Lock.
1. Log on using a local administrator account.
2. At a command prompt, run the following command (located in the Citrix Receiver and Plug-ins > Windows > Citrix
Receiver for Windows folder on the installation media).
For example:
CitrixReceiver.exe
/includeSSON
STORE0="DesktopStore;https://my.storefront.server/Citrix/MyStore/discovery;on;Desktop Store"
For command details, see the Citrix Receiver for Windows install documentation at Configure and install Receiver for
Windows using command-line parameters.
3. In the same folder on the installation media, double-click CitrixReceiverDesktopLock.MSI . T he Desktop Lock wizard
opens. Follow the prompts.
4. When the installation completes, restart the user device. If you have permission to access a desktop and you log on as a
domain user, the device appears using Receiver Desktop Lock.
To allow administration of the user device after installation, the account used to install CitrixReceiverDesktopLock.msi is
excluded from the replacement shell. If that account is later deleted, you will not be able to log on and administer the
device.
To run a silent install of Receiver Desktop Lock, use the following command line: msiexec /i CitrixReceiverDesktopLock.msi
/qn
To configure Citrix Receiver f or Windows Desktop Lock
Grant access to only one virtual desktop running Citrix Receiver for Windows Desktop Lock per user.
Using Active Directory policies, prevent users from hibernating virtual desktops.
Use the same administrator account to configure Citrix Receiver for Windows Desktop Lock as you did to install it.
Ensure that the receiver.admx (or receiver.adml) and receiver_usb.admx (.adml) files are loaded into Group Policy (where
the policies appear in Computer Configuration or User Configuration > Administrative T emplates > Classic Administrative
T emplates (ADMX) > Citrix Components). T he .admx files are located in %Program Files%\Citrix\ICA Client\Configuration\.
USB preferences - When a user plugs in a USB device, that device is automatically remoted to the virtual desktop; no user
interaction is required. T he virtual desktop is responsible for controlling the USB device and displaying it in the user
interface.
Enable the USB policy rule.
In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices
and New USB Devices policies.
Drive mapping - In Citrix Receiver > Remoting client devices, enable and configure the Client drive mapping policy.
Microphone - In Citrix Receiver > Remoting client devices, enable and configure the Client microphone policy.
To configure smart cards f or use with devices running Citrix Receiver f or Windows Desktop Lock
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.155
1. Configure StoreFront.
1. Configure the XML Service to use DNS Address Resolution for Kerberos support.
2. Configure StoreFront sites for HT T PS access, create a server certificate signed by your domain certificate authority,
and add HT T PS binding to the default website.
3. Ensure pass-through with smart card is enabled (enabled by default).
4. Enable Kerberos.
5. Enable Kerberos and Pass-through with smart card.
6. Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
7. Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
2. Use the Group Policy Management Console to configure Local Computer Policies on the user device.
1. Import the Receiver.admx template from %Program Files%\Citrix\ICA Client\Configuration\.
2. Expand Administrative T emplates > Classic Administrative T emplates (ADMX) > Citrix Components > Citrix Receiver >
User authentication.
3. Enable Smart card authentication.
4. Enable Local user name and password.
3. Configure the user device before installing Citrix Receiver for Windows Desktop Lock.
1. Add the URL for the Delivery Controller to the Windows Internet Explorer T rusted Sites list.
2. Add the URL for the first Delivery Group to the Internet Explorer T rusted Sites list in the form desktop://deliverygroup-name.
3. Enable Internet Explorer to use automatic logon for T rusted Sites.
When Citrix Receiver for Windows Desktop Lock is installed on the user device, a consistent smart card removal policy is
enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log
off from the user device as well, regardless of the Windows smart card removal policy set on it. T his ensures that the user
device is not left in an inconsistent state. T his applies only to user devices with the Citrix Receiver for Windows Desktop
Lock.
To remove Citrix Receiver f or Windows Desktop Lock
Be sure to remove both of the components listed below.
1. Log on with the same local administrator account that was used to install and configure Citrix Receiver for Windows
Desktop Lock.
2. From the Windows feature for removing or changing programs:
Remove Citrix Receiver for Windows Desktop Lock.
Remove Citrix Receiver for Windows.
Passing Windows shortcut keys to the remote session
Most windows shortcut keys are passed to the remote session. T his section highlights some of the common ones.
Windows
Win+D - Minimize all windows on the desktop.
Alt+T ab - Change active window.
Ctrl+Alt+Delete - via Ctrl+F1 and the Desktop Viewer toolbar.
Alt+Shift+T ab
Windows+T ab
Windows+Shift+T ab
Windows+All Character keys
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.156
Windows 8
Win+C - Open charms.
Win+Q - Search charm.
Win+H - Share charm.
Win+K - Devices charm.
Win+I - Settings charm.
Win+Q - Search apps.
Win+W - Search settings.
Win+F - Search files.
Windows 8 apps
Win+Z - Get to app options.
Win+. - Snap app to the left.
Win+Shift+. - Snap app to the right.
Ctrl+T ab - Cycle through app history.
Alt+F4 - Close an app.
Desktop
Win+D - Open desktop.
Win+, - Peek at desktop.
Win+B - Back to desktop.
Other
Win+U - Open Ease of Access Center.
Ctrl+Esc - Start screen.
Win+Enter - Open Windows Narrator.
Win+X - Open system utility settings menu.
Win+PrintScrn - T ake a screen shot and save to pictures.
Win+T ab - Open switch list.
Win+T - Preview open windows in taskbar.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.157
SDK and API
Aug 14 , 20 17
Citrix Virtual Channel SDK
T he Citrix Virtual Channel software development kit (SDK) supports writing server-side applications and client-side drivers for
additional virtual channels using the ICA protocol. T he server-side virtual channel applications are on XenApp or XenDesktop
servers. T his version of the SDK supports writing new virtual channels for Receiver for Windows. If you want to write virtual
drivers for other client platforms, contact Citrix Technical support.
T he Virtual Channel SDK provides:
T he Citrix Virtual Driver Application Programming Interface (VDAPI) is used with the virtual channel functions in the Citrix
Server API SDK (WFAPI SDK) to create new virtual channels. T he virtual channel support provided by VDAPI makes it easy
to write your own virtual channels.
T he Windows Monitoring API, which enhances the visual experience and support for third-party applications integrated
with ICA.
Working source code for virtual channel sample programs to demonstrate programming techniques.
T he Virtual Channel SDK requires the WFAPI SDK to write the server side of the virtual channel.
For more information on the SDK documentation, see Citrix Virtual Channel SDK for Citrix Receiver for Windows.
Fast Connect 3 Credential Insertion API
T he Fast Connect 3 Credential Insertion API provides an interface that supplies user credentials to the Single Sign-on
(SSON) feature.T his feature is available from Citrix Receiver for Windows Version 4.2 and later. Using this API, Citrix partners
can provide authentication and SSO products that use StoreFront or the Web Interface to log users on to virtual
applications or desktops and then disconnect users from those sessions.
For more information on the Fast Connect API documentation, see Fast Connect 3 Credential Insertion API for Citrix
Receiver for Windows.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.158